Although e-mail is an integral part of modern business, it still relies on insecure transport protocols that were designed before anyone could predict how important e-mail would become. However, network administrators can find some security and privacy assurance in the Transport Layer Security
TLS is a variation of the tried-and-true Secure Sockets Layer (SSL) protocol that we use to protect Web traffic. Using TLS to encrypt communications between two e-mail gateways has a number of security benefits. First, each mail server authenticates to the other, making it harder to send spoofed e-mail. Second, the contents of the e-mails sent between the two servers are encrypted, protecting them from prying eyes while in transit. Finally, the encryption of the conversation between the two hosts makes it exceedingly difficult for an attacker to tamper with the e-mail's contents. TLS is certainly no panacea, but it can add an additional layer of security to your e-mail infrastructure without too much fuss.
Here are five steps to help you get started:
- Understand the limits of TLS when compared to other forms of e-mail encryption (like PGP and S/MIME). TLS protects the connection from your gateway to the first destination gateway. If there are intermediate hops when mail is forwarded from one gateway to another, the protection afforded by TLS is lost after the first hop. For example, TLS is a good choice for two businesses that communicate frequently as long as both gateways communicate directly.
- Make sure the organization on the other end of the connection is able and willing to set up TLS. Like many things in life, encryption is no fun alone. If your gateway is configured to use TLS, but the recipient's is not, e-mail traffic to that destination will be transmitted without authentication or encryption.
- Get a digital certificate to identify your e-mail server. While you can create your own self-signed certificate, using a cert issued by a trusted organization will make it easier for e-mail partners to trust your server's identity.
- Configure your e-mail gateway to support TLS connections with hosts that are TLS capable. This will mean granting the gateway access to your new certificate. If you are using Sendmail, you can find a clear discussion on how to set up the gateway at http://www.sendmail.org/~ca/email/starttls.html. Postfix users can consult http://www.postfix.org/TLS_README.html and Microsoft Exchange users can find information at http://support.microsoft.com/default.aspx?scid=kb;en-us;829721.
- Educate your users to recognize the presence or absence of the e-mail header that tells them an e-mail came in over a TLS connection. The following is an example of the received header from a message sent via TLS:
Received: from mail.uexport.com (mail.uexport.com[192.168.1.1]) by mail.lint.com(8.12.9/8.12.9) with ESMTP id h0UGn9P7001230 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=OK) for
; Sun 17 Jul 2005 15:39:10 -0500.
The portion of the header in bold type indicates the message came in with 168 bit DES encryption from a server that presented a valid certificate.
Once you have implemented TLS on your mail server, you can also use it to address other mail-related issues, such as who has permission to relay mail through your server and which mail servers are allowed to connect to yours.
Although TLS is not perfect and it addresses only some of e-mail's security problems, it is a good e-mail security option that is based on non-bleeding edge technology. If your concerns about e-mail transfers fit the point-to-point model that TLS addresses, it can be an excellent way to add security to your e-mail.
About the Author
Al Berg, CISSP, CISM is the Director of Information Security for Liquidnet (www.liquidnet.com). Liquidnet is the leading electronic venue for institutional block equities trading. According to INC. magazine in 2004, Liquidnet was the fastest growing privately held financial services company in the US and the 4th fastest growing privately held company in the US across all industries.
This was first published in July 2005