IMail Web Calendaring Security
IMail Web Calendaring offers several means of protecting your communications from being altered in transit or being read by someone other than the intended recipient.
- Secure Mode. Enables Secure Sockets Layer encryption. The SSL capabilities offer the most secure method of safeguarding schedule information. SSL will increase processing time on your server.
- Logon User ID and password. Users must log on with their user ID and password. This provides the basic level of security that protects the user's calendar.
- Logoff. After accessing their calendar from the browser and then logging off, users cannot click the browser's Back button to return to a calendar. However, clicking in the History list may re-display the calendar, though the user could not activate any of the calendar functions. As a precaution, users can clear the browser's history if the browser is in a commonly used area.
When logging on to IMail Web Calendaring, users can choose either or both of the following options (on the Login page):
- Expire page views. If you are logging on to your calendar from a public terminal or from someone else's computer, you can select this option to prevent the browser from saving (caching) the pages you view. Note that Microsoft's Internet Explorer can be set to ignore this "expire page views" command, so it is still possible your pages will be saved.
- Remember Userid and Password. This option will save your password in a file (called a cookie), so you do not have to enter it each time you log on to Web Calendaring. When you log on, the browser enters the User ID and password. Note that if you select this option, anyone who has access to the machine could connect to your calendar through IMail Web Calendaring without having to enter your User ID and password. Do not select this option if you are using a public terminal.
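The two login options above can be checked from the response headers the server returns. The following is an added example, not IMail code: it assumes the options are carried by standard HTTP cache headers and a persistent cookie, which this page does not confirm, and the sample responses and the cookie name are constructed.

```python
from datetime import datetime, timezone
from email.parser import Parser
from email.utils import parsedate_to_datetime

def cache_verdict(headers, now):
    """Classify a response as 'not stored', 'expired' or 'cacheable'."""
    directives = {d.strip().lower()
                  for value in headers.get_all("Cache-Control", [])
                  for d in value.split(",")}
    if "no-store" in directives:
        return "not stored"          # browser is told not to write the page to disk
    if directives & {"no-cache", "max-age=0"}:
        return "expired"             # may be kept, but must be revalidated before reuse
    if "no-cache" in (headers.get("Pragma") or "").lower():
        return "expired"
    expires = headers.get("Expires")
    if expires is None:
        return "cacheable"
    try:
        when = parsedate_to_datetime(expires)
    except (TypeError, ValueError):
        return "expired"             # invalid dates such as "0" mean already expired
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return "cacheable" if when > now else "expired"

def persistent_cookies(headers):
    """Return (name, has_secure_flag) for cookies that outlive the browser session."""
    found = []
    for value in headers.get_all("Set-Cookie", []):
        pair, *attrs = [part.strip() for part in value.split(";")]
        keys = {a.split("=", 1)[0].lower() for a in attrs}
        if keys & {"expires", "max-age"}:
            found.append((pair.split("=", 1)[0], "secure" in keys))
    return found

def audit(raw_response_head, now):
    """Audit the status line plus headers of one HTTP response."""
    _status, _, header_text = raw_response_head.lstrip().partition("\n")
    headers = Parser().parsestr(header_text, headersonly=True)
    return cache_verdict(headers, now), persistent_cookies(headers)

# Constructed sample responses (not captured from IMail Web Calendaring).
NOW = datetime(2001, 6, 1, tzinfo=timezone.utc)
PLAIN = ("HTTP/1.0 200 OK\nContent-Type: text/html\n"
         "Set-Cookie: login=EXAMPLE; expires=Fri, 31-Dec-2010 23:59:59 GMT; path=/\n\n")
EXPIRING = "HTTP/1.0 200 OK\nContent-Type: text/html\nExpires: 0\nPragma: no-cache\n\n"
NO_STORE = "HTTP/1.0 200 OK\nCache-Control: no-store, private\n\n"

if __name__ == "__main__":
    for name, raw in (("plain", PLAIN), ("expiring", EXPIRING), ("no-store", NO_STORE)):
        print(name, audit(raw, NOW))
```

A verdict of "expired" rather than "not stored" means the browser may still keep a copy on disk, and a persistent cookie without the Secure flag is also sent when the browser is not in secure mode.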
Using Secure Sockets Layer (SSL)
You can set up the Web Calendaring server to use Secure Sockets Layer (SSL) for communications between a browser and the server. SSL encrypts your communications so they can be read only by the intended recipient.
SSL is a protocol that uses "certificates" to authenticate the client and server and uses a public/private key "pair" to encrypt and decrypt communications. All of the major browsers are SSL enabled.
Certificates. Certificates are used to establish the identity of the client (browser) and the server.
You can run SSL for Web Calendaring with:
- A self-signed SSL certificate. The server identifies itself to the client, but its certificate has not been issued by one of the third-party Certificate Authorities. Clients who log on to IMail Web Calendaring using Netscape and Internet Explorer will receive a warning message ("This site is not secured..."). These users can continue logging on after acknowledging the warning.
- An SSL certificate issued by a Certificate Authority. The certificate verifies to the client that the identity claimed on the certificate is accurate. You can purchase a third-party certificate from Thawte Consulting (www.thawte.com) or Verisign (www.verisign.com).
IMail Server comes with an SSL Utility that generates both an IMail Server self-signed SSL certificate as well as a certificate request you can send to a Certificate Authority.
Note: IMail uses an Apache compatible SSL certificate.
Public/private key encryption. When a browser connects to the Web Calendaring server, the server sends its certificate and public key to the browser. The browser can now use the public key to encrypt communications. Only the web server has the private key, which is used to decrypt communications sent from the browser.
Ciphers. The server and client must agree on the algorithm, called a "cipher," used to encrypt data. You select the cipher when setting up SSL on the server.
For more information on how SSL works, visit:
home.netscape.com/security/techbriefs/ssl.html
This section outlines the procedure for setting up SSL on the server.
- First, use the IMail SSL Configuration Utility to set up the SSL certificate and public/private key pair.
- Then, enable SSL in the IMail Administrator. Expand the Services folder and select Web Calendaring. The Web Calendaring Server tab appears in the right panel.
For detailed information about the SSL options, see the online help in the IMail SSL Configuration Utility and help for the Web Calendaring Server tab in IMail Administrator.
To enable SSL for the Web Calendaring Server, you need to complete the following steps:
- Set the registry path for the SSL keys.
From the Start menu, select Programs -> IMail -> IMail SSL Configuration Utility. Select Registry Path from the File menu. Enter the path: software\ipswitch\imail\ssl
- Generate a certificate and public key. We recommend that you use the self-signed certificate for your server.
In the IMail SSL Configuration Utility, click Certificate. For more information, select Help Topics from the Help menu, then go to the "Getting an SSL Certificate" topic.
- Configure SSL and select the cipher to use for encryption.
In the SSL Configuration Utility, click SSL Configuration, and then complete the wizard. For information, select Help Topics from the Help menu, then go to the "Configuring SSL" topic.
- If you want the server to authenticate clients, configure how it will do it.
In the SSL Configuration Utility, click Client Authentication. For more information, select Help Topics from the Help menu, then go to the "Dealing with Clients" topic.
We recommend that you allow any client to connect to your server, so you would not turn on the Client Authentication option.
- Activate SSL for the Web Calendaring server. In the IMail Administrator, expand the "Services" folder and click on Web Calendaring, then select the Web Calendaring Server tab to show the SSL options. Turn on Enable SSL.
Starting an SSL Connection from a Browser
Users can open Web Calendaring with an SSL connection as follows:
- In the browser, enter the address for the Web Calendaring server, for example: mail.domain1.com:8484. The Web Calendaring Logon appears.
- On the Logon page (or on any other Web Calendaring page), select Enter Secure Mode.
- The browser usually asks you to confirm that you want to use "secure mode." Click OK. If you used the self-signed certificate, the browser may also display a warning that the certificate is not "trusted." Click OK again to continue.
The browser is now in secure mode. You can click again at the bottom of any Web Calendaring page to return to regular mode.
Enabling SSL from within the Web Address
When you enter the web server's address in a browser and use HTTPS (in place of HTTP) in the address, the browser attempts to connect to the server using SSL. For example, the address would look like:
https://mail.domain1.com:8484
Using a Different Port for SSL
The standard port for IMail Web Calendaring SSL is 8485. If you use a different port number, this port number must be specified in the web address that Web Calendaring users log on to. For example, if you use port 8485 for SSL, and the web server is on port 8484 of mail1.domain.com, the web address would be:
http://mail.domain1.com:8585
Users can bookmark the web address so they do not have to enter it each time they log on.
Ipswitch, Inc. http://www.ipswitch.com
©Ipswitch 2001