Security policy requires that Messaging Gateway (SMG) be secured from unauthorized access beyond its default configuration.
Versions: All
Messaging Gateway (SMG) is a secure and hardened appliance / virtual machine solution which is scanned for known vulnerabilities as part of the standard software development process. Where possible, vulnerabilities are addressed either through replacement of the affected component, configuration, or software patch of the vulnerable component as part of the normal software update and patch release process.
When conducting vulnerability scans of the Messaging Gateway system, the SMG should first be updated to the latest release and available patches applied.
The underlying SMG operating system requires no additional "hardening" from its default installation provided that the software version is up to date and all available patches have been applied.
There are a number of SMG services which can be further secured via IP access control lists (ACL) or increased protocol security.
Messaging Gateway administrator policy groups can be populated with both local administrator accounts and Active Directory / LDAP users or groups if Directory Integration has been configured. For Active Directory / LDAP based administrator accounts, it is expected that password complexity and expiration policies will be set at the AD level. For local administrator accounts, please ensure that the following options are set for local administrator accounts in Administration > Administrators
Note that the default admin account cannot be deleted, but if another account has Full Administration rights, the default admin account can have its access level reduced.
The SMG Control Center web application may be further secured by setting a network access control list to limit which IPs can connect to the web application. Additionally, the minimum TLS protocol level for the web application can be set from the admin command line (CLI).
The Messaging Gateway Control Center ships with a demonstration TLS certificate which ensures that connections to the Control Center web interface and REST API are encrypted. The demo certificate is not signed by a trusted third party, however, so connecting web browsers will warn that the identity of the server cannot be confirmed. To address this, an updated TLS certificate signed by a trusted third party.
In the event that an error was made in setting the Control Center web application network access control list, the ACL can be reset from the admin CLI via the following command:
delete bbchostacl
In its default configuration, the Messaging Gateway Control Center web interface will allow TLS 1.0 secured connections for backwards compatibility with some older web browsers. This may be flagged as a security concern by vulnerability scanners. The minimum TLS version for HTTPS sessions is set from the admin CLI as follows:
cc-config set-min-tls-level --tls12
Minimum TLS level can be set to TLS 1.0, TLS 1.1, or TLS 1.2.
Note: Due to an issue with the upgrade to SMG 10.7.5, the minimum TLS level is reset to TLS 1.0 following the upgrade and cannot be changed although SMG will report that it is limited to later protocol versions. Please see "TLS 1.0 allowed for Control Center connection regardless of cc-config set-min-tls-level in Messaging Gateway version 10.7.5" to address this.
In its default configuration the Messaging Gateway mail server will allow encryption to be negotiated using SSLv3, TLS 1.0, TLS 1.1, and TLS 1.2. Encryption protocols below TLS 1.2 are currently viewed as insecure and potentially vulnerable to exploitation. To bring the SMTP TLS communication into alignment with current encryption standards, the minimum TLS version should be increased to TLS 1.2 and the key exchange cipher list should be restricted to disallow insecure Diffie-Hellman key exchange.
Please see "Messaging Gateway and Diffie-Hellman key length" for details on restricting ciphersuites and key exchange algorithms.
The TLS certificate presented by the AD/LDAP server needs to have either the hostname or IP used in the Messaging Gateway LDAP server configuration configured as a Subject Alternative Name (SAN) in the certificate. Certificate validation may work if the hostname is listed in the certificate's Subject distinguished name as the common name, but use of the SAN extension is preferred.
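The following Python check is an added example, not part of the original article or of SMG itself. It classifies whether the name or IP configured for the LDAP server is covered by a SAN entry, only by the Subject common name, or not at all. The function names, the LDAPS port 636 default, and the sample certificates are assumptions constructed for illustration.

```python
import ipaddress
import socket
import ssl

def _dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h

def _same_ip(value, want):
    try:
        return ipaddress.ip_address(value) == want
    except ValueError:  # unparsable SAN value never matches
        return False

def classify_cert_match(cert, configured):
    """Return 'san', 'cn-only' or 'mismatch' for an ssl getpeercert()-style dict."""
    try:
        want_ip = ipaddress.ip_address(configured)
    except ValueError:
        want_ip = None  # configured value is a hostname
    for kind, value in cert.get("subjectAltName", ()):
        if want_ip is not None and kind == "IP Address":
            if _same_ip(value, want_ip):
                return "san"
        elif want_ip is None and kind == "DNS" and _dns_match(value, configured):
            return "san"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if want_ip is not None:
        cn_hit = configured in cns
    else:
        cn_hit = any(_dns_match(cn, configured) for cn in cns)
    return "cn-only" if cn_hit else "mismatch"

def fetch_cert(host, port=636, cafile=None):
    """Fetch the LDAPS certificate as a dict; the chain must verify against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name matching is done by classify_cert_match
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert()

# Constructed sample certificates in the shape getpeercert() returns.
CERT_SAN = {"subject": ((("commonName", "dc1.corp.example"),),),
            "subjectAltName": (("DNS", "dc1.corp.example"), ("IP Address", "192.0.2.10"))}
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.corp.example"),),)}

if __name__ == "__main__":
    for cert, name in [(CERT_SAN, "192.0.2.10"), (CERT_CN_ONLY, "ldap.corp.example")]:
        print(name, "->", classify_cert_match(cert, name))
```

A result of "cn-only" is the case the article describes as one that may work but is not preferred; reissuing the certificate with the configured hostname or IP as a SAN moves it to "san".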
sshd-config --add allow 192.168.1.0/24
sshd-config --add deny ALL
Note: You MUST set the allowed networks and hosts before denying access to all other connections otherwise you risk being unable to connect to the SMG command line.
Some vulnerability scanners will raise alerts regarding the SMG SSH service accepting some CBC ciphers, MAC algorithms, or key exchange algorithms. To further secure and limit the ciphers used by the SMG command line SSH service please see