Page 879 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
organizations are using Secure SMTP over TLS nowadays; however,
it’s not as widespread as it should be because of a lack of awareness.
Opportunistic TLS for SMTP attempts to set up an encrypted
connection with every other email server that supports it;
otherwise, it falls back to plaintext. Using opportunistic TLS on
SMTP gateways reduces the opportunities for casual sniffing of
email.
Sender Policy Framework (SPF) To protect against spam and
email spoofing, an organization can also configure its SMTP servers
for Sender Policy Framework. SPF operates by checking that inbound
messages originate from a host authorized to send messages by the
owners of the SMTP origin domain. For example, if I receive a
message from mark.nugget@abccorps.com, then SPF checks with the
administrators of smtp.abccorps.com that mark.nugget is authorized to
send messages through their system before the inbound message is
accepted and delivered to the recipient's inbox. There are pros and
cons to using it, so you'll need to weigh the needs of this
extensive service before adopting SPF.
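As an added example that is not from the study guide: SPF as deployed publishes, in a DNS TXT record for the sending domain, the hosts allowed to send its mail, and the receiving server compares the connecting IP against that record. The Python below evaluates such a record (only the ip4, ip6 and all mechanisms; the domain and record are constructed, and the DNS lookup is replaced by an in-memory dictionary) for the sender address and connecting IP of an inbound message.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (hypothetical domain, not from the book).
SAMPLE_SPF = {"abccorps.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"}

# SPF qualifier prefix -> result; a mechanism with no prefix means "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SAMPLE_SPF):
    """Return the SPF result for a connecting IP against the domain's record.

    Only ip4, ip6 and all are evaluated; include, a, mx and friends would need
    live DNS and are treated as non-matching here. Per RFC 7208, no matching
    mechanism yields "neutral", and a missing record yields "none".
    """
    record = records.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"


def check_inbound(mail_from, sender_ip, records=SAMPLE_SPF):
    """Evaluate SPF for an envelope sender like user@domain and a connecting IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return check_spf(domain, sender_ip, records)


if __name__ == "__main__":
    # Constructed inbound message: mailbox from the book's example, sent from an authorized host.
    print(check_inbound("mark.nugget@abccorps.example", "192.0.2.45"))   # pass
    print(check_inbound("mark.nugget@abccorps.example", "203.0.113.9"))  # softfail
```

A receiving gateway maps these results to policy (for example rejecting "fail" while tagging "softfail" for spam scoring), which is where the balancing of pros and cons mentioned above takes place.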
Free PGP Solution
PGP started off as a free product for all to use, but it has since
splintered into various divergent products. PGP is a commercial
product, while OpenPGP is a developing standard that GnuPG is
compliant with and that was independently developed by the
Free Software Foundation. If you have not used PGP before, we
recommend downloading the appropriate GnuPG version for your
preferred email platform. This secure solution is sure to improve
your email privacy and integrity. You can learn more about GnuPG
at http://gnupg.org. You can learn more about PGP by visiting its
pages on Wikipedia.
By using these and other security mechanisms for email and
communication transmissions, you can reduce or eliminate many of

