14 December 1998
Source: http://www.ibm.com/Press/prnews.nsf/f2c9dfb4f2374775852565d2000eb728/f5f689efafab1ca3852566da0054821d?OpenDocument

IBM Releases Open Software to Improve Security, Performance & Reliability of Internet E-mail Systems

Free Secure Mailer Code Could Ensure Security of Systems Transferring Billions of E-mails Daily

Yorktown Heights, NY, December 14, 1998: IBM today announced it is making available open source software designed to improve the security, reliability and performance of e-mail delivery services, a crucial component of the Internet's infrastructure. Called Secure Mailer, the new software could replace e-mail delivery software that processes more than three-quarters of the Internet's e-mail traffic today.

Developed by IBM researcher Wietse Venema, Secure Mailer is far more robust and flexible than similar messaging components, called Mail Transfer Agents (MTA). According to Venema, the majority of e-mail -- more than a billion messages sent daily worldwide -- is processed by MTA technology that originated in the early eighties and was not designed with today's Internet traffic and security needs in mind.

Secure Mailer is available for download beginning today from IBM's alphaWorks Web site at www.ibm.com/alphaworks. Secure Mailer is open-source software, so anyone can freely copy, use, modify and distribute it.

"By offering Secure Mailer free without licensing restrictions, IBM is helping build a stronger base for secure e-business," said Jeff Jaffe, general manager for IBM's IT Security. "This is an important step because MTAs with poor security are one of the most common ways for intruders to invade a company's network."

Secure Mailer Offers Security, Reliability, Speed

Messaging systems are comprised of Mail User Agents (MUAs), which send and request mail from users to their designated mail server, and Mail Transfer Agents (MTAs), which deliver mail to and from the various servers on a network. These mail systems are some of the most heavily used pieces of software on the Internet and form the basic plumbing for direct information exchange. Historically, e-mail systems have been a security risk because they must maintain some degree of openness to accept and distribute information.

Secure Mailer is built to be an industrial-strength, general purpose MTA. It is specifically designed to keep up with the daily delivery of millions of messages, while maintaining a performance level nearly three times that of existing MTAs. IBM Research employed "defensive programming" techniques when developing Secure Mailer so it avoids operations and assumptions that could make it vulnerable to intruders, system errors, and malformed or suspicious e-mail. If any irregularities occur, safety nets in the various Secure Mailer components prevent them from adversely affecting the system.

"We designed Secure Mailer so it proactively combats possible threats by assuming there will be attacks and fortifying those potential points of entry," said Venema. "It also protects against inadvertent user or administration errors that could lead to service interruptions."

Secure Mailer was also designed to behave rationally under stress. For example, most mail systems can be dramatically slowed and even frozen by heavy traffic or resource requests, making mission-critical business communications difficult. A malicious attack such as a mail bomb -- when huge amounts of mail are sent to one user or host -- are intended to cripple mail systems. Because these systems cannot differentiate between a mail bomb and legitimate mass mailings on company servers and ISPs, these types of ill-intentioned deeds are difficult to defend against. With Secure Mailer, extremely heavy e-mail traffic will gracefully degrade performance, rather than crash the system.

Modular Structure Enhances Customization and Security

Secure Mailer has a modular architecture, so that each component can focus on its task alone and any problems or irregularities remain isolated to that piece of the application. Most other MTAs are built as singular monolithic programs, making the entire system potentially vulnerable to any problems.

"E-mail systems are like people -- if you gave one person too many responsibilities and too little time, they could suffer burnout," Venema explained. "But Secure Mailer's sturdy components do one task each and do it well."

The modular structure of Secure Mailer makes it much easier to port, configure, maintain and test, as well. Available from IBM for the UNIX/AIX platform, this modular design allows for easy configuration, letting system administrators pick and choose which MTA capabilities they need. It is standards-compliant and is built to be interoperable with the more common standards-compliant MTAs in use today. Migration to this new system is seamless from a user's perspective since the user interface is similar to other MTAs.

"Secure Mailer is intended to be a building block that will evolve under the control of its users working as a team," Venema said. "With widespread input and continued development from the Internet community, Secure Mailer will raise the bar for mail system security and reliability."

IBM has been a leader in system security research and development for several decades. Other contributions this year include:

• IBM 4758 PCI Cryptographic Coprocessor: Earlier this month, IBM Research announced that the IBM 4758 Cryptographic Coprocessor achieved Federal Information Processing Standard 140-1 Level 4 validation. No company or product had ever achieved such high validation for this standard, which is recognized and supported by the U.S. National Institute of Standards and Technology (NIST) and the Canadian Communications Security Establishment (CSE).

• CDSA encryption code: In November IBM and Intel announced that they will work together to develop and promote standards-based security to help customers make their computing environments more secure and interoperable. IBM will use Common Data Security Architecture encryption code on major operating systems (AIX, OS/390, OS/400), plus products such as Vault Registry and IBM eNetwork Firewall for AIX and NT. Intel will license IBM KeyWorks software for use on some Intel chips and by its customers and independent software vendors.

• Cramer-Shoup cryptosystem: In August mathematicians at IBM Research and the Swiss Federal Institute of Technology co-developed a new public-key cryptosystem that provides the first mathematically-proven way to secure information from even the most aggressive Internet hacking attempts.

About IBM

IBM creates, develops and manufactures the industry's most advanced information technologies, including computer systems, software, networking systems, storage devices and microelectronics. With headquarters in Armonk, New York, IBM maintains operations in more than 160 countries. IBM Research is staffed by about 2,800 researchers working at laboratories in the United States, Switzerland, Japan, Israel and China. Major areas of research include computer systems, applications and solutions, systems technology, physical sciences, mathematical sciences, storage and communications.

About alphaWorks

The alphaWorks team, situated in the heart of Silicon Valley, scans IBM's eight research labs located around the world and identifies promising software for distribution to developers via its Web site. By providing direct access to early versions of potential products, IBM is able to engage the broader developer community and harness their energy to refine these cutting-edge technologies. The software is released cost-free on the alphaWorks Web site (www.alphaWorks.ibm.com), which also hosts a discussion forum.