E-mail Virus Protection Handbook, part 3 (ppt)


Chapter 3 • Securing Outlook Express 5.0 and Eudora 4.3

www.syngress.com
119_email_03 10/4/00 9:27 PM Page 76

Introduction

As the popularity and availability of the Internet have increased over the last few years, the use of e-mail has become equally widespread. No longer is it sufficient to have an e-mail address to share with friends. Now there are hundreds of e-mail services that provide vanity addresses based on hobbies, interests, political alignment, and even family names.

In addition to choosing a reliable e-mail service provider from the hundreds (actually, thousands!) of choices on the Internet, you can also choose from a variety of e-mail clients. Some are good, some are bad, some have a limited feature set with a small price tag, some are feature-rich and costly.

Two of the most popular and reliable e-mail clients are Microsoft’s Outlook Express and Qualcomm’s Eudora. In addition to being solid mail clients with a long list of desirable e-mail features, these clients are available in similar offerings for both PC and Macintosh computers. Outlook Express is a free e-mail client that comes bundled with Microsoft’s Internet Explorer, although it can be installed as a separate tool. Eudora comes in both free and pay versions, with the pay version adding some advanced features not available in the free version (the average e-mail user does not even necessarily need those features).

One other added benefit to using these two programs for e-mail is that both programs have Pretty Good Privacy (PGP) plug-ins available that integrate PGP security functions directly into the application interface. By integrating PGP functions into the application, users of these clients can more easily and reliably take advantage of the extra security that PGP provides.

Fortunately, both programs offer mail security options with their basic configurations. This chapter will examine these two products on both platforms, showing how to configure the applications to help keep your mail system clean and secure. At the end of the chapter, we will demonstrate how to incorporate PGP with these applications and provide a list of frequently asked questions related to the material presented in the chapter.

Outlook Express for Windows

Outlook Express is a scaled-down version of Microsoft’s Outlook e-mail program, which is an update to their Exchange mail system. Outlook Express is designed solely for Simple Mail Transfer Protocol (SMTP)-based mail systems and cannot interact with an Exchange mail server unless Post Office Protocol (POP) or Internet Message Access Protocol (IMAP) services are enabled on that server. Information about securing e-mail services using an Exchange mail system was covered in Chapter 2.

Outlook Express also relies heavily on other applications for some of its configuration settings. As described in the next few sections, you will see that Internet Explorer plays a large role in determining how Outlook Express will handle some content that it receives via e-mail.

Security Settings

The security settings for Outlook Express can be found by selecting Options under the Tools menu in the application and clicking on the Security tab of the Options dialog (see Figure 3.1). This tab is divided into two sections: Security Zones and Secure Mail. The Security Zones section is based on Internet Explorer security zone settings and will be described in the next section of the chapter. The Secure Mail section deals with digital IDs and is described next.

A digital ID, or security certificate, is a special file that uniquely and securely identifies an individual. When a security certificate is incorporated into Outlook Express, the person using the certificate can sign outgoing messages with the signature from the certificate. This allows the recipient of the signed message to verify that the message did come from the sender and that the message was not altered after it was sent.
When two individuals have digital IDs incorporated into their Outlook Express mail clients, one person can encrypt an outgoing message to the other person so that only the recipient can decrypt the message and view the contents.

Figure 3.1 Security settings in the Outlook Express Options dialog.

Because the digital ID security supported in Outlook Express will fully interact only with Windows-based Outlook Express and Outlook e-mail clients, a complete discussion on this topic will not be included in this chapter (details on securing Outlook 2000 with digital IDs can be found in Chapter 2). If you want to support secure e-mail with a wider range of potential recipients, you will need to use a broader-based security package such as PGP, which is described later in this chapter. If you plan to implement e-mail security using other security tools, you may skip to the next section of this chapter.

Secure Mail

There are two areas in Outlook Express dealing with secure mail settings using digital IDs. The first is in the Security tab of the Outlook Express Options dialog, shown in Figure 3.1. In the Secure Mail section of this dialog, there are three buttons dealing with digital IDs. The Tell me more… button in the Secure Mail section of the Security Options dialog will open the Outlook Express help system to the digital ID topics, allowing you to read more about digital IDs and how to use them in Outlook Express. The Get Digital ID… button opens your Web browser to Microsoft’s Web site where you can sign up for a trial security certificate or purchase a full certificate. The Digital IDs… button will open the Certificate Manager, where you can manage the digital certificates you have received from other individuals or companies.
The Encrypt Contents and Attachments for All Outgoing Messages checkbox will encrypt all outgoing content by default when a recipient’s e-mail address matches a certificate stored in the Certificate Manager. If a matching certificate is not on file for a destination address, the message and any attachments will be sent in clear text. Likewise, the Digitally Sign All Outgoing Messages checkbox will sign every outgoing message with the sender’s digital signature by default. This signature can be interpreted and authenticated by mail systems supporting the digital ID, and other mail systems will simply display the text representation of the digital signature. Unlike encrypting a message, applying a digital signature to a message does not require a matching security certificate for the recipient.

Clicking on the Advanced… button in the Security dialog will open the Advanced Security Settings dialog, shown in Figure 3.2. These options are self-descriptive and can be left in their default state unless a specific situation requires a setting to be modified.

Figure 3.2 Advanced Security Settings dialog box.

The other location for setting secure mail options is in the Account Profile dialog box, shown in Figure 3.3. These settings are in the Security tab of the Account Properties dialog box, which can be opened by selecting the Accounts item from the Tools menu. Clicking the Select… button in the Signing Certificate section allows you to locate the security certificate to be used for outgoing messages for that account. Specifying the digital certificate and encryption algorithm in the Encrypting preferences section will transmit this information to others when digitally signing outgoing e-mail. With this information, others will be able to correctly encrypt messages destined for this account.

Figure 3.3 Security settings for the mail account.

Security Zones

As mentioned earlier, Outlook Express does not manage its own settings for security zones. Instead, it imports this information from the Internet Options for the system, which are usually configured through Internet Explorer. In Internet Explorer, the Internet Options dialog can be opened under the Tools menu. Opening the Internet Options Control Panel will also open this interface.

Though it may not make much sense to handle e-mail security issues through the Web browser’s security settings, there is a good reason for it. Much of the e-mail that is transmitted today includes HTML formatting for font styles, text colors, and including images in the message body rather than as attachments. Outlook Express, along with other mail clients, can receive HTML files as e-mail messages and display them correctly within the mail browser. This means that much of the media content that goes into Web page presentation can now be sent in e-mail, including scripts, applets, and Java and ActiveX content. Therefore, the same security that you want to apply to your Web browser should also apply to your e-mail client.

Figure 3.1 shows that Internet Explorer offers only two settings for security zones from Internet Options. The choice of which zone’s settings to use will depend on how the zone is configured on the computer. The Internet zone is intended to be fairly unrestricted, so that most Web content can be viewed with the browser. The Restricted sites zone is intended to identify sites with known bad or suspicious content and limit what the browser will do with content received from that site.

Figure 3.4 shows the Internet Options dialog with the Internet zone selected. Internet Options has four pre-defined security settings for the zones: High, Medium, Medium-Low, and Low.
One of these four default settings can be selected for each zone, or a custom security set can be assigned. The High security setting is the most restrictive, limiting the automatic activation of most media content. The Low setting is the least restrictive, allowing content to be activated with very few prompts or warnings. The Internet zone is for all Web sites that haven’t been explicitly assigned to another zone.

The only other zone used by Outlook Express is the Restricted sites zone, whose settings are shown in Figure 3.5. As with the Internet zone, one of the four default security settings can be applied to this zone, or custom settings can be created.

Most Outlook Express users will choose to use the Internet zone for the e-mail security settings. However, as more and more interactive content finds its way into e-mail messages, system administrators and others who are using Outlook Express as the e-mail client may choose to implement more secure settings on incoming mail messages.

Figure 3.4 Internet Security Options settings for the Internet zone.

Figure 3.5 Internet Security Options for the Restricted sites zone.

Attachments

Although interactive content within e-mail messages is becoming more prevalent, the main security concern of system administrators and end-users alike is e-mail attachments. Many people don’t think twice about double-clicking an attachment in a mail message, especially if the message is from someone they know. It is this blind trust that has increased the spread of traditional and macro viruses over the last few years. In fact, many new viruses specifically prey on this blind trust and are written to interact with the mail system as soon as they are activated.

For Managers: Using Technology to Solve Management Problems

Although great advances have been made in developing technology solutions to prevent the spread of e-mail viruses, technology solutions will always be one step behind the virus writers. Just as soon as a bulletproof solution is developed and implemented on a system, someone will take it as a challenge to find a way around the solution. More often than not, a way will be found around the fix, and the cycle will start all over again.

One of the best ways to prevent the spread of e-mail viruses within your company is to mandate that employees not open e-mail attachments received from outside the company. Even the most up-to-date virus scanner sitting on a mail server is going to miss the latest version of an e-mail virus that is making its way around the world. But if an employee receives the virus in e-mail and does not open the attachment, the spread of the virus is stopped there. In order for this approach to be successful, employees must be made aware of why they cannot open attachments.

Another essential policy is that all outgoing attachments must be scanned and verified virus-free before being sent. While you don’t want employees spreading viruses within the office, you also don’t want your company to be the source of an infection in another company.

Having protection technology in place to defend against virus attacks is insufficient on its own. People must understand how to use the technology, why they should use the technology, and what will happen if they fail to use it. Implementing a technology solution without user education makes a company almost as vulnerable as not taking any precautions in the first place.

Most mail clients have responded to this issue by making it more difficult to blindly open mail attachments.
For example, Outlook Express has added several warning messages that are activated when attachments are opened. All these warnings do is add a few extra mouse clicks to the process of opening an attachment, but in some cases the display of the warnings has been enough to make people think twice about opening an attachment.

When a user receives a message with an attachment and tries to open it, Outlook Express will present the user with the warning message shown in Figure 3.6. The warning message is clear: opening the attachment could unleash a virus on the computer. The attachment should be saved to disk and scanned for viruses before being opened. Unfortunately many people will ignore this message and go ahead and choose to open the attachment, allowing any potentially harmful code to be executed on their system.

Figure 3.6 Open Attachment Warning message.

If the attachment is an executable file, not a document, and the user chooses to open the file without saving it first, Outlook Express will present a second warning message, shown in Figure 3.7. The contents of the dialog box will change depending on the source of the file. Figure 3.8 shows the Security Warning dialog box when Outlook Express has recognized that a vendor has signed the attachment. The vendor information is displayed in the message, along with the expected contents of the application. When a signed file is damaged or altered before it is received, attempting to open the file will generate the Security Warning message shown in Figure 3.9. This warning indicates that something is wrong with the attachment, and that the file should be deleted without being opened.

Some anti-virus software programs, such as Norton AntiVirus, now offer direct security integration with Outlook Express.
When installed and configured correctly, the anti-virus software sits between Outlook Express and the e-mail server and scans file attachments as they are downloaded from the mail server. The anti-virus software can then alert you if there are problems detected with a file attachment before you try to open the file from within Outlook Express. Of course this added protection is only as good as the updates. Adding automatic scanning of file attachments does little good if the virus scanner definitions are months out of date.

Figure 3.7 Attachment Security Warning dialog box for unsigned executable files.

Figure 3.8 Attachment Security Warning dialog box for signed executable files.

Outlook Express for Macintosh

Outlook Express 5 for Macintosh is the latest release in the series of Macintosh-based POP and IMAP mail clients from Microsoft. Outlook Express has become increasingly popular in the Macintosh community over the last few years because of its rich feature set and ease of use.

Anyone who has used Outlook Express on both platforms will tell you that the two programs are very different. The differences are more than just user interface design and program operation. There are key differences in the way the two programs approach e-mail security. For starters, Outlook Express for Macintosh does not make use of Security Zones like its Windows counterpart. Outlook Express for Macintosh also does not support digital IDs. This does not mean that Outlook Express is an insecure mail client, but users of the mail program must perform more security steps for themselves, rather than relying on tools within the program.

The remainder of this section will focus on message filtering tools, which can be used to help avoid unwanted or potentially dangerous messages, and handling file attachments.
Information on sending and receiving secure e-mail with Outlook Express for Macintosh will be covered in the PGP section at the end of this chapter.

Junk Mail Filter

Outlook Express for Macintosh includes a junk mail filter, which helps you identify incoming junk mail messages. When enabled, the filter watches messages for signs of spam, such as potentially forged or obviously invalid sender e-mail addresses. When the filter identifies a message as potential

Figure 3.9 Security Warning message indicating a problem with the authenticity of the file.

[...]

... the message window is closed. When the option is enabled, the decrypted message contents are displayed in the PGP viewer. When an encrypted message is opened in the secure viewer by Eudora, the entire contents of the message, message headers and all, are displayed in the viewer window. When opened by Outlook Express, only the message contents are displayed in the viewer window. In both cases, when the ...

... readable by anyone but the recipient, and then only after the recipient has decrypted the message. In order to send an encrypted message, the sender and recipient must have each other’s PGP keys. The sender uses the recipient’s PGP key to encrypt the contents of the message, and the recipient must have the sender’s key to correctly decrypt the message. Although encrypted messages can also be PGP signed, ...

... encrypted. If PGP cannot identify the PGP key for the recipient based on the destination e-mail address specified in the message editor, it will prompt the user to select the PGP key for the recipient. If the wrong recipient PGP key is selected, the recipient will not be able to decrypt the message received.

Receiving PGP-Secured Messages

Admittedly, PGP-signed and encrypted messages aren’t very pretty when ...

... which means that the contents of the message are sent in clear text, but the message is signed by the sender’s PGP key. The PGP signature is based on the contents of the message as well as the sender’s key, so that when the message is received and the recipient verifies the message, the verification will fail if the contents of the message were altered during transmission. The sender and receiver know ...

... the PGP preferences and not the e-mail client preferences. Figure 3.33 shows the e-mail options in the PGP Preferences window.

Figure 3.33 PGP E-mail Settings window

The option Use PGP/MIME When Sending E-Mail specifies whether e-mail is sent using PGP/MIME encryption. This option is usually disabled by default, as PGP/MIME is not recognized by every e-mail application. The Encrypt New Messages By Default ...

... that the contents of the message are intact when the signature is verified by the recipient, even though the contents of the message were readable by anyone during transmission. When signing a message the sender does not need a PGP key for the recipient, but the recipient must have the sender’s PGP key to verify the message. Messages can also be encrypted by PGP, so that the contents of the message are not ...

... a message

WARNING: Be sure not to change the contents of a message once it has been signed or encrypted, or the recipient will not be able to verify or decrypt the message upon receipt.

Receiving PGP-Secured Messages

When a PGP-secured mail message is received in Outlook Express for Macintosh, the message must be opened in a Message window before any of the PGP functions can be applied to the message ...

Setting up a message filter is as simple as selecting the Make Filter… item under the Special menu with a message selected. The filter template is opened and pre-completed with key information from the selected message (see Figure 3.18). The filter can then be triggered on information in the From:, To:, or Subject: fields of the message. If there is a match, the message can be transferred to a new or existing mailbox (including the Trash mailbox). If the basic ...

... in the new message window, PGP does not sign or encrypt the message until the message is being packaged for delivery. The user will only briefly see the message contents modified right before the message window is closed when the message is sent. When the outgoing message is signed or encrypted, PGP will prompt the user to enter the passphrase for the signing key. Subsequent signed/encrypted messages may ...

... encrypt the file using the PGP key of the intended recipient. When doing this, the sender must have the recipient’s PGP key to encode the file, and only the recipient can decrypt the file. If the file is to be transmitted to several recipients, the sender would have to encode the file individually for each recipient of the file. This is the most secure method for transmitting secure file contents. The second option ...

... configure its responses, open the Filter window by selecting the Junk Mail Filter… item from the Tools menu (see Figure 3.10). To enable the filter and accept the default settings, select the Enable ...
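
The Security Zones and Attachments sections above name two delivery paths: active content in HTML message bodies and executable attachments. The Python sketch below is an added example, not code from the book or from either mail client; it triages a message before anything is opened, and its function names, extension and tag lists, and sample message are assumptions constructed for illustration.

```python
import email
import hashlib
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Assumed, non-exhaustive list of extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Tags that carry the script, applet and ActiveX content the chapter mentions.
ACTIVE_TAGS = {"script", "applet", "object", "embed", "iframe"}


class ActiveContentFinder(HTMLParser):
    """Records active-content tags and inline event handlers (onload=, onclick=...)."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}>")
        self.findings.extend(f"{tag}[{name}]" for name, _ in attrs if name.startswith("on"))


def triage(raw_message: bytes) -> dict:
    """List active HTML content and attachment facts (name, hash, type) without opening anything."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    report = {"active_html": [], "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            payload = part.get_payload(decode=True) or b""
            lower = filename.lower()
            ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
            executable = ext in EXECUTABLE_EXTS
            report["attachments"].append({
                "filename": filename,
                "sha256": hashlib.sha256(payload).hexdigest(),
                "executable": executable,
                # "report.doc.vbs" looks like a document when extensions are hidden.
                "double_extension": executable and lower.count(".") >= 2,
            })
        elif part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            report["active_html"].extend(finder.findings)
    return report


def build_sample() -> bytes:
    """Constructed sample message: HTML body with script plus two attachments."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m.set_content("plain text body")
    m.add_alternative(
        '<html><body onload="x()"><script>x()</script><p>hi</p></body></html>',
        subtype="html")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename="report.doc.vbs")
    m.add_attachment("meeting notes", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```

The SHA-256 value lets the file saved to disk be matched against the virus scanner's verdict before anyone opens it.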

Date posted: 14/08/2014, 04:21
