
STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-279060

CAT II (Medium)

ColdFusion must transmit only encrypted representations of passwords to the mail server.

Rule ID

SV-279060r1171535_rule

STIG

Adobe ColdFusion Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000197, CCI-002385, CCI-000366

Discussion

Passwords need to be protected at all times, and encryption is the standard method for protecting passwords during transmission. If passwords are not encrypted, they can be read in the clear (i.e., clear text) and easily compromised. ColdFusion may use a username/password to connect to a mail server. When this authentication method is used, the credentials must be encrypted while in transit. While TLS encryption is the method preferred by DOD, SSL can be used when the mail server does not offer any other method of encryption.

Satisfies: SRG-APP-000172-AS-000120, SRG-APP-000435-AS-000163, SRG-APP-000516-AS-000237

Check Content

If the "mail" package is not installed, this is Not Applicable.

Verify Mail Service Configurations.

From the Admin Console Landing Screen, navigate to Server Settings >> Mail.

If no mail server is configured, this requirement is not a finding.

If a username and password are required for authentication and "Enable TLS connection to mail server" is unchecked and "Enable SSL socket connections to mail server" is unchecked, this is a finding.

If "Spool mail messages for delivery to" is unchecked, this is a finding.

If "Connection Timeout (in seconds)" is set to greater than 15 seconds, this is a finding.

If "Log all mail messages sent by ColdFusion" is not checked, this is a finding.

If the default and recommended setting of "Warning" is not selected for error log severity, this is a finding.
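An added example, not part of the STIG or of STIGhub, that automates the check above against ColdFusion's on-disk mail configuration rather than the Administrator pages. ColdFusion stores the Administrator's mail settings as a WDDX packet in neo-mail.xml (under cfusion/lib on a default install); the variable names used here (server, username, password, useTLS, useSSL, spoolEnable, timeout, logMessages, severity) are assumptions about that file's layout, and the sample packet is constructed for the example. The rules follow the Check Content as written, including treating a disabled spool as a finding:

```python
"""Audit ColdFusion mail settings (neo-mail.xml) against the V-279060 check content.

Added example; the WDDX variable names below are assumed, not taken from the STIG.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample packet mirroring the assumed neo-mail.xml layout.
# Every audited setting here is non-compliant except spooling, to exercise the checks.
SAMPLE_NEO_MAIL_XML = """<wddxPacket version='1.0'><header/><data>
<struct type='coldfusion.server.ConfigMap'>
<var name='server'><string>smtp.example.mil</string></var>
<var name='port'><number>25.0</number></var>
<var name='username'><string>cfmailer</string></var>
<var name='password'><string>placeholder-encrypted-value</string></var>
<var name='useTLS'><boolean value='false'/></var>
<var name='useSSL'><boolean value='false'/></var>
<var name='spoolEnable'><boolean value='true'/></var>
<var name='timeout'><number>60.0</number></var>
<var name='logMessages'><boolean value='false'/></var>
<var name='severity'><string>Information</string></var>
</struct></data></wddxPacket>"""


def parse_wddx_settings(xml_text):
    """Flatten the <var name=...> entries of a WDDX packet into a dict."""
    settings = {}
    for var in ET.fromstring(xml_text).iter("var"):
        children = list(var)
        if not children:
            continue
        value = children[0]
        if value.tag == "boolean":
            settings[var.get("name")] = value.get("value", "false").lower() == "true"
        elif value.tag == "number":
            settings[var.get("name")] = float(value.text or "0")
        elif value.tag == "string":
            settings[var.get("name")] = value.text or ""
    return settings


def audit_mail_settings(s):
    """Return one finding string per Check Content condition that fails."""
    findings = []
    if not s.get("server"):
        return findings  # no mail server configured: not a finding
    # Credentials on the wire must be covered by TLS or SSL.
    requires_auth = bool(s.get("username")) or bool(s.get("password"))
    if requires_auth and not s.get("useTLS") and not s.get("useSSL"):
        findings.append("mail credentials sent without TLS or SSL")
    if not s.get("spoolEnable"):
        findings.append("mail spooling is disabled")
    timeout = s.get("timeout", 0.0)
    if timeout > 15:
        findings.append(f"connection timeout {timeout:.0f}s exceeds 15s")
    if not s.get("logMessages"):
        findings.append("logging of sent mail messages is disabled")
    if s.get("severity") != "Warning":
        findings.append(f"error log severity is {s.get('severity')!r}, expected 'Warning'")
    return findings


def audit_file(path):
    """Parse and audit a neo-mail.xml on disk (the path is supplied by the caller)."""
    with open(path, encoding="utf-8") as fh:
        return audit_mail_settings(parse_wddx_settings(fh.read()))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        results = audit_mail_settings(parse_wddx_settings(SAMPLE_NEO_MAIL_XML))
    for finding in results:
        print("FINDING:", finding)
    print("compliant" if not results else f"{len(results)} finding(s)")
```

Run it with the path to neo-mail.xml as the only argument, or with no argument to audit the embedded sample. A non-empty username or password is taken to mean authentication is required, which is the condition under which the TLS or SSL setting must be enabled.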

Fix Text

If the "mail" package is not installed, this is Not Applicable.

Configure Mail Service.

1. From the Admin Console Landing Screen, navigate to Server Settings >> Mail.

2. Enable SSL/TLS:
- If a username and password are required for authentication, check the "Enable SSL socket connections to mail server" setting.
- Check the "Enable TLS connection to mail server" setting.

3. Mail Spool Settings: 
- Uncheck "Spool mail messages for delivery to" setting.

4. Set the "Connection Timeout (in seconds)" setting to 15 seconds or fewer.

5. Mail Logging Settings:
- Check the "Log all mail messages sent by ColdFusion" setting.
- Select "Warning" for Error Log Severity.

6. Select "Submit Changes" to save the new settings.