Disable or configure the e-mail server, as necessary.


CONTROL ID: 06563
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain system hardening procedures., CC ID: 12001

This Control has the following implementation support Control(s):
  • Configure e-mail servers to enable receiver-side verification., CC ID: 12223
  • Configure the e-mail server to prevent it from listening to external interfaces., CC ID: 01561
  • Configure the "Local-Only Mode" setting for the "Mail Transfer Agent" to organizational standards., CC ID: 09940


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Email is routed through a centralised email gateway. (Security Control: 0569; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Email servers only relay emails destined for or originating from their domains. (Security Control: 0567; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Opportunistic TLS encryption, as defined in IETF RFC 3207, is enabled on email servers that make incoming or outgoing email connections over public network infrastructure. (Security Control: 0572; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway. (Security Control: 0570; Revision: 4, Australian Government Information Security Manual, March 2021)
  • Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway. (Control: ISM-0570; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Email servers are configured to block, log and report emails with inappropriate protective markings. (Control: ISM-0565; Revision: 4, Australian Government Information Security Manual, June 2023)
  • Emails are routed via centralised email gateways. (Control: ISM-0569; Revision: 5, Australian Government Information Security Manual, June 2023)
  • Email servers only relay emails destined for or originating from their domains (including subdomains). (Control: ISM-0567; Revision: 5, Australian Government Information Security Manual, June 2023)
  • MTA-STS is enabled to prevent the unencrypted transfer of emails between complying servers. (Control: ISM-1589; Revision: 2, Australian Government Information Security Manual, June 2023)
  • Where backup or alternative email gateways are in place, they are maintained at the same standard as the primary email gateway. (Control: ISM-0570; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Email servers are configured to block, log and report emails with inappropriate protective markings. (Control: ISM-0565; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Emails are routed via centralised email gateways. (Control: ISM-0569; Revision: 5, Australian Government Information Security Manual, September 2023)
  • Email servers only relay emails destined for or originating from their domains (including subdomains). (Control: ISM-0567; Revision: 5, Australian Government Information Security Manual, September 2023)
  • MTA-STS is enabled to prevent the unencrypted transfer of emails between complying servers. (Control: ISM-1589; Revision: 2, Australian Government Information Security Manual, September 2023)
  • The organization should block e-mail from unclassified systems that is unmarked or inappropriately marked and being sent to intended recipients at the e-mail server. (Control: 0562, Australian Government Information Security Manual: Controls)
  • The organization must block e-mail from classified systems that is unmarked or inappropriately marked and being sent to intended recipients at the e-mail server. (Control: 0875, Australian Government Information Security Manual: Controls)
  • The organization must configure the e-mail system to reject, log, and report all inbound e-mails that have protective markings showing the e-mail contains information that exceeds the classification or sensitivity of the system. (Control: 0565, Australian Government Information Security Manual: Controls)
  • The organization must configure the e-mail systems to block outbound e-mails that have a protective marking higher than the sensitivity or classification of the path over which the e-mail will be transmitted. (Control: 0563, Australian Government Information Security Manual: Controls)
  • The organization should configure the e-mail systems to log every blocked e-mail. (Control: 0564, Australian Government Information Security Manual: Controls)
  • The e-mail servers should strip the active web addresses and replace them with inactive web addresses. (Control: 1057, Australian Government Information Security Manual: Controls)
  • The organization must specify the e-mail servers using Sender Policy Framework or Sender ID. (Control: 0574, Australian Government Information Security Manual: Controls)
  • Mail servers shall be configured to prevent the messaging system being overloaded by limiting the size of messages. (CF.15.01.03-1, The Standard of Good Practice for Information Security)
  • Mail servers shall be configured to prevent the messaging system being overloaded by limiting the size of user mailboxes. (CF.15.01.03-2, The Standard of Good Practice for Information Security)
  • Mail servers shall be configured to prevent the messaging system being overloaded by automatically identifying and canceling e-mail loops. (CF.15.01.03-3, The Standard of Good Practice for Information Security)
  • Mail servers shall be configured to prevent the accidental disclosure of e-mail and attachments to unauthorized individuals by preventing users from configuring the 'auto-forward' feature. (CF.15.01.04a, The Standard of Good Practice for Information Security)
  • Mail servers shall be configured to prevent the accidental disclosure of e-mail and attachments to unauthorized individuals by restricting the use of large distribution lists (e.g., every individual in the organization). (CF.15.01.04b, The Standard of Good Practice for Information Security)
  • E-mail systems shall be reviewed to ensure that requirements for up-time and future availability can be met. (CF.15.01.05, The Standard of Good Practice for Information Security)
  • E-mail systems should protect messages by blocking messages that are considered undesirable (e.g., by using an e-mail blacklist consisting of known undesirable websites or e-mail list servers). (CF.15.01.07a, The Standard of Good Practice for Information Security)
  • E-mail systems should protect messages by providing Non-Repudiation of Receipt of important messages (e.g., by returning a digitally signed receipt message). (CF.15.01.07d, The Standard of Good Practice for Information Security)
  • The business integrity of e-mail messages should be protected by appending legally required information and return address details (for misdelivered e-mail) to business e-mail (e.g., as a disclaimer). (CF.15.01.08a, The Standard of Good Practice for Information Security)
  • Mail servers shall be configured to prevent the messaging system being overloaded by limiting the size of messages. (CF.15.01.03-1, The Standard of Good Practice for Information Security, 2013)
  • Mail servers shall be configured to prevent the messaging system being overloaded by limiting the size of user mailboxes. (CF.15.01.03-2, The Standard of Good Practice for Information Security, 2013)
  • Mail servers shall be configured to prevent the messaging system being overloaded by automatically identifying and canceling e-mail loops. (CF.15.01.03-3, The Standard of Good Practice for Information Security, 2013)
  • Mail servers should be configured to prevent the accidental disclosure of e-mail and attachments to unauthorized individuals by enforcing encryption between e-mail servers (e.g., using Secure Sockets Layer, Transport Layer Security, or equivalent). (CF.15.01.04a, The Standard of Good Practice for Information Security, 2013)
  • Mail servers shall be configured to prevent the accidental disclosure of e-mail and attachments to unauthorized individuals by preventing users from configuring the 'auto-forward' feature. (CF.15.01.04b, The Standard of Good Practice for Information Security, 2013)
  • E-mail systems shall be reviewed to ensure that requirements for up-time and future availability can be met. (CF.15.01.05, The Standard of Good Practice for Information Security, 2013)
  • E-mail systems should protect messages by blocking messages that are considered undesirable (e.g., by using an e-mail blacklist consisting of known undesirable websites or e-mail list servers). (CF.15.01.07a, The Standard of Good Practice for Information Security, 2013)
  • E-mail systems should protect messages by providing Non-Repudiation of Receipt of important messages (e.g., by returning a digitally signed receipt message). (CF.15.01.07d, The Standard of Good Practice for Information Security, 2013)
  • The business integrity of e-mail messages should be protected by appending legally required information and return address details (for misdelivered e-mail) to business e-mail (e.g., as a disclaimer). (CF.15.01.08a, The Standard of Good Practice for Information Security, 2013)
  • E-mail systems should protect messages by verifying the source Internet Protocol address of senders' e-mails (e.g., using an e-mail validation system, such as the Sender Policy Framework or Sender ID that check the Domain Name System) to limit spoofing. (CF.15.01.07e, The Standard of Good Practice for Information Security, 2013)
  • Mail servers shall be configured to prevent the accidental disclosure of e-mail and attachments to unauthorized individuals by restricting the use of large distribution lists (e.g., every individual in the organization). (CF.15.01.04c, The Standard of Good Practice for Information Security, 2013)
  • For Solaris, the organization must configure the system to disable the e-mail server, if the system does not function as an e-mail server. (Table F-6, CMS Business Partners Systems Security Manual, Rev. 10)
  • The information assurance officer must ensure that the e-mail system supports the sending and receiving of e-mail that has been signed by Department of Defense-approved certificates. (§ 3.4.2.2 ¶ AC34.115, DISA Access Control STIG, Version 2, Release 3)
  • All BCAPs must support Mission Owners and implement the appropriate routing of server-to-server email traffic to/from the EEMSG capability at the CAP end of the connection for all CSOs that contain an email server. This includes routing to/from such servers and the IAP for email servers that are e… (Section 5.19 ¶ 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Mail servers and clients must be securely configured. Underlying operating systems of on-premises mail servers must be hardened and included in the agency's FTI inventory. A 45-day cloud notification must be submitted for cloud-hosted mail solutions. (3.3.2 ¶ 3 a., Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Does the Credit Union maintain the e-mail server? (IT - General Q 36, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the e-mail server able to restrict the types of files employees can send by e-mail? (IT - General Q 36f, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Unless granted written exemption from the OIT, all State agencies shall use the email system in the alabama.gov domain name space maintained by OIT. (STATEMENT OF POLICY ¶ 3 (b), Policy 540: Email and Directory Services, 540-02)
  • Maintain and administer a statewide email system in the alabama.gov domain name space. (OIT RESPONSIBILITIES ¶ 1, Policy 540: Email and Directory Services, 540-02)