Educause Security Discussion
mailing list archives
Re: Email policy question
From: "HALL, NATHANIEL D." <halln () OTC EDU>
Date: Mon, 20 Oct 2008 15:50:18 -0500
We do not allow e-mail messages that use a FROM address of OTC.edu to enter our mail system unless they come from an
authenticated session. The only problems we have experienced are related to the "E-mail this link to a friend"
systems. We end up telling people to use a fake address, their personal address, or to just e-mail them the link.
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking
Office: (417) 447-7535
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andres
Sent: Monday, October 20, 2008 3:34 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Email policy question
Here, at "Los Andes" university we have a problem with our email policy, I don't know if any can help me or know who
can help me with the procedure that is doing for this kind of issues:
One or two years ago when gmail allowed from the google interface to read an external email account (any account from
uniandes.edu.co using pop/imap) and also allowed to reply using @uniandes.edu.co (for example jhondoe () uniandes edu
co), we decided to block in our MX servers the mails with the headers containing in the FROM field the string
@uniandes.edu.co. This was because we considered that without authentication, anyone in the world could be able to
spoof uniandes accounts.
Additionally, we also configured separated SMTP servers with TLS authentication for allowing our users to send valid
e-mails from outside our campus. However, now our users are requesting to cancel this policy because:
- Many research groups are using mailing-lists from outside the University which modify the headers in such way that
they appear to be originated from an account with the @uniandes.edu.co domain.
- Many users are using gmail and they would like to use it with their @uniandes.edu.co account.
Our questions is if you have a similar policy and what measures are taking to deal with this kind of problems.
Andres Holguin Coral, GSEC
Coordinador de Investigaciones Tecnológicas
Dirección de Tecnologías de Información
Universidad de Los Andes
andres.holguin () uniandes edu co