Using Email (Internet Messaging) and desktop
email clients with Modular Messaging (or any
other email server) presents certain security issues. Your company
is responsible for any damages that could arise as a result of the
use of Email (Internet Messaging) or desktop email clients. However,
you can administer your server to minimize these risks.
To minimize security risks, consider the following:
Warning!
Toll fraud is the theft of long distance service. When toll
fraud occurs, your company is responsible for charges. Call
Avaya's Customer Care Center at 1-800-643-2353 for more
information about how to prevent toll fraud.
Disabling POP3 and IMAP4 access
If you enable POP3 and IMAP4 on the system, be aware that the
standard (non-SSL) forms of both protocols send the subscriber's
login name and password over the network in the clear, where they
can be captured on the path to the server or simply guessed by
repeated login attempts. An attacker who obtains these credentials
can read the subscriber's messages or commit toll fraud through the
subscriber's mailbox. Use Internet Messaging only behind a corporate
firewall and restrict external Internet access to the POP3 and IMAP4
designated ports.
If your company is concerned about subscriber
login security, consider the following alternatives:
- Use the SSL versions of the POP3, IMAP4, and SMTP interfaces by
administering the appropriate ports on the Administer System Attributes and Ports page. Administrators must instruct subscribers
to configure their e-mail clients to use SSL. SSL protects the whole
session, including message contents, not only the login.
- Exclusively use email clients that support the POP3 APOP or IMAP4
CRAM-MD5 login mechanisms. These are challenge-response mechanisms:
the client sends a digest computed from a one-time server challenge
and the password, so the password itself never crosses the network
and a captured digest cannot be replayed against a later challenge.
They protect only the login, however; messages still travel in the
clear unless SSL is also used.
- Deploy Secure Sockets Layer (SSL) for POP3 and IMAP4 by using
an external SSL accelerator.
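As an added illustration of the difference between the plain login and the challenge-response options above (example code written for this page, not Avaya code; the user name, password, server name and POP3 greeting are constructed), the following Python shows three POP3 logins side by side: plain USER/PASS, APOP as defined in RFC 1939, and CRAM-MD5 as defined in RFC 2195 (IMAP4 AUTHENTICATE CRAM-MD5 and SMTP AUTH CRAM-MD5 use the same computation). Both the client and the server side are computed, so you can see that the server verifies the response from its own copy of the secret and that a captured response is useless against a fresh challenge.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed credentials and server name (not from the Avaya page).
USERNAME = "subscriber1"
PASSWORD = "correct horse battery"
SERVER = "mm.example.com"


def apop_timestamp(banner: str) -> str:
    """The <...> timestamp a POP3 server includes in its greeting when it offers APOP."""
    return banner[banner.index("<"):banner.index(">") + 1]


def apop_digest(timestamp: str, password: str) -> str:
    """APOP (RFC 1939): hex MD5 of the greeting timestamp followed by the shared secret."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def apop_client_command(banner: str, username: str, password: str) -> str:
    """Client side: the single APOP command replaces USER and PASS."""
    return f"APOP {username} {apop_digest(apop_timestamp(banner), password)}"


def apop_server_verify(banner: str, command: str, stored_password: str) -> bool:
    """Server side: recompute the digest from its own greeting and stored secret.
    The server must issue a different timestamp on every connection, otherwise
    a recorded digest could be replayed."""
    verb, _username, digest = command.split()
    if verb != "APOP":
        return False
    expected = apop_digest(apop_timestamp(banner), stored_password)
    return hmac.compare_digest(expected, digest)


def cram_md5_challenge(hostname: str) -> str:
    """Server side (RFC 2195): a challenge unique to this session, sent base64-encoded."""
    challenge = f"<{secrets.randbits(64)}.{secrets.randbits(32)}@{hostname}>"
    return base64.b64encode(challenge.encode()).decode()


def cram_md5_response(b64_challenge: str, username: str, password: str) -> str:
    """Client side: 'username HEX(HMAC-MD5(password, challenge))', base64-encoded."""
    challenge = base64.b64decode(b64_challenge)
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {mac}".encode()).decode()


def cram_md5_verify(b64_challenge: str, b64_response: str, stored_password: str) -> bool:
    """Server side: recompute the HMAC for the challenge it issued and compare in constant time."""
    try:
        _username, mac = base64.b64decode(b64_response).decode().rsplit(" ", 1)
    except ValueError:  # malformed base64, non-text bytes or no separating space
        return False
    challenge = base64.b64decode(b64_challenge)
    expected = hmac.new(stored_password.encode(), challenge, hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, mac)


def login_exchanges(username: str = USERNAME, password: str = PASSWORD) -> dict:
    """Return what actually crosses the network for each login style so the
    three can be compared. Each server-side check is asserted along the way."""
    wire = {}

    # 1. Plain POP3: the secret is on the wire verbatim.
    wire["USER/PASS"] = [f"C: USER {username}", f"C: PASS {password}"]

    # 2. APOP: the server greeting carries a per-connection timestamp (constructed here).
    banner = f"+OK POP3 server ready <1896.697170952@{SERVER}>"
    command = apop_client_command(banner, username, password)
    assert apop_server_verify(banner, command, password)
    wire["APOP"] = [f"S: {banner}", f"C: {command}"]

    # 3. CRAM-MD5 (IMAP4 AUTHENTICATE, also used by SMTP AUTH): fresh challenge per session.
    challenge = cram_md5_challenge(SERVER)
    response = cram_md5_response(challenge, username, password)
    assert cram_md5_verify(challenge, response, password)
    wire["CRAM-MD5"] = [f"S: + {challenge}", f"C: {response}"]
    return wire


def password_on_wire(messages: list, password: str = PASSWORD) -> bool:
    """Does the secret appear verbatim in any line of the exchange?"""
    return any(password in line for line in messages)


if __name__ == "__main__":
    for mechanism, lines in login_exchanges().items():
        print(f"{mechanism}: password visible on wire = {password_on_wire(lines)}")
        for line in lines:
            print("   ", line)
```

Running the block prints the three exchanges; only the USER/PASS one exposes the password. Note that the server can only verify APOP or CRAM-MD5 because it holds the shared secret itself, and that neither mechanism does anything for the message contents that follow the login, which is why the SSL options remain the stronger choice.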
Protecting against viruses
The ease with which messages can be broadcast
and transmitted over the Internet simplifies the distribution of
computer viruses. Enact a policy to ensure that subscribers check
incoming messages and files for viruses.
Another precaution, especially important if this is your company's
first email deployment, is a system-wide virus scanning application.
Such an application scans all incoming mail for viruses and intercepts
infected mail and files before they reach the subscriber.
Spoofing or sending email under a false
name
Although the originator of messages received
from Modular Messaging subscribers is authenticated, Internet email addresses
are not typically validated for identity. As a result, the identity
of the message sender is not guaranteed: the From: address and the
display name are simply whatever the sender chose to put there. Warn your subscribers not
to respond to messages from unverified sources, especially if the
message contains requests for private information or any form of
payment. The name and address of the machine that delivered a message to the
local server can be checked by reading the message's header information:
the Received: header that the local server itself added records the
connecting host. Received: headers below it were added by earlier hops
(or by the sender) and can be forged.
Note: A subscriber using a POP3 or IMAP4
email client in conjunction with their Modular Messaging mailbox may or
may not use this mailbox as their 'from' identity when sending
messages. If the subscriber does use this mailbox and uses
Modular Messaging as their outgoing email gateway, they must also
configure their client to provide authentication when sending
messages. Messages from subscribers are also accepted (without
authentication) from mail servers administered as trusted
servers. This configuration allows use of external email list
servers, which generally do not relay authentication information,
as well as centralized corporate email gateways.
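The header check described above, as an added example (written for this page, not Avaya code; the message, host names and addresses are constructed): it reads the Received: headers of a message, keeps only the hop that the local server itself recorded, and compares the host that handed over the message with the domain in the From: address. The local server name mm.example.com is an assumption.

```python
import email
import re
from email import policy, utils

# Constructed sample message (not taken from the Avaya page). The topmost
# Received: line is the one our own server, mm.example.com, wrote when it
# accepted the connection; the lines below it arrived inside the message and
# could have been written by the sender.
RAW_MESSAGE = b"""\
Received: from relay.example.net (relay.example.net [203.0.113.7])
\tby mm.example.com (Modular Messaging) with ESMTP id 4AB12C
\tfor <alice@example.com>; Mon, 3 Mar 2008 10:02:11 -0500
Received: from mail.bank-of-trust.example (unknown [198.51.100.9])
\tby relay.example.net with SMTP id 9F3D; Mon, 3 Mar 2008 15:01:58 +0000
From: "Account Services" <security@bank-of-trust.example>
To: alice@example.com
Subject: Please confirm your account details
Message-ID: <20080303150158.9F3D@mail.bank-of-trust.example>

Reply with your PIN to keep your account active.
"""

RECEIVED_RE = re.compile(
    r"\bfrom\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_received(value: str) -> dict:
    """Extract the 'from' host, the bracketed IP (if present) and the 'by' host
    from one Received: header. Continuation lines are unfolded first."""
    m = RECEIVED_RE.search(" ".join(str(value).split()))
    if not m:
        return {}
    ip_match = re.search(r"\[([^\]]+)\]", m.group("paren") or "")
    return {
        "from": m.group("helo"),
        "ip": ip_match.group(1) if ip_match else None,
        "by": m.group("by"),
    }


def delivering_host(raw: bytes, local_server: str) -> dict:
    """Return the hop recorded by our own server. Received: headers are read
    top-down because each MTA prepends its line, so the local server's entry
    is the first one whose 'by' host is ours; anything below it is untrusted."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for value in msg.get_all("Received", []):
        hop = parse_received(value)
        if hop.get("by", "").lower() == local_server.lower():
            return hop
    return {}


def sender_domain(raw: bytes) -> str:
    """Domain part of the From: address, which the sender controls entirely."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    address = utils.parseaddr(str(msg["From"]))[1]
    return address.rsplit("@", 1)[-1].lower()


def looks_unverified(raw: bytes, local_server: str) -> bool:
    """True when the host that handed us the message is not in the From: domain.
    A mismatch is a reason to treat the message with suspicion, not proof of
    spoofing: list servers and outsourced mail providers legitimately relay."""
    hop = delivering_host(raw, local_server)
    if not hop:
        return True  # no trustworthy hop recorded at all
    host = hop["from"].lower()
    domain = sender_domain(raw)
    return not (host == domain or host.endswith("." + domain))


if __name__ == "__main__":
    hop = delivering_host(RAW_MESSAGE, "mm.example.com")
    print("delivered by:", hop["from"], hop["ip"])
    print("From: domain:", sender_domain(RAW_MESSAGE))
    print("treat as unverified:", looks_unverified(RAW_MESSAGE, "mm.example.com"))
```

For the sample message the trusted hop is relay.example.net at 203.0.113.7, which has nothing to do with the bank-of-trust.example domain in From:, so the message is flagged. The second Received: line naming mail.bank-of-trust.example is ignored on purpose: it came in with the message and proves nothing.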
Disabling LDAP access
If you enable a non-SSL LDAP port on the Administer System Attributes and Ports page, anyone who can reach that port might be able to query the directory, obtain each
subscriber's email address, and then either directly send spam to
your subscribers or sell these addresses to other spammers. Allow
non-SSL LDAP access only if your subscribers will be using it in conjunction
with email client applications for "by name" addressing
or if you are using subscriber management products such as Mailbox
Manager or Avaya's ProVision software. If LDAP access is enabled, use SSL or
restrict external access to the LDAP port. Note that SSL protects LDAP
traffic from being read in transit; it does not by itself stop a client
that can connect and bind from searching the directory, so restricting
which networks can reach the port remains the stronger control. For more information
about enabling LDAP access, see Administering LDAP.
See Modular Messaging and security for more
information.