What is taint? Web Server Security

A queued message delivery system that allows users to transmit relatively short text messages to other users over the Internet. The messages wait in a mail queue until they are downloaded and read by the ultimate recipient. As with all public services, running an SMTP service entails the risk that the service itself could be exploited to run arbitrary code on the mail server. In fact, this has occurred with every major e-mail server system, including Sendmail, Exchange, and Lotus Notes. The only solution to this problem is to keep e-mail servers in your DMZ or outside your firewall, so that if they are exploited they do not allow further access to the interior of your network. E-mail servers must be kept up to date on server software and security patches to prevent exploits of known bugs.

Simple Mail Transfer Protocol (SMTP)
The Internet protocol that controls the transmission of e-mail between servers. SMTP is also used to transmit e-mail from clients to servers, but usually not to receive it, because SMTP requires recipient machines to be online at all times.

Sendmail
The most popular e-mail service. Sendmail is open source and was originally part of BSD. Many commercial e-mail services are based on Sendmail.

Exchange
Microsoft's e-mail and messaging server. Exchange was originally designed for private interoffice messaging, with Internet functionality provided as an add-on. It uses the proprietary Microsoft MAPI protocol for exchanging mail between Exchange servers and clients, SMTP for transmitting e-mail on the public Internet, and can be configured to allow POP3, IMAP, and WebMail access as well.

E-mail Encryption and Authentication

The only way to make e-mail truly secure is to encrypt it. Encryption protects against sniffing, accidental misdirection, loss of attached document security, and even forgery.

Warning: E-mail encryption foils all attempts to strip attachments or scan for viruses, because the e-mail server cannot decrypt the mail to check it. Be certain that you only receive encrypted mail from trusted sources.

All e-mail encryption methods use public key encryption to secure messages. To establish secure e-mail, your e-mail encryption package will create a private key for you and a public key that you can send to those who need to receive secure e-mail from you.

Note: This chapter discusses public e-mail security methods. Numerous methods exist to secure private e-mail services within a single organization, but these proprietary systems cannot be effectively used on the public Internet because they only work with e-mail servers of the exact same type. Private mail system security is rarely important, since purely private e-mail systems cannot be attacked from the Internet, so server-to-server encryption systems have little real value.
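The warning above has a direct consequence for a mail gateway: an encrypted message cannot be handed to the attachment stripper or virus scanner, so the only remaining control is whether the sender is trusted. The following is an added example, not code from the original text, showing how a gateway can recognise OpenPGP/MIME and S/MIME enveloped messages and fall back to a sender allow-list for them; the sample messages and the `gateway_decision` policy are constructed for this illustration.

```python
"""Gateway policy for e-mail that cannot be content-scanned because it is encrypted."""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Content types whose payload the gateway cannot decrypt or inspect:
# OpenPGP/MIME (RFC 3156) and S/MIME enveloped data (RFC 8551).
ENCRYPTED_TYPES = {
    "multipart/encrypted",       # OpenPGP/MIME envelope
    "application/pgp-encrypted",
    "application/pkcs7-mime",    # S/MIME; opaque only when enveloped
    "application/x-pkcs7-mime",
}


def is_encrypted(msg: Message) -> bool:
    """True if any MIME part is an encrypted container the scanner cannot open."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ENCRYPTED_TYPES:
            continue
        # S/MIME reuses application/pkcs7-mime for signed-only data, which a
        # scanner can still read; only smime-type=enveloped-data is opaque.
        if ctype.endswith("pkcs7-mime"):
            smime_type = str(part.get_param("smime-type") or "").lower()
            if smime_type and smime_type != "enveloped-data":
                continue
        return True
    return False


def gateway_decision(raw: str, trusted_senders: set) -> str:
    """Return 'scan', 'accept' or 'quarantine' for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    if not is_encrypted(msg):
        return "scan"  # plaintext: hand to the attachment/virus scanner
    # The payload is unreadable here, so sender trust is the only control left.
    _, addr = parseaddr(msg.get("From", ""))
    return "accept" if addr.lower() in trusted_senders else "quarantine"


# Constructed sample messages (not real traffic).
PGP_MAIL = (
    "From: Alice <alice@example.org>\r\nTo: bob@example.net\r\n"
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n\r\n-----BEGIN PGP MESSAGE-----\r\n"
    "(ciphertext omitted)\r\n-----END PGP MESSAGE-----\r\n--b1--\r\n"
)
SMIME_SIGNED = "From: carol@example.com\r\nContent-Type: application/pkcs7-mime; smime-type=signed-data\r\n\r\nMIIB\r\n"
SMIME_ENVELOPED = "From: dave@example.com\r\nContent-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n\r\nMIIB\r\n"
PLAIN_MAIL = "From: carol@example.com\r\nTo: bob@example.net\r\n\r\nhello\r\n"
```

Run on the samples, the OpenPGP message from alice@example.org is accepted only when that address is on the allow-list, the signed-only S/MIME message still goes to the scanner, and the enveloped S/MIME message from an unlisted sender is quarantined.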