
I am working with a new partner who has provided an 'internal' messaging service using an email server. It is designed to provide secure communications between geographically widespread individuals all working under a common domain for messaging (email). I am using Thunderbird as the mail client.

The MTA is set up for sending through port 587 using SSL and using a plain text password, which I believe to be adequate as the whole session is encrypted, but incoming email is on port 143 without a tunnel, but with an encrypted password. Can someone more security literate than I please confirm whether this is as insecure in terms of message receipt as I believe it to be?

There is no external routing - all within direct connection to the MTA, so I don't have to worry about the security of other MTAs, but my concern is that the username and indeed the entire message may be in plain text - and, even more concerning, a 'man in the middle' may be able to copy the encrypted password and use it to log in - even if they cannot decrypt it back to plain text.

Are my concerns over the top?

The data being moved this way is reasonably serious personal financial data for various third party individuals who have given permission for secure processing of their data.


1 Answer


If I am understanding your situation and concerns correctly, no, it is not secure by standard terms, because data in transit can be read. I would not worry about the password itself, since you say it is encrypted in transit.

Email has often been referred to as a "post card" because without encryption on the message itself, the letter has no "envelope", and is easily read by anyone who passes it along. That exposes the content of the message to any network operator between source and destination.
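The following is an added example, not code from the question or the answer, that puts the two points above into a checkable form: it classifies what an IMAP client configuration exposes on the wire from the server's CAPABILITY line and the client's settings, and it shows why a challenge-response password cannot be copied and submitted again while the mailbox traffic itself stays readable. It assumes that Thunderbird's "Encrypted password" setting selects CRAM-MD5 (RFC 2195); the capability strings, usernames and challenges are constructed sample data, and the two live helpers at the end (`server_offers_starttls`, `secure_login`) take a hostname you supply and are not run here.

```python
"""Added example: assess the wire exposure of an IMAP session and show the
CRAM-MD5 challenge/response. Capability strings and credentials below are
constructed, not captured from any real server."""
import base64
import hashlib
import hmac
import imaplib
import ssl


def parse_capabilities(cap_line):
    """Turn '* CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5' (or the bare data
    imaplib returns for the same response) into an upper-cased token set."""
    tokens = cap_line.strip().split()
    if tokens[:2] == ["*", "CAPABILITY"]:
        tokens = tokens[2:]
    return {t.upper() for t in tokens}


def assess_session(caps, port, client_uses_starttls, auth_mechanism):
    """Describe what an eavesdropper on the path sees for one configuration.
    auth_mechanism is 'PLAIN' (Thunderbird 'Normal password') or 'CRAM-MD5'
    (assumed here to be what 'Encrypted password' selects)."""
    implicit_tls = port == 993                       # IMAPS: TLS from the first byte
    starttls = client_uses_starttls and "STARTTLS" in caps
    encrypted = implicit_tls or starttls
    challenge_response = auth_mechanism.upper() == "CRAM-MD5"
    return {
        "transport_encrypted": encrypted,
        # Without TLS every command, folder listing and message body is cleartext.
        "message_content_readable_in_transit": not encrypted,
        # PLAIN/LOGIN carry the password itself; CRAM-MD5 carries an HMAC of it.
        "password_readable_in_transit": not encrypted and not challenge_response,
        # A CRAM-MD5 response is bound to a one-time server challenge, so a
        # copied response cannot be submitted later; a copied PLAIN password can.
        "password_replayable": not encrypted and not challenge_response,
        # A captured challenge/response pair can still be guessed against
        # offline, so CRAM-MD5 without TLS only protects strong passwords.
        "password_guessable_offline": not encrypted and challenge_response,
        # Servers advertising LOGINDISABLED refuse cleartext LOGIN before TLS.
        "server_blocks_cleartext_login": "LOGINDISABLED" in caps,
    }


def cram_md5_response(username, password, challenge):
    """RFC 2195 client response: base64('user ' + hex(HMAC-MD5(password, challenge)))."""
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


def decode_response(response):
    """Split a CRAM-MD5 response back into (username, hex digest), as the
    server does; the password itself never appears in it."""
    username, digest = base64.b64decode(response).decode().split(" ", 1)
    return username, digest


def server_offers_starttls(host, port=143, timeout=10.0):
    """Live check (not run here): read capabilities over a cleartext
    connection and disconnect before any credential is sent."""
    conn = imaplib.IMAP4(host, port, timeout=timeout)
    try:
        _typ, data = conn.capability()
        return "STARTTLS" in parse_capabilities(data[0].decode())
    finally:
        conn.logout()


def secure_login(host, username, password, port=143):
    """Live helper (not run here): upgrade to TLS with certificate
    verification before the password crosses the wire."""
    conn = imaplib.IMAP4(host, port)
    conn.starttls(ssl.create_default_context())
    conn.login(username, password)
    return conn


if __name__ == "__main__":
    # Constructed sample matching the question: port 143, no STARTTLS offered,
    # 'Encrypted password' (assumed CRAM-MD5).
    caps = parse_capabilities("* CAPABILITY IMAP4rev1 AUTH=CRAM-MD5 AUTH=PLAIN")
    for key, value in assess_session(caps, 143, False, "CRAM-MD5").items():
        print(f"{key}: {value}")
```

Run against the question's configuration the assessment reports the transport as unencrypted and the message content as readable, while the password is neither readable nor replayable (but is exposed to offline guessing). Selecting STARTTLS in the client only helps when the server advertises it, which is what `server_offers_starttls` checks; port 993 (IMAPS) removes the dependency on that negotiation altogether.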

