Securing Mail Services
In its default state, email is one of the least secure forms of Internet communication. Most email clients exchange username and password information as clear text when communicating with an email server, and the actual contents of mail messages are also sent unencrypted between the client and the server. You can, however, change this behavior to provide additional security for both your server and your users’ email messages. To do so, select the Advanced tab of the Mail Service Setting pane and then select the Security tab within that (if it is not displayed automatically), as shown in Figure 2.
Figure 2 Security tab in the Mail Server Advanced Settings pane
The Security tab enables you to configure the authentication methods that the server will allow when users attempt to connect to send messages via SMTP (provided they are not sending from a computer whose IP address is in the allowed relay range set in the Relay Settings pane—as discussed in part 1 of this series) or when connecting to receive messages via IMAP or POP. It also enables you to configure the secure transmission of message data using SSL for incoming and/or outgoing mail.
The Authentication section of the tab lists the three email protocols supported by Mac OS X Server and the authentication methods that each uses. Selecting a checkbox enables that form of authentication for that particular protocol. Clear, login, and plain are all considered unsecured authentication methods because they send passwords either as clear text or with minimal encryption that can be easily broken.
CRAM-MD5 and APOP are standard authentication methods, supported by most email clients, that include secure password-encryption schemes. As a rule, you should allow only encrypted authentication using CRAM-MD5 and APOP. The only exception is an email client that does not support them but that you are absolutely required to support.
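The difference between the "plain" and the CRAM-MD5/APOP checkboxes is easiest to see on the wire. The following is an added example, not code from the article or from Mac OS X Server: it shows what AUTH PLAIN actually transmits (base64, which any observer can decode), and then both sides of a CRAM-MD5 exchange (RFC 2195) and an APOP exchange (RFC 1939), in which only a challenge and a hash cross the network and a captured response cannot be replayed against a fresh challenge. The user name, password, host name and directory lookup are constructed for the demonstration; the challenge generator uses random bits rather than the pid/timestamp form the RFC suggests.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample credentials (hypothetical; not from the article).
USERNAME = "jdoe"
PASSWORD = "correct horse battery staple"


def plain_on_wire(username, password):
    """SMTP AUTH PLAIN (RFC 4616) sends base64 of "\\0user\\0pass".
    Base64 is an encoding, not encryption: anyone who sees the bytes can
    decode them, which is why the article lists 'plain' as unsecured."""
    return base64.b64encode(f"\0{username}\0{password}".encode()).decode()


def decode_plain(wire):
    """What a passive observer recovers from one AUTH PLAIN line."""
    _, user, pw = base64.b64decode(wire).decode().split("\0")
    return user, pw


def cram_md5_challenge(hostname):
    """Server side of CRAM-MD5: a fresh, unpredictable challenge string.
    (Constructed form; RFC 2195 suggests <pid.timestamp@host>.)"""
    return f"<{secrets.randbits(32)}.{secrets.randbits(32)}@{hostname}>"


def cram_md5_response(username, password, challenge):
    """Client side of CRAM-MD5: HMAC-MD5 over the challenge, keyed with the
    password. The password itself never leaves the client."""
    digest = hmac.new(password.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return f"{username} {digest}"


def cram_md5_verify(response, challenge, password_lookup):
    """Server side: recompute the HMAC from the stored password and compare in
    constant time. A replayed response fails because the challenge differs."""
    try:
        username, digest = response.split(" ", 1)
    except ValueError:
        return False
    stored = password_lookup(username)
    if stored is None:
        return False
    expected = hmac.new(stored.encode(), challenge.encode(), hashlib.md5).hexdigest()
    return hmac.compare_digest(expected, digest)


def apop_digest(timestamp_banner, password):
    """APOP: MD5 of the timestamp the POP3 server put in its greeting
    (e.g. '<1896.697170952@dbc.mtview.ca.us>') followed by the password."""
    return hashlib.md5((timestamp_banner + password).encode()).hexdigest()


def apop_verify(username, digest, timestamp_banner, password_lookup):
    """Server side of APOP: same hash from the stored password, constant-time compare."""
    stored = password_lookup(username)
    if stored is None:
        return False
    return hmac.compare_digest(apop_digest(timestamp_banner, stored), digest)


def demo():
    """Run the three exchanges against a constructed one-user directory."""
    directory = {USERNAME: PASSWORD}
    lookup = directory.get

    # AUTH PLAIN: the password is recoverable by anyone on the path.
    observed = decode_plain(plain_on_wire(USERNAME, PASSWORD))

    # CRAM-MD5: server challenge (base64 on the wire), client HMAC, server check.
    challenge = cram_md5_challenge("mail.example.com")
    wire_challenge = base64.b64encode(challenge.encode()).decode()
    response = cram_md5_response(USERNAME, PASSWORD, challenge)
    cram_ok = cram_md5_verify(response, challenge, lookup)
    # The same response presented against the next challenge is rejected.
    replay_ok = cram_md5_verify(response, cram_md5_challenge("mail.example.com"), lookup)

    # APOP: the POP3 greeting carries the timestamp; the client hashes it with the password.
    banner = "<constructed.12345@mail.example.com>"
    apop_ok = apop_verify(USERNAME, apop_digest(banner, PASSWORD), banner, lookup)

    return {
        "plain_observed": observed,
        "cram_challenge_on_wire": wire_challenge,
        "cram_ok": cram_ok,
        "cram_replay_ok": replay_ok,
        "apop_ok": apop_ok,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when you enable only these methods: both CRAM-MD5 and APOP require the server to hold the password in a form it can recompute the hash from, so the password store itself needs protecting, and both protect only the login, not the message bodies, which is what the SSL settings below address.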
Kerberos is an advanced suite of security and authentication tools that allows user information to be transmitted only when the user first logs in to the computer. Typically, Kerberos is available only to computers that are bound to your directory services infrastructure, be it Open Directory, Active Directory, or some other form. If Kerberos is available and the email clients your users use support it (which might be a big "if"), it is the most secure authentication method supported.
The Secure Sockets Layer (SSL) section of the Security tab enables you to designate whether an SSL connection will be used or required for SMTP and/or IMAP and POP communication. SSL securely encrypts data for transmission. Generally speaking, you’ll opt to enable SSL for a mail server that handles a lot of information that must be kept confidential, either by company policy or for legal reasons. Keep in mind that SSL secures the communication only between your mail server and your users’ email clients. Any mail sent to or received from an outside server is generally not encrypted.
For each connection type, you can choose not to use SSL (send without encryption); to require SSL (refuse to communicate with an email client unless it supports and uses SSL); or to use SSL if available but still allow communication without it. Using SSL requires you to configure a security certificate (either by purchasing a public certificate from a company such as Verisign or by creating an internal self-signed certificate). When you enable SSL for each type of email service, you need to select the appropriately configured certificate from the pop-up menu or choose custom configuration and enter the certificate information. Security certificates under Mac OS X Server are beyond the scope of this article, but more information can be found at the Apple Developer Connection and in Apple’s Mac OS X Server documentation.
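The practical consequence of the three SSL choices shows up in how the server answers an SMTP client before and after encryption is negotiated. The following is an added example, not Apple's mail server code: a toy SMTP session that models the three settings as a policy and applies them to STARTTLS and AUTH. It assumes the SSL-for-SMTP option is realised as STARTTLS on the same port (an assumption; SMTPS on a separate port behaves similarly but without the negotiation step), stands in a flag for the real TLS handshake, and uses a constructed host name. The point it demonstrates is that "require SSL" must be enforced before AUTH is accepted, otherwise a client that ignores STARTTLS still sends its credentials over the clear channel.

```python
from enum import Enum


class TlsPolicy(Enum):
    """The three choices offered per connection type in the Security tab."""
    DONT_USE = "dont_use"   # send without encryption
    USE = "use"             # use SSL if available, allow clear otherwise
    REQUIRE = "require"     # refuse to talk unless the client uses SSL


class SmtpSession:
    """Constructed SMTP server session (not Mac OS X Server's own code).

    Handles just EHLO, STARTTLS and AUTH, enough to show how each policy
    changes what is advertised and accepted on an unencrypted channel."""

    HOSTNAME = "mail.example.com"  # constructed

    def __init__(self, policy):
        self.policy = policy
        self.tls_active = False   # stands in for a completed TLS handshake
        self.transcript = []      # both sides' lines, for inspection

    def handle(self, line):
        """Process one client line; returns the 3-digit reply code."""
        self.transcript.append("C: " + line)
        cmd = line.split(" ", 1)[0].upper()

        if cmd == "EHLO":
            ext = []
            # Offer STARTTLS whenever the policy permits encryption and it
            # is not already running.
            if self.policy is not TlsPolicy.DONT_USE and not self.tls_active:
                ext.append("STARTTLS")
            # Under REQUIRE, do not even advertise AUTH on the clear channel.
            if self.policy is not TlsPolicy.REQUIRE or self.tls_active:
                ext.append("AUTH CRAM-MD5")
            reply = "250-" + self.HOSTNAME + "".join("\r\n250-" + e for e in ext) + "\r\n250 OK"
        elif cmd == "STARTTLS":
            if self.policy is TlsPolicy.DONT_USE:
                reply = "502 STARTTLS not offered"
            elif self.tls_active:
                reply = "503 TLS already active"
            else:
                self.tls_active = True
                reply = "220 Ready to start TLS"
        elif cmd == "AUTH":
            if self.policy is TlsPolicy.REQUIRE and not self.tls_active:
                reply = "530 Must issue a STARTTLS command first"
            else:
                reply = "334 <challenge>"   # a CRAM-MD5 exchange would follow
        else:
            reply = "500 Command not recognized"

        self.transcript.append("S: " + reply)
        return reply[:3]

    def advertises_auth(self):
        """True if the last EHLO reply offered AUTH on the current channel."""
        for line in reversed(self.transcript):
            if line.startswith("S: 250-" + self.HOSTNAME):
                return "AUTH" in line
        return False


def run_client(policy, use_starttls):
    """Drive a session as a client that does or does not negotiate TLS.
    Returns the reply codes to EHLO, STARTTLS (if sent) and AUTH."""
    s = SmtpSession(policy)
    codes = {"ehlo": s.handle("EHLO client.example.net")}
    if use_starttls:
        codes["starttls"] = s.handle("STARTTLS")
        codes["ehlo_after_tls"] = s.handle("EHLO client.example.net")
    codes["auth"] = s.handle("AUTH CRAM-MD5")
    return codes


if __name__ == "__main__":
    for policy in TlsPolicy:
        for starttls in (False, True):
            print(policy.value, "starttls" if starttls else "clear", run_client(policy, starttls))
```

Reading the transcripts side by side shows why "use SSL if available" is the weakest of the two encrypted settings: a client that never issues STARTTLS is still allowed to authenticate, so the protection depends on every client being configured correctly rather than on the server refusing.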