
Securing offline workflow approvals

Juwin
Active Contributor
0 Kudos

We are trying to implement offline workflow approvals by activating inbound emails to SAP. Since any email can be 'made to look' as if it came from another person these days, what are the measures that can be implemented to make sure that the email is legit?

Currently, the plan is to embed a key in the email while it is sent out, and to check if the key is present in the reply email.

I read through this document ( Sender authentication part 2: Reading email headers - Terry Zink: Security Talk - Site Home - MSDN ...), but the message header that I am getting in SOIN, isn't matching with the one in the document.

Example:

Thanks,

Juwin
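One way to gate an inbound approval reply on both the gateway's sender-authentication verdict and the embedded key, as an added example that is not part of this thread or of any SAP component. It assumes a fixed `Approval-Token:` line in the reply, an `Authentication-Results` header stamped by your own MTA (`mx.example.com` here) and a constructed sample message; it is a weaker control than the per-user digital signatures discussed below, since it only checks what the receiving gateway learned about the sending domain.

```python
import email.utils
import hmac
import re

# Constructed sample of an inbound approval reply (assumed format, not from the thread).
SAMPLE_REPLY = """\
From: Approver <approver@example.com>
To: workflow-inbox@example.com
Subject: Re: Approval required: WI-000123
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com
Content-Type: text/plain

APPROVE
Approval-Token: 7f3a9c1e

> Please reply with APPROVE or REJECT and keep the token line intact.
"""

def parse_auth_results(value):
    """Split an Authentication-Results value into (authserv-id, {method: result}, {prop: value})."""
    authserv, _, rest = value.partition(";")
    methods, props = {}, {}
    for clause in rest.split(";"):
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
        if m:
            methods[m.group(1)] = m.group(2)
            props.update(re.findall(r"(\w+\.\w+)=([^\s;]+)", m.group(3)))
    return authserv.strip(), methods, props

def check_inbound_approval(raw, expected_token, our_authserv="mx.example.com"):
    """Return (accepted, reasons); each failed check appends a reason."""
    msg = email.message_from_string(raw)
    authserv, methods, props = parse_auth_results(msg.get("Authentication-Results", ""))
    reasons = []
    # Trust only the header stamped by our own gateway; upstream hops can inject one.
    if authserv != our_authserv:
        reasons.append("auth-results not from our gateway")
    for method in ("spf", "dkim"):
        if methods.get(method) != "pass":
            reasons.append(f"{method} not pass")
    from_domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not from_domain or props.get("header.d", "").lower() != from_domain:
        reasons.append("dkim signing domain not aligned with From")
    # Accept the token only from unquoted lines, so the quoted original alone cannot pass.
    unquoted = [l for l in msg.get_payload().splitlines() if not l.startswith(">")]
    tokens = [l.split(":", 1)[1].strip() for l in unquoted if l.startswith("Approval-Token:")]
    if not tokens or not hmac.compare_digest(tokens[0], expected_token):
        reasons.append("approval token missing or wrong")
    return (not reasons, reasons)
```

The expected token should be looked up per work item and approver, and invalidated once used, so a captured reply cannot be replayed.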

Accepted Solutions (1)


pokrakam
Active Contributor
0 Kudos

Hi Juwin,

That still doesn't stop someone with SAP access from determining the key and spoofing the mail.

The most reliable way would be digitally signing mails. Your email infrastructure guys would have to ensure digital certificates/signatures are created and set up in all relevant email clients (this is not a bad thing anyway!), and digital signatures would then be verified on the inbound side.

I know SAP can be made to do that, but unfortunately have never done it myself so currently don't even know where to start.

Regards,

Mike

Juwin
Active Contributor
0 Kudos

Thanks Mike. Do you know if this would work from an Outlook Web Access webpage also?

Regards,

Juwin

pokrakam
Active Contributor
0 Kudos

Hi Juwin,

That's a good question which I'm not knowledgeable enough to answer.

I would speculate two scenarios:

1. It should be possible to digitally sign a web-based mail using a private key stored on your computer. My reasoning is that other web-based authentication mechanisms are able to use local security.

2. The private key could be stored on the Exchange server side and used for signing, but that kills the idea of 'private' ... you'd really need to talk to your Exchange gurus for that.

I would see option 1 as the more likely one, but haven't dug into OWA deep enough to know if it's supported. It's a pretty sensible requirement and digital signing is also run-of-the-mill stuff, so I would imagine it can work.

Regards,

Mike

Answers (0)