Authentication via email

Currently, I'm working on a program that is to be accessed through email. However, I need an easy (or not so easy, if needed) way to authenticate whether or not the sender is authorized to use it. This is for corporate servers, so security is a must. I thought of a list of authorized addresses on the server side, but that doesnt cover spoofing of the address. Also, any password or some such in the subject or message body ought to be easily picked up by anyone who gets inside the email and looks through it. Use of a seperate agent to send the email isnt a big problem, but that isnt as preferable. Also, I don't want to have to enforce any changes to the mail server. I don't know too much about security, so any help would be greatly appreciated.

A few priliminary questions:

1. What OS are you running on the server?

2. What language are you using for your program?

3. What is the MTA?

4. What is the mail client?

5. How many users do you have?

6. Is it for LAN or WAN?

7. Will users be accessing it from home?

- also -


How do you mean 'accessed through email'? Is it a link they click that takes them to a script? Or a shell extension for the mail client?


Not if it's encrypted. Or, if it's web-based, you could issue certificates to all of your users and authenticate the sender that way. I need to know more about the server, the MTA and the mail client first!

I say this in the spirit of helping you out, so I hope you don't take offence, but you MUST be more specific when posting on these forum pages. The easier you make it for people to help you, the faster you'll get help!

Anyway...

Best,

nao

Thanks for the reply!

1. Windows NT 4/2000/2003. It'll be running on a variety of Windows platforms.

2. Visual C++.

3. Exchange.

4. Could be anything.

5. Not sure. Only admin will be using it though.

6. LAN & WAN. I plan to set it up with its own email account so it can be used from anywhere.

7. Yes, it'll be potentially accessed from anywhere in the world.


Basically, the program would watch the email account for new messages, and when one is found it would parse the email, and do certain actions based on what is contained in the body.

About the encryption, someone mentioned an encryption standard for email to me once, I forget what it was called, but I think it was M somthing. I'm still only learning c++, so I want to preferably to keep it from being too complicated. By certificates, do you mean somthing like personal keys?

No offense taken. I'm new to forums, so I'm still learning. Thanks for the pointer

Hi again,

I see. OK, let me make sure I get it right -

You want to write a program that monitors incoming email and parses any email message that contains administrative instructions.

I'm assuming you know how to write your C++ app., to work with Exchange (OLE or DDE?) I don't know a lot about Exchange (I use sendmail), but I assume you could schedule your VC application run every 5 minutes and process any emails addressed to the account you want to use for the parsing. Can you get Exchange to create an 'Action' that calls your appliation every time it receives an email for parsing? That would be a more efficient solution.

You can use MD5 encryption with VC++. I would create an MD5 signature for all of your senders that's incuded in the email:


You could, of course, encrypt the whole email, but if you have a large volume of email to parse, you might find issues with performance degredation on the server (depends what kind of volume the server can handle). If this is the case, I'd send the Instruction portion in cleartext (unencrypted) and just include the Authentication signature in encrypted form.

So, you have two layers of security/authentication:

1. Only process emails sent to your 'parser' email address
2. Of those emails, only process the ones that have the correct MD5 checksum in the Authentication

You could add another layer of security/authentication by telling Exchange to only accept emails from a list of receipants - but that would involving maintaining some kind of list (god knows how Exchange would do that).

Here is a good tutorial on implementing MD5 for VC++: http://www.codeguru.com/algorithms/MD5.html

How are you going to generate the instructions to send in the email in the first place?


Nao

Ok, that makes sense. I've never used MD5 before, so thanks for that link! I'll probably be back with more questions, but thanks for pointing me in the right direction