Value-added resellers (VARs) and consultants can provide customers with email security and privacy assurance using the Transport Layer Security encryption and authentication protocol. This tip, reposted courtesy of SearchSecurity.com, explains
how to prepare customers for TLS.
Although email is an integral part of modern business, it still relies on insecure transport protocols that were designed before anyone could predict how important email would become. However, network administrators can find some security and privacy assurance in the Transport Layer Security (TLS) encryption and authentication protocol.
TLS is a variation of the tried-and-true Secure Sockets Layer (SSL) protocol that we use to protect Web traffic. Using TLS to encrypt communications between two email gateways has a number of security benefits. First, each mail server authenticates to the other, making it harder to send spoofed email. Second, the contents of the emails sent between the two servers are encrypted, protecting them from prying eyes while in transit. Finally, the encryption of the conversation between the two hosts makes it exceedingly difficult for an attacker to tamper with the email's contents. TLS is certainly no panacea, but it can add an additional layer of security to your email infrastructure without too much fuss.
Here are five steps to help you get started:
- Understand the limits of TLS when compared to other forms of email encryption (like PGP and S/MIME). TLS protects the connection from your gateway to the first destination gateway. If there are intermediate hops when mail is forwarded from one gateway to another, the protection afforded by TLS is lost after the first hop. For example, TLS is a good choice for two businesses that communicate frequently as long as both gateways communicate directly.
- Make sure the organization on the other end of the connection is able and willing to set up TLS. Like many things in life, encryption is no fun alone. If your gateway is configured to use TLS, but the recipient's is not, email traffic to that destination will be transmitted without authentication or encryption.
- Get a digital certificate to identify your email server. While you can create your own self-signed certificate, using a cert issued by a trusted organization will make it easier for email partners to trust your server's identity.
Configure your email gateway to support TLS connections with hosts that are TLS capable. This will mean granting the gateway access to your new certificate. If you are using Sendmail, you can find a clear discussion on how to set up the gateway at Sendmail.org. Postfix users can consult Postfix.org and Microsoft Exchange users can find information at Support.Microsoft.com.
- Educate your users to recognize the presence or absence of the email header that tells them an
email came in over a TLS connection. The following is an example of the received header from a
message sent via TLS:
Received: from mail.uexport.com (mail.uexport.com[192.168.1.1]) by mail.lint.com(8.12.9/8.12.9) with ESMTP id h0UGn9P7001230 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=OK) for
; Sun 17 Jul 2005 15:39:10 -0500.
The portion of the header in bold type indicates the message came in with 168 bit DES encryption from a server that presented a valid certificate.
Once you have implemented TLS on your mail server, you can also use it to address other mail-related issues, such as who has permission to relay mail through your server and which mail servers are allowed to connect to yours.
Although TLS is not perfect and it addresses only some of email's security problems, it is a good email security option that is based on non-bleeding edge technology. If your concerns about email transfers fit the point-to-point model that TLS addresses, it can be an excellent way to add security to your email.
About the Author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (Liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.
This tip originally appeared on SearchSecurity.com.
This was first published in November 2006