On Thursday 27 June 2002 00:44, Marcus James wrote:
> What I am trying to determine is what the best practices are in this
> regard. My gut-feel says that this is not a good idea since email is
> "inherently insecure" and may be intercepted and so on and so forth. But
> on the other hand is this such a big deal? I'm not sure.

You should be aware of just one fact: if something happens to the e-mail sent to the outside world, it definitely isn't your problem. Sending sensitive data out is, and will always be insecure. What you can do is (if you want to, of course) to propose some other method for users who are out of the office to read their e-mail. Using Remote Access Server for them to dial in to the company is quite nice, relatively easy to set up and much more secure than forwarding e-mails to some insecure server out in the wilderness.

> A second question: Would forcing users to use a web interface to access
> their email instead be "more secure"?

??? What is the network topology? Do they have to use remote service when they're out of office, do they have a LAN, do they have to dial out to the Internet to get some mail (for some unknown reason) or what?

If you're talking about people in offices, they can use any e-mail reader they want (though, I'd prefer preventing them from using Outlook/OE)... If they're outside, I'd recommend making RAS for them to dial in, or exposing one dedicated server in DMZ as Webmail service (with encryption, of course), so users don't have to forward their e-mail to untrusted servers.

--
Radoslav Dejanovic
Senior Associate to Mayor's Office
City of Zagreb, Croatia
