The Web Mail Migration Project


I. Overview

This project presents a procedure for migrating my email from a local Microsoft Outlook PST/POP3 configuration to a web-based IMAP solution using Mozilla Thunderbird and Enigmail for PGP encryption. Although this is my personal project, it can be extended to companies interested in reducing their IT costs by outsourcing their enterprise email administration and spam / malware protection to a cloud-based provider like Google Gmail.
I hope that you will benefit from this resource in your own projects.

Security

Email security has always been an important concern of mine. Over the past several years, I have stored my email locally in password-protected Outlook PST files, which are then encrypted within a PGPdisk on top of an encrypting file system in a portable USB key. I found this to be a reasonable precaution short of stopping all email use altogether (“Knuth versus Email” – Don Knuth).

Like most web mail providers, Gmail provides security in terms of TLS/SSL, which encrypts network communication between my computer and Gmail’s servers. However, the email messages themselves are not encrypted, so anyone who can crack my password can simply log into gmail.com and view all my mail. To prevent this, I configured Gmail to allow POP3 access so that my local Outlook could retrieve my email, store it in a local password-protected PST file, and delete Gmail’s copy from the server. This approach is far from foolproof, since my computer itself can be hacked by malware, botnets, and GhostNet crackers recently discovered by UofT’s Citizen Lab (“Vast Spy System Loots Computers in 103 Countries” – The New York Times).

Security is also a top concern for businesses and individuals considering cloud-based services such as Amazon EC2 or web-based storage like Microsoft SkyDrive. The network traffic may be encrypted, but the data itself is usually not, or is easily accessible after getting past a single username and password. It is often a good idea to encrypt all private data using PGP before storing it anywhere on the web. PGP adds another layer of security so that a cracker who obtains your username and password will not be able to read your encrypted data without your private key, or other employees’ encrypted data without their private keys, even when they are stored together in a common WebDAV disk. In my case, I am comfortable storing my PGP-encrypted email on Google’s Gmail servers.

Multi-Access Capability

The proliferation of netbooks and wireless devices also complicates access to locally secured email. My three servers (Vista x64, Mac OS X, Ubuntu Linux), laptop (XP), Blackberry, and iPhone cannot all access my local PST file at the same time. Even worse, each device had its own email storage containing unsecured copies of my email. A recent USB-related data corruption event also highlighted the vulnerability of my PST file itself as a single point of failure. Therefore, the Outlook PST/POP3 solution was no longer viable with regard to security and multi-access capability.

Several technologies are ideal replacements for Microsoft Outlook and POP3. Internet Message Access Protocol, or IMAP, allows synchronized access to a web mailbox from multiple devices simultaneously. Mozilla Thunderbird and Lightning are excellent open-source email and calendar clients for Windows, Mac OS X, and Linux. GnuPG is a free implementation of the OpenPGP encryption standard, and Enigmail is an OpenPGP extension for Thunderbird.
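The point of the Security section above is that TLS only protects mail in transit: whatever sits in the IMAP mailbox in cleartext is readable by anyone who obtains the account password, while PGP-encrypted messages are not. A practical check after migrating to IMAP with Enigmail is to audit the mailbox and list which stored messages are still cleartext. The following is an added example written for this page, not code from the original post or from the Thunderbird, Enigmail, or GnuPG projects. It classifies raw RFC 822 messages (as fetched over IMAP) as PGP/MIME encrypted (RFC 3156 multipart/encrypted), inline-PGP encrypted (an ASCII-armored block in the text body, the form Enigmail produces for plain-text mail), or cleartext. The three sample messages are constructed for the demonstration and their armored bodies are placeholders, not real ciphertext; the `audit_mailbox` helper shows how the same classifier would be applied to a live mailbox and assumes a host, login and folder name supplied by the caller.

```python
"""Audit which messages in a mailbox are PGP-encrypted at rest.

Added example for this page (not the original post's code). Messages are
classified as 'pgp-mime', 'pgp-inline' or 'cleartext'; the cleartext list
is exactly the mail an attacker with only the account password could read.
"""
import email
import imaplib
from email import policy

PGP_ARMOR_BEGIN = "-----BEGIN PGP MESSAGE-----"
PGP_ARMOR_END = "-----END PGP MESSAGE-----"


def classify(raw: bytes) -> str:
    """Return 'pgp-mime', 'pgp-inline' or 'cleartext' for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # RFC 3156 PGP/MIME: multipart/encrypted; protocol="application/pgp-encrypted"
    if msg.get_content_type() == "multipart/encrypted":
        proto = msg.get_param("protocol", "")
        if str(proto).lower() == "application/pgp-encrypted":
            return "pgp-mime"
    # Inline PGP: an armored block inside a text/plain part. Any client that
    # lacks the private key shows this as gibberish, which is the property the
    # post relies on when storing mail on Gmail's servers.
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            body = part.get_content()
            if PGP_ARMOR_BEGIN in body and PGP_ARMOR_END in body:
                return "pgp-inline"
    return "cleartext"


def audit(raw_messages) -> dict:
    """Group message subjects by classification."""
    report = {"pgp-mime": [], "pgp-inline": [], "cleartext": []}
    for raw in raw_messages:
        msg = email.message_from_bytes(raw, policy=policy.default)
        report[classify(raw)].append(str(msg["Subject"]))
    return report


def audit_mailbox(host: str, user: str, password: str, folder: str = "INBOX") -> dict:
    """Apply the classifier to a live IMAP folder (read-only). Not run here;
    host/user/password/folder are supplied by the caller (assumption)."""
    with imaplib.IMAP4_SSL(host) as conn:       # TLS protects the fetch itself
        conn.login(user, password)
        conn.select(folder, readonly=True)
        _, data = conn.search(None, "ALL")
        raws = []
        for num in data[0].split():
            _, fetched = conn.fetch(num, "(RFC822)")
            raws.append(fetched[0][1])
        return audit(raws)


# --- constructed sample messages (placeholder armor, not real ciphertext) ---
CLEARTEXT_MSG = b"""From: alice@example.com
To: bob@example.com
Subject: quarterly numbers
Content-Type: text/plain; charset="us-ascii"

Revenue was up 12% this quarter. Please keep this internal.
"""

INLINE_MSG = b"""From: alice@example.com
To: bob@example.com
Subject: travel plans
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP MESSAGE-----

hQEMA0PLACEHOLDERciphertextPLACEHOLDER
=abcd
-----END PGP MESSAGE-----
"""

PGP_MIME_MSG = b"""From: alice@example.com
To: bob@example.com
Subject: contract draft
Content-Type: multipart/encrypted; boundary="b1"; protocol="application/pgp-encrypted"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

hQEMA0PLACEHOLDERciphertextPLACEHOLDER
=wxyz
-----END PGP MESSAGE-----

--b1--
"""

if __name__ == "__main__":
    for kind, subjects in audit([CLEARTEXT_MSG, INLINE_MSG, PGP_MIME_MSG]).items():
        print(f"{kind:11s} {subjects}")
```

Running the script on the three constructed messages reports one cleartext subject ("quarterly numbers") and one of each encrypted form. The classifier deliberately treats only a complete armored block as encrypted, so a message whose body merely mentions PGP still counts as cleartext; that conservative choice matters because the cleartext list is the one that drives remediation (re-encrypting or deleting the message from the server).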




II. Consulting

I do my best to explain the concepts and techniques behind my projects. If you like my work and can use my expertise in your projects, I am available for consulting at a competitive rate.


III. Procedure

< Click here to view the detailed procedure for this project >


IV. Future Enhancements

1. PGP Encryption in Social Networks

Social networking sites are increasingly used as alternatives to traditional email, but are notorious for lax or non-existent security measures. If a cracker gets into your Facebook or LinkedIn account, they will have full access to all of your private messages. With PGP encryption, the messages in those Inbox and InMail accounts will appear as gibberish to crackers since only you possess the private key(s) to decrypt them.

2. PGP Encryption in the Enterprise

Some firms have corporate policies against the use of email encryption, with the rationale that managers and executives need access to their employees’ email in certain situations. However, this policy also leaves employees’ email vulnerable to malicious administrators or crackers with the ability to intercept these messages. A better approach would be to enforce encryption on all intercompany email, with the employees’ private keys accessible to managers and executives who are authorized to decrypt and read their email under strict corporate guidelines.

3. Gmail in the Enterprise

Due to Google’s high-performance cloud network, Gmail can provide a more robust and reliable email service than many in-house corporate environments. However, Gmail still lacks some features required by enterprise users, such as LDAP authentication, private global address lists, auto-encryption via GPG/PGP keys, DNS redirection, and cloud-based antivirus. Google could consider providing its own LDAP servers or integrating with a firm’s existing LDAP servers in order to securely process email authentication for corporate users. Gmail could also partition corporate email from general-public email to create global address lists that are private to each company. Auto-encryption is a highly desirable feature because it ensures email encryption not only between intercompany users within Gmail, but also between all Gmail users. DNS redirection would enable Gmail to process incoming and outgoing messages transparently as if they were from/to user@mycompany.com instead of user@gmail.com. Finally, Google could consider bundling a cloud-based antivirus solution such as Symantec’s to provide enhanced virus and malware protection for email attachments at all endpoints of the Gmail cloud network.


V. References

1. PGP – Pretty Good Privacy
http://en.wikipedia.org/wiki/Pretty_Good_Privacy

2. TLS/SSL – Transport Layer Security / Secure Sockets Layer
http://en.wikipedia.org/wiki/Secure_Sockets_Layer

3. POP3 – Post Office Protocol
http://en.wikipedia.org/wiki/Post_Office_Protocol

4. IMAP – Internet Message Access Protocol
http://en.wikipedia.org/wiki/Internet_Message_Access_Protocol

5. Mozilla Thunderbird
http://www.mozillamessaging.com/en-US/thunderbird/

6. Lightning
https://addons.mozilla.org/en-US/thunderbird/addon/2313

7. Provider for Google Calendar
https://addons.mozilla.org/en-US/thunderbird/addon/4631

8. GPG – GNU Privacy Guard
http://www.gnupg.org/

9. Enigmail
http://enigmail.mozdev.org/home/index.php

10. Gmail Help
http://mail.google.com/support/

11. Microsoft SkyDrive
http://en.wikipedia.org/wiki/Windows_Live_SkyDrive

12. Amazon EC2
http://aws.amazon.com/ec2/

13. Microsoft Windows Live SkyDrive
http://skydrive.live.com/

14. Google App Engine
http://code.google.com/appengine/

15. Gmail Labs
http://gmailblog.blogspot.com/2008/06/introducing-gmail-labs.html

