
V-259692

CAT II (Medium)

Exchange must not send automated replies to remote domains.

Rule ID

SV-259692r961161_rule

STIG

Microsoft Exchange 2019 Mailbox Server Security Technical Implementation Guide

Version

V2R3

CCIs

CCI-001308

Discussion

Attackers can use automated messages to determine whether a user account is active, in the office, traveling, and so on. An attacker might use this information to conduct future attacks. Remote users will not receive automated "Out of Office" delivery reports. This setting can be used to determine if all the servers in the organization can send "Out of Office" messages.

Check Content

Note: Automated replies to .mil or .gov sites are allowed.

Open the Exchange Management Shell and enter the following command:

Get-RemoteDomain | Select-Object -Property Name, Identity, AutoReplyEnabled

If the value of "AutoReplyEnabled" is set to "True" and is configured to only reply to .mil or .gov sites, this is not a finding.

If the value of "AutoReplyEnabled" is not set to "False", this is a finding.

Fix Text

Open the Exchange Management Shell and enter the following command:

Set-RemoteDomain -Identity <'IdentityName'> -AutoReplyEnabled $false

Note: The <IdentityName> value must be in quotes.
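
The Check Content logic above can be applied to every remote domain at once. The following is an added example, not part of the STIG text. The function name Test-RemoteDomainAutoReply and the sample objects are hypothetical, and it assumes each object exposes Name, DomainName and AutoReplyEnabled as returned by Get-RemoteDomain.

```powershell
# Added example: evaluate remote-domain objects against V-259692.
# Assumption: input objects carry Name, DomainName and AutoReplyEnabled,
# the properties Get-RemoteDomain returns for each remote domain entry.
function Test-RemoteDomainAutoReply {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$RemoteDomain
    )
    process {
        $domain  = [string]$RemoteDomain.DomainName
        $enabled = [bool]$RemoteDomain.AutoReplyEnabled

        # Exception from the check's note: replies to .mil or .gov are allowed.
        # A wildcard entry such as '*' does not match and is not exempt.
        $isExempt = $domain -match '\.(mil|gov)$'

        # Finding only when auto-replies are enabled for a non-exempt domain.
        $status = if ($enabled -and -not $isExempt) { 'Finding' } else { 'NotAFinding' }

        [pscustomobject]@{
            Name             = $RemoteDomain.Name
            DomainName       = $domain
            AutoReplyEnabled = $enabled
            Exempt           = $isExempt
            Status           = $status
        }
    }
}

# Constructed sample input so the logic can be exercised without an Exchange server.
$sample = @(
    [pscustomobject]@{ Name = 'Default';     DomainName = '*';                  AutoReplyEnabled = $true  }
    [pscustomobject]@{ Name = 'Partner-Mil'; DomainName = '*.example.mil';      AutoReplyEnabled = $true  }
    [pscustomobject]@{ Name = 'Vendor';      DomainName = 'vendor.example.com'; AutoReplyEnabled = $false }
)

$sample | Test-RemoteDomainAutoReply | Format-Table -AutoSize

# In the Exchange Management Shell, feed it live data instead:
#   Get-RemoteDomain | Test-RemoteDomainAutoReply | Where-Object Status -eq 'Finding'
```

Any entry reported as a finding is a candidate for the Set-RemoteDomain command in the Fix Text.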