Educause Security Discussion mailing list archives

Re: Email policy question

From: "Rizzo, Jim" <JRIZZO () PROVIDENCE EDU>
Date: Mon, 20 Oct 2008 21:48:03 -0400

While I don't know much about the technical side of this (only on this list for security information from a support 
standpoint), I am pretty sure Gmail requires you to verify that you are the account holder before it will allow you to 
send out messages as another address... meaning it sends you a message to which you must reply before you can send a 
message out as someone.  I have done this with some of my personal email accounts.
 
Jim
 
--
Jim Rizzo
Helpdesk Manager
Providence College
(401) 865-1277
jrizzo () providence edu
AIM: JRizzoPC
http://itweb.providence.edu/helpdesk
http://selfhelp.providence.edu

________________________________

From: The EDUCAUSE Security Constituent Group Listserv on behalf of Andres Holguin Coral
Sent: Mon 10/20/2008 4:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Email policy question



Here, at "Los Andes" university we have a problem with our email policy, I don't know if any can help me or know who 
can help me with the procedure that is doing for this kind of issues:

One or two years ago when gmail allowed from the google interface to read an external email account (any account from 
uniandes.edu.co using pop/imap) and also allowed to reply using @uniandes.edu.co (for example jhondoe () uniandes edu 
co),  we decided to block in our MX servers the mails with the headers containing in the FROM field the string 
@uniandes.edu.co. This was because we considered that without authentication, anyone in the world could be able to 
spoof uniandes accounts.

Additionally,  we also configured separated SMTP servers with TLS authentication for allowing our users to send valid 
e-mails from outside our campus. However, now our users are requesting to cancel this policy because:

- Many research groups are using mailing-lists from outside the University which modify the headers in such way that 
they appear to be originated from an account with the @uniandes.edu.co domain.

- Many users are using gmail and they would like to use it with their @uniandes.edu.co account.

Our questions is if you have a similar policy and what measures are taking to deal with this kind of problems.



________________________________________________
Atentamente,
Andres Holguin Coral, GSEC
Coordinador de Investigaciones Tecnológicas
Dirección de Tecnologías de Información
Universidad de Los Andes
andres.holguin () uniandes edu co
Tel: +5713324480
Bogotá, Colombia

Current thread:

Email policy question Andres Holguin Coral (Oct 20)
- <Possible follow-ups>
- Re: Email policy question HALL, NATHANIEL D. (Oct 20)
- Re: Email policy question Valdis Kletnieks (Oct 20)
- Re: Email policy question Rizzo, Jim (Oct 20)
- Re: Email policy question Gary Flynn (Oct 21)