Security policy requires that Messaging Gateway (SMG) be secured from unauthorized access beyond it's default configuration.

Messaging Gateway (SMG) is a secure and hardended appliance / virtual machine solution which is scanned for known vulnerabilities as part of the standard software development process. Where possible, vulnerabilities are addressed either through replacement, configuration, or software patch of the vulnerable component. The underlying SMG operating system requires no additional "hardening" from its default installation provided that the software version is up to data and all available patches have been applied.

There are a number of SMG services which can be further secured via IP access control lists (ACL) or increased protocol security.

• Administrator Account Security
• Securing the Control Center Web Application
• Securing the SMTP Service
• Securing the Directory Data Service
• Securing the Command Line Interface

Administrator Account Security

Messaging Gateway administrator policy groups can be populated with both local administrator accounts and Active Directory / LDAP users or groups if Directory Intergation has been configured. For Active Directory / LDAP based administrator accounts, it is expected that password complexity and expiration policies will be set at the AD level. For local administrator accounts, please ensure that the following options are set for local administrator accounts in Administration > Administrators

• Require strong passwords is checked
• Password expiration is set to a time limit which aligns with your security policy
• Administrator accounts other than the default 'admin' account are assigned to an administration policy group which provides the minimum system rights needed to perform their job functions

Note that the default admin account cannot be deleted but if another account has Full Administration rights the default admin account can had its access level reduced.

Securing the Control Center Web Application

The SMG Control Center web application may be further secured by setting a network access control list to limit which IPs can connect to the web application. Additionally, the minimum TLS protocol level for the web application can be set from the admin command line (CLI).

• Configuring the Control Center web application network access control list
• Setting the Control Center web application network minimum TLS level

Configuring the Control Center web application network access control list

1. 1. Log into the SMG Control Center as an administrator with Manage Settings rights (the default admin account and administrators with Full Admin Rights have this right)
   2. Go to Administration > Control Center > Access
   3. Select "Only the following hosts"
   4. Enter the IP addresses or networks you wish to allow to connect to the SMG Control Center either for administration, quarantine access, or API access.
   5. Click Save

In the event that an error was made in setting the Control Center web application network access control list, the ACL can be reset from the admin CLI via the following command:

delete bbchostacl

Setting the Control Center web application minimum TLS level

1. 1. Log into the admin CLI via ssh / putty
   2. Run the following command to set the minimum TLS level for the Control Center web application (this will restart the control center GUI)

      cc-config set-min-tls-level --tls12

Minimum TLS level can be set to TLS 1.0, TLS 1.1, or TLS 1.2

Note: Due to an issue with the upgrade to SMG 10.7.5, the minimum TLS level is reset to TLS 1.0 following the upgrade and cannot be changed although SMG will report that it is limited to later protocol versions. Please see TLS 1.0 allowed for Control Center connection regardless of cc-config set-min-tls-level in Messaging Gateway version 10.7.5 to address this.

Securing the SMTP Service

• Setting the minimum TLS level for SMTP communication
• Restricting TLS ciphers used by the SMTP service

Setting the minimum TLS level for SMTP communication

1. 1. Log into the SMG Control Center as an administrator with Manage Settings rights (the default admin account and administrators with Full Admin Rights have this right)
   2. Go to Protocols > Setting > SSL Restrictions
   3. Check the "Disable support for... " checkbox and set the TLS protocol level to disallow. All lower protocol versions are also disallowed.
   4. Click Save

Restricting TLS ciphers used by the SMTP service

Please see Messaging Gateway and Diffie-Hellman key length for details on restricting ciphersuites and key exchange algorithms.

Securing the Directory Data Service

• Using LDAPS for directory server connections
• Requirements for LDAP server TLS certificate validation

Using LDAPS for directory server connections

1. 1. Log into the Control Center as an admin with administrator rights
   2. Go to Administration > Directory Integration
   3. Under LDAP server configuration select "Enable SSL"
   4. Ensure that the LDAP server port used in either port 636 or the TCP port used for LDAPS by your directory server
   5. Click Save

Requirements for LDAP server TLS certificate validation

The TLS certificate presented by the AD/LDAP server need to have either the hostname or IP used in the Messaging Gateway LDAP server configuration configured as a Subject Alternative Name (SAN) in the certificate. Certificate validation may work if the hostname is listed in the certificate's Subject distinguished name as the common name but use of the SAN extension is preferred.

Securing the Command Line Interface

• Setting the SSH network access control list
• Limiting SSH ciphers and hash algorithms

Setting the network access control list for the SMG ssh interface

1. 1. Log into the SMG admin command line
   2. Allow access for networks or hosts that can connect to the admin command line via ssh

      sshd-config --add allow 192.168.1.0/24

   3. Deny access to all other networks / hosts

      sshd-config --add deny ALL

Note: You MUST set the allowed networks and hosts before denying access to all other connections otherwise you risk being unable to connect to the SMG command line.

Limiting SSH ciphers and hash algorithms

Some vulnerability scanners will raise alerts regarding the SMG SSH service accepting some CBC ciphers, MAC algorithms, or key exchange algorithms. To further secure and limit the ciphers used by the SMG command line SSH service please see

• • Limiting SSH ciphers and MAC algorithms in Messaging Gateway
  • Changing Messaging Gateway ssh key exchange algorithms