CSAPP_SMTPD_MAIL_RELAY
- Description:
- Checks to see if the INBOUNDOPENLIMIT statement is set to 0.
- Reason for check:
- Specifying the INBOUNDOPENLIMIT statement to a valid non-zero value or allowing it to default to the value of 256 causes the SMTP server to open a listening port and implicitly become exploitable by remote users as a mail relay.
- z/OS® releases the check applies to:
- z/OS V2R1 and V2R2, with the PTFs for APARs
PI51640 and OA50122 applied.
- User override of IBM values:
- The following sample shows the defaults for customizable
values for this check. Use this sample to make permanent check
customizations in an HZSPRMxx parmlib member used at
IBM Health Checker for z/OS startup. If you just want a one-time
only update to the check defaults, omit the first line (ADDREPLACE POLICY)
and use the UPDATE statement on a MODIFY hzsproc command.
Note that using non-POLICY UPDATEs in HZSPRMxx can
lead to unexpected results and is therefore not recommended.ADDREPLACE POLICY[(policyname)] [STATEMENT(name)]
UPDATE
CHECK(IBMCS,CSAPP_SMTPD_MAIL_RELAY)
DATE('date_of_the_change')
REASON('Your reason for making the update.')
ACTIVE
SEVERITY(MEDIUM)
INTERVAL(ONETIME)
- Debug support:
- No
- Verbose support:
- No
- Parameters accepted:
- No
- Reference:
- For more information on the INBOUNDOPENLIMIT statement, see the INBOUNDOPENLIMIT statement section in z/OS Communications Server: IP Configuration Reference.
- Messages:
- This check issues the following exception messages:
- ISTH032E
- SECLABEL recommended for multilevel security users:
- SYSLOW - see z/OS Planning for Multilevel Security and the Common Criteria for information on using SECLABELs.