|
| 1 | +function Invoke-CIPPStandardDisableBasicAuthSMTPCustom { |
| 2 | + <# |
| 3 | + .FUNCTIONALITY |
| 4 | + Internal |
| 5 | + .COMPONENT |
| 6 | + (APIName) DisableBasicAuthSMTP |
| 7 | + .SYNOPSIS |
| 8 | + (Label) Disable SMTP Basic Authentication |
| 9 | + .DESCRIPTION |
| 10 | + (Helptext) Disables SMTP AUTH for the organization and all users, with ability to set exclusion group. |
| 11 | + (DocsDescription) Disables SMTP basic authentication for the tenant and all users with it explicitly enabled, unless in defined exclusion group. |
| 12 | + .NOTES |
| 13 | + CAT |
| 14 | + Global Standards |
| 15 | + TAG |
| 16 | + ADDEDCOMPONENT |
| 17 | + IMPACT |
| 18 | + Medium Impact |
| 19 | + ADDEDDATE |
| 20 | + 2021-11-16 |
| 21 | + POWERSHELLEQUIVALENT |
| 22 | + Set-TransportConfig -SmtpClientAuthenticationDisabled \$true |
| 23 | + RECOMMENDEDBY |
| 24 | + "CIS" |
| 25 | + "CIPP" |
| 26 | + UPDATECOMMENTBLOCK |
| 27 | + Run the Tools\Update-StandardsComments.ps1 script to update this comment block |
| 28 | + .LINK |
| 29 | + https://docs.cipp.app/user-documentation/tenant/standards/list-standards/global-standards#medium-impact |
| 30 | + #> |
| 31 | + |
| 32 | + param($Tenant, $Settings) |
| 33 | + ##$Rerun -Type Standard -Tenant $Tenant -Settings $Settings 'DisableBasicAuthSMTP' |
| 34 | + |
| 35 | + $CurrentInfo = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-TransportConfig' |
| 36 | + $ExcludeUsers = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-DistributionGroupMember -cmdParams @{ Identity = "$Settings.ExcludeGroup" } |
| 37 | + $SMTPusers = New-ExoRequest -tenantid $Tenant -cmdlet 'Get-CASMailbox' -cmdParams @{ ResultSize = 'Unlimited' } | Where-Object { ($_.SmtpClientAuthenticationDisabled -eq $false) -and ($_.Name -notin $ExcludedUsers.Name } |
| 38 | + |
| 39 | + If ($Settings.remediate -eq $true) { |
| 40 | + Write-Host 'Time to remediate' |
| 41 | + |
| 42 | + if ($CurrentInfo.SmtpClientAuthenticationDisabled -and $SMTPusers.Count -eq 0) { |
| 43 | + Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMTP Basic Authentication for tenant and all users is already disabled' -sev Info |
| 44 | + } else { |
| 45 | + # Disable SMTP Basic Authentication for the tenant |
| 46 | + try { |
| 47 | + New-ExoRequest -tenantid $Tenant -cmdlet 'Set-TransportConfig' -cmdParams @{ SmtpClientAuthenticationDisabled = $true } |
| 48 | + Write-LogMessage -API 'Standards' -tenant $tenant -message 'Disabled SMTP Basic Authentication' -sev Info |
| 49 | + } catch { |
| 50 | + $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message |
| 51 | + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SMTP Basic Authentication. Error: $ErrorMessage" -sev Error |
| 52 | + } |
| 53 | + |
| 54 | + # Disable SMTP Basic Authentication for all users |
| 55 | + $SMTPusers | ForEach-Object { |
| 56 | + try { |
| 57 | + New-ExoRequest -tenantid $Tenant -cmdlet 'Set-CASMailbox' -cmdParams @{ Identity = $_.Identity; SmtpClientAuthenticationDisabled = $null } -UseSystemMailbox $true |
| 58 | + Write-LogMessage -API 'Standards' -tenant $tenant -message "Disabled SMTP Basic Authentication for $($_.DisplayName), $($_.PrimarySmtpAddress)" -sev Info |
| 59 | + } catch { |
| 60 | + $ErrorMessage = Get-NormalizedError -Message $_.Exception.Message |
| 61 | + Write-LogMessage -API 'Standards' -tenant $tenant -message "Failed to disable SMTP Basic Authentication for $($_.DisplayName), $($_.PrimarySmtpAddress). Error: $ErrorMessage" -sev Error |
| 62 | + } |
| 63 | + } |
| 64 | + } |
| 65 | + } |
| 66 | + |
| 67 | + $LogMessage = [System.Collections.Generic.List[string]]::new() |
| 68 | + if ($Settings.alert -eq $true -or $Settings.report -eq $true) { |
| 69 | + |
| 70 | + # Build the log message for use in the alert and report |
| 71 | + if ($CurrentInfo.SmtpClientAuthenticationDisabled) { |
| 72 | + $LogMessage.add('SMTP Basic Authentication for tenant is disabled. ') |
| 73 | + } else { |
| 74 | + $LogMessage.add('SMTP Basic Authentication for tenant is not disabled. ') |
| 75 | + } |
| 76 | + if ($SMTPusers.Count -eq 0) { |
| 77 | + $LogMessage.add('SMTP Basic Authentication for all users is disabled') |
| 78 | + } else { |
| 79 | + $LogMessage.add("SMTP Basic Authentication for the following $($SMTPusers.Count) users is not disabled: $($SMTPusers.PrimarySmtpAddress -join ',')") |
| 80 | + } |
| 81 | + |
| 82 | + if ($Settings.alert -eq $true) { |
| 83 | + |
| 84 | + if ($CurrentInfo.SmtpClientAuthenticationDisabled -and $SMTPusers.Count -eq 0) { |
| 85 | + Write-LogMessage -API 'Standards' -tenant $tenant -message 'SMTP Basic Authentication for tenant and all users is disabled' -sev Info |
| 86 | + } else { |
| 87 | + Write-LogMessage -API 'Standards' -tenant $tenant -message $LogMessage -sev Alert |
| 88 | + } |
| 89 | + } |
| 90 | + |
| 91 | + if ($Settings.report -eq $true) { |
| 92 | + |
| 93 | + if ($CurrentInfo.SmtpClientAuthenticationDisabled -and $SMTPusers.Count -eq 0) { |
| 94 | + Add-CIPPBPAField -FieldName 'DisableBasicAuthSMTPCustom' -FieldValue $CurrentInfo.SmtpClientAuthenticationDisabled -StoreAs bool -Tenant $tenant |
| 95 | + } else { |
| 96 | + Add-CIPPBPAField -FieldName 'DisableBasicAuthSMTPCustom' -FieldValue $LogMessage -StoreAs string -Tenant $tenant |
| 97 | + } |
| 98 | + } |
| 99 | + } |
| 100 | +} |
0 commit comments