IT Baseline Protection Manual - Chapter 7.4 E-Mail
7.4 E-Mail
Description
Electronic mail (e-mail for short) allows electronic messages to be transmitted and received world-wide within very short periods of time. An e-mail usually consists of addresses (from/to), a subject (title or reference), a text body and, occasionally, one or more attachments. E-mail not only allows information to be exchanged quickly, conveniently and informally, but also makes it possible to forward business transactions to other parties for further processing. Depending on the context in which e-mail is used, different requirements apply to the confidentiality, availability, integrity and mandatory nature of the transmitted data as well as to the e-mail software in use.
Threat Scenario
The following typical threats are assumed as regards IT baseline protection of files exchanged via e-mail:
For the implementation of IT baseline protection, it is recommended to select the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4.
As regards e-mail systems, the following essential aspects need to be investigated:
E-mail software is used to transmit, receive and process e-mail. This e-mail software transmits e-mail to, and receives it from, a mail server. The mail server maintains a mailbox for every user. For the further exchange of information, the mail server communicates with gateways which forward the messages to other mail systems.
A comprehensive security policy (refer to S 2.118 Determination of a security policy for the use of e-mail) needs to be prepared before security measures for the exchange of electronic mail are implemented. The operation of e-mail systems requires security measures for the mail server as well as for the clients in use. The security precautions and instructions to be observed by users are of particular importance.
The package of measures for the area of e-mail is listed in the following:
Organisation:
S 2.30 (2) Provisions governing the designation of users and of user groups
S 2.42 (2) Determination of potential communications partners