The first thing to look at in the realm of email protection is what's available in your email client, the program you use to read your email.

Filtering Junk Mail

If your client has built-in junk mail detection and filtering, turn it on. In the case of the Apple Mail application, choose Mail > Preferences, and look at the options available on the Junk Mail tab.
First check that "Enable junk mail filtering" is selected. Then, for a period of time (which will vary depending on the amount of mail, and spam, you receive), train your junk mail filter by having it leave all mail in your inbox but indicate any messages it considers junk mail. You can then confirm that a message is junk mail, or you can mark it as acceptable. Eventually, the junk mail filter will become more accurate.

Tip: To reduce the amount of spam you receive, create two email addresses. Give one email address only to people you know, and use the other as a "throwaway" address that you give to companies when you make online orders, post to message boards, and engage in other less direct communication.

Protecting Your Company Email

The Apple Mail application also provides a unique layer of security that can protect you from sending confidential information outside of your company.
In the Composing tab, select "Mark addresses not in this domain." From then on, any time you're composing a message to a recipient outside of your company's domain name, the recipient's address will be flagged in a different color.

Using Parental Controls

Apple also includes a feature geared toward protecting children by providing a list of approved email addresses with which the child can exchange messages. To access this feature, open System Preferences, click the Accounts pane, and select a user. Inside the Parental Controls tab for that user, click Configure, which brings up a window containing a list of approved email addresses, along with a permissions email address to which unapproved email is sent first.
Although this feature is intended for parents managing their children's activities, a small company may also use it to limit email communications to the small group of individuals its people need to correspond with to fulfill the duties of their jobs.

Protecting Email From Prying Eyes

When it comes to the security provided by your mail client, there are many different options you can set. Each option increases the security of your email communications through different means of password hashing and encryption. This is especially important if you are reading and sending email over a wireless or any other unsecured link. Email traffic, like most Internet traffic, is unencrypted by default and easily monitored by anyone on the same wireless or insecure network.

Keep in mind that email uses two separate communication channels: one for retrieving messages and one for sending messages. These two channels are configured separately and offer differing levels of security.

One thing that is often confused with respect to mail client security is what you're actually trying to protect. It's important to draw the distinction between protecting your password and protecting the content of the email message body. Ideally, you'd want everything encrypted, but some email service providers don't offer a fully encrypted service.

When you're setting up a new email account in Apple's Mail application, you're given the option to set your incoming mail security. The best thing you can do is to use Secure Sockets Layer (SSL) if your email service provider supports it. This is the same strong encryption used by secure websites for protecting your credit card information during an online purchase. Using SSL for your incoming mail encrypts both the password you send when logging in to your email and the email messages themselves as they are downloaded from the mail server.
The Apple Mail application also provides alternative ways to authenticate to the email service. Although Mail supports many different types, your email service provider may not. These options range from simple password authentication, where your password is sent directly to the email server, to various forms of hashed passwords, to Kerberos authentication, which uses a number of two-way ticket exchanges to authenticate you without ever sending your password to the server.

As mentioned before, this protects only one side of your email communication: retrieving messages from the server. You'll also want to protect the email being sent from your computer. Unfortunately, many email providers don't support SSL encryption for your outgoing mail, but if it is available, use it. The Apple Mail application doesn't offer you the option to enable SSL for outgoing mail when creating your account, but you can get to it by choosing Mail > Preferences and looking at the Accounts tab. Select your account in the left frame and click the Server Settings button. After the new window appears, select the Use Secure Sockets Layer (SSL) checkbox, assuming your email provider supports it. Some email providers also require you to authenticate yourself when sending messages through their servers. If this is required, your account information is entered in the same window.

Tip: Not all email providers support SSL. Often, however, an email provider supports SSL but doesn't tell you about it for fear of increased support costs. If you're not already using SSL, try turning it on. If you're still able to connect to your inbox, your email and account information will be much safer now that they're encrypted. If you can no longer connect to your inbox, then your email provider probably doesn't support SSL, so simply deselect the Use Secure Sockets Layer (SSL) box and everything will be working again.
Using Mail Certificates

Many computer viruses spread because people generally trust that an email is from the person it says it's from. In reality, it's incredibly easy to forge the From line of an email through a practice known as spoofing. There is, however, a nearly fail-safe method for you to prove to others that your email actually came from you: using certificates. In order to use certificates, you create what is known as a certificate-key pair, comprised of private and public keys and a public certificate. Next, you send your certificate to all of your friends and coworkers, and publish it on your website, in online directory entries, and so on. When you create an email message with the Apple Mail application, it will be digitally signed using your certificate-key pair. When the recipient opens your message, his or her computer will use the certificate you sent earlier to verify the integrity of the digital signature, which proves not only that you sent the message, but also that the message has not been modified by a third party.

Certificate transactions involve at least two pieces: a public part, which everyone sees, and a private part, which you should keep very secure. A matching public certificate and private key are created at the same time. They are created using a complex mathematical method that yields a pair with a unique property. Something encrypted with the private key can be decrypted only using the corresponding public certificate (this is what a digital signature relies on). Likewise, and much more commonly, something encrypted with the public certificate can be decrypted only using the private key. This one-way encryption/decryption is what makes certificates, and SSL in general, very secure. Anyone can encrypt something for you with your public certificate, but only you can decrypt it, since only you have the matching private key.
Since you must be in possession of the private key to decrypt it, and since that private key is often itself encrypted with a password, certificate-based encryption is one of the best methods for highly secure transactions.

Using SSL Certificates With Mac OS X Server

Mac OS X Server can use certificates to send and receive mail. The mail services look for the certificates in the following locations:
Further SSL configuration is possible through the config files for Cyrus and Postfix, /etc/imap.conf and /etc/postfix/main.cf, respectively.

Note: Postfix requires that the key and the certificate are both in the same file. Additionally, Cyrus requires that the server certificate be accessible to the mail user, so permissions on the file have to be modified to allow the user mail to read it. Both Cyrus and Postfix require passphrase-free keys and certificates.

SSL allows you to encrypt your data so that it's passed securely. Keep in mind, though, that if you encrypt everything, SSL adds a performance hit to your server and client: the server will have to encrypt the data and the client will have to decrypt it. Depending on the size of the encryption key, that process can add to your server and client load. Whether to use SSL with IMAP vs. POP is a performance consideration. POP downloads all of the user's email at once and thus will require heavy use of the CPU for a short period. IMAP, on the other hand, maintains a constant connection to the server and will thus place a steady load on it. It's best to analyze the server load using log analysis tools combined with CPU usage to understand the implications of enabling SSL for POP and IMAP on your server.

Certificate Renewal

If you choose to obtain a certificate from VeriSign and use that certificate for your email server, you will go through the following steps:
Create a Certificate

In order for a certificate to be valid, it must be signed. Normally this is done by generating a certificate signing request (CSR) after you've created your key pair and sending it to a recognized certificate authority (CA). The certificate backing that CA is present on every computer, and once your certificate is signed by that CA, it will be recognized as valid on everyone's computer as well. Getting an officially signed certificate often costs money, but because the market is constantly changing, visit the websites of popular certificate authorities; they may offer personal email certificates for free or at a very low cost for noncommercial uses. For the purposes of this exercise, we'll show you how to create and sign a certificate that, although it won't be officially signed, will demonstrate the processes involved.
Now that you've created your certificate authority for the computer, you'll use it to sign a certificate that's associated with you directly.
Now, to see if it all worked:
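The local-CA procedure above, and the key-file requirements from the Postfix and Cyrus note, carried out with the openssl command-line tool. This is an added example, not the book's own steps: it builds a private CA, signs a personal certificate and a server certificate with it, bundles the server key and certificate into the single file Postfix expects, and checks that the result verifies and that the key has no passphrase. Every name, path and subject in it is made up.

```shell
# Added example, not the book's own steps: build a private CA with the openssl
# command-line tool, sign certificates with it, and prepare the key file the way
# the Postfix and Cyrus notes above require. Every name and path is made up.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: an empty DN section (the name comes from -subj) plus
# the extensions that mark the CA certificate as a CA.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/req.cnf"

# 1. Create the local certificate authority (self-signed, valid 10 years).
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/ca.key" -config "$WORK/req.cnf" -days 3650 \
    -subj "/O=Example Co/CN=Example Local CA" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Issue a certificate signed by that CA: $1 = file stem, $2 = subject.
#    genrsa without -des3 leaves the key passphrase-free, as Cyrus/Postfix need.
issue_cert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -config "$WORK/req.cnf" -subj "$2" \
    -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# 3. Postfix wants key and certificate in one file; it holds the private key,
#    so make it readable by its owner only (on a real server, chown it too).
make_postfix_bundle() {
  cat "$WORK/$1.key" "$WORK/$1.crt" > "$WORK/$1-combined.pem"
  chmod 600 "$WORK/$1-combined.pem"
}

# Exit status 0 if certificate $1 chains to our CA, the check a client performs.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Exit status 0 if key $1 loads with an empty passphrase, i.e. it is unencrypted.
key_has_no_passphrase() {
  openssl rsa -in "$WORK/$1.key" -noout -passin pass: >/dev/null 2>&1
}

# A personal (email) certificate and a server certificate, both signed by the CA.
make_ca
issue_cert alice "/O=Example Co/CN=Alice Example/emailAddress=alice@example.com"
issue_cert mail "/O=Example Co/CN=mail.example.com"
make_postfix_bundle mail
```

Set WORK to a directory of your choice to keep the generated files; anyone who needs to trust the certificates must be given ca.crt, never ca.key.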
Encrypting Email

After someone has your certificate, he or she can use Apple Mail to encrypt future email to you. This is a secure method of passing email because when the sender uses your certificate (which he or she received previously via a signed message or other technique) to encrypt email to you, that message can then be decrypted only using the corresponding private key stored on your computer. This ensures that nobody else can see the body of the message (or its attachments), regardless of the security settings of any email server. This level of security is achieved because the email body is encrypted before leaving the sender's computer, and it isn't decrypted until it's opened on your computer. It's important to note that the message header is not encrypted (the servers need it to deliver the message), so don't include any confidential information in the subject of the message. Encrypting email is as simple as signing it, and you'll know whether it's possible as soon as you begin composing a new message. If the lock icon is not present or is disabled, you don't have a certificate for that person and can't send encrypted email to him or her.
However, if you do have a certificate for the recipient of the email, as well as a certificate for yourself, the lock icon will be enabled. Just click it (so the lock is closed) to encrypt the message.

Tip: Using self-signed certificates is OK for situations where you may not need that level of authenticity, or if you can guarantee the authenticity of the certificate by physically handing it to someone on a CD or other similar media.