Category Archives: Security

All Secure, Only Secure

A little later than planned, and after a month of hectic changes, reviews and audits, we have finally flipped the switch and disabled all insecure login methods.

If you were previously fetching your email successfully and it no longer appears to be working then this will be the reason.  You need to adjust the configuration of your email client to connect securely for both send and receive.

Details of the hostnames/ports that should be connected to are available on the Tidymail Services and Port Numbers page. But the summary is that any existing insecure configuration should be adjusted to require SSL or TLS.

Most of our client configuration guides contain details on how to configure securely and we can advise for other client software not listed; just email us at helpdesk@tidymail.co.uk

As we noted in our original announcement back in December, the security landscape has changed over the past 18 months, not only in its visibility and public awareness but also with regard to the importance of vigilance and good security practice.

Security is a process, not a checkbox.

Security Changes for 2014

2013 has been one of the most “interesting” and volatile years for computing security in many years. The technical revelations regarding protocol issues with secure handshakes and the designed-in weaknesses in the Elliptic Curve Random Number Generator, together with Edward Snowden’s exposure of the behaviour of the NSA and other nations’ intelligence services in massive data gathering of anything they could tap into, will have technical, social and political repercussions for many years to come.

The most immediate effect is the realisation that we should all be encrypting whatever we can.

At Tidymail we have always encouraged the use of secured connections: when we started the service more than 10 years ago we offered them and encouraged their use. Our web interface has only ever been offered via a secure connection. Whilst for traditional email clients there were valid reasons at the time to allow insecure connections, we no longer feel it is appropriate to allow them. A year ago we added the facility to specify that an email client should only be allowed to connect securely. Now we feel it is appropriate to improve matters further.

From 1st April 2014 we will no longer permit insecure access for sending or receiving mail.  All email clients will need to be configured to connect either via an SSL connection, or via a STARTTLS negotiated connection.

Details of the hostnames/ports that should be connected to are available on the Tidymail Services and Port Numbers page. But the summary is that any existing insecure configuration should be adjusted to require SSL or TLS.

Most of our client configuration guides contain details on how to configure securely and we can advise for other client software not listed; just email us at helpdesk@tidymail.co.uk

This is not the only measure we are taking to improve the security of your email but it is the most visible to you.  We continue to work on improving the parts of the system that are not immediately visible and we expect to improve the security of various aspects, both visible and not, over the next year and onwards.

Securing your account from prying eyes

We have always provided and encouraged the use of secure, encrypted communications to our servers but there have been recent events that have highlighted not only the importance of using encrypted links, but also ensuring that only trusted links are used.

As you may have read in various tech-press articles like this one, configuring your email client to default to secure connections may not be enough to ensure the link is really secure, since many clients, when faced with a blocked secure link, silently fell back to insecure mode, allowing anyone in the path to read the ID, password and email content.

We are pleased to announce that you can configure your account so that, even if your client falls back to insecure mode, we will reject the connection attempt in the same way as an invalid account/password.

You can set these controls on your account by visiting the Email Security Controls page and setting the options to Yes.

You may also need to ensure your email client is set to use either “TLS” or “SSL” or “Encrypted” links and that it is connecting to the correct port. Details of the preferred ports can be found here, and configuration guides for various email clients can be found here.
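As an added illustration (not Tidymail's code or that of any particular email client), the sketch below shows the client-side behaviour that avoids the silent fallback described above: if STARTTLS is not offered, the login is abandoned rather than sent in the clear. The host, port and credentials passed to `login_strict`, the function names and the two constructed EHLO replies are assumptions made for the example.

```python
import smtplib
import ssl


class InsecureLinkError(Exception):
    """Raised instead of silently continuing over a cleartext link."""


def ehlo_extensions(reply: str) -> set:
    """Extension keywords from a raw EHLO reply ('250-KEYWORD args' lines)."""
    lines = reply.splitlines()
    if not lines or any(not ln.startswith(("250-", "250 ")) for ln in lines):
        raise ValueError("not a successful EHLO reply")
    # The first line is the server's greeting; the rest name extensions.
    return {ln[4:].split()[0].upper() for ln in lines[1:] if ln[4:].strip()}


def step_before_login(reply: str, tls_active: bool) -> str:
    """Next command to send; there is deliberately no cleartext branch."""
    if tls_active:
        return "AUTH"
    if "STARTTLS" in ehlo_extensions(reply):
        return "STARTTLS"
    raise InsecureLinkError("STARTTLS not offered; refusing to send credentials")


def login_strict(host: str, port: int, user: str, password: str) -> smtplib.SMTP:
    """Same policy with smtplib: upgrade with a verified certificate or abort."""
    smtp = smtplib.SMTP(host, port, timeout=15)
    try:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise InsecureLinkError("STARTTLS not offered; refusing to send credentials")
        smtp.starttls(context=ssl.create_default_context())  # verifies cert and hostname
        smtp.ehlo()  # re-read capabilities over the encrypted link
        smtp.login(user, password)
        return smtp
    except Exception:
        smtp.close()
        raise


# Constructed EHLO replies: an intact path, and one where STARTTLS is absent.
INTACT = "250-mail.example.test\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 AUTH PLAIN LOGIN"
STRIPPED = "250-mail.example.test\r\n250-SIZE 52428800\r\n250 AUTH PLAIN LOGIN"
```

The account-side control described above is the complement of this: even a client that does fall back has its insecure login refused by the server.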

Please note that the third option on the page, “Send from Authenticated Connections Only”, is currently only of use for those remaining customers who are sending from a permitted relay IP address. This was the old mechanism for sending email, where we simply trusted the IP address, and it is being phased out over the next few months.

Imminent Downtime

Due to the release of security-related package updates, we’ve decided to accelerate our updating of the master machines that host the virtual machines that run our services.

We are currently updating the machine that hosts the secondary access, the backup receiving machines and the primaries for the Beta service. We hope to have the machine back up and running, along with all its virtual machines, within a couple of hours.

On completion we will evaluate whether the remaining time available allows for the immediate upgrading of the primary services. We will post again once we have completed the first stage.

WARNING – Phishing attempts

We have noted that some of our customers are receiving email purporting to be from ourselves claiming they are over their storage limit and that they need to reply with their account details including password to resolve the storage issue.

These emails are not from us and should be deleted.

We will not ask for your email passwords, ever.

Subject: Your mailbox has exceeded the storage limit.
Date: Tue, 10 Nov 2009 08:43:42 -0800
From: ServiceHelp Desk <admin@webmail.org>
Reply-To: adminwebct@tmail.tv
To: undisclosed-recipients:;

Dear Webmail Account User,

This message was sent automatically by a program on Webmail admin center
which periodically checks the size of inbox, The program is run
automatically to ensure no user inbox grows too large. If your inbox
becomes too large, you will be unable to receive new emails. Just before
this message was sent, you are currently running on 20.9 GB, You have has
exceeded the storage limit which is 20GB.

To help us re-set your Account SPACE on our database prior to maintain
your INBOX, you must reply to this e-mail providing us your the Below
information:

E-mail ( ... ...... ...  ... ... ... ...  ... ... ... ...  ... ... ... ... )
Username/ID ( .all.. ... ... ... ... ...  )
Current Password ( ... ...... ... ) Retype Password: ( ... ...... ... )

From this point you will be unable to receive new email as it will be
returned to the sender, Provide the above information to enable us help
reset your webmail immediately.

NOTE: Your Webmail Account Expire in Three (3) Days. After you read this
message, it is best to REPLY with the required information to upgrade
MailBox. Reply to this message immediately to Re activate your Account.

Thank you for your cooperation.
Webmail Help Desk. System Administrator
-------------------------------------------------
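As an added example (not part of the original post and not Tidymail's tooling), the following triage check runs over the headers and two body lines of the message quoted above and lists the traits that mark it as a credential-phishing attempt. It is meant for mail that claims to come from the service; the provider domain is taken from the helpdesk address on this page, and the function names and indicator labels are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PROVIDER_DOMAIN = "tidymail.co.uk"  # domain of the helpdesk address on this page

# Headers and part of the body, copied from the message quoted above.
SAMPLE = """\
Subject: Your mailbox has exceeded the storage limit.
Date: Tue, 10 Nov 2009 08:43:42 -0800
From: ServiceHelp Desk <admin@webmail.org>
Reply-To: adminwebct@tmail.tv
To: undisclosed-recipients:;

your INBOX, you must reply to this e-mail providing us your the Below
Current Password ( ... ...... ... ) Retype Password: ( ... ...... ... )
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def phishing_indicators(raw, provider_domain=PROVIDER_DOMAIN):
    """Return the list of suspicious traits found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    body = msg.get_payload()
    found = []
    # Mail claiming to be from the service but sent from another domain.
    if sender != provider_domain and not sender.endswith("." + provider_domain):
        found.append("sender-not-provider")
    # Replies are steered to a different domain than the visible sender.
    if reply_to and reply_to != sender:
        found.append("reply-to-differs-from-sender")
    if "undisclosed-recipients" in (msg["To"] or "").lower():
        found.append("bulk-undisclosed-recipients")
    # The service never asks for a password, least of all by reply.
    if re.search(r"\bpassword\b", body, re.I) and re.search(r"\breply\b", body, re.I):
        found.append("asks-for-password-by-reply")
    return found
```

A From header can be forged, so an empty result does not prove a message is genuine; the password request remains the decisive sign.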