[unisog] Secure EMail System

Valdis.Kletnieks at vt.edu
Wed Oct 30 15:53:21 GMT 2002

On Wed, 30 Oct 2002 20:00:18 +0800, "kamalho at pd.jaring.my" <kamalho at pd.jaring.my>  said:
> Hi
> Has anyone come across building a secure email system?
> I'm looking for pointers / suggestions on managing and using secure SMTP
> and secure POP3.

First, decide what you mean by "secure" - devise a "threat model" that lists
what you expect to be able to protect against, and what you are NOT going
to protect against.  Things to consider:

1) "secure smtp" - I assume you mean STARTTLS support.  This is a Good Thing,
except that in my experience only some 5-6% of hosts support it, so you can't
usually rely on the authentication-via-certificate support except in a closed
environment.  Also, remember that STARTTLS is only securing things on a
hop-by-hop basis - data is still stored in cleartext on the servers.  If that
is a concern, look at deploying PGP or S/MIME. (Note that personally, I set
up STARTTLS with a self-signed certificate if I have to, just to enable the
opportunistic encryption - I consider it a donation to fighting things like
Echelon - if only critical data is encrypted, the fact it's encrypted is a
big flag for adversaries.  If mundane stuff is encrypted too, traffic analysis
becomes a lot more challenging).

2) If you do a lot of POP, you'll want to be using some sort of hardware SSL
accelerator (at least at our site, we have a lot more POP checks than
SMTP connections, so an accelerator is more important there).

3) You should *definitely* close down open relaying of mail, and only allow
injection of mail after a successful SMTP AUTH or similar.

4) You'll have to decide for yourself what amount of effort you want to put
into preventing your users from sending spam/etc.  If your users are mostly
well-behaved, just having a policy preventing it and a hefty piece of lead
pipe for the offenders may be sufficient. ;)

5) You probably want to look at doing some sort of virus-scanning on the
mail hub if you aren't already doing it.  Do *NOT* assume that this means
you don't have to do it on the desktops too - this is IN ADDITION to doing
it on the desktop.  If feasible, you would probably want to do the hub scanning
with a different vendor's product than you use on the desktops.

				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
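An added example, not part of the post above or of any of the software it mentions: an offline model of the receiving side of an SMTP session that ties points 1 and 3 together. It advertises STARTTLS, resets session state after STARTTLS as RFC 3207 requires, refuses AUTH PLAIN until TLS is active (my assumption as a hardening step, since PLAIN otherwise sends the password in the clear), and relays to non-local domains only after a successful AUTH. The hostname, domain, user and password are constructed for the example; there is no socket or real TLS handshake, only the policy decisions a mail hub makes at each step.

```python
"""Offline SMTP relay-policy model: STARTTLS advertised, AUTH gated on TLS,
relay permitted only for local domains or authenticated senders.
Example code written for this page; all names and credentials are constructed."""
import base64
import hmac

SERVER_NAME = "mail.example.edu"            # constructed
LOCAL_DOMAINS = {"example.edu"}             # constructed: domains we accept mail for
USERS = {"alice": "correct horse"}          # constructed: AUTH PLAIN credentials


def plain_credential(user, password):
    """Encode an AUTH PLAIN initial response: base64("\\0user\\0password")."""
    return base64.b64encode(f"\0{user}\0{password}".encode()).decode()


class SmtpPolicy:
    """One client session; handle() returns the server reply for a command."""

    def __init__(self):
        self.tls = False
        self.user = None
        self.sender = None
        self.rcpts = []

    def handle(self, line):
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            exts = [f"250-{SERVER_NAME}"]
            # STARTTLS is offered only before TLS; AUTH only after it.
            exts.append("250-AUTH PLAIN" if self.tls else "250-STARTTLS")
            exts.append("250 OK")
            return "\r\n".join(exts)
        if verb == "STARTTLS":
            if self.tls:
                return "503 TLS already active"
            self.tls = True          # handshake itself is out of scope here
            self.user = None         # RFC 3207: session state resets after STARTTLS
            self.sender, self.rcpts = None, []
            return "220 Ready to start TLS"
        if verb == "AUTH":
            if not self.tls:
                return "530 Must issue a STARTTLS command first"
            mech, _, blob = arg.partition(" ")
            if mech.upper() != "PLAIN":
                return "504 Unrecognized authentication type"
            try:
                _, user, pw = base64.b64decode(blob).decode().split("\0")
            except ValueError:
                return "501 Syntax error in parameters"
            if user in USERS and hmac.compare_digest(USERS[user], pw):
                self.user = user
                return "235 Authentication successful"
            return "535 Authentication credentials invalid"
        if verb in ("MAIL", "RCPT"):
            if ":" not in arg:
                return "501 Syntax error in parameters"
            addr = arg.split(":", 1)[1].strip("<> ")
            if verb == "MAIL":
                self.sender = addr
                return "250 OK"
            domain = addr.rpartition("@")[2].lower()
            # Relay decision: local delivery is always fine; anything else
            # needs an authenticated user. This is what closes the open relay.
            if domain in LOCAL_DOMAINS or self.user is not None:
                self.rcpts.append(addr)     # queued in cleartext on the hub
                return "250 OK"
            return "554 5.7.1 Relay access denied"
        return "500 Command unrecognized"


def run_session(commands):
    """Feed a list of client commands to one session; return the replies."""
    session = SmtpPolicy()
    return [session.handle(c) for c in commands]


if __name__ == "__main__":
    dialogue = [
        "EHLO client.example.net",
        "MAIL FROM:<alice@example.edu>",
        "RCPT TO:<eve@example.org>",          # relay attempt: denied
        "STARTTLS",
        "EHLO client.example.net",
        "AUTH PLAIN " + plain_credential("alice", "correct horse"),
        "MAIL FROM:<alice@example.edu>",
        "RCPT TO:<eve@example.org>",          # same relay, now authenticated
    ]
    for cmd, reply in zip(dialogue, run_session(dialogue)):
        print(f"C: {cmd}\nS: {reply}")
```

Running it prints the dialogue twice over: the unauthenticated RCPT to a foreign domain gets "554 5.7.1 Relay access denied", and the same RCPT after STARTTLS and AUTH gets "250 OK". The comment on the accepted RCPT is the hop-by-hop caveat from point 1: TLS protected the submission, but the queued message sits on the hub unencrypted unless the user applied PGP or S/MIME.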

