[unisog] Forwarding email and security.

Stasiniewicz, Adam stasinia at msoe.edu
Mon Dec 5 22:52:28 GMT 2005

We have the following instructions for using Exchange rules published on
our website: http://ccsd.msoe.edu/faq/email.jsp?IDFaq=159.  

We have explored using "contact" objects and the settings in ADUC to
forward emails (so it can be done programmatically) but we have higher
development priorities so we have not gotten there yet.

As for security: I would estimate 75% of our email traffic is
non-academic/non-university business related.  So putting a policy
limiter on outgoing emails would cause too much of a hassle for our end
users.  We do try to tell the staff not to send out confidential
information via email (even internal email) and I have to say they do a
good job of following the rule, but any comments to the faculty/students
always fall on deaf ears.

As for the security issues that might arise: 
1. Like all unencrypted traffic, it could be intercepted.  Outlook (in
Exchange mode) does have an option to encrypt all traffic.
2. You lose control of what servers the mail will reside on, and as such
you can't validate the integrity of the server admin from reading a
user's email.
3. You cannot control the password policy of the outside email server,
so allowing for someone to easily guess the password and download the
end user's password.

Hope that helps,
Adam Stasiniewicz 
Computer and Communication Services Department 
Milwaukee School of Engineering

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Cary, Kim
Sent: Monday, December 05, 2005 4:23 PM
To: unisog at lists.sans.org
Subject: [unisog] Forwarding email and security.

I've been asked to find out how other schools allow end-users to forward
their email to external accounts (in our case, Exchange2k3 is the back
-- if anyone is doing this with Exchange2k3 I'd love a quick "how to"

Given that task, I've also heard that autoforwarding email to external
accounts is a security issue. Does anyone have any policy or technical
safeguards to share related to that problem?
