Controls/EDCA-TLS-043.json

{
  "id": "EDCA-TLS-043",
  "title": "Edge internal Send connectors use mutual-TLS domain security",
  "description": "Internal Send connectors on the Edge Transport server (those delivering mail back to Mailbox servers) MUST use mutual TLS (domain security). Without mutual TLS on the internal path, the connection carrying mail forwarded from Edge back to internal Mailbox servers is not mutually authenticated, which allows man-in-the-middle interception.",
  "verify": true,
  "subject": "Server",
  "category": "Transport Security",
  "severity": "High",
  "severityWeight": 8,
  "frameworks": [
    "Best Practice",
    "DISA"
  ],
  "references": [
    {
      "name": "Microsoft — Domain security in Exchange Server",
      "url": "https://learn.microsoft.com/exchange/mail-flow/connectors/domain-security"
    },
    {
      "name": "DISA STIG EX19-ED-000058: The Exchange Send connector must use Domain Security (Mutual Auth TLS) (V-259594)",
      "url": "https://www.stigviewer.com/stigs/microsoft_exchange_2019_edge_server/2024-12-06/finding/V-259594"
    }
  ],
  "remediation": {
    "automatable": false,
    "description": "On each internal Send connector, set TlsAuthLevel to DomainValidation and DomainSecureEnabled to $true (via Set-SendConnector).",
    "scriptTemplate": "Get-SendConnector | Select-Object Identity, TlsAuthLevel, DomainSecureEnabled, SmartHosts"
  },
  "considerations": "Mutual TLS on the Edge-to-Mailbox Send connector requires that both sides present valid certificates and that the sending domain is listed in the receiving connector's TlsDomain. Confirm that the Edge Subscription is active and that the certificates on both sides are valid before enabling this setting.",
  "roles": [
    "Edge"
  ]
}