Most of us don’t wake up thinking about email, but without it, business communications would be set back at least 20 years. We rely on email for many basic business functions, so we want email management features that simplify communications & make collaboration easier and more efficient.
With MDaemon Webmail, users can perform a variety of tasks via the Options menu. But, following the theme of making things easier, did you know you can perform many of these same tasks with the click of the right mouse button without leaving your Inbox?
Many businesses are responsible for maintaining large amounts of confidential data, including customer records, medical records, financial reports, legal documents, and much more. It’s very common for these types of information to be transmitted via email. So how can you ensure confidential data transmitted via email is kept private? How can you ensure the integrity of transmitted data?
Businesses need to ensure confidentiality, data integrity, message authentication (proof of origin), and non-repudiation (proof of content and its origin). These goals can be accomplished using MDaemon’s OpenPGP message encryption and signing services. Read on to learn more about the differences between encrypting and signing, and when each is used.
The Need for Encryption
Businesses need to protect sensitive data and preserve confidentiality and privacy. Whether you work in healthcare, finance, legal, HR or education, chances are you’re familiar with the terms GDPR, HIPAA or FERPA (among others). Businesses that fail to meet these regulations risk data breaches that can lead to lost revenue or legal action, as well as steep fines. To address these issues, businesses can use encryption to make their sensitive data unreadable to unauthorized parties.
The Need for Signing
In addition to data privacy, businesses may need to verify a message’s authenticity. This can be accomplished with message signing (adding a digital signature) using OpenPGP.
Signing a message helps ensure the following:
Data Integrity – That the message was not altered from its original form.
Message Authentication (Proof of Origin) – That the message actually came from the purported sender (if the sender is the signer of the message).
Non-repudiation – That the signer cannot deny the authenticity of the message they signed with OpenPGP.
Encrypting vs. Signing – What’s the Difference?
So what are the differences between encrypting & signing? Let’s discuss each.
What is Encryption?
Encryption is the act of converting plain text to cipher text. Cipher text is basically text that has been scrambled into non-readable format using an algorithm – called a cipher. MDaemon’s implementation of OpenPGP encryption uses public key encryption (also known as asymmetric key encryption) to encrypt email messages and attachments.
So How Does Public Key Encryption Work?
Public key encryption uses public/private key pairs. If you want me to send you an encrypted message, you send me your public key, which I import into my encryption software (using the OpenPGP configuration screen in MDaemon, in this case). I encrypt the message with your public key. When you receive the message, you decrypt it with your private key. Even though your public key can be freely distributed and used to encrypt messages addressed to you, these encrypted messages can only be decrypted with your own private key. This private key must always be kept secret. Data encrypted with the public key can only be decrypted with its corresponding private key.
In our latest release of MDaemon, we’ve added the ability for MDaemon Webmail users to encrypt messages from within the message compose window. This procedure is explained in this blog post.
Check out the following video to see this process in action!
Encrypting a message helps ensure that the message is kept confidential. The message remains in its encrypted format until it is decrypted with the recipient’s private key.
What is Message Signing with OpenPGP?
As I mentioned above, messages are encrypted with the message recipient’s public key and decrypted with the corresponding private key. Message signing, on the other hand, uses the sender’s private key to sign the message, and his public key is used to read the signature. Message signing helps ensure data integrity, message authentication, and non-repudiation.
For example, if John wants to digitally sign a message to Michelle, he uses his private key to sign the message, and sends it (along with his public key if it hasn’t already been sent) to Michelle. John’s public key is the only key that can verify the message signature.
More information on using MDaemon’s PGP encryption & signing features can be found in the following knowledge base article:
How to enable MDaemon PGP, configure who can use MDPGP, and create keys for specific users
Whether you work in healthcare, finance, education, or another highly regulated industry, it’s likely that you’re required to meet increasingly stringent regulations on email security and privacy, such as the General Data Protection Regulation (GDPR). But even if these strict requirements do not apply to your industry, you still want to maintain customer trust by ensuring their confidential data is safe.
To address these concerns, MDaemon offers email encryption using OpenPGP.
In the past, implementations of OpenPGP have been cumbersome, requiring users to manually exchange encryption keys or to take complex steps to send encrypted messages. With MDaemon, in addition to providing various ways to automate the encryption key exchange and server-side encryption processes, MDaemon Webmail users can easily enable per-message encryption right from within the message compose window.
Here’s a quick video to demonstrate how easy it is to encrypt messages in MDaemon Webmail.
MDaemon’s webmail client is loaded with a variety of features for organization, collaboration and security. As a daily user of MDaemon Webmail (I use it almost exclusively instead of my desktop email client), I like to keep important messages organized so I can find them later. This is made easy with message categories (in addition to follow-up flags). Within the MDaemon webmail client, you’ll find a variety of built-in categories, or you can create your own custom categories. Multiple categories can be assigned to a message, and messages can be arranged by category, keeping all of your important messages in one, easy-to-find place.
If you’re like me, you like shortcuts that make life easier when performing common tasks. For example, if you work in finance or accounting, wouldn’t it be nice to be able to pull up all emails with the word “invoice” with a single mouse click? Well now you can. With the latest release of MDaemon, we introduced search folders in MDaemon Webmail. This week’s 30-Second Email Tips video will walk you through the setup process.
Search folders were added in MDaemon 17.5.1. If you’re running an older version of MDaemon, you could be missing out on some great new features!
If you’re what most would call a “power user,” then you may be used to using keyboard shortcuts. If you’re used to the keyboard shortcuts of another client, such as Outlook, Thunderbird or Eudora, MDaemon’s webmail client has a feature that allows you to continue using those shortcuts. So if you’re used to using Shift+P to print (which is an Outlook shortcut), then all you need to do in MDaemon’s web-based email client is go to the Options menu & select Personalize. Then select your preferred option in the Keyboard Shortcuts drop-down menu, as shown here:
More information on this feature can be found in the following page from our online manual:
If you have questions or comments about this feature, let us know! If you’re not an MDaemon user, but would like to learn more about its features, visit the MDaemon product page and have a look around!
You’ve probably heard that the vast majority of all email traffic is spam, but did you know the volume of spam as a percentage of all email traffic has gone down over the years? In April of 2014, spam made up almost 70% of all email traffic. The most recent records show spam at about 59% of all email traffic. While these numbers are down slightly, they are still quite significant, and thus email providers need to be armed with a variety of tools to combat spam.
For email administrators, one of the challenges of fighting spam is balancing tasks performed by the administrator with tasks that users can perform to take some of the workload from administrators. With SecurityGateway’s quarantine management features, users can be granted permissions to manage their own quarantines.
SecurityGateway can be configured to handle spam in various ways. Messages can be refused, quarantined, or accepted, and their spam scores can be adjusted accordingly. When messages are quarantined and held on the server, the administrator can determine whether, and how often, to send the user an emailed quarantine summary report. The administrator can also grant users permissions to view and manage their own quarantine folders in the SecurityGateway interface. The quarantine summary email allows users to release the message from quarantine, and whitelist or blacklist the sender. When the quarantine is viewed in the SecurityGateway interface, users have additional options, such as the ability to feed messages to SecurityGateway’s Bayesian spam learning engine. Giving users the ability to manage their own quarantines allows administrators to focus on other tasks.
We generally recommend using the Bayesian feature to mark a message as spam, rather than blacklisting the sender. Thus, to avoid any confusion, we’ve put together the following best practices guide on quarantine management in SecurityGateway.
We live in an era where the amount of valuable data businesses must store is increasing at an unprecedented pace. Consequently, the number of “bad guys” trying to gain access to that data is also increasing, and hackers have some pretty sophisticated tools at their disposal to try to force their way into your data. They use a variety of tactics, including social engineering, brute force attacks and dictionary attacks, among others.
Passwords are not just vulnerable to external threats. They must be protected from internal threats as well. Have you ever written down a password on a piece of paper, and then thrown it in the garbage? Have you ever discarded an old hard drive without destroying it? If this information gets in the wrong hands, it can lead to severe financial loss for a company, and damage to its reputation.
Passwords and usernames belong to one of three types of identification data:
Something you know
Something you own
Something you are or do (such as a fingerprint or other biometric element)
Passwords and usernames fall within the category of “something you know.” The three items listed above are considered factors of authentication, so when only one type of data is used to log into a system (such as a username and password), you are using a single factor of authentication.
Passwords alone are often not enough to protect your data against increasingly sophisticated attacks. Requiring a second factor of authentication can drastically reduce data theft.
Two-factor authentication is not a new concept. In fact, most of us already use it in other ways besides accessing our email. Here are some examples of two-factor authentication that many of us already use daily:
An ATM card (something you own) and a PIN (something you know)
A credit card (something you own) and a zip code (something you know)
A phone (something you own) and a fingerprint (something you are)
MDaemon includes two-factor authentication for WorldClient, MDaemon’s webmail client. With two-factor authentication, users must provide two forms of authentication – a password and a unique verification code that is obtained via any client that supports Google Authenticator (available in the Google Play store).
Two-factor authentication has many benefits:
It provides an extra layer of defense when a password isn’t strong enough.
It reduces online identity theft, phishing, and other techniques because a victim’s password isn’t enough to gain access to his or her data.
It helps companies in finance, health care, and other industries comply with PCI, HIPAA and other regulations.
It makes working remotely safer.
In this video, we demonstrate how to enable and use two-factor authentication in MDaemon and WorldClient.
If you’re concerned about privacy and security, two-factor authentication provides extra protection for your data. Download the latest version of MDaemon to take advantage of this extra security!
If you have an email account (and in 2017, you probably have more than one), you are a target. More specifically, your email password is a target and a coveted prize for hackers. And let’s face it – hackers are not going away anytime soon. Because the barriers to entry are so low and the potential payoffs so large, hackers are more motivated than ever to try to steal your login credentials. As an MDaemon administrator, you are tasked with making sure your users use strong passwords, but here are a few things to consider when evaluating your password & security policies:
People often reuse passwords.
People tend to use the same password across multiple sites.
Hackers have access to a variety of password-generating tools that are freely available on the Internet.
Automated systems installed in botnets can crack complex passwords in a matter of minutes.
Password dictionaries reduce the effectiveness of password complexity policies.
To address these threats, MDaemon’s new Dynamic Screening features can be configured to track authentication failures for all protocols, including SMTP, POP, IMAP, WorldClient, and ActiveSync (among others). When a specified number of authentication attempts from a given IP address fail in a designated period of time, subsequent connections from the IP are blocked for a specified period of time. The affected email account can also be frozen – meaning the mailbox can collect mail, but the user cannot login to check email or send out email messages.
Watch our latest tutorial video to learn more!
In the event that a hacker or spammer still manages to guess an account’s password, MDaemon’s Account Hijack Detection feature will disable or freeze the account after a specific number of messages have been sent from an authenticated session in a given timeframe.
Do you have questions or comments? Let us know via the Comments section!
As I announced recently in this post, MDaemon 17.5 has been released, with new security and collaboration features. One feature that our users will find particularly useful is the new Location Screening feature, which allows administrators to block incoming connections from specific countries. When you consider the scale and widespread distribution of global threats, blocking connections by country can provide the following benefits:
It can reduce the amount of email traffic on the server, freeing up system resources.
It has the added benefit of reducing the amount of spam received.
New spam domains, email zombies & phishing sites pop up all over the world every day. In fact, Cyren’s World Threat Map displays a handy visual representation of newly-discovered threats in real-time.
So if you know your company does not do business with certain countries, you can add these locations to MDaemon’s Location Screening feature and stop all traffic from these countries.
In previous versions of MDaemon, the best way to block connections by country was to use the DNS-BL feature, but with MDaemon 17.5, a new, intuitive check-box screen was added. In this tutorial video, I show you how easy it is to configure Location Screening in MDaemon.
Do you have questions or feedback? If so, click on the “Leave a Comment” link under the title of this post & let us know!