Can you Have an Auto-Responder on a Frozen MDaemon Account?

I’ve heard various opinions on what to do with an MDaemon account belonging to someone who has left a company. In a recent post on our community forums, an MDaemon administrator had set a former employee’s account to Frozen, and then configured an auto-responder for the account. Frozen accounts cannot send outbound email, and the user of a frozen account cannot check for new email.

From this page of the MDaemon manual:

Account is FROZEN (can receive but cannot send or check email)

Select this option if you wish to allow the account to receive incoming messages but prevent it from being able to check or send messages. This is useful when, for example, you suspect the account has been hijacked. Freezing the account would prevent the malicious user from accessing its messages or using the account to send messages, but it would still be able to receive its incoming email.

The result of this is that auto-response messages from frozen accounts to external (non-local) addresses are sent to the Holding queue (more information on the Holding queue can be found here).

Let’s take a closer look at what happens.

Let’s say an employee has left the company. As the MDaemon administrator, I don’t want that employee’s account to be used, so I place it in Frozen status via the main Account Details screen of the account editor, as shown here.

MDaemon Account Editor Showinng Frozen Account
MDaemon Account Editor Showinng Frozen Account

Now let’s say I’ve enabled an auto-responder for the account, as shown here.

MDaemon Account Auto-Responder Enabled
MDaemon Account Auto-Responder Enabled

In the following example, I’ve created the account frozen@brad.ssllock.com, and have configured the auto-responder.

When I send a test to frozen@brad.ssllock.com from training@mdaemon.com, the MDaemon server hosting the @brad.ssllock.com domain places the message in the frozen account’s mailbox, but the user is unable to log into webmail or access the inbox via another email client.  When MDaemon then tries to send the auto-responder that we enabled for the frozen account, the message is moved to the  Holding queue and the following is written to the MDaemon logs:

Mon 2018-06-18 11:18:33.406: Session 042192; child 0001
Mon 2018-06-18 11:18:33.406: Parsing message <c:\mdaemon\queues\remote\pd50000000056.msg>
Mon 2018-06-18 11:18:33.406: *  From: frozen@brad.ssllock.com
Mon 2018-06-18 11:18:33.406: *  To: Training@mdaemon.com
Mon 2018-06-18 11:18:33.406: *  Subject: RE: Test to Frozen Account with Auto-Responder
Mon 2018-06-18 11:18:33.406: *  Size (bytes): 3822
Mon 2018-06-18 11:18:33.406: *  Message-ID: MDAEMON0005201806181118.AA1812640@mail.brad.ssllock.com
Mon 2018-06-18 11:18:33.421: Message moved to holding queue because sending account is disabled
Mon 2018-06-18 11:18:33.421: SMTP session terminated (Bytes in/out: 0/0)
Mon 2018-06-18 11:18:33.421: ———-

The result is that the auto-response never gets sent because the account is frozen.

The Solution

Rather than freezing the account, you could simply change the account’s password so that it can still accept mail and send auto-response messages. This can be done via the main Account Details screen, as shown here.

Account Details
Account Details

If you prefer to freeze the account instead of changing its password, another option would be to create a content filter rule that would send your desired response to the original message sender instead of using the auto-responder. That content filter rule would look something like this:

Content Filter Rule
Content Filter Rule

In this example, I created a rule that sends a reply to the sender of messages addressed to frozen.account@example.com using the “Send a NOTE 1” action. I then entered the $SENDER$ macro and the desired response. This message will be sent back to the message sender in response to a message originally sent to the frozen account.

You can get pretty creative with MDaemon’s content filter to perform a variety of tasks, so hopefully you found this helpful!

5 Right-Click Tricks That Will Make You an MDaemon Webmail Jedi

Most of us don’t wake up thinking about email, but without it, business communications would be set back at least 20 years. We rely on email for many basic business functions, so we want email management features that simplify communications & make collaboration easier and more efficient.

With MDaemon Webmail, users can perform a variety of tasks via the Options menu. But, following the theme of making things easier, did you know you can perform many of these same tasks with the click of the right mouse button without leaving your Inbox?

In our latest tutorial video, we show you how to:

  • Create and Share Folders
  • Convert an Email to a Task
  • Import and Export Calendar Events
  • Rearrange Columns
  • Add Categories and Attachments to Notes

Want to learn more about the many ways MDaemon Webmail helps users stay connected? Visit our Webmail Features page, or download your free trial of MDaemon!

Encrypting vs. Signing with OpenPGP. What’s the Difference?

Many businesses are responsible for maintaining large amounts of confidential data, including customer records, medical records, financial reports, legal documents, and much more. It’s very common for these types of information to be transmitted via email. So how can you ensure confidential data transmitted via email is kept private? How can you ensure the integrity of transmitted data and that a message actually came from its purported sender?

Businesses need to ensure confidentiality, data integrity, message authentication (proof of origin), and non-repudiation (proof of content and its origin). These goals can be accomplished using MDaemon’s OpenPGP message encryption and signing services. Read on to learn more about the differences between encrypting and signing, and when each is used.

The Need for Encryption

Businesses need to protect sensitive data and preserve confidentiality and privacy. Whether you work in healthcare, finance, legal, HR or education, chances are you’re familiar with the terms GDPR, HIPAA or FERPA (among others). Businesses that fail to meet these regulations risk data breaches that can lead to lost revenue or legal action, as well as steep fines. To address these issues, businesses can use encryption to make their sensitive data unreadable to unauthorized parties.

The Need for Signing

In addition to data privacy, businesses may need to ensure that a message was not altered during transit, and that it actually came from the purported sender. These tasks are accomplished with message signing (adding a digital signature) using OpenPGP. Much like your handwritten signature, a digital signature can be used for authentication purposes, but also cannot be forged.

Signing a message helps ensure the following:

  • Data Integrity – That the message was not altered from its original form.
  • Message Authentication (Proof of Origin) – That the message actually came from the purported sender.
  • Non-repudiation – That the sender cannot deny the authenticity of the message they sent and signed with OpenPGP.

Encrypting vs. Signing – What’s the Difference?

So what are the differences between encrypting & signing? Let’s discuss each.

What is Encryption?

Encryption is the act of converting plain text to cipher text. Cipher text is basically text that has been scrambled into non-readable format using an algorithm – called a cipher. MDaemon’s implementation of OpenPGP encryption uses public key encryption (also known as asymmetric key encryption) to encrypt email messages and attachments.

So How Does Public Key Encryption Work?

Public key encryption uses public/private key pairs. If you want me to send you an encrypted message, you send me your public key, which I import into my encryption software (using the OpenPGP configuration screen in MDaemon, in this case). I encrypt the message with your public key. When you receive the message, you decrypt it with your private key. Even though your public key can be freely distributed and used to encrypt messages addressed to you, these encrypted messages can only be decrypted with your own private key. This private key must always be kept secret. Data encrypted with the public key can only be decrypted with its corresponding private key; conversely, data encrypted with the private key can only be decrypted with its corresponding public key. We’ll talk about why you would encrypt a message with your own private key in the next section when we discuss message signing.

Encrypting email with OpenPGP
Encrypting email with OpenPGP

In our latest release of MDaemon, we’ve added the ability for MDaemon Webmail users to encrypt messages from within the message compose window. This procedure is explained in this blog post.

Check out the following video to see this process in action!

Encrypting a message helps ensure that the message is kept confidential. The message remains in its encrypted format until it is decrypted with the recipient’s private key.

What is Message Signing with OpenPGP?

As I mentioned above, messages are encrypted with the message recipient’s public key and decrypted with the corresponding private key. Message signing, on the other hand, uses the sender’s private key to sign (encrypt) the message, and his public key is used to read the signature (decrypt). Message signing binds the identity of the message source to the message. This helps ensure data integrity, message authentication, and non-repudiation.

For example, if John wants to digitally sign a message to Michelle, he uses his private key to encrypt the message, and sends it (along with his public key if it hasn’t already been sent) to Michelle. Since John’s public key is the only key that can decrypt the message, the digital signature is verified by simply decrypting the message with John’s public key.

Signing with OpenPGP
Signing an Email Message with OpenPGP

Signing a message with OpenPGP ensures that the message was not altered in transit, that it did in fact come from the purported sender, and that the sender cannot deny the authenticity of the message they sent and signed with OpenPGP.

More information on using MDaemon’s PGP encryption & signing features can be found in the following knowledge base article:

How to enable MDaemon PGP, configure who can use MDPGP, and create keys for specific users

http://www.altn.com/Support/KnowledgeBase/KnowledgeBaseResults/?Number=1087

Do you have questions? Let us know in the Comments section below!

The Recent Concerns with OpenPGP and S/MIME Encryption

On Monday, May 14th, the Electronic Frontier Foundation (EFF) reported that European researchers had discovered core problems and commonplace implementation flaws in the S/MIME and OpenPGP protocol specifications. The vulnerability, which the researchers have described as EFAIL, can reportedly expose the content of encrypted emails (even messages sent in the past) to be viewed. The EFAIL vulnerability affects many email clients that use S/MIME and OpenPGP. There is a list of email clients with vulnerabilities by protocol in an article posted at thehackernews.com.

It’s very important to understand that to be at risk for this vulnerability, attackers would need access to your emails. This means that your email system has been compromised by an attacker who has access to the encrypted emails through tactics such as eavesdropping on network traffic (also known as a man-in-the-middle (MITM) attack), compromised email accounts, access to email servers, backup systems or client computers, usually achieved through social engineering attacks, such as Phishing and other tactics.

We have checked our own web-based email client (MDaemon Webmail) and our MDaemon OpenPGP-based encryption feature. Our results show that MDaemon Webmail is not vulnerable. However, the MDaemon email server OpenPGP feature is partially vulnerable to one implementation flaw. We have released a patch for affected versions of MDaemon email software, which can be found here. The current version of the MDaemon email server, v18.0.1, includes this fix.

A Reminder on the Best Email Security Practices

This latest issue should remind us all about the importance of email security practices as a whole.  Implementing strong passwords, two-factor authentication, location screening, SSL/TLS, SMTP AUTH, IP Shielding, dynamic screening, freezing accounts after failed authentication attempts, all play a role in helping to keep your accounts and your email safe. You can review a list of email security features in MDaemon here.

If you’ve implemented security to help protect malicious people from accessing your email accounts, then you are less likely to have an account compromised and you will be better protected against these types of attacks and vulnerabilities.

Ongoing Monitoring

While the researchers go into some depth to expose issues deep within the S/MIME and OpenPGP specification documents, these encryption protocols may need specification changes to address the longer-term issues mentioned in the initial report. MDaemon Technologies will continue to monitor this issue.

Additional Resources

We have provided links to past blog posts that cover a number of email security topics to provide additional information:

Thwart Hackers with Strong Password Policies

Are You Taking the Security of Your Email Account Seriously?

Why Passwords May Not Keep Your Email Safe

Block Incoming Connections by Country with MDaemon’s New Location Screening Feature

SSL & TLS Best Practices

Block Hackers from Guessing Passwords with MDaemon’s Improved Dynamic Screening

Are You Doing Enough to Protect Your Email Privacy?

Follow These 13 Tips to Avoid Being Blacklisted

New Security & Collaboration Features for MDaemon 17.5!

Introducing SecurityGateway 5.0, with New Location Screening, Terms of Service Agreements, and More!

How to Encrypt your Email Messages from MDaemon Webmail in Three Easy Steps!

Whether you work in healthcare, finance, education, or another highly regulated industry, it’s likely that you’re required to meet increasingly stringent regulations on email security and privacy, such as the General Data Protection Regulation (GDPR). But even if these strict requirements do not apply to your industry, you still want to maintain customer trust by ensuring their confidential data is safe.

To address these concerns, MDaemon offers email encryption using OpenPGP.

In the past, implementations of OpenPGP have been cumbersome, requiring users to manually exchange encryption keys or to take complex steps to send encrypted messages. With MDaemon, in addition to providing various ways to automate the encryption key exchange and server-side encryption processes, MDaemon Webmail users can easily enable per-message encryption right from within the message compose window.

Here’s a quick video to demonstrate how easy it is to encrypt messages in MDaemon Webmail.

A more comprehensive overview of MDaemon’s OpenPGP settings and how to configure them can be found in this knowledge base article.

Upgrade MDaemon to Take Advantage of the Latest Features!

Are you running an older version of MDaemon? Check out our Features by Version chart to see what you may be missing out on! Server-side email encryption with OpenPGP was introduced in MDaemon 15.5. Click here for upgrade & renewal instructions.

If you’re not currently using MDaemon and would like to see how an affordable, easy-to-use mail server can benefit your business, click here to download your free trial!

Introducing MDaemon 18: Single Installer for All Licensed Features, AntiVirus Mailbox Scanning, and Much More!

I’ve got some exciting news. Our latest & greatest MDaemon release is now available for download! With MDaemon 18, we introduce new features that benefit administrators and end-users alike. Let’s go over the top new features. You can view a more comprehensive list of all new features and enhancements in the MDaemon release notes.

New Features for Administrators

Single Installer for All Licensed Features

The MDaemon download/install file now includes all former plug-ins which are now “licensed features” of MDaemon that require a separate license key.

When you enable each feature for the first time, a 30-day trial is activated. You can purchase a full license for these features on our website or through your local MDaemon reseller. Purchase options can also be found under the Help menu in MDaemon.

Enhanced Security to Avoid DNS Attacks

DNSSEC is a technology that digitally signs DNS data so that you can be assured that it’s valid. It was created to combat man-in-the-middle attacks that are possible in the DNS system. These types of attacks can lead to users being directed to a hijacker’s own deceptive website in an attempt to collect personal data. To help ensure MDaemon does not become a victim of these attacks, it is now capable of requesting DNSSEC be used when available.

DNSSEC - Enhanced Protection Against DNS Attacks
DNSSEC – Enhanced Protection Against DNS Attacks

Remote Administration – Set Security Features to their Recommended Settings

If you have adjusted MDaemon’s security settings over time and are unsure of the best settings for optimal security, you can now set each security feature to its recommended setting with a single mouse click in MDaemon Remote Administration.

MDaemon Remote Administration - Set Security Settings to Recommended Values
MDaemon Remote Administration – Set Security Settings to Recommended Values

Antivirus – Mailbox Scanning

When MDaemon Antivirus is enabled, administrators can now configure a schedule to scan all mailboxes. This allows the detection of any infected messages that may have passed through before any new virus definitions were created to detect the latest threats.

MDaemon Antivirus Mailbox Scan
MDaemon Antivirus Mailbox Scan

ActiveSync – Exempt Known Devices from Location Screening

An option has been added to allow a previously known device to bypass location screening when connecting via MDaemon ActiveSync. Administrators can enable this option to allow users to continue to access their account from locations that are configured to have their authentication attempts blocked. This is useful if you have users who are traveling and need access to their email.

Exempt Mobile ActiveSync Devices from Location Screening
Exempt Mobile ActiveSync Devices from Location Screening

New Features for End Users

Remote Administration  & Webmail – Remember Me for Easier Access

MDaemon Webmail and Remote Administration users can enable the Remember Me feature to automatically login without having to enter a username and password. The Remember Me duration can be configured by the administrator for up to 365 days.

Remember Me for MDaemon Webmail and Remote Administration
Remember Me for MDaemon Webmail and Remote Administration

Webmail – Simplified Email Encryption

When composing a message, MDaemon Webmail users can use the Advanced Options screen to instruct MDaemon to encrypt the message, retrieve their public key, or retrieve the public key of another user (if available). This greatly simplifies the process of sending secure, encrypted email using MDaemon PGP.

MDaemon Webmail Encryption using OpenPGP
MDaemon Webmail Encryption using OpenPGP

Webmail  – Message Snooze

MDaemon Webmail users can snooze emails to temporarily remove them from their inbox until they need them. The user’s email will reappear in the inbox at the configured time, whether it’s tomorrow, next week, or when you get home.  Snoozed messages can be displayed at any time using the View Snoozed Messages options.

MDaemon Webmail - Message Snooze
MDaemon Webmail – Message Snooze

Webmail  – Collaboration & Security for Public Calendars

MDaemon Webmail users can publish a calendar to a publicly accessible URL for easy sharing and collaboration. For added security, these public calendars can be password protected. To publish a calendar, click the Share Folder icon for your calendar under the Options|Folders menu in MDaemon Webmail, enter an optional display name and password under the Public Access tab, and then click on Publish Calendar. Anyone who has the calendar’s URL and optional password can view it in their browser. More information on how to enable this feature globally or on a per-user basis can be found in the MDaemon release notes.

MDaemon Webmail - Publish Calendar to Public URL
MDaemon Webmail – Publish Calendar to Public URL

Webmail – Text-to-Speech

When viewing a message in MDaemon Webmail using the WorldClient, LookOut, or Mobile theme, users can click on a button to listen to the message.

MDaemon Webmail - Text-to-Speech
MDaemon Webmail – Text-to-Speech

Note: This feature is currently only supported in Chrome or Firefox.

Are you running an older version of MDaemon or using a different email platform? Download the latest MDaemon & see what you’ve been missing!

If you’d like to learn more about MDaemon & what’s new with version 18, or if you’re considering changing platforms for a simpler and more cost-effective email solution, here are a few links you may find helpful.

As always, I’ll be happy to answer any questions via the Comments section, or if you need further assistance, you can click here to contact our Support staff.

And one more thing while we’re on the topic of product updates. Is there a feature you’d like us to add to a future version of MDaemon? Click here & let us know!

Is Your Email Down Again?

According to Microsoft, Office 365 users in Europe, Asia and some US states were left without email access for as long as 14 hours (per some users) on Friday, April 6th. And a quick search of historical outages show that the outages happen with more frequency than many realize, such as reported on sites like currentlydown.com/office365.com.

Can businesses really afford to be without what is arguably the most important business tool? Or are we seeing a slow erosion in accepted availability of email as more and more companies move to the cloud?

When I talk to many customers and resellers who are deciding to take their email to the cloud, the primary reason seems to be that they don’t want the hassle of dealing with SPAM, phishing, ransomware, etc. and users’ complaints. As some put it, “I’d rather put that burden on someone else.” Sure there is the argument of moving the cost to monthly operational costs, which for some can appear to be a savings. Even over at SpiceWorks, a one stop shop for IT Pros, discussions are always ongoing about O365 versus on-premise. And we’ve posted our own email platform price comparisons with some help from Osterman Research.

Now I recognize that for many companies the cloud ship has sailed. They’ve committed to putting their software into the hands of a third party provider, trusting that the provider will be as responsive and careful with their information as their own IT professional. And for many small businesses with limited resources, it does make sense.

But if you’re a business that still has trust issues when it comes to your company’s email, and believe me that’s not a bad thing, then there is still a very affordable alternative. The MDaemon email server has been trusted for over 20 years by companies around the globe. And if you have over 100 email users and you’re using Microsoft Exchange, you will save both in cost and time. It’s just one reason we see weekly migrations to the MDaemon platform.

Using the cloud for email is not inherently a bad thing depending on your company’s needs. But if privacy and control are important and you’re curious about an email alternative, you can learn how MDaemon’s email server features compare to what you are currently using. Or, simply ask Brad to give you a personal demo of the software by sending a message to training@mdaemon.com.

Better yet, just take MDaemon for a free, 30-day test drive and find out what other IT pros know.

Three Ways MailStore Makes Your Job Easier

MailStore Logo

Unless your business is stuck in the pen & paper generation, chances are you deal with lots…and LOTS of email on a daily basis, to the point where your Inbox is bloated and out of control, causing your email client, and even your mail server, to run frustratingly slow.

The solution is to implement an archiving solution such as MailStore.With MailStore, all those emails that pile up on the server from users wanting to keep every email sent and received can be safely tucked away in an archive and  removed from the server after a period of time, freeing up space on the server and improving performance.

But the benefits of an archiving solution don’t stop at performance improvements. MailStore can help make your life easier by providing tools for easy searching of messages and attachments, storage efficiency with compression and de-duplication (meaning if multiple copies of the same message exist on the server, only one copy needs to be stored in MailStore), and status reports to keep administrators informed of the status of their archives.

Learn more about these three ways MailStore can help make your  job easier from our latest video!

Start archiving your email today. Click here to download your 30-day free trial of MailStore!

Never lose an important message. Organize your Inbox with message Categories!

MDaemon’s webmail client is loaded with a variety of features for organization, collaboration and security. As a daily user of MDaemon Webmail (I use it almost exclusively instead of my desktop email client), I like to keep important messages organized so I can find them later. This is made easy with message categories (in addition to follow-up flags). Within the MDaemon webmail client, you’ll find a variety of built-in categories, or you can create your own custom categories. Multiple categories can be assigned to a message, and messages can be arranged by category, keeping all of your important messages in one, easy-to-find place.

Check out our latest tutorial video to learn more, or if you’re not yet an MDaemon user, click here to download your free trial!

 

Save Time by Saving Frequently-Performed Searches as Folders

If you’re like me, you like shortcuts that make life easier when performing common tasks. For example, if you work in finance or accounting, wouldn’t it be nice to be able to pull up all emails with the word “invoice” with a single mouse click? Well now you can. With the latest release of MDaemon, we introduced search folders in MDaemon Webmail. This week’s 30-Second Email Tips video will walk you through the setup process.

Search folders were added in MDaemon 17.5.1. If you’re running an older version of MDaemon, you could be missing out on some great new features!

If you’re not currently using MDaemon, but would like to try it out, click here to download your free 30-day trial!