Security Considerations When Using SMTP/POP3

Windows NT provides built-in security that controls:

Windows NT security provides a high level of protection both for stand-alone computers and for Windows NT–based networks. However, the MailSrv tool uses only the clear-text password authentication of POP3. Passwords are sent over the network in readable (clear) format and are not encrypted. Administrators must plan for security on networks that use the MailSrv tool. They must consider the potential for unauthorized users to acquire passwords and then tamper maliciously with Internet communications.
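The clear-text exposure described above can be audited in a captured session. The following is an added example, not part of the original text or of the MailSrv tool: it inspects the client side of a POP3 session for USER/PASS logins and, going beyond the page, also recognises APOP (RFC 1939), which sends a digest instead of the password. The function names and sample sessions are constructed for illustration.

```python
# Added example: audit client-side POP3 commands for clear-text logins.
# Sample sessions are constructed; names here are illustrative assumptions.

SAMPLE_CLEARTEXT = ["USER alice", "PASS Spring 1997!", "STAT", "QUIT"]
SAMPLE_APOP = ["APOP bob 0123456789abcdef0123456789abcdef", "STAT", "QUIT"]


def audit_pop3_auth(client_lines):
    """Return one finding per authentication attempt in the session.

    Secrets are never copied into a finding; only their length is kept.
    """
    findings = []
    pending_user = None
    for raw in client_lines:
        # Split on the first space only: a PASS argument may contain spaces.
        verb, _, arg = raw.rstrip("\r\n").partition(" ")
        verb = verb.upper()  # POP3 keywords are case-insensitive
        if verb == "USER":
            pending_user = arg
        elif verb == "PASS":
            findings.append({
                "method": "USER/PASS",
                "user": pending_user,
                "cleartext_password": True,
                "evidence": "PASS <redacted, %d chars>" % len(arg),
            })
            pending_user = None
        elif verb == "APOP":
            name, _, _digest = arg.partition(" ")
            findings.append({
                "method": "APOP",
                "user": name,
                "cleartext_password": False,
                "evidence": "APOP %s <digest>" % name,
            })
    return findings


def exposed_users(findings):
    """Users whose password crossed the network in readable form."""
    return sorted({f["user"] or "<unknown>"
                   for f in findings if f["cleartext_password"]})


if __name__ == "__main__":
    for session in (SAMPLE_CLEARTEXT, SAMPLE_APOP):
        for finding in audit_pop3_auth(session):
            print(finding)
```

Accounts reported by `exposed_users` are the ones whose passwords should be treated as readable by anyone able to observe the network path.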

You can use the classification of Internet communications in Table 7.2 to identify your enterprise security requirements when using SMTP/POP3. For additional information on security, see Chapter 3, "Server Security on the Internet."

Table 7.2 Enterprise Security Guidelines

| Type of communication | Description |
| --- | --- |
| General communications | Include private mail or limited access to public-domain data published on a Web server. Communication authentication and integrity are based on password systems. |
| Business communications | Include intra-organization business mail, correspondence, data, and public correspondence (such as product advertising) and information (such as customer support service). Authentication and message integrity, as well as privacy, can be critically important and require more sophisticated control than for general communications. |
| Financial transactions | Are not suitable for mail communication because of the need for high security control. Additionally, financial data is often partitioned. Each party to the communication needs some of the data, but not all of the parties need (or should have) all the data. |