Web Messaging Security
Web Messaging offers several means of protecting your e-mail communications from being altered in transit or being read by someone other than the intended recipient.
- Secure Mode. Enables a Secure Sockets Layer connection and encryption. The SSL capabilities offer the most secure method of safeguarding e-mail messages; however, they may increase processing time on your server.
- Logon User ID and password. Users must log on with their user ID and password. This provides the basic level of security that protects the user's mail.
- Logoff. After reading mail in the browser and then logging off, a user cannot click the browser's Back button to return to a mail message. However, clicking in the History list may re-display the message, though the user cannot activate any of the mail functions. As a precaution, users can clear the browser's history if the browser is in a common use area.
When logging on to Web Messaging, users can choose either or both of the following options (on the Logon page):
- Expire page views. If you are logging on to mail from a public terminal or from someone else's computer, you can select this option to prevent the browser from saving (caching) the pages you view. Note that Microsoft's Internet Explorer can be set to ignore this "expire page views" command, so it is still possible your pages will be saved.
- Remember Userid and Password (not recommended if you share this computer). This option will save your User ID and password in a file, so you do not have to enter them each time you log on to Web Messaging. When you log on, the browser automatically enters your User ID and Password. Note that if you select this option, anyone who has access to the machine could connect to your e-mail through Web Messaging without having to enter your User ID and password. Do not use it on a public terminal.
Using Secure Sockets Layer (SSL)
You can set up the Web Messaging server to use Secure Sockets Layer (SSL) for communications between a browser and the server. SSL encrypts your mail communications so they can be read only by the intended recipients.
SSL is a protocol that uses "certificates" to authenticate the client and server, and uses a public/private key "pair" to encrypt and decrypt communications. All of the major browsers are SSL enabled.
Certificates. Certificates are used to establish the identity of the client (browser) and the server.
You can run SSL for Web Messaging with:
- A self-signed SSL certificate. The server identifies itself to the client, but its certificate has not been issued by one of the third-party Certificate Authorities. Clients who log on to IMail Server using Netscape and Internet Explorer will receive a warning message ("This site is not secured..."). These users can continue logging on after acknowledging the warning. Their communications are encrypted.
- An SSL certificate issued by a Certificate Authority. The certificate verifies to the client that the identity claimed on the certificate is accurate. You can purchase a third-party certificate from Thawte Consulting (www.thawte.com) or Verisign (www.verisign.com).
IMail Server comes with an SSL Utility that generates both an IMail Server self-signed SSL certificate as well as a certificate request you can send to a Certificate Authority.
Note: IMail uses an Apache compatible SSL certificate.
Public/private key encryption. When a browser connects to the Web Messaging server, the server sends its certificate and public key to the browser. The browser can now use the public key to encrypt communications. Only the web server has the private key, which is used to decrypt communications sent from the browser.
Ciphers. The server and client must agree on the algorithm, called a "cipher," used to encrypt data. You select the cipher when setting up SSL on the server.
For more information on how SSL works, visit:
home.netscape.com/security/techbriefs/ssl.html
This section outlines the procedure for setting up SSL on the server.
- First, use the IMail SSL Configuration Utility to set up the SSL certificate and public/private key pair.
- Then, enable SSL in the IMail Administrator, on the Web Messaging Advanced tab.
For detailed information about the SSL options, see the online help in the IMail SSL Configuration Utility and help for the Web Messaging Server tab in IMail Administrator. The appropriate Help topics are listed beside each step below.
To enable SSL for the Web Messaging Server, you need to do the following:
- Set the registry path for the SSL keys.
From the Start menu, select Programs -> IMail -> IMail SSL Configuration Utility. Select Registry Path from the File menu. Enter the path: software\ipswitch\imail\ssl
- Generate a certificate and public key. We recommend that you use the self-signed certificate for your server.
In the IMail SSL Configuration Utility, click Certificate. For more information, select Help Topics from the Help menu, then go to the "Getting an SSL Certificate" topic.
- Configure SSL and select the cipher to use for encryption.
In the SSL Configuration Utility, click SSL Configuration, and then complete the wizard. For information, select Help Topics from the Help menu, then go to the "Configuring SSL" topic.
- If you want the server to authenticate clients, configure how it will do it.
In the SSL Configuration Utility, click Client Authentication. For more information, select Help Topics from the Help menu, then go to the "Dealing with Clients" topic.
We recommend that you allow any client to connect to your server, thus you would not turn on the Client Authentication option.
- Activate SSL for the Web Messaging server. In the IMail Administrator, expand the Services folder, then select Web Messaging and click on the Advanced tab to show the SSL options. Select Enable SSL. See "Configuring the Web Server" for information about the SSL options.
Starting an SSL Connection from a Browser
Users can open Web Messaging with an SSL connection as follows:
- In the browser, enter the address for the Web Messaging server, for example: mail.domain1.com:8383. The IMail Web Messaging logon page appears.
- On the Logon page (or on any other Web Messaging page), select Enter Secure Mode.
- The browser usually asks you to confirm that you want to use "secure mode." Click OK. If you used the self-signed certificate, the browser may also display a warning that the certificate is not "trusted." Click OK again to continue.
The browser is now in secure mode. You can click again at the bottom of any Web Messaging page to return to regular mode.
Enabling SSL from within the Web Address
When you enter the web server's address in a browser and use HTTPS (in place of HTTP) in the address, the browser attempts to connect to the server using SSL. For example, the address would look like:
https://mail.domain1.com:8383
Using a Different Port for SSL
The standard port for SSL is 443. If you use a different port number, this port number must be specified in the web address that Web Messaging users log on to. For example, if you use port 8384 for SSL, and the web server is on port 8383 of mail1.domain.com, the web address would be:
mail1.domain.com:8384
Users can bookmark the web address so they do not have to enter it each time they log on.
Troubleshooting SSL
You can check the following if you are having trouble getting SSL to work:
- IWebMsg.ini should have EnableSSL=1 (ForceSSL=1 may or may not be there).
- IWebMsg.ini is in the proper Windows directory (%WINDOWS%, usually \Winnt).
- After changing IWebMsg.ini, stop the web messaging service and restart it again to have changes recognized by the application.
- Select Allow Service to Interact with Desktop to see whether SSL.DLL reports any message, such as an initialization failure because the certificate or key file was not found. If SSL.DLL initialization fails, Web Messaging will not continue.
- If the application is running but SSL is not working, the EnableSSL setting is the only thing left to check.
- SSL2.CGI allows change from secure to non-secure mode. If SSL is disabled, then changeover from secure to non-secure is not allowed; hence SSL2.CGI is not parsed.
- The private key file is protected using a password specified in SSL Configuration Utility. This password is required for decoding the key file while loading the SSL server. This password is stored in the registry and automatically retrieved during the loading process of SSL Server. The registry path for IMail Server is usually SOFTWARE\Ipswitch\imail\ssl. The registry path must be correct; otherwise, an error message is generated and the files will not be created.
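The checks in the troubleshooting list and the address rules from "Using a Different Port for SSL" can be scripted. The following is an added example, not part of IMail Server or Ipswitch's documentation: the sample IWebMsg.ini content and the [WebMessaging] section name are constructed (the real file may be laid out differently, so the parser ignores section headers and matches keys case-insensitively), and the helper names are hypothetical.

```python
import ntpath
import os

# Constructed sample of an IWebMsg.ini: only the EnableSSL and ForceSSL
# keys come from the troubleshooting list; the other lines are made up.
SAMPLE_INI = """\
; constructed sample, not a real IMail configuration file
[WebMessaging]
Port=8383
EnableSSL=0
ForceSSL=1
"""

EXPECTED_REG_PATH = r"software\ipswitch\imail\ssl"


def parse_ini(text):
    """Map key -> value for each key=value line; sections and comments are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip()  # INI keys are case-insensitive
    return settings


def check_ssl_settings(text):
    """Report whether EnableSSL=1 is set and whether the optional ForceSSL key is present."""
    s = parse_ini(text)
    return {"ssl_enabled": s.get("enablessl") == "1", "force_ssl": s.get("forcessl")}


def registry_path_ok(path):
    """Case-insensitive, slash-tolerant check against the documented SSL registry path."""
    norm = path.strip().strip("\\/").replace("/", "\\").lower()
    return norm == EXPECTED_REG_PATH


def ini_path(windir=None):
    """Where IWebMsg.ini must live: the Windows directory (%WINDOWS%, usually \\Winnt)."""
    return ntpath.join(windir or os.environ.get("SystemRoot", r"C:\Winnt"), "IWebMsg.ini")


def ssl_address(host, ssl_port=443):
    """Logon address for SSL; a port other than the standard 443 must be written into it."""
    return "https://%s" % host if ssl_port == 443 else "https://%s:%d" % (host, ssl_port)
```

Run check_ssl_settings on the real file's contents and registry_path_ok on the path entered in the SSL Configuration Utility; a False ssl_enabled or a mismatched path points at the first two items in the list above.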
Ipswitch, Inc. http://www.ipswitch.com
©Ipswitch 2001