Preventing the uncontrolled spread of confidential or sensitive information is an overriding prerogative for the University. Based on recommendations from Internal Audit after the bugbear.b virus that struck the University in June of 2003, the President and Provost have decided to limit the ability to send outbound email to a set of trusted, registered servers. Departments with identified business needs and qualified staff resources to appropriately support this effort, as well as researchers with a research-related need to run an outbound email server may request to become one of these trusted servers. All other traffic will continue to be routed through the @Stanford servers.
All servers that are trusted to send email must meet certain minimum standards of security and upkeep. Below is the latest version of these standards and requirements. Please note that these criteria are the recommended standards and servers may have legitimate reasons for not meeting all of the criteria to the fullest extent. If a mail server cannot meet the defined standards, a petition for waiver can be applied for. This petition should include a risk analysis and risk assumption agreement for review by Internal Audit.
Standards and requirements
- The server's IP address must be moved to a campus-wide server network which will be provisioned by University IT Communication Services.
- The server must have a 24-hour technical phone contact, and contact information must be kept current.
- All outgoing mail must be filtered through an anti-virus scanner capable of completely quarantining infected messages. The scanner's virus signatures should be updated at least daily.
- The server must not relay (accept and deliver mail for non-local addresses) for any non-Stanford client connection without authentication. This includes multilevel relaying (in other words, the server must not accept non-local mail from another system which accepts mail from non-Stanford clients).
- The Mail Transport Agent must be kept up to date with all relevant security patches.
- MTA logs must be kept for no less than 1 year, and must be made accessible to authorized infrastructure and security personnel upon request.
- The operating system must be kept up to date with all relevant security patches.
- The server must employ a host-based intrusion detection system, such as Tripwire.
- The server must not use clear-text passwords for any reason whatsoever, including but not limited to SMTP authentication or remote login.
- The server must not run any unnecessary network services.
- Communications between the email servers transmitting High Risk Data must be encrypted or be confined to a network segment that meets PCI-DSS guidelines.
- Email servers transmitting High Risk Data must be configured to require an encrypted connection with clients downloading email from the server.
If you or your department have an email server that meets these requirements and you would like an exemption from the port25 block, please file a HelpSU ticket and describe your situation. Information Security Services will process your request within two business days. For those who receive an exemption, the entire process takes roughly a week. Note, however, that there is a limit to how many servers can be handled this way: qualified applicants may have to be prioritized.