Restrict emails by domain for user creation (instance security hardening)

  • Release version: Washingtondc
  • Updated February 1, 2024
  • Use the glide.user.trusted_domain property to specify the comma-separated list of trusted domains used in the creation of users from incoming emails.

    By default, an asterisk (*) is used to trust all domains. If you don't need to accept email from every domain, specify the domains to trust. The instance ignores incoming email from other domains unless it is from an existing user's address. The instance doesn't create guest users from email from untrusted domains.

    Prerequisites

    Before setting this property:
    • Set the glide.email.read.active property to true. To learn more, see Enable using your own POP3 server.
    • Set the glide.pop3readerjob.create_caller property to true. To learn more, see Enable automatic user creation.
      Note:
      Skip the glide.user.default_password property if the glide.pop3readerjob.create_caller property is set to false.
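
The following added example (not ServiceNow code and not part of the original page) models the filtering described above in plain JavaScript, so the effect of a given glide.user.trusted_domain value can be checked offline. The function names, the exact-match rule for domains, and the sample addresses are assumptions made for the illustration.

```javascript
'use strict';
// Added illustration of the behaviour described on this page; not ServiceNow code.
// Assumptions: exact, case-insensitive domain match (subdomains are not implied),
// and both prerequisite properties are already set to true.

// Normalize the comma-separated value of glide.user.trusted_domain.
function parseTrustedDomains(value) {
  return String(value == null ? '' : value)
    .split(',')
    .map((d) => d.trim().toLowerCase())
    .filter((d) => d.length > 0);
}

// Return the domain part of an address, or null if the address is malformed.
function senderDomain(address) {
  const s = String(address == null ? '' : address).trim().toLowerCase();
  const at = s.lastIndexOf('@');
  return at <= 0 || at === s.length - 1 ? null : s.slice(at + 1);
}

// Outcome for one inbound message: 'existing-user', 'create-user' or 'ignored'.
function classifyInbound(from, trustedValue, existingUsers) {
  const addr = String(from == null ? '' : from).trim().toLowerCase();
  if (existingUsers.has(addr)) return 'existing-user'; // accepted from any domain
  const domain = senderDomain(addr);
  const trusted = parseTrustedDomains(trustedValue);
  const ok = domain !== null && (trusted.includes('*') || trusted.includes(domain));
  return ok ? 'create-user' : 'ignored';
}

// Hardening review of the property value itself.
function auditTrustedDomains(value) {
  const findings = [];
  for (const d of parseTrustedDomains(value)) {
    if (d === '*') findings.push('wildcard: every sender domain is trusted');
    else if (/[@\s]/.test(d) || !d.includes('.')) findings.push('malformed entry: ' + d);
  }
  return findings;
}

// Constructed sample data.
const users = new Set(['alice@partner.example']);
const hardened = 'example.com, Example.org';
for (const from of ['bob@example.com', 'alice@partner.example', 'eve@spoofed.example']) {
  console.log(from, '->', classifyInbound(from, hardened, users));
}
console.log(auditTrustedDomains('*, user@example.com'));
```
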

    More information

    | Attribute | Description |
    | --- | --- |
    | Property name | glide.user.trusted_domain |
    | Configuration type | System Properties (/sys_properties_list.do) |
    | Configure in Instance Security Center | Yes |
    | Recommended value | Comma-separated list of trusted domains [Ex. servicenow.com (a specific domain name)]. |
    | Functional Impact | Once this property is configured, the instance only accepts emails from trusted domains. If you do not include the domain in the trusted list, there is an impact to guest users because accounts are created automatically. |
    | Security risk | (Medium) If the property is not enabled, an attacker might use an email spoofing/spamming campaign to send multiple emails resulting in the creation of more unnecessary guest users. |

    References

    Email properties

    Inbound mail configuration

    To learn more about adding or creating a system property, see Add a system property.