Are you taking the security of your email account seriously?

WEmail Securitye begin a series of posts on the importance of email security and why it should be a top priority for organizations. In this post, we share some insights from the founder of Alt-N Technologies, Arvel Hathcock, to get his perspective on security tips for email users.

Most everyone has an email account. Many have more than one. Email is really at the core of online life because it is tied to so many of our online services. Look at your phone. Many of the service apps you see connect with you via your email account. This is why I believe the wide-spread practice of “password reset via email message” or “Forgotten Password” has crowned the email account password the most significant and important of all passwords.

Password Controls in MDaemon

Password Settings in MDaemon

That’s not to say that password management for services like online banking are not critical. They are. But having a strong password for banking and not your email can expose you to some real dangers, as well.   Imagine if a hacker or other bad actor can figure out your email password. One of the first actions they could take is to login and change your password. This locks you out. Next, they check through your inbox and folders looking for anything interesting, such as popular online services or banking portals. Now, they login with your email address and use the “Forgotten Password” feature. Soon an email will show up in your inbox (which is no longer controlled by you) allowing them to verify the change and now another important service is not controlled by you. This email and others like it will allow a hacker to change all of your online passwords – all because they found your email password.

This is not good and it leads me to security tip #1: Put effort into the security of your email account password.

It can be the key to all your other passwords. Also, do not use your email account password with any other online account or service because you do not know and cannot control when it will be that service’s turn to get hacked.

Because of the risk mentioned earlier, I would also recommend users disable “Forgotten Password” features where possible and use an alternative method. As bad as “Forgotten Password” can be to reset access, the Question and Answer options can be risky, too. I was horrified years ago to discover that an online app for a banking chain reset my password using only the “Question and Answer” method – no email at all! You know – the questions some services ask like “What’s your mom’s name?” or “Where did you grow up?” etc. If someone can get the answers right, they can change the password.

This idea assumes that would-be hackers will always be outsiders without access to even basic information about their targets. You should use caution before completely trusting these methods. One trick I recommend is to select the question (it’s usually in a drop-down list) and enter a totally random and completely unpredictable answer (but one that you can remember, of course).

I realize these features exist for convenience but remember that security can be reduced and new attack options exposed by these methods if not managed properly.

 

 

MDaemon 16.5 – with Automatic Updates, WorldClient Categories & More!

Earlier this year, we introduced several new security and convenience features for MDaemon, including contact synchronization via CardDAV, two-factor authentication in WorldClient, spambot detection, and an ActiveSync migration client for migrating from any mail platform that supports ActiveSync protocol version 14.1. If you’re running an older version of MDaemon and would like to see what you may be missing, check out our MDaemon Features by Version page for all features by release version.

For MDaemon 16.5, we continue the trend of packing in new features for both administrators and end users.

Administrators will Benefit From these New Features:

Centralized Management of Outlook Users

Outlook Connector Client Settings

Outlook Connector allows Outlook users to share their email, calendars, contacts, tasks and notes. In previous versions of MDaemon and Outlook Connector, users would configure all settings on the Outlook Connector client, including host names, SSL and port settings, and other preferences. Beginning with MDaemon 16.5 and Outlook Connector 4.0 (also released today), these settings can now be stored centrally in MDaemon and pushed out to clients. When a new Outlook Connector profile is created, only the username and password are needed. All other settings are retrieved from MDaemon with the click of a button.

Unique Public Key Management for Encryption Security Control

OpenPGP Encryption Settings

OpenPGP uses public/private key pairs to encrypt and decrypt messages. If I want to send you an encrypted message, I would need to obtain your public key, which is used to encrypt the message, and you would decrypt it with your private key. WorldClient, MDaemon’s webmail client, can now be used as a basic public key server for exchanging public encryption keys. This allows WorldClient to honor requests for your users’ public keys using a specially formatted URL. Additionally, MDaemon’s OpenPGP feature now supports collection of public keys over DNS. This helps to automate the process of exchanging encryption keys.

Automatic Product Updates

Automatic Updates

Automatic Updates

It’s easier to ensure that you’re running the latest version of MDaemon, Outlook Connector, and SecurityPlus with the new Automatic Updates feature. Updates can be automatically downloaded and installed at a designated time.

For end users, we’ve added these new features:

Easily Identify Trusted Email & Confirm Message Authenticity to Prevent Spearphishing

 

DKIM Verified Sender

DKIM Verified Sender

MDaemon’s OpenPGP features can now verify embedded signatures found within messages. This helps the recipient ensure that the message is authentic. WorldClient will display an icon or text label for verified messages. WorldClient will also display labels for messages with valid DKIM signatures, messages decrypted by OpenPGP, and messages signed with an OpenPGP key.

WorldClient Categories for Easier Inbox Management

WorldClient Message Categories

WorldClient Message Categories

When using the LookOut and WorldClient themes, WorldClient has new category selections for easy sorting and identification of email messages. Messages can be sorted by category, and multiple categories can be assigned to a message. Authorized users can also create their own custom categories in addition to using the built-in categories.

Connect with most IM Clients

XMPP Chat Server

XMPP Chat Server

MDaemon 16.5 includes two separate chat systems. In addition to WorldClient Instant Messenger, users can now chat with each other using their favorite third-party chat (XMPP) client. With the addition of this feature, users now have the flexibility to chat from any device with a compatible XMPP client, including mobile devices.

There are many XMPP clients to choose from, including Trillian (Windows), Adium (Mac OSX), and Mozilla Thunderbird (Linux, OSX, Windows). A list of XMPP clients can be found here: http://xmpp.org/software/clients.htm.

Features may vary depending on which XMPP client is used. WorldClient Instant Messenger’s features can be found here:

http://www.altn.com/Products/MDaemon-Email-Server-Windows/WorldClient-Instant-Messenger/

Other improvements include:

Additional SMTP authentication settings

SMTP Authentication from Local IPs

SMTP Authentication from Local IPs

The SMTP Authentication screen has a new option which, when enabled, will require all incoming messages from local IP addresses to use SMTP authentication. When this setting is enabled, if a message that is not authenticated arrives from a local IP address, it will be rejected. We recommend enabling this setting for added security.

Modification of “From” header as additional protection from spoofing

Sometimes users are fooled into thinking an email comes from one person when it is actually from an attacker. This happens because email clients often display only the sender’s name and not his email address. This new option defeats such an attack  by altering the From: header value. If enabled, when a message arrives for a local user, its From: header is modified. For example: From: “Spartacus” <crixus@capua.com> would become From: “crixus@capua.com — Spartacus” <crixus@capua.com>.

WorldClient can check for attachments if they are mentioned in the subject/body.

WorldClient Attachment Notification

WorldClient Attachment Notification

When an attachment is mentioned in the subject or body of a message, yet no file is attached, WorldClient can be configured to remind the sender of a possibly missing attachment when clicking the Send button.

These are just the major new features for MDaemon 16.5. For a complete list of all new features & enhancements, view the MDaemon release notes. Or if you’re ready to try MDaemon for free, click here to download your free trial!