IT Baseline Protection Manual S 5.57 Secure configuration of mail clients
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator, IT users
E-mail programmes used by staff members should be pre-configured by the administrator so as to automatically achieve the maximum possible degree of operational security. Users should be instructed not to modify this configuration of their own accord.
The following items are of particular importance when configuring e-mail clients:
- E-mail passwords must never be stored permanently by the e-mail programme. Stored passwords are kept on the client's hard disk, sometimes protected only by very weak encryption, or even in plain text. Anyone with access to the mail client is thus able to read the e-mail passwords and impersonate the e-mail sender.
- The reply address should consist of the user's own e-mail address, to ensure that no internal e-mail addresses are passed on.
- To minimise the load on the network, mail clients should not check the mail server too frequently for new messages. Automatic fetching every 30 minutes (= 1800 seconds) is recommended as a standard value and proves sufficient in most cases. If an urgent message awaits a user, the e-mail programme should be triggered manually to check the mailbox.
- Messages fetched from the mail server should also be deleted there afterwards. This precludes repeated fetching of the same message and prevents the mail server from running out of storage space.
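As an added example (not part of the safeguard text), the following script audits a mail-client profile against the four points above. The INI layout, key names (`store_password`, `reply_to`, `check_interval_seconds`, `leave_on_server`) and sample values are constructed assumptions for illustration; real clients store their settings differently.

```python
# Added example: audit a mail-client profile against the points of S 5.57.
# The INI layout, key names and sample values are constructed for illustration.
import configparser

RECOMMENDED_INTERVAL_SECONDS = 1800  # 30 minutes, as stated in S 5.57

# Constructed sample profile that deliberately violates all four points.
SAMPLE_PROFILE = """
[account]
user_address = j.doe@example.org
reply_to = j.doe@mail-int.example.org
password = hunter2
store_password = true
check_interval_seconds = 300
leave_on_server = true
"""

def audit_profile(text: str) -> list[str]:
    """Return a list of findings; an empty list means the profile complies."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    acct = cfg["account"]
    findings = []

    # 1. Passwords must not be stored permanently by the client.
    if acct.getboolean("store_password", fallback=False) or acct.get("password", fallback=""):
        findings.append("password is stored in the profile")

    # 2. Reply address must equal the user's own address so no internal address leaks.
    user = acct.get("user_address", fallback="").strip().lower()
    reply = acct.get("reply_to", fallback=user).strip().lower()
    if reply != user:
        findings.append(f"reply address {reply!r} differs from user address {user!r}")

    # 3. Polling interval should not be shorter than the recommended 30 minutes.
    interval = acct.getint("check_interval_seconds", fallback=RECOMMENDED_INTERVAL_SECONDS)
    if interval < RECOMMENDED_INTERVAL_SECONDS:
        findings.append(f"check interval {interval}s is below {RECOMMENDED_INTERVAL_SECONDS}s")

    # 4. Fetched messages should be deleted from the server, not left there.
    if acct.getboolean("leave_on_server", fallback=False):
        findings.append("messages are left on the server after fetching")

    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print("FINDING:", finding)
```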