Preventing local email addresses from leaking

Russell Fulton r.fulton at auckland.ac.nz
Fri Dec 5 00:27:57 GMT 2003


Hi All,
	We maintain email aliases for all staff (and soon all students) on
campus.  We have a unique ID (UPI for Unique Public Identifier) which we
use for our central authentication system and many email system use UPI
for mail box names.  Our mail system rewrites outbound email to
<alias>@auckland.ac.nz so the UPI is generally hidden.

There are however circumstances where email bounces contain the actual
mail box name so there is some 'leakage' of UPIs.

Lastly the NZ privacy laws prohibit the publication of of people's
unique identifiers so as to guard against data matching by third
parties.  I'm pretty sure that what the legislator had in mind was
wholesale publication, not accidental leakage but the lawyers are
cagey.  We will ignore the issue that email alias is another unique
identifier, as are phone numbers, etc, etc...

One way of dealing with this is to decouple the authentication ID from
the mailbox name (This is straight forward with Exchange but we are
still investigating how to do it with cyrus IMAP -- cyrus was designed
assuming such things would be handled via IMSP, but almost no clients
support IMSP :( ). 

Another approach would be to try and grab all bounce messages and post
process them to rewrite addresses.  This is difficult and error prone. I
have told our management (loudly) that there is no we we can completely
stop the leakage mailbox names.

There is another issue with leakage of UPIs to the outside world and
that is the belief that some hold that the login name is part of the
security credentials.  Aside: I was taught (a long ago ;) that the login
name should be considered public information and that it was not part of
the authentication credentials but most modern texts don't take this
view.

So, finally, a couple of questions:

How do other institutions that use central authentication system view
the leakage of login names and internal email addresses?  If you do take
measures to prevent leakage then how do you do it? 

Cheers, Russell

-- 
Russell Fulton                                    /~\  The ASCII
Network Security Officer                          \ /  Ribbon Campaign
The University of Auckland                         X   Against HTML
New Zealand                                       / \  Email!




More information about the unisog mailing list