There used to be a time when secure e-mail management was simple. "Managing" meant sorting your e-mail messages into appropriate folders, and "secure" e-mail meant a simple password for mailbox access. Today, however, with e-mail a business-critical application, more threats against it than ever before, and government regulatory concerns, secure e-mail management takes on a whole different meaning. Viruses, spam, worms, and other malicious attacks and non-malicious events can bring e-mail infrastructures to their knees. With recent government legislation in countries such as the U.S., e-mail confidentiality has become a growing concern. One of the more common ways to access e-mail today is through a Web browser, using a Web-based e-mail system. What security issues should be kept in mind when developing or designing Web mail systems?

The Basics of Web Mail

Most Web mail systems are designed using a multi-tiered architecture. Usually, a Web server acts as a reverse proxy in front of a backend e-mail server that actually services the user's mail requests. Most Web mail systems also keep the mail store in a database separate from the one holding user authentication information.

User authentication can be done with the authentication protocols native to the mail server's operating system or with third-party authentication methods such as RADIUS or SecurID.

Using a set of stored procedures and scripts, the Web server translates the user's browser (HTML form) requests into calls the backend e-mail server understands, so that it can serve up mail. Typical backend mail servers include Microsoft Exchange, Netware Mail, and Lotus Notes. Each of these systems includes a Web mail service that uses the default ports of 80 for HTTP and 443 for HTTP over SSL. Most Web mail policies require that HTTP be carried over an encrypted channel such as Secure Sockets Layer (SSL) or the Secure Shell protocol (SSH). In rare cases, IP security (IPsec) is used as the secure communication channel for Web mail systems.
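The two preceding paragraphs describe the front-end Web server as a reverse proxy in front of the backend mail server and the policy of only allowing Web mail over an encrypted channel. The following nginx configuration is an added example of that arrangement; it is not from the article or from any of the products it names. The hostname webmail.example.com, the backend address 10.0.0.5, and the certificate paths under /etc/ssl/webmail/ are placeholders. It shows the weak form (mail served directly on port 80) commented out beside the corrected form (port 80 only redirects, all mail traffic is served over TLS on 443 and then proxied to the backend).

```nginx
# Added example, not from the article: front-end reverse proxy for a Web mail system.
# Assumed placeholders: public name webmail.example.com, backend Web mail service on
# 10.0.0.5:80 in a private network segment, certificates under /etc/ssl/webmail/.

# Weak configuration: the Web mail service is reachable over plain HTTP on port 80,
# so the login and every mail page cross the network unencrypted.
#
# server {
#     listen 80;
#     server_name webmail.example.com;
#     location / {
#         proxy_pass http://10.0.0.5:80;
#     }
# }

# Corrected configuration, part 1: port 80 never serves mail content, it only
# sends the browser to the HTTPS listener.
server {
    listen 80;
    server_name webmail.example.com;
    return 301 https://$host$request_uri;
}

# Corrected configuration, part 2: TLS on 443, then proxy to the backend.
server {
    listen 443 ssl;
    server_name webmail.example.com;

    ssl_certificate     /etc/ssl/webmail/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/webmail/privkey.pem;     # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Tell browsers to use HTTPS for this host on all future visits.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://10.0.0.5:80;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Lets the backend know the client connection was HTTPS.
        proxy_set_header X-Forwarded-Proto https;
        # Session cookies set by the backend leave the proxy marked Secure and HttpOnly,
        # so the browser will not send them over plain HTTP.
        proxy_cookie_flags ~ secure httponly;
    }
}
```

The proxy-to-backend hop in this example is plain HTTP on the assumption of a trusted internal segment; if the backend supports it, changing `proxy_pass` to `https://` (and pinning the backend certificate) closes that gap too. A quick check that the policy is enforced is to request `http://webmail.example.com/` and confirm the response is a 301 to the `https://` URL rather than a login page.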

The link for this article located at ebcvg.com is no longer available.