Re: ND Status of SMTPAuth and SSL'ed e-mail

[Karen Eft <kareneft () BERKELEY EDU>]

DeWitt:
See info re UC Berkeley "CalMail" system's new security
requirements due to our impending enforcement of "Minimum
Standards for Security of Networked Devices":

http://istpub.berkeley.edu:4201/bcc/Spring2005/calmailsecurity.html
("Secure connections to CalMail required beginning March 1")

Not all our email users are on this central system, but it is
attracting more small "satellite" systems to convert, rather than
continue maintaining their local services.

The implementation was very work intensive, including the
user assistance, but it seems to be going well now.
-Karen

At 7:48 AM -0500 4/13/05, Dewitt Latimer wrote:
> Thread-Index: AcVAJx2HV8T4FFFRQE+/OXphdVr+Ow==
> X-ND-MTA-Date: Wed, 13 Apr 2005 07:48:32 -0500 (EST)
> X-ND-Virus-Scan: engine v4.3.20; dat v4467
> Date:         Wed, 13 Apr 2005 07:48:39 -0500
> Reply-To:     The EDUCAUSE Security Discussion 
> Group Listserv 
> <SECURITY () LISTSERV EDUCAUSE EDU>
> Sender:       The EDUCAUSE Security Discussion 
> Group Listserv 
> <SECURITY () LISTSERV EDUCAUSE EDU>
> From:         Dewitt Latimer <dewitt () ND EDU>
> Subject: [SECURITY] ND Status of SMTPAuth and SSL'ed e-mail
> Comments: To: The EDUCAUSE CIO Constituent Group Listserv
>           <CIO () LISTSERV EDUCAUSE EDU>
> To:           SECURITY () LISTSERV EDUCAUSE EDU
>
> (Apologies for the cross post)
>
> Colleagues - Approximately a year ago, Notre 
> Dame started an initiative to stop sending 
> passwords in the clear by our largest offender 
> (e-mail) as well as cut down on the amount of 
> spam sent from hijacked campus machines.  This 
> e-mail is nothing more than a status update for 
> those attempting similar feats or curious how 
> things are going.
>
> In August 04, we made SMTPAuth mandatory for all 
> users in our ResNet and blocked in/out traffic 
> on port 25 except for smtp.nd.edu and other 
> registered departmental MTAs.  SMTPAuth was also 
> made mandatory for everyone using smtp.nd.edu 
> from off-campus.  Moreover, we started a 
> communications program to strongly encourage 
> SMTPAuth for all on-campus (non ResNet) users of 
> smtp.nd.edu and the configuration of SSL/IMAP or 
> SSL/POP.  The SMTPAuth & SSL requirement will be 
> come mandatory for on-campus (non ResNet) users 
> very shortly.  As a side note, we turned off 
> non-SSL Webmail.
>
> Without passing commentary as to whether we are 
> where we want to be, for a typical day (April 
> 11, 2005):
>
> SMTPAuth
>
>
> Messages submitted from local systems via SMTPAuth, excluding Webmail
> 41642
> 49%
> Messages submitted via SSL-Webmail
> 32622
> 38%
>
>
>
> Messages submitted WITHOUT SMTPAuth including 
> messages from white-listed systems
> 10997
> 13%
>
>
>
>
>
>
> SSL-enabled clients (excluding Webmail logins)
>
>
> Number of systems using secure POP/IMAP logins
> 2,493
> 57%
> Number of systems using insecure POP/IMAP logins
> 1,867
> 43%
>
>
>
> Number of SSL-enabled POP/IMAP connections
> 206,356
> 53%
> Number of insecure POP/IMAP connections
> 182,324
> 47%
>
>
>
> So we're doing pretty well on the SMTPAuth (87%) 
> which, when coupled with Port 25 blocks has 
> helped immensely on the amount of SPAM 
> originating from nd.edu.  The normal summer 
> upgrade of desktops & images will put a large 
> dent in the 1900 machines not yet configured for 
> SSL IMAP/POP.  Kudos to our Messaging, InfoSec, 
> and desktop support teams for their diligence.
>
> Thus the path to any long journey begins with a first stepŠ
>
> -d
>
> -----------------------------------------
> Dewitt Latimer, Ph.D.
> Deputy CIO and Chief Technology Officer
> The University of Notre Dame
> dewitt () nd edu
>
> ********** Participation and subscription 
> information for this EDUCAUSE Discussion Group 
> discussion list can be found at 
> http://www.educause.edu/groups/.


--
=========================================================
 Karen E. Eft   Information Technology Policy Manager
 UC Berkeley (510)642-4095 http://itpolicy.berkeley.edu
=========================================================

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/groups/.