Preventing the uncontrolled spread of confidential or sensitive information is an overriding priority for the University. Based on recommendations from Internal Audit after the Bugbear.B virus that struck the University in June of 2003, the President and Provost have decided to limit the ability to send outbound email to a set of trusted, registered servers.
Departments with identified business needs and qualified staff resources to appropriately support this effort, as well as researchers with a research-related need to run an outbound email server, may request to become one of these trusted servers. All other traffic will continue to be routed through the Stanford SMTP servers.
All servers that are trusted to send email must meet certain minimum standards of security and upkeep. Below is the latest version of these standards and requirements. Please note that these criteria are the recommended standards, and servers may have legitimate reasons for not meeting all of the criteria to the fullest extent. If a mail server cannot meet the defined standards, a petition for a waiver may be submitted. This petition should include a risk analysis and risk assumption agreement for review by Internal Audit and the Information Security Office (ISO).
Standards and requirements
- The server must meet all of ISO's Minimum Security Standards for a moderate-risk server.
- The server must be on a campus network that is provisioned by University IT.
- In the server's NetDB record, there must be at least one Administrator listed whose mobile phone is visible to anyone at Stanford, who is available 24/7, and who is able to answer technical questions and respond to issues.
- All outgoing mail must be filtered through an anti-virus scanner capable of completely quarantining infected messages. The scanner's virus signatures should be updated at least daily.
- The server must not relay emails that originated outside of Stanford.
- MTA logs must be kept for no less than 1 year, and must be made accessible to ISO upon request.
- The server must not use clear-text passwords over an unencrypted connection, including but not limited to SMTP authentication not using TLS, or remote login (i.e., telnet).
- The server must not run any unnecessary network services.
- When handling emails containing High Risk Data, all connections must use connection-level encryption. In addition, the content of the email must be encrypted before the email leaves the Stanford network.
If you or your department has an email server that meets these requirements and you would like an exemption from the port 25 block, please submit a HelpSU request and describe your situation. The Information Security Office will process your request within two business days. For those who receive an exemption, the entire process takes roughly a week. Note, however, that there is a limit to how many servers can be handled this way: qualified applicants may have to be prioritized.