Protecting Your Email Client


The first thing to look at in the realm of email protection is what's available in your email client, the program you use to read your email.

Filtering Junk Mail

If your client has built-in junk mail detection and filtering, turn it on. In the case of the Apple Mail application, choose Mail > Preferences, and look at the options available on the Junk Mail tab.

First check that "Enable junk mail filtering" is selected. Then, for a period of time (which will vary depending on the amount of mail, and spam, you receive), train your junk mail filter by having it leave all mail in your inbox, but indicate any messages it considers junk mail. You can then verify that a message is junk mail, or you can mark it as acceptable. Eventually, the junk mail filter will become more accurate.

Tip

To reduce the amount of spam you receive, create two email addresses. Give one email address to only people you know, and use the other email address as a "throwaway" address given to companies when you make online orders, postings to message boards, and other less direct communication.


Protecting Your Company Email

The Apple Mail application also provides a unique layer of security that can protect you from sending confidential information outside of your company.

In the Composing tab, by selecting "Mark addresses not in this domain," any time you're composing a message with a recipient outside of your company's domain name, the recipient's address will be flagged with a different color.

Using Parental Controls

Apple also includes a feature geared toward protecting children by providing a list of approved email addresses with which the child can exchange messages. To access this feature, open System Preferences, click the Accounts pane, and select a user. Inside the Parental Controls tab for that user, click Configure, which brings up a window containing a list of approved email addresses, along with a permissions email address where unapproved email is sent first.

Although this feature is intended for parents managing their children's activities, a small company may also utilize this feature for limiting email communications to a small group of individuals necessary for those people to fulfill the duties of their jobs.

Protecting Email From Prying Eyes

When it comes to the security provided by your mail client, there are many different options you can set. Each option increases the security of your email communications through different means of password hashing and encryption. This is especially important if you are reading and sending email over a wireless or any other insecure link. Email traffic, like most Internet traffic, is unencrypted by default and easily monitored by anyone on the same wireless or insecure network.

Keep in mind that there are two separate communication channels used by email: one for retrieving messages, and one for sending messages. These two channels are configured separately, and also offer differing levels of security. One thing that is often confused with respect to mail client security is what you're actually trying to protect. It's important to draw the distinction between protecting your password and protecting the content of the email message body. Ideally, you'd want everything encrypted, but some email service providers don't offer a fully encrypted service.

When you're setting up a new email account in Apple's Mail application, you're given the option to set your incoming mail security.

The best thing you can do is to use Secure Sockets Layer (SSL) if your email service provider supports it. This is the same strong encryption used by secure websites for protecting your credit card information during an online purchase. The use of SSL for your incoming mail will encrypt both the password you send when logging into your email and the email messages themselves as they are downloaded from the mail server.

The Apple Mail application also provides alternative ways to authenticate to the email service. Although Mail supports many different types, your email service provider may not. These options range from simple password authentication where your password is sent directly to the email server, to various forms of hashed passwords, to Kerberos authentication, which uses a number of two-way ticket exchanges to authenticate you without ever sending your password to the server.

As mentioned before, this protects only one side of your email communication: retrieving messages from the server. You'll also want to protect the email being sent from your computer. Unfortunately, many email providers don't support using SSL encryption for your outgoing mail, but if it is available, use it. The Apple Mail application doesn't offer you the option to enable SSL for outgoing mail when creating your account, but you can get to it by choosing Mail > Preferences and looking at the Accounts tab.

Select your account in the left frame and click the Server Settings button. After the new window appears, select the Use Secure Sockets Layer (SSL) checkbox, assuming your email provider supports it. Some email providers also require you to authenticate yourself when sending messages through their servers. If this is required, your account information is entered in the same window.

Tip

Not all email providers support SSL. Often, however, an email provider supports SSL but doesn't tell you about it for fear of increased support costs. If you're not already using SSL, try turning it on. If you're still able to connect to your inbox, your email and account information will be much safer now that they're encrypted. If you can no longer connect to your inbox, then your email provider probably doesn't support SSL, so simply deselect the Use Secure Sockets Layer (SSL) box and everything will be working again.


Using Mail Certificates

Many computer viruses spread because people generally trust that an email is from the person it says it's from. In reality, it's incredibly easy to forge the From line of an email through a practice known as spoofing. There is, however, a nearly fail-safe method for you to prove to others that your email actually came from you: by using certificates. In order to use certificates, you create what is known as a certificate-key pair, comprised of private and public keys and a public certificate. Next, you send your certificate to all of your friends, coworkers, your website, online directory entries, and so on. When you create an email message with the Apple Mail application, it will be digitally signed using your certificate-key pair. When the recipient opens your message, his or her computer will use the certificate you sent earlier to verify the integrity of the digital signature, which proves not only that you sent the message, but also that the message has not been modified by a third party.

Certificate transactions involve at least two pieces: a public part, which everyone sees, and a private part, which you should keep very secure. A matching public certificate and private key are created at the same time. They are created using a complex mathematical method that yields a product with very unique properties. Something encrypted with the private key can be decrypted only using the corresponding public certificate. Likewise, and much more common, something encrypted with the public certificate can be decrypted only using the private key. This one-way encryption/decryption is what makes certificates, and SSL in general, very secure. Anyone can encrypt something for you with your public certificate, but only you can decrypt it since only you have the matching private key. Since you must be in possession of the private key to decrypt it, and since that private key is often encrypted itself by a password, certificate-based encryption is one of the best methods for highly secure transactions.

Using SSL Certificates With Mac OS X Server

Mac OS X Server can use certificates to send and receive mail. The mail services look for the certificates in the following locations:

  • Cyrus: /var/imap/server.pem

  • Postfix: /etc/postfix/server.pem

Further SSL configuration is possible through the config files for Cyrus and Postfix, /etc/imap.conf and /etc/postfix/main.cf, respectively.

Note

Postfix requires that the key and the certificate are both in the same file. Additionally, Cyrus requires that the server certificate be accessible to the mail user, so permissions have to be modified to allow the mail user access to the file. Both Cyrus and Postfix require passphrase-free certificates.
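
A check for the requirements in the note above, as an added example (not from the book or from Apple): it confirms that a server.pem holds both a certificate and an unencrypted private key, that the two belong together, and that the file is not readable by everyone. The function name check_mail_pem is made up for this example, and the openssl command-line tool is assumed to be installed.

```sh
#!/bin/sh
# check_mail_pem FILE
# Prints one line per problem found; returns non-zero if there is any.
check_mail_pem() {
    f=$1; rc=0
    grep -q -- '-----BEGIN CERTIFICATE-----' "$f" ||
        { echo "$f: no certificate found"; rc=1; }
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$f" ||
        { echo "$f: no private key (Postfix needs key and certificate in one file)"; rc=1; }
    # An empty passphrase only works if the key is stored unencrypted.
    if ! openssl pkey -in "$f" -passin pass: -noout 2>/dev/null; then
        echo "$f: private key is missing or passphrase-protected"; rc=1
    elif [ "$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)" != \
           "$(openssl pkey -in "$f" -passin pass: -pubout 2>/dev/null)" ]; then
        echo "$f: private key does not belong to the certificate"; rc=1
    fi
    # The file contains a private key: it should be readable by the
    # mail service account, not by every local user.
    [ -z "$(find "$f" -prune -perm -004)" ] ||
        { echo "$f: world-readable"; rc=1; }
    return $rc
}

# Check the two locations named above when they exist on this machine.
for pem in /etc/postfix/server.pem /var/imap/server.pem; do
    if [ -e "$pem" ]; then check_mail_pem "$pem" || true; fi
done
```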


SSL allows you to encrypt your data so that it's passed securely. Keep in mind, though, that if you encrypt everything, SSL adds a performance hit to your server and client. The server will have to encrypt the data and the client will have to decrypt. Depending on the size of the encryption key, that process can add to your server and client load.

Whether to use SSL with IMAP vs. POP is a performance consideration. POP downloads all of the user's email at once and thus will require heavy usage of the CPU for a short period. IMAP, on the other hand, maintains a constant connection to the server and will thus place a steady load on the server. It's best to analyze the server load using log analysis tools combined with CPU usage to understand the implications of enabling SSL for POP and IMAP on your server.

Certificate Renewal

If you choose to obtain a certificate from VeriSign and use that certificate for your email server, you will go through the following steps:

1. Contact VeriSign and obtain a certificate.

2. Create a Certificate Authority on your computer.

3. Store the CA Certificate in your login keychain.

4. Store your VeriSign certificate in your login keychain.

This allows users to benefit from a valid certificate when checking their email.

Note

Certificates are generally renewed on a yearly basis. If your users do not update their public key, they may be unable to read mail sent by users who have updated their public key. Conversely, if users delete their older public key, they may not be able to read older mail.

Create a Certificate

In order for a certificate to be valid, it must be signed. Normally this is done by generating a certificate signing request (CSR) after you've created your key pair and sending it to a recognized certificate authority (CA). The certificate backing that CA is present on every computer, and once your certificate is signed by that CA, it will be recognized as valid on everyone's computer as well. Getting an officially signed certificate often costs money, but because the market is constantly changing, visit the websites of popular certificate authorities; they may offer personal email certificates for free or at a very low cost for noncommercial uses.

For the purposes of this exercise, we'll show you how to create and sign a certificate that, although it won't be officially signed, will demonstrate the processes involved.

1. Open /Applications/Utilities/Keychain Access.

2. Choose Keychain Access > Certificate Assistant.

3. Select Create a Certificate Authority (CA).

4. Leave the box selected to indicate that the certificate will be self-signed (root). Enter your email address and in the Common Name field, type My Little CA. If you were doing this in a production environment, you'd also fill in the other fields.

5. Leave the Key Size at its default of 2048 bits.

   Larger keys are more secure than smaller keys, but require more computational power and are often not even supported by other computers. The algorithm shouldn't matter, although RSA tends to be more popular.

6. The next pane looks similar to the previous one, but specifies the key pair information for others that use this CA. Again, just leave them at their defaults of 2048 bits / RSA.

7. Leave the Key Usage Extension For This CA settings at their defaults.

8. Leave the Key Usage Extension For Users Of This CA checkbox deselected.

9. Leave the Miscellaneous Extensions For This CA settings at their defaults.

10. Leave the Miscellaneous Extensions For Users Of This CA settings at their defaults (all deselected).

11. Store this certificate in your login Keychain. In a tighter security environment, you may wish to save your certificate in another Keychain that automatically locks, or even in a Keychain on an external device for extra security.

12. Leave the CA Configuration File Name at its default, and be sure that the "Make this CA the default" checkbox is checked.

13. Quit Certificate Assistant.

Now that you've created your certificate authority for the computer, you'll use it to sign a certificate that's associated with you directly.

1. In Keychain Access, choose Keychain Access > Certificate Assistant to open the assistant again.

2. Select the option to create a certificate for yourself.

3. Deselect "Certificate will be 'self-signed'" and fill out the Certificate Information form with your information. Be sure that the user email address matches the Apple Mail email address. The serial number will be 1 for the first certificate you create, but it will increment any time you create another certificate in the future.

4. When you choose an issuer, you will see My Little CA, which you created in the first half of this exercise. Select it and click Continue.

5. Leave the Key Pair Information at their defaults of 2048 bits / RSA.

6. Leave the Use Key Usage Extension box deselected.

7. Do not include basic constraints extension or subject alternate name extension.

8. Store this certificate in your login Keychain. In a tighter security environment, you may wish to save your certificate in another Keychain that automatically locks, or even in a Keychain on an external device for extra security.

   After your certificate has been created, it will be saved to your Keychain.

9. Back in the Keychain Access application, you will see new entries: a private key, public key, and certificate for yourself and for your CA.

10. Click the certificate bearing your name, and notice that it has a red X and a warning about it not being trusted.

    You need to make your unofficial certificate authority into a CA your machine trusts.

11. Select the My Little CA certificate in the list. At the top of the window, you will see a larger certificate icon. Drag that icon to your desktop where it'll be saved as My Little CA.cer. You'll be using it in a few moments.

12. At the bottom of the window, click the Show Keychains button.

13. Drag the My Little CA.cer file you just created onto the X509Anchors Keychain. You'll probably be prompted to enter an administrator username and password to unlock the X509Anchors Keychain.

14. Select the X509Anchors Keychain on the left side, then find the My Little CA certificate in the main frame of the window amongst all of the other official certificate authorities.

15. Double-click the My Little CA entry in the list, which will display the details of that certificate.

16. At the bottom of the window, click the triangle to reveal the trust settings.

17. Change the first option so that "When using this certificate: Always Trust" is selected.

18. Close the window, then quit Keychain Access.

19. Reopen Keychain Access. (You quit and restarted because Keychain Access caches its old trust settings.)

20. Locate the certificate bearing your name in the login Keychain.

    It should now bear a green checkmark indicating that the certificate is valid.

Now, to see if it all worked:

1. Open Apple Mail.

2. Compose a new message (File > New Message).

   If everything went as planned, you will see a star icon with a checkmark inside indicating that the message you're about to send is signed.

3. Send a message to someone else.

   When the person receives the message, Mail will indicate that it is unable to verify the message signature. This is because you're using a self-signed certificate. The recipient can click the Show Details button, which will display your certificate. Clicking OK will add your certificate to their Keychain. Subsequent messages sent to that same person will indicate that the message is signed.

Encrypting Email

After someone has your certificate, he or she can use Apple Mail to encrypt future email to you. This is a secure method of passing email because when the sender uses your certificate (which he or she received previously via a signed message or other technique) to encrypt email to you, that message can then be decrypted only using the corresponding private key stored on your computer. This ensures that nobody else can see the body of the message (or its attachments), regardless of the security settings of any email server. This level of security is achieved because the email body is encrypted before leaving the sender's computer, and it isn't decrypted until it's opened on your computer. It's important to note that the message header is not encrypted (necessary for the servers to deliver the message), so don't include any confidential information in the subject of the message.

Encrypting email is as simple as signing it. You'll know this very quickly when composing a new message. If the lock icon is not present or is disabled, you don't have a certificate for that person and can't send encrypted email to him or her.

However, if you do have a certificate for the recipient of the email, as well as a certificate for yourself, the lock icon will be enabled. Just click it (so the lock is closed) to encrypt the message.

Tip

Using self-signed certificates is OK for situations where you may not need that level of authenticity, or if you can guarantee the authenticity of the certificate by physically handing it to someone on CD or other similar media.
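
The certificate, signing and encryption steps above, replayed with the openssl command-line tool as an added example that is not part of the book: a self-signed CA, a personal certificate it signs, then an S/MIME message that fails verification until the CA is supplied as a trust anchor, is rejected once altered, and round-trips through encryption. The function names, the address user@example.com and all file names are constructed; openssl is assumed to be installed.

```sh
#!/bin/sh
# Added example; every name, address and file name below is constructed.
make_demo_pki() {
    # Minimal config so the run does not depend on the system openssl.cnf.
    cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[v3_ca]
basicConstraints = critical, CA:TRUE
EOF
    # Self-signed root "My Little CA" with a 2048-bit RSA key.
    openssl req -x509 -newkey rsa:2048 -nodes -config demo.cnf \
        -extensions v3_ca -subj "/CN=My Little CA" -days 365 \
        -keyout ca.key -out ca.crt 2>/dev/null &&
    # Personal key pair and certificate signing request (CSR).
    openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
        -subj "/CN=Demo User/emailAddress=user@example.com" \
        -keyout user.key -out user.csr 2>/dev/null &&
    # The CA signs the request; serial 1 for the first certificate it issues.
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key \
        -set_serial 1 -days 365 -out user.crt 2>/dev/null
}

sign_msg() {        # $1 = plain text file, $2 = signed output
    openssl smime -sign -text -in "$1" -signer user.crt -inkey user.key -out "$2"
}

verify_msg() {      # $1 = signed message, $2 = trusted CA file (may be omitted)
    if [ -n "${2:-}" ]; then
        openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null
    else
        openssl smime -verify -in "$1" -out /dev/null 2>/dev/null
    fi
}

encrypt_for_user() { openssl smime -encrypt -aes256 -in "$1" -out "$2" user.crt; }
decrypt_as_user()  { openssl smime -decrypt -in "$1" -recip user.crt -inkey user.key; }

demo() {
    cd "$(mktemp -d)" && make_demo_pki || return 1
    printf 'Payroll runs Friday.\n' > msg.txt
    sign_msg msg.txt signed.eml
    verify_msg signed.eml          || echo "signature not trusted: CA unknown"
    verify_msg signed.eml ca.crt   && echo "signature valid: CA is a trust anchor"
    sed 's/Friday/Monday/' signed.eml > tampered.eml
    verify_msg tampered.eml ca.crt || echo "modified message rejected"
    encrypt_for_user msg.txt enc.eml && decrypt_as_user enc.eml
}
demo
```

In enc.eml only the body is encrypted; any headers added around it for delivery stay readable, which is why the subject line should not carry confidential text.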





Apple Training Series. Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
EAN: 2147483647
Year: 2005
Pages: 258
Authors: Schoun Regan
