Avaya

Modular Messaging Help


Email (Internet Messaging) security issues

Using Email (Internet Messaging) and desktop email clients with the Avaya™ S3400 Message Server (or any other email server) presents certain security issues. Your company is responsible for any damages that could arise as a result of the use of Email (Internet Messaging) or desktop email clients. However, you can administer your server to minimize these risks.

To minimize security risks, consider the following:

Warning!
Toll fraud is the theft of long distance service. When toll fraud occurs, your company is responsible for charges. Call Avaya's Customer Care Center at 1-800-643-2353 for more information about how to prevent toll fraud.

Disabling POP3 and IMAP4 access

On the General Options and Settings page, if the POP3 and IMAP4 enabled fields are set to Yes, hackers could determine a subscriber's login name and password, and then access the subscriber's messages or commit toll fraud through the subscriber's mailbox. Use Internet Messaging only behind a corporate firewall, and restrict external Internet access to the designated POP3 and IMAP4 ports.

If your company is concerned with subscriber login security, consider the following alternatives:

  • Disable the POP3 and IMAP4 interfaces by selecting No on the General Options and Settings page.
  • Exclusively use email clients such as Qualcomm's Eudora client that support the POP3 APOP or IMAP4 CRAM-MD5 (encrypted password) login mechanisms.
  • Deploy Secure Sockets Layer (SSL) for POP3 and IMAP4 by using an external SSL accelerator. Current products on the market include SSL100 Accelerator by Avaya.

Protecting against viruses

The ease with which messages can be broadcast and transmitted over the Internet simplifies the distribution of computer viruses. Enact a policy to ensure that subscribers check incoming messages and files for viruses.

Another precaution, especially important if this is your company's first email deployment, is a system-wide virus scanning application. These applications scan all incoming mail for viruses and intercept infected mail and files before they reach the subscriber. Current examples include:

  • Interscan Virus Wall by Trend Micro
  • Webshield products by McAfee
  • Antivirus for Gateways by Norton
  • eSafe Gateway by Aladdin

Spoofing or sending email under a false name

Although the originator of messages received from subscribers of the S3400 is authenticated, Internet email addresses are typically not validated for identity. As a result, the identity of the message sender is not guaranteed. Warn your subscribers not to respond to messages from unverified sources, especially if the message contains requests for private information or any form of payment. The name of the machine that delivered a message to the local server can be checked by reading the message's header information.
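The header check described above, as an added example that is not part of the Avaya documentation: it finds the Received line written by the local server and reports which machine handed the message over. The helper name delivery_report, the sample message, and the host name mss.example.com are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message; every host name and address is a placeholder.
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.25])\n"
    "\tby mss.example.com with ESMTP id ABC123;\n"
    "\tMon, 1 Jan 2024 10:00:00 +0000\n"
    "Received: from workstation (unknown [198.51.100.7])\n"
    "\tby mail.example.net with SMTP; Mon, 1 Jan 2024 09:59:58 +0000\n"
    'From: "Accounts" <billing@bank.example>\n'
    "Subject: Please confirm your payment details\n"
    "\n"
    "body\n"
)

# "from <announced name> (<detail>) by <receiving host>" in one Received header.
HOP = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<detail>[^)]*)\))?\s+by\s+(?P<by>[^\s;]+)", re.I)
IP = re.compile(r"\[([0-9A-Fa-f:.]+)\]")


def delivery_report(raw, local_server):
    """Report which machine delivered the message to local_server (hypothetical helper)."""
    msg = message_from_string(raw, policy=policy.default)  # unfolds wrapped headers
    for value in msg.get_all("Received", []):  # newest hop is listed first
        m = HOP.search(str(value))
        # Only the line stamped by our own server is trustworthy; lines below it
        # were supplied by the sending side and can be forged.
        if not m or m.group("by").lower() != local_server.lower():
            continue
        ip = IP.search(m.group("detail") or "")
        helo = m.group("helo").lower()  # name the sender announced, not verified
        addr = parseaddr(str(msg.get("From", "")))[1]
        domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
        return {
            "delivered_by": helo,
            "ip": ip.group(1) if ip else None,  # address the local server recorded
            "from_domain": domain,
            # A mismatch is a hint, not proof: gateways and list servers cause it too.
            "from_matches_host": bool(domain)
            and (helo == domain or helo.endswith("." + domain)),
        }
    return None  # no Received line from the local server was found


if __name__ == "__main__":
    print(delivery_report(SAMPLE, "mss.example.com"))
```
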

Note: A subscriber using a POP3 or IMAP4 email client in conjunction with their S3400 mailbox may or may not use this mailbox as their 'from' identity when sending messages. If the subscriber does use this mailbox and uses the S3400 as their outgoing email gateway, they must also configure their client to provide authentication when sending messages. Messages from subscribers are also accepted (without authentication) from mail servers administered as trusted servers. This configuration allows use of external email list servers, which generally do not relay authentication information, as well as centralized corporate email gateways.

Disabling LDAP access

On the General Options and Settings web-based administration page, if the LDAP enabled field is set to Yes, spammers could obtain each subscriber's email address and then either send spam directly to your subscribers or sell these addresses to other spammers. Allow LDAP access only if your subscribers will be using it in conjunction with email client applications for "by name" addressing or if you are using subscriber management products such as Mailbox Manager or Avaya's ProVision software. If LDAP access is enabled, restrict external access to the LDAP port. For more information about enabling LDAP access, see LDAP directory.

 
