Avaya

Modular Messaging Help


Access mechanisms

Avaya Modular Messaging supports various access mechanisms, depending on the way it is configured. Modular Messaging provides added functionality including remote administration and desktop client access to mailboxes using Microsoft Outlook or a Web browser, by connecting to the customer’s LAN. If no LAN-based subscriber access is needed by the customer (no desktop e-mail clients), and if administration on only the console is acceptable, the system does not need to be connected to the customer's LAN.

If customers want remote LAN administration but want to prevent desktop GUI access, client IMAP4, POP3, and LDAP access can be disabled, either in the system configuration or through appropriate administration of an external firewall. From a security viewpoint, this locks down the system, but at a cost to the functionality and productivity benefits. In addition, the LAN connection is required if customers want to network Modular Messaging with other voice mail systems using Avaya Message Networking with the Avaya S3210 Message Server.

As with most voice mail systems, messages in user mailboxes are neither stored nor backed up in encrypted form, and customers should be aware of this. Therefore, Avaya recommends that customers take precautions to limit physical access to Modular Messaging and its backups.

TUI Access

Subscribers can access their mailboxes using the telephone user interface (TUI). For TUI access, Modular Messaging invokes a normal user IMAP4 login sequence with the MAS using the mailbox ID and password provided by the user. To enhance security, administrators should use the following methods:

  • Use minimum password length (6-15 characters)

  • Use password aging

  • Force password change during user’s first login

  • Ensure that checks for trivial passwords are always enabled. For example, users can never set the password to be the same as the mailbox ID.

Client LAN Access

E-mail clients

Users can access their mailboxes using e-mail clients that use the standard POP3 and IMAP4 protocols, such as Microsoft Outlook or Outlook Express. Modular Messaging with the S3400 Message Server uses the second Ethernet port on the MSS so that standard e-mail clients and Avaya-provided access clients can reach user mailboxes using standard protocols over the LAN. Modular Messaging supports SSL versions of the POP3, IMAP4 and SMTP protocols. Users can enable SSL encryption while setting up their e-mail accounts in standard e-mail clients. Without a secure connection, passwords are transmitted as plain text across the corporate LAN. Hackers can gain access to subscriber account passwords and use them to commit toll fraud. For maximum protection of passwords, follow the recommendations on using SSL encryption.

SSL Accelerators

Users should consider using e-mail clients that support password-encrypting login sequences for both protocols: APOP for POP3, and both CRAM-MD5 and DIGEST-MD5 AUTH for IMAP4. To raise the level of security further, and for customers who want messages to be encrypted while they are transported across the internal network, Avaya Modular Messaging supports the SSL versions of these protocols. You can control the use of the SSL versions of these protocols by setting a property in the e-mail account setup. Customers can also purchase or leverage inline SSL accelerators, such as the Avaya SSL100 solution or other commercially available SSL accelerators. These accelerators will encrypt both login information and message content in transit. For more information, see Avaya’s VPN & Security product portfolios at http://www.avaya.com.
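The APOP and CRAM-MD5 login sequences named above, shown from both the client and the server side. This is an added example, not part of the Avaya documentation or product code; the function names are illustrative, and the inputs are the test vectors published in RFC 1939 and RFC 2195 rather than values from a Modular Messaging system.

```python
import base64
import hashlib
import hmac

def apop_digest(greeting_timestamp: str, password: str) -> str:
    """RFC 1939 APOP: MD5 over the server's greeting timestamp followed by the shared secret."""
    return hashlib.md5((greeting_timestamp + password).encode()).hexdigest()

def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """RFC 2195 CRAM-MD5: base64("user " + hex(HMAC-MD5(key=password, msg=challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {mac}".encode()).decode()

def server_verify_cram_md5(response_b64: str, challenge_b64: str, secrets: dict) -> bool:
    """Server side: recompute the MAC from the stored secret and compare in constant time."""
    user, _, mac = base64.b64decode(response_b64).decode().partition(" ")
    if user not in secrets:
        return False
    expected = hmac.new(secrets[user].encode(),
                        base64.b64decode(challenge_b64), hashlib.md5).hexdigest()
    return hmac.compare_digest(mac, expected)

# Published RFC test vectors (constructed sample input, not real credentials).
APOP_TS = "<1896.697170952@dbc.mtview.ca.us>"
CRAM_CHALLENGE = base64.b64encode(b"<1896.697170952@postoffice.reston.mci.net>").decode()

if __name__ == "__main__":
    # POP3: the server greeting carries the timestamp; the client answers with a digest.
    print("S: +OK POP3 server ready", APOP_TS)
    print("C: APOP mrose", apop_digest(APOP_TS, "tanstaaf"))
    # IMAP4: the server issues a one-time challenge; the client returns a keyed MAC.
    resp = cram_md5_response("tim", "tanstaaftanstaaf", CRAM_CHALLENGE)
    print("C: A0001 AUTHENTICATE CRAM-MD5")
    print("S: +", CRAM_CHALLENGE)
    print("C:", resp)
    ok = server_verify_cram_md5(resp, CRAM_CHALLENGE, {"tim": "tanstaaftanstaaf"})
    print("S: A0001", "OK" if ok else "NO")
```

In both sequences only a digest bound to a per-session server value crosses the LAN, never the password itself. The message content that follows the login is not protected by these mechanisms, which is why the SSL versions of the protocols are still needed for that.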

Subscriber Options

Avaya also provides the Subscriber Options desktop utility. This program allows client users to self-administer changes to their password and general mailbox options over the LAN. When a password is set with Subscriber Options, the new password is transmitted to the MAS in encrypted format. The MAS then decrypts it and re-encrypts it using the Triple Data Encryption Standard (3DES) before sending it to the MSS. The MSS decrypts it and encrypts it using 3DES with a different key before storing it. For clients connected to Modular Messaging with the S3400 Message Server, the MSS requires SMTP user authentication to verify that the sender of a message is from within the domain. This feature ensures that spammers cannot send messages from the system.

LDAP access

Modular Messaging MSS provides an LDAP interface that can be used for accessing directory data. The LDAP version is the Simple Authentication and Security Layer (SASL) version, which allows authenticated access for adjuncts and anonymous access for end users. Adjuncts using LDAP transmit encrypted login credentials using the SASL mechanism.

Dial-up Modem Access

Modular Messaging servers provide dial-up modem access, which is used by Avaya services personnel for troubleshooting and maintenance. An MAS provides a modem for Remote Access Server (RAS) connectivity. This modem can be accessed only by users who are added to the Avaya services group. These access restrictions are regulated by Avaya. The MSS supports Secure Shell (SSH) for remote login access and SFTP file transfer over a LAN. Inbound and outbound Telnet and FTP are disabled on the MSS. All transmissions through this channel are encrypted using SSH.

The MSS also includes an onboard Remote Maintenance Board (RMB) that provides dial-up modem access to the Avaya services personnel. Access to this modem is controlled by the Access Security Gateway (ASG) that employs a challenge and response mechanism for authentication. ASG reduces the possibility of unauthorized remote access to the MSS. See Adjuncts for more information on ASG.

It is strongly recommended that customers invest in security adjuncts, which typically use one-time passcode algorithms. These security adjuncts discourage hackers. For more information on the Remote Maintenance Board (RMB), see Remote Maintenance Board (RMB) CYN23AP and CYN24AP PCI Version Release 1.0 Reference (585-310-263, pdf). This document is available to certified personnel through the Avaya Web site.

You can also set up a Point-to-Point Protocol (PPP) server for remote access to the MSS. PPP service can be configured to enable remote access for local and remote machines. Administrators must administer PPP logins and passwords for the system. PPP logins are mainly used for maintenance. See the Installation Guide (pdf) for more information on how to administer PPP logins.
