Are you taking the security of your email account seriously?

We begin a series of posts on the importance of email security and why it should be a top priority for organizations. In this post, we share some insights from the founder of Alt-N Technologies, Arvel Hathcock, to get his perspective on security tips for email users.

Most everyone has an email account. Many have more than one. Email is really at the core of online life because it is tied to so many of our online services. Look at your phone. Many of the service apps you see connect with you via your email account. This is why I believe the widespread practice of “password reset via email message” or “Forgotten Password” has crowned the email account password the most significant and important of all passwords.

Password Settings in MDaemon

That’s not to say that password management for services like online banking is not critical. It is. But having a strong password for banking and not your email can expose you to some real dangers, as well. Imagine if a hacker or other bad actor can figure out your email password. One of the first actions they could take is to log in and change your password. This locks you out. Next, they check through your inbox and folders looking for anything interesting, such as popular online services or banking portals. Now, they log in with your email address and use the “Forgotten Password” feature. Soon an email will show up in your inbox (which is no longer controlled by you) allowing them to verify the change and now another important service is not controlled by you. This email and others like it will allow a hacker to change all of your online passwords – all because they found your email password.

This is not good and it leads me to security tip #1: Put effort into the security of your email account password.

It can be the key to all your other passwords. Also, do not use your email account password with any other online account or service because you do not know and cannot control when it will be that service’s turn to get hacked.

Because of the risk mentioned earlier, I would also recommend users disable “Forgotten Password” features where possible and use an alternative method. As bad as “Forgotten Password” can be to reset access, the Question and Answer options can be risky, too. I was horrified years ago to discover that an online app for a banking chain reset my password using only the “Question and Answer” method – no email at all! You know – the questions some services ask like “What’s your mom’s name?” or “Where did you grow up?” etc. If someone can get the answers right, they can change the password.

This idea assumes that would-be hackers will always be outsiders without access to even basic information about their targets. You should use caution before completely trusting these methods. One trick I recommend is to select the question (it’s usually in a drop-down list) and enter a totally random and completely unpredictable answer (but one that you can remember, of course).

I realize these features exist for convenience but remember that security can be reduced and new attack options exposed by these methods if not managed properly.

 

 


MDaemon 16.5 – with Automatic Updates, WorldClient Categories & More!

Earlier this year, we introduced several new security and convenience features for MDaemon, including contact synchronization via CardDAV, two-factor authentication in WorldClient, spambot detection, and an ActiveSync migration client for migrating from any mail platform that supports ActiveSync protocol version 14.1. If you’re running an older version of MDaemon and would like to see what you may be missing, check out our MDaemon Features by Version page for all features by release version.

For MDaemon 16.5, we continue the trend of packing in new features for both administrators and end users.

Administrators will Benefit From these New Features:

Centralized Management of Outlook Users

Outlook Connector Client Settings

Outlook Connector allows Outlook users to share their email, calendars, contacts, tasks and notes. In previous versions of MDaemon and Outlook Connector, users would configure all settings on the Outlook Connector client, including host names, SSL and port settings, and other preferences. Beginning with MDaemon 16.5 and Outlook Connector 4.0 (also released today), these settings can now be stored centrally in MDaemon and pushed out to clients. When a new Outlook Connector profile is created, only the username and password are needed. All other settings are retrieved from MDaemon with the click of a button.

Unique Public Key Management for Encryption Security Control

OpenPGP Encryption Settings

OpenPGP uses public/private key pairs to encrypt and decrypt messages. If I want to send you an encrypted message, I would need to obtain your public key, which is used to encrypt the message, and you would decrypt it with your private key. WorldClient, MDaemon’s webmail client, can now be used as a basic public key server for exchanging public encryption keys. This allows WorldClient to honor requests for your users’ public keys using a specially formatted URL. Additionally, MDaemon’s OpenPGP feature now supports collection of public keys over DNS. This helps to automate the process of exchanging encryption keys.

Automatic Product Updates

Automatic Updates

It’s easier to ensure that you’re running the latest version of MDaemon, Outlook Connector, and SecurityPlus with the new Automatic Updates feature. Updates can be automatically downloaded and installed at a designated time.

For end users, we’ve added these new features:

Easily Identify Trusted Email & Confirm Message Authenticity to Prevent Spearphishing

 

DKIM Verified Sender

MDaemon’s OpenPGP features can now verify embedded signatures found within messages. This helps the recipient ensure that the message is authentic. WorldClient will display an icon or text label for verified messages. WorldClient will also display labels for messages with valid DKIM signatures, messages decrypted by OpenPGP, and messages signed with an OpenPGP key.

WorldClient Categories for Easier Inbox Management

WorldClient Message Categories

When using the LookOut and WorldClient themes, WorldClient has new category selections for easy sorting and identification of email messages. Messages can be sorted by category, and multiple categories can be assigned to a message. Authorized users can also create their own custom categories in addition to using the built-in categories.

Connect with most IM Clients

XMPP Chat Server

MDaemon 16.5 includes two separate chat systems. In addition to WorldClient Instant Messenger, users can now chat with each other using their favorite third-party chat (XMPP) client. With the addition of this feature, users now have the flexibility to chat from any device with a compatible XMPP client, including mobile devices.

There are many XMPP clients to choose from, including Trillian (Windows), Adium (Mac OSX), and Mozilla Thunderbird (Linux, OSX, Windows). A list of XMPP clients can be found here: http://xmpp.org/software/clients.htm.

Features may vary depending on which XMPP client is used. WorldClient Instant Messenger’s features can be found here:

http://www.altn.com/Products/MDaemon-Email-Server-Windows/WorldClient-Instant-Messenger/

Other improvements include:

Additional SMTP authentication settings

SMTP Authentication from Local IPs

The SMTP Authentication screen has a new option which, when enabled, will require all incoming messages from local IP addresses to use SMTP authentication. When this setting is enabled, if a message that is not authenticated arrives from a local IP address, it will be rejected. We recommend enabling this setting for added security.

Modification of “From” header as additional protection from spoofing

Sometimes users are fooled into thinking an email comes from one person when it is actually from an attacker. This happens because email clients often display only the sender’s name and not his email address. This new option defeats such an attack by altering the From: header value. If enabled, when a message arrives for a local user, its From: header is modified. For example: From: “Spartacus” <crixus@capua.com> would become From: “crixus@capua.com — Spartacus” <crixus@capua.com>.
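The From: rewrite described above, sketched in Python as an added example; it is not MDaemon's code. The function names, the handling of a header with no display name, and the extra check for a display name that embeds a different address (which goes beyond what the page describes) are assumptions, and the `batiatus@capua.com` sample is constructed.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header, make_header
from email.utils import formataddr, parseaddr

SEP = " \u2014 "  # separator shown in the page's example (an em dash)
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def split_from(value):
    """Return (decoded display name, address) for a single-mailbox From: value."""
    raw_name, addr = parseaddr(value)
    # Decode RFC 2047 encoded-words only after parsing, so an encoded '<' or
    # '"' in the name cannot change which address is treated as the real one.
    try:
        name = str(make_header(decode_header(raw_name))) if raw_name else ""
    except (HeaderParseError, LookupError, ValueError):
        name = raw_name  # undecodable: keep the raw text rather than drop it
    return name.strip(), addr


def rewrite_from(value):
    """Prefix the display name with the real address, as in the page's example."""
    name, addr = split_from(value)
    if not addr or not addr.isascii():
        return value  # unparseable or internationalized: leave untouched
    if not name:
        return addr  # assumption: nothing to tag when there is no display name
    if not name.startswith(addr + SEP):  # keeps the rewrite idempotent
        name = addr + SEP + name
    # formataddr() RFC 2047-encodes the name because the separator is non-ASCII.
    return formataddr((name, addr))


def name_claims_other_address(value):
    """True when the display name contains an address other than the real one."""
    name, addr = split_from(value)
    return any(m.lower() != addr.lower() for m in ADDR_IN_NAME.findall(name))


if __name__ == "__main__":
    # Constructed samples; the first is the header from the page's example.
    for sample in ('"Spartacus" <crixus@capua.com>',
                   '=?utf-8?b?U3BhcnRhY3Vz?= <crixus@capua.com>',
                   '"batiatus@capua.com" <crixus@capua.com>'):
        new_name, _ = split_from(rewrite_from(sample))
        print(f"{new_name!r}  claims_other={name_claims_other_address(sample)}")
```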

WorldClient can check for attachments if they are mentioned in the subject/body.

WorldClient Attachment Notification

When an attachment is mentioned in the subject or body of a message, yet no file is attached, WorldClient can be configured to remind the sender of a possibly missing attachment when clicking the Send button.

These are just the major new features for MDaemon 16.5. For a complete list of all new features & enhancements, view the MDaemon release notes. Or if you’re ready to try MDaemon for free, click here to download your free trial!


A Fresh New Look & New Features for SecurityGateway 4.0!

A company’s greatest asset is its customers, and here at Alt-N, we strive to listen to our customers’ needs. A direct result of that effort was the creation of the Alt-N Idea Engine, which allows customers to submit feature requests and other ideas to improve our products. Many of these ideas have made their way into our products, and many more are being considered for future versions.

Recently, we introduced some exciting new features to MDaemon, including a flexible Remote Administration interface and enhanced security via DMARC (Domain-Based Message Authentication, Reporting, and Conformance). I’m pleased to announce that these and other great new features have now been added to SecurityGateway!

A brief overview of key new features is outlined below. For a complete overview of all new features and enhancements, click here to view the SecurityGateway Release Notes.

Flexible, Mobile-Optimized Web Interface

With the proliferation of handheld devices and an increasingly mobile workforce, users will benefit from an updated, responsive web interface that is optimized for mobile devices. The format of the information displayed is dependent on the size of the browser window, so whether you’re on a desktop PC, a tablet, or a mobile phone, the interface adjusts for a more user-friendly experience regardless of what type of device is used.

Enhanced Anti-Spoofing Support with DMARC

DMARC (Domain-Based Message Authentication, Reporting and Conformance) enables domain owners to direct the actions to take when handling messages that purport to be from their domain(s) but were not actually sent by them.

Bind Domain to Its Own IP address

For servers that have multiple IP addresses and multiple domains, each domain in SecurityGateway can now be bound to its own IP address. This allows messages from a specific domain to be sent only from its assigned IP address.

For more information on pricing for new purchases, upgrades or renewals, please visit the Purchase, Renew or Upgrade page!


MDaemon 16.0.2 Available – with “Remember Me” for Two-Factor Authentication

MDaemon 16.0.2 has been released. This update includes a “remember me” feature for two-factor authentication in WorldClient. With this feature enabled, users will not have to re-enter a verification code for a designated period of time.

Other new features and enhancements include:

  •  Global administrators can now set the Mail Archive path in Remote Administration.
  • The Remote Administration group editor now supports Do Not Disturb scheduling. This allows administrators to schedule a period of time during which email cannot be accessed for all accounts that have been assigned to a group.
  • Administrators can now sort the Active Sessions list in Remote Administration – for an improved view of server activity.
  • Global administrators can now disable two-factor authentication for selected users in Remote Administration.

These are just the highlights for MDaemon 16.0.2. For a complete list of new features and fixes, view the MDaemon release notes. If you’d like to update to MDaemon 16.0.2, you can download MDaemon here.


MDaemon 15.5.3 is Now Available


MDaemon 15.5.3 has been released. With this latest release, we’ve added support for one of the most popularly-requested features – the ability for the content filter to check for restricted files inside of RAR and ZIP attachments.

Click here to read the complete release notes.

Click here to download the latest MDaemon.

If you are upgrading from an older version of MDaemon, here are some helpful tips to ensure that your upgrade goes smoothly.

If you need assistance, please feel free to leave us a comment, or click here to contact our support staff.


SecurityGateway 3.0.3 Has Been Released

Today, we released SecurityGateway 3.0.3. Here are some highlights on what’s new for this latest release.

  • Compressed archive files, such as .zip and .rar, can now be scanned for restricted attachments.
  • An option has been added which allows a global administrator to export all whitelists and blacklists to a CSV file.
  • Adobe Flash is no longer required to display traffic and mailbox charts.
  • Global administrators can now be automatically alerted when a new user is created.

There are many more new features and enhancements. For a complete list, click here to read the SecurityGateway release notes.

Want to learn more? Check out our recorded webinar for an overview of SecurityGateway.

Click here to download your free trial of SecurityGateway.

 


MDaemon Update Available

MDaemon 15.5.2 is now available. This is a minor update that includes the following two changes:

  • Updates to MDaemon’s server-side encryption using Open PGP: –pgpx mode will now bounce if no key on key-ring found for encryption and log a failure message if encryption cannot be performed.
  • Info about ActiveSync port requirements has been moved from a popup to the ActiveSync server configuration dialog.

There are also various other fixes & improvements. These updates & improvements are listed in the latest MDaemon release notes, which you can read here.

Click here to download the latest release of MDaemon.

If you have questions, feel free to leave a comment, or email training@altn.com.


Email Privacy and More in MDaemon 15.5


Today we’ve launched the newest version of the MDaemon email server with some exciting new features. Staying true to the company’s focus on email security and end user ease of use, we believe these new features will be welcomed by many of our users across industries.

I’ve outlined some of the features below, but if you’d like a more extensive list, the MDaemon Features by Version page can provide additional detail.

Encryption Layers for Extended Email Privacy

With a growing emphasis in the market on email privacy, MDaemon 15.5 introduces additional encryption features using Virtru and Open PGP to make it easy for users and administrators to keep email communications private.

On the client side, WorldClient users can enable Virtru for end-to-end encryption. Basic encryption for emails and attachments is included for free within the WorldClient settings menu. Virtru encrypts the user’s email and attachments and does not have access to the encryption keys. For organizations that need to comply with HIPAA or need additional security controls, Virtru Pro is available for an annual subscription of only $24 per user. Virtru Pro allows users and administrators to revoke messages at any time, see and control forwarding, as well as add expiration data to email messages. For Microsoft Outlook users, the same features (free and Pro) are available using the Virtru for Outlook add-on.

On the server side, Open PGP for MDaemon has been added to give administrators the ability to use encryption, decryption, and basic key management capabilities through OpenPGP support. This additional layer helps administrators who want to ensure user compliance by managing encryption settings at the server versus the user implemented client level. Also, MDaemon’s Content Filter now contains actions to encrypt and decrypt messages. And finally, server-side encryption capabilities are beneficial when using email archiving with MDaemon.

Managing Employee Workload and Overtime with Email Do Not Disturb

Companies in many countries are being challenged by the need to manage email access “after hours” to prevent overtime pay and promote a stronger work/life balance. To date, most companies can only implement Human Resource policies to address the issue. To help IT Administrators deliver another layer of compliance to the organization, MDaemon 15.5 introduces its “Email Do Not Disturb” feature.

Located within the Accounts | Groups & Templates settings, Do Not Disturb allows the MDaemon administrator to set a time frame during which email may not be accessed by its users. Accounts in this state will receive incoming mail but users may not be able to log in to their MDaemon account or send/reply to messages until the Do Not Disturb period has lapsed.

New Calendar Synchronization Options with CalDAV Support

Support for synchronizing calendars via the CalDAV protocol has been added. Notable CalDAV clients are Apple iCal (Included with Mac OS X), Apple iOS (iPhone), and Mozilla Thunderbird via the Lightning calendar plugin.

Adding Public Contacts Support in ActiveSync

The ActiveSync server has an option to include and merge a user’s public contacts with their default contacts. This allows users of clients such as Outlook 2013, which does not support multiple contacts folders or global address list searching, to access public contacts. The public contacts are read-only and tagged with “Public” and “Read-Only” categories.

Productivity Improvements for WorldClient Users (MDaemon’s Web-based Email)

Browser* Desktop Notifications – When launching WorldClient using the LookOut or WorldClient theme, the browser will prompt the user to allow desktop notifications. If accepted, the user will receive notifications of new email messages, new Instant Messages (in the case that the corresponding chat is not in focus), and any change in status of a chat buddy.
*Desktop notifications are not supported by Internet Explorer.

Password Recovery – If enabled, users who have permission to edit their password will be able to enter an alternate email address to reset their password in case they forget it. Once set, if the user attempts to log in with an incorrect password, a “forgot password?” link will appear and direct them to a page that asks them to confirm their password recovery email address. If entered correctly, a message containing a link to a page that allows them to change their password is sent. This feature is disabled by default.

Creating a New Event, Task, or Note via Email – Users can easily convert an email message to an event, task or note. This enables users to more easily follow-up on emails that contain information relevant to projects, meetings or other time sensitive activities.

For pricing to purchase, upgrade or renew your MDaemon license to the newest version, please visit the Purchase, Renew or Upgrade page!


Malwarebytes False Positive Causing MDaemon DKIM Issues

Our friends at Zen Software posted about an issue with Malwarebytes false positives causing some DKIM issues for MDaemon. What may happen is that MDaemon may start blocking all inbound email because it’s seeing false results that a DKIM message check has failed. This is not an MDaemon problem. What’s happening is that the libdkim.dll file that MDaemon uses as part of the DKIM check is being blocked by Malwarebytes. The solution is simple. Simply exclude the MDaemon directory from real-time or scheduled antivirus checks.

You can read the original post here on Zen Software’s blog.


Critical MDaemon Update Available

Recently Alt-N discovered a vulnerability in the content filter of MDaemon and MDaemon Private Cloud that could potentially expose the server to malicious attack. The Alt-N development team has built and tested a patch to correct the potential vulnerability.

Click here for more information, and to download the patch to fix this vulnerability.
