
Email Security

The UISO is often asked, "Is my email secure?" The answer is complex and multi-faceted. In fact, a complete study of the question would likely fill a bookshelf rather than just an article. This particular article will cover security issues concerning IU's email systems, the path a message takes from sender to recipient, and some closely related issues.

To begin with, a quick note on email protocols: We will be discussing three: SMTP, IMAP, and MAPI.

  • SMTP (Simple Mail Transfer Protocol) is the protocol used for sending email over the Internet. Unless you are using Outlook (discussed below) you will use SMTP to send outgoing email messages. SMTP is also used to transfer email between servers.
  • IMAP (Internet Message Access Protocol) is a protocol used for accessing email on a server from a client. IMAP is used for receiving email messages, as well as other actions like moving email messages between folders on the server.
  • MAPI (Messaging Application Programming Interface) is a proprietary Microsoft protocol for accessing email. Outlook users use MAPI both for accessing their email as well as sending outgoing email messages through the Exchange server.

Sending email off-campus

Standalone IMAP Clients

Starting with the example of Alice, an IU employee, sending an email message to Bob who works at an outside organization, let's examine where the message actually goes if Alice is using a standalone email client like Pine, Outlook Express, Netscape/Mozilla/Thunderbird, Eudora or Mac OS X Mail App, among others.

Alice <alice@iu.edu> composes a message to Bob <bob@foo.org>, and clicks send. Alice's email client has mail-relay.iu.edu configured as her SMTP server (Simple Mail Transfer Protocol). mail-relay.iu.edu requires authentication (SMTP-AUTH), so she has to type in her network id and password to send the message. mail-relay.iu.edu checks with kerberos.iu.edu, IU's KDC (Key Distribution Center), to make sure Alice is who she says she is, then accepts the message for delivery. mail-relay.iu.edu discovers that smtp.foo.org accepts mail for delivery to the foo.org domain, and sends the message there. In this scenario, Alice's computer does not need to be on IU's network. She could be anywhere.

There are security-related issues at every stage of the transaction. From most sources, mail-relay.iu.edu requires Kerberos authentication to be done over SSL (Secure Sockets Layer). SMTP-AUTH ensures that only authorized IU personnel can send mail through our mail relay. The SSL requirement ensures that the data communication -- the network transport -- is encrypted. Everything that is transmitted during that session, including Alice's network id and password as well as the content of her message, is encrypted, but only between her email client and mail-relay.iu.edu. From other email services like Webmail and Exchange, both described below, mail-relay.iu.edu accepts unencrypted, unauthenticated SMTP. This is because users have already authenticated securely to access those services.

mail-relay.iu.edu is the email message's exit point from IU's network. After that, IU has no control or influence over the security of the networks and systems the email travels through. Unless the content of the message is encrypted (see the "Email encryption" section below), it will leave IU's network as plain text, making it trivially easy for others to eavesdrop on it. Beyond the exit point, IU has no definitive knowledge of its delivery either, although error messages are usually returned if there is a problem.

Webmail

Webmail users would complete the above example email transaction essentially the same way. The only difference is that instead of using a standalone email client, they are using their web browser as a client of the webmail server, which is in turn acting as their email client.

IU webmail is available only over HTTPS (Hypertext Transfer Protocol Secure). This is an SSL-ized network transport, so again, everything during the session is encrypted, including the network id and password as well as the content of every message, but only between the web browser and the webmail server.

Exchange/Outlook

IU offers Microsoft Exchange accounts for faculty, staff, sponsored hourly employees and graduate students. Exchange includes an e-mail service, along with other services and features, such as calendaring, that have security issues of their own going beyond the scope of this article. Exchange is the name of the service, but Outlook, not to be confused with Outlook Express, is the name of the client application.

An Exchange user would complete the previous email transaction a little differently. The Exchange system authenticates Alice to ads.iu.edu rather than kerberos.iu.edu. Additionally, Alice sends her outgoing message to exchange.iu.edu, which then sends the message through mail-relay.iu.edu before it leaves IU's network.

Exchange users have the option to enable encrypted communication between their Outlook clients and the Exchange system. It is definitely advisable to enable this option, which is disabled by default. To enable it, click:

Tools ->
E-mail Accounts... ->
select View or change an account ->
click Next ->
select your Exchange account ->
click More Settings... ->
choose the Security tab ->
check the Encrypt check box.

Outlook Web Access (OWA)

The IU Exchange system also has a web front end called OWA, at https://www.exchange.iu.edu. This works in much the same way as IU webmail. Instead of using the standalone Outlook client, users' web browsers act as clients of the OWA server, which in turn acts as their Exchange client. OWA is also only available over HTTPS.

Sending email within IU

Standalone IMAP Clients

When Alice sends an email message to Jane, also an IU employee, the message is delivered within IU's network, although neither Alice's nor Jane's IMAP client needs to be on the IU network. They could be anywhere.

Alice <alice@iu.edu> composes a message to Jane <jane@iu.edu> and clicks send. mail-relay.iu.edu requires the same authentication as when she was sending to an external address. mail-relay.iu.edu discovers that Jane's mailbox is on imap.iu.edu, so the message is delivered there.

The message is eventually delivered to Jane when her email client checks for new messages in her inbox.

Exchange/Outlook

If both the sender and the recipient have their mailboxes on the Exchange server, the message is delivered internally and never leaves the Exchange environment.

Forwarding Email

IU offers the option of forwarding email to an outside provider like hotmail.com, yahoo.com, gmail.com or any other. If a user sets this up, all email sent to them at their IU address is then redirected to the outside provider, with mail-relay.iu.edu as the email message's exit point from IU's network. It should be noted again that IU can't control the security of these email messages after they leave the IU network. It's important to keep this in mind when sending email to IU recipients. The email could literally end up going anywhere.

Receiving email

Standalone IMAP Clients

Alice sends her email through mail-relay.iu.edu, but receives her email from imap.iu.edu, IU's IMAP server (Internet Message Access Protocol). imap.iu.edu requires Kerberos authentication, and is only available over IMAPS (Secure IMAP). IMAPS uses an SSL-ized network transport, so everything during the session is encrypted, including the network id and password as well as the content of the messages, but only between the email client and the IMAP server. imap.iu.edu does, however, allow plain IMAP from webmail.iu.edu, since the user must have already authenticated securely over an encrypted connection to get to webmail.

Exchange/Outlook

Exchange allows both encrypted and unencrypted connections from Outlook clients. As mentioned above, it is best to enable the encryption option.

Because of the prevalence of attacks against the Exchange servers themselves, not just Exchange users' email, IU's Exchange environment is accessible only from IU IP addresses. This means that if you are off-campus, you have three options: VPN, OWA or RPC over HTTPS.

You can establish a VPN connection (Virtual Private Networking) before connecting to Exchange. This has the added benefit of encrypting all of your network communication, not just your Exchange traffic, to the VPN server which acts as a secure network proxy. For more information about VPN, please refer to the related KB articles listed below.

If for some reason VPN is not an option, OWA is accessible from anywhere on the Internet as is RPC over HTTPS. For more information about configuring your Outlook client to use RPC over HTTPS, please refer to the related KB article listed below.

Email encryption

So far, our treatment of encryption has been exclusively related to the data communication on the network. Email messages hop through several hosts before being delivered to their final destination. Even requiring IMAP and SMTP over SSL/TLS on IU's email servers only guarantees an encrypted transport over part of the path taken by the message.
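The point that transport encryption covers only part of the path can be checked on a delivered message by reading its Received headers. The following is an added example, not part of the original article: the sample message is constructed (client.example.net, the IP addresses, IDs and timestamps are invented; the other host names come from the Alice-to-Bob scenario above), and it assumes each server records the RFC 3848 "with" protocol keyword.

```python
# Added example: report which delivery hops used TLS, read from the "with"
# protocol keyword of each Received header (keywords registered by RFC 3848).
import re
from email import message_from_string

TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA", "LMTPA", "LMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.S | re.I)

# Constructed sample. Host names follow the article's Alice-to-Bob scenario;
# client.example.net, the addresses, IDs and timestamps are invented.
SAMPLE = """\
Received: from mail-relay.iu.edu (mail-relay.iu.edu [192.0.2.10])
    by smtp.foo.org with ESMTP id CONSTRUCTED2
    for <bob@foo.org>; Mon, 1 Jan 2024 10:00:05 -0500
Received: from client.example.net (client.example.net [198.51.100.7])
    by mail-relay.iu.edu with ESMTPSA id CONSTRUCTED1
    for <bob@foo.org>; Mon, 1 Jan 2024 10:00:01 -0500
From: Alice <alice@iu.edu>
To: Bob <bob@foo.org>
Subject: constructed sample

Hello Bob
"""

def audit_hops(raw_message):
    """Return one dict per hop, ordered from the sender towards the recipient."""
    msg = message_from_string(raw_message)
    hops = []
    # Each server prepends its header, so the oldest hop is the last one.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(value)
        sender, receiver, proto = m.groups() if m else (None, None, "UNKNOWN")
        proto = proto.upper()
        hops.append({"from": sender, "by": receiver, "proto": proto,
                     "tls": proto in TLS_PROTOCOLS,
                     "auth": proto in AUTH_PROTOCOLS})
    return hops

def unprotected_hops(raw_message):
    """Hops where the receiving server did not record a TLS session."""
    return [(h["from"], h["by"]) for h in audit_hops(raw_message) if not h["tls"]]

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE):
        state = "TLS" if hop["tls"] else "no TLS recorded"
        print(f'{hop["from"]} -> {hop["by"]}: {hop["proto"]} ({state})')
```

Received headers are written by each receiving server, so entries added before the first server you trust can be forged, and a missing TLS keyword means only that no encrypted session was recorded.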

There is nothing inherently secure about the SMTP protocol. The only way to ensure end-to-end security is to encrypt the content of the message so that the intended recipient is the only person capable of opening and reading the message. There are two standards used for this: PGP (Pretty Good Privacy) and S/MIME (Secure Multipurpose Internet Mail Extensions). Please refer to the related KB articles listed below for more information regarding these techniques.

Spam, viruses, worms, phishing, etc.

Regardless of the great lengths taken to secure networks and services, the content of email messages often contains spam, viruses, worms, phishing attempts or other mechanisms to attack your security and privacy.

IU offers several remedies: an optional spam quarantine service, as well as licenses for anti-virus software available from IUware. Please refer to the related KB articles listed below for more information regarding these services.

Spammers continually work to improve their tactics in order to get their messages through spam filters. Don't be surprised when this happens. Certain types of spam appear legitimate, and will request personal information from you like your username and password, your bank account or social security number. You should never, under any circumstances, divulge personal identity information unless you are certain that the recipient of that information, be it through email or a web page, is indeed legitimate. This particular type of email attack has been termed phishing.

Local attacks

Not only can email be vulnerable to attack during transport, but also while it is stored on your workstation's hard disk and memory. All standalone email clients store files and configuration settings on your workstation's hard disk and memory. This may or may not include email messages, but usually contains metadata on mailboxes and messages, as well as information about your email accounts. For this reason, among many others, it is critically important to ensure that your local workstation and accounts are secured from other users locally as well as other computers on the network. This topic goes far beyond the scope of this article, but there is a lot of good information on the UISO website as well as the IU Knowledge Base.

Conclusion

Email is one of the oldest and most widely utilized Internet services. If it is to remain a trusted form of communication, it needs to be kept secure and private. IU goes to great lengths to ensure the security of its networks and IT services, but there are many possible attack vectors. The UISO is available to respond to and investigate incidents related to misuse or abuse of IU IT resources, including email. If you feel like your email account may have been compromised or is being abused, don't hesitate to contact the UISO. Information on reporting incidents as well as general contact information can be found here: Report an Incident.

In conclusion, your email should be reasonably secure if you show due diligence by taking a few measures that are mentioned in this article, including:

  • Utilize IU's spam quarantine service.
  • Install anti-virus software and keep your virus definitions updated.
  • Enable optional security settings whenever available.
  • Keep your local workstations and accounts secure.
  • If you must send email that contains sensitive information, do so only within PGP or S/MIME encrypted messages to trusted parties.

Further Reading: Related KB Articles: