Requirements
- On-premise:
- Lime CRM Server: upcoming release.
- Cloud:
- Exchange Online or Gmail mail service.
- Requires isolated application using lime-crm 2.935.0 or later.
- Lime CRM web client.
- Customers are responsible for the emails they receive.
General Security Practices
The email integration works by intercepting emails sent to a monitored mailbox and processing them for import into Lime CRM. The imported emails are then displayed in the user's browser via an HTML feed. This process opens up potential security risks: for instance, a malicious actor could send an email containing specially crafted HTML designed to exploit weaknesses in the browser environment.
The email integration together with the web client implement several layers of protection against such incidents. For example, libraries are used to sanitize the HTML and the attachments and to remove dangerous scripts. However, this is a "best-effort" approach and it is entirely dependent on the reliability of these libraries.
The email integration cannot take responsibility for preventing security incidents. It is up to the customer to have general security practices in place. Some practices to consider:
- The mail server should be secured and configured to scan incoming attachments and filter out spam.
- If Microsoft Exchange: Block emails with unsafe attachments.
- Antivirus protection.
- Secure authentication methods for Lime accounts. If they are compromised, they can be used to send emails from the monitored account inside Lime CRM.
Microsoft Safe Attachment Policies
As mentioned above, we highly recommend having attachment scanning in place. Microsoft offers several strategies for how to respond to malware and for when to deliver the email during the scanning process. You can find the Safe Attachment configuration here.
In order for the email integration to run smoothly, a block response (shown below) must be configured for all monitored accounts. This ensures that an email is not delivered until the scan has completed and that any detected malware is quarantined instead of being delivered.
Of course, you can have other policies with different responses for all other accounts in your organisation.
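As an added example (not part of the Lime CRM documentation), the following Exchange Online PowerShell creates a Safe Attachments policy with the Block response and scopes it to the monitored mailboxes only, leaving all other recipients on the organisation's existing policies. The policy name and the mailbox addresses are placeholders, and it assumes the ExchangeOnlineManagement module is installed and the signed-in account has the required Defender for Office 365 permissions.

```powershell
# Added example, not from the Lime CRM documentation. Placeholder names and
# addresses; assumes the ExchangeOnlineManagement module is installed.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$policyName = "Lime CRM Monitored Mailboxes - Block"
# Placeholder addresses of the mailboxes the email integration monitors.
$monitored  = @("crm-inbox@example.com", "support@example.com")

# Block response: the message is held until scanning has completed, and if
# malware is detected the whole message is quarantined instead of delivered.
New-SafeAttachmentPolicy -Name $policyName -Enable $true -Action Block

# The rule binds the policy to the monitored recipients only. Priority 0 puts
# it ahead of any broader rules that might otherwise apply a weaker response.
New-SafeAttachmentRule -Name $policyName `
    -SafeAttachmentPolicy $policyName `
    -SentTo $monitored `
    -Priority 0

# Verification: the policy must report Enable = True and Action = Block, and
# the rule must be Enabled with every monitored mailbox listed under SentTo.
Get-SafeAttachmentPolicy -Identity $policyName | Format-List Name, Enable, Action
Get-SafeAttachmentRule -Identity $policyName | Format-List Name, State, SentTo, Priority
```

Re-run the two Get-* commands after any change to the monitored mailboxes, since a mailbox that is not covered by the rule falls back to the organisation's default response.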