Ok, so I have to write up the security document on the path of a message from the post office, to the device and back again. From looking at tech white papers and my own observations and all that, I think I've got it. This is for GroupWise specifically, so ignore the post office section, but the rest should apply. So I figured while doing all this work I'd share it with you guys (in a much more condensed format). So here goes...
The post office receives an email labeled TEST to . BES will check the post office every 10 seconds for new emails or email updates to send to the device. BES finds the TEST email and retrieves it from the post office. BES encrypts the email, and attaches the BES SRP, device PIN and RefID of the TEST message to the encrypted TEST message. The encrypted TEST message is sent through the firewall and outside router via port 3101. The email arrives at its destination, a RIM relay server in Waterloo, Ontario. The RIM relay server reads the headers from the encrypted TEST. The RIM relay server verifies the SRP information is correct and active, and then compares the device PIN to those associated with the SRP identifier included. If this information checks out, the RIM relay server routes the encrypted TEST message through the appropriate carrier’s servers and cell towers directly to the device. The device receives the TEST message, decrypts it and displays it on the user’s device for viewing.
Outgoing messages go in reverse. The user prepares TESTREPLY on the BlackBerry device. Once marked to send, the device encrypts the TESTREPLY message, attaches the SRP identifier, device PIN and TESTREPLY message RefID, and directs the message to the RIM relay server via the carrier’s cell towers and servers. Once it arrives at the RIM relay server, the relay server detaches the SRP identifier, device PIN and RefID, compares them and verifies the SRP as active. If approved, the RIM relay server then identifies the BES server based on the SRP identifier and sends the TESTREPLY message back through the Internet, through our router and firewall until it reaches the BES server. The BES server initiates this connection on port 3101 at a set interval, checking for device updates to establish the return connection (this way no incoming ports need to be opened in the firewall). The TESTREPLY message arrives at the BES server, is identified by the BES server and routed to the mailbox on the post office via port 1677.
MDS requests are actually very similar in that they send an encrypted message packet (without the RefID) via the same transport method. The BES server then initiates a connection to the device on port 3106, with the BES server acting as a virtual router to move those packets through the server to the appropriate port externally.
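As an added illustration (not part of the original post, and not RIM's or BlackBerry's code), here is a small Python model of the path just described: the BES and the handset share a message key, the relay only ever sees the clear routing headers (SRP identifier, device PIN, RefID) and an encrypted body, and it refuses anything whose SRP is inactive or whose PIN is not tied to that SRP. The cipher is a SHA-256 keystream stand-in, not the cipher BES actually uses, and the SRP identifiers, PINs, hostnames and key are constructed values. MDS packets are modelled the same way with no RefID, as the last paragraph describes.

```python
"""Toy model of the message path: post office -> BES -> RIM relay -> device and back.
Cipher is a SHA-256 keystream stand-in (NOT the real BES cipher); SRP ids, PINs,
hostnames and the key are constructed values for the example."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


@dataclass(frozen=True)
class Envelope:
    """What the relay sees: routing headers in the clear, body encrypted end to end."""
    srp_id: str
    device_pin: str
    ref_id: Optional[str]   # MDS packets use the same transport but carry no RefID
    nonce: bytes
    ciphertext: bytes


class RelayRejected(Exception):
    pass


class RimRelay:
    """Checks the SRP is active and the PIN belongs to it; holds no message keys."""
    def __init__(self) -> None:
        self._srps: dict = {}   # srp_id -> {"active": bool, "pins": set, "bes": str}

    def register_srp(self, srp_id: str, pins: set, bes_name: str, active: bool = True) -> None:
        self._srps[srp_id] = {"active": active, "pins": set(pins), "bes": bes_name}

    def _check(self, env: Envelope) -> dict:
        rec = self._srps.get(env.srp_id)
        if rec is None or not rec["active"]:
            raise RelayRejected(f"SRP {env.srp_id} unknown or inactive")
        if env.device_pin not in rec["pins"]:
            raise RelayRejected(f"PIN {env.device_pin} not associated with SRP {env.srp_id}")
        return rec

    def route_to_device(self, env: Envelope) -> str:
        """Inbound: hand the still-encrypted body to the carrier for this PIN."""
        self._check(env)
        return f"carrier->{env.device_pin}"

    def route_to_bes(self, env: Envelope) -> str:
        """Outbound: pick the BES by SRP; the BES collects it on the 3101 session it opened."""
        return self._check(env)["bes"]


class Endpoint:
    """BES or handset: the two parties that share the message key."""
    def __init__(self, key: bytes, srp_id: str, pin: str, role: bytes) -> None:
        self.key, self.srp_id, self.pin, self.role = key, srp_id, pin, role
        self._ctr = 0

    def seal(self, plaintext: bytes, ref_id: Optional[str]) -> Envelope:
        self._ctr += 1
        nonce = self.role + self._ctr.to_bytes(7, "big")   # role byte keeps the two directions' nonces distinct
        return Envelope(self.srp_id, self.pin, ref_id, nonce, crypt(self.key, nonce, plaintext))

    def open(self, env: Envelope) -> bytes:
        return crypt(self.key, env.nonce, env.ciphertext)


def run_flow() -> dict:
    """TEST inbound, TESTREPLY outbound, an MDS packet, and two envelopes the relay must refuse."""
    key = hashlib.sha256(b"constructed shared device key").digest()
    relay = RimRelay()
    relay.register_srp("S12345678", {"2100ABCD"}, "bes.example.local")
    relay.register_srp("S99999999", {"2100FFFF"}, "other.example.local", active=False)
    bes = Endpoint(key, "S12345678", "2100ABCD", b"B")
    device = Endpoint(key, "S12345678", "2100ABCD", b"D")

    env_in = bes.seal(b"TEST", ref_id="ref-0001")          # post office -> BES -> relay (3101)
    hop_in = relay.route_to_device(env_in)                  # relay -> carrier -> device
    device_plain = device.open(env_in)

    env_out = device.seal(b"TESTREPLY", ref_id="ref-0002")  # device -> carrier -> relay
    bes_name = relay.route_to_bes(env_out)                  # relay -> BES (BES-initiated 3101)
    bes_plain = bes.open(env_out)
    mailbox_hop = f"{bes_name} -> post-office:1677"          # BES -> mailbox on the post office

    env_mds = device.seal(b"GET /", ref_id=None)            # MDS: same path, no RefID
    mds_ok = relay.route_to_bes(env_mds) == bes_name

    refused = []
    for bad in (Envelope("S12345678", "2100FFFF", None, b"\0" * 8, b"x"),   # PIN not tied to SRP
                Envelope("S99999999", "2100FFFF", None, b"\0" * 8, b"x")):  # SRP inactive
        try:
            relay.route_to_device(bad)
        except RelayRejected as exc:
            refused.append(str(exc))

    return {"hop_in": hop_in, "device_plain": device_plain, "relay_body": env_in.ciphertext,
            "bes_plain": bes_plain, "mailbox_hop": mailbox_hop, "mds_ok": mds_ok, "refused": refused}


if __name__ == "__main__":
    for name, value in run_flow().items():
        print(name, value)
```

The point the model makes is the one the write-up relies on: the relay's checks run entirely on the clear headers, so an envelope with a PIN that is not registered under its SRP, or an SRP that has gone inactive, is dropped without the relay ever being able to read the body, and nothing in the flow requires an inbound firewall port because the BES side of the 3101 session is always opened from inside.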