Category Archives: Feature

All Secure, Only Secure

A little later than planned, and after a month of hectic changes, reviews and audits, we have finally flipped the switch and disabled all insecure login methods.

If you were previously fetching your email successfully and it no longer appears to be working then this will be the reason.  You need to adjust the configuration of your email client to connect securely for both send and receive.

Details of the hostnames/ports that should be connected to are available on the Tidymail Services and Port Numbers page. But the summary is that any existing insecure configuration should be adjusted to require SSL or TLS.

Most of our client configuration guides contain details on how to configure securely and we can advise for other client software not listed; just email us at helpdesk@tidymail.co.uk

As we noted in our original announcement back in December, the security landscape has changed over the past 18 months, not only in its visibility and public awareness but also with regard to the importance of vigilance and good security practice.

Security is a process, not a checkbox.

Security Changes for 2014

2013 has been one of the most “interesting” and volatile years for computing security in many years. The technical revelations regarding protocol issues with secure handshakes and the designed-in weaknesses in the Elliptic Curve Random Number Generator, together with Edward Snowden’s exposure of the behaviour of the NSA and other nations’ intelligence services in massive data gathering of anything they could tap into, will have technical, social and political repercussions for many years to come.

The most immediate effect is the realisation that we should all be encrypting whatever we can.

At Tidymail we have always encouraged the use of secured connections: when we started the service more than 10 years ago we offered and encouraged them. Our web interface has only ever been offered via a secure connection, and whilst for traditional email clients there were valid reasons at the time to allow insecure connections, we no longer feel it is appropriate to allow them. A year ago we added the facility to specify that an email client should only be allowed to connect securely. Now we feel it is appropriate to improve matters further.

From 1st April 2014 we will no longer permit insecure access for sending or receiving mail.  All email clients will need to be configured to connect either via an SSL connection, or via a STARTTLS negotiated connection.

Details of the hostnames/ports that should be connected to are available on the Tidymail Services and Port Numbers page. But the summary is that any existing insecure configuration should be adjusted to require SSL or TLS.

Most of our client configuration guides contain details on how to configure securely and we can advise for other client software not listed; just email us at helpdesk@tidymail.co.uk

This is not the only measure we are taking to improve the security of your email but it is the most visible to you.  We continue to work on improving the parts of the system that are not immediately visible and we expect to improve the security of various aspects, both visible and not, over the next year and onwards.

Webmail Updated

We have just updated the webmail access to the new release.

Apart from the selection of bug fixes, the most obvious change is the new skin with layout changes. This is a slicker interface and has a number of benefits, including the ability to have a three-pane view showing folders, headers and message preview all on the one screen.

We trust you’ll like this new interface.  If you have any questions regarding it please contact us at helpdesk@tidymail.co.uk

IPv6 for everybody

Today is World IPv6 Launch Day, when IPv6 gets permanently enabled for service and equipment. In the words of the global launch site:

Major Internet service providers (ISPs), home networking equipment manufacturers, and web companies around the world are coming together to permanently enable IPv6 for their products and services by 6 June 2012.

We have been working hard behind the scenes in our own small way to make sure that both Tidymail and Wizmail are available on both IPv4 and IPv6.

We actually completed the bulk of this work over a month ago and have been testing and monitoring everything since, and are now pleased to announce:

Tidymail and Wizmail are now IPv6 enabled.

The websites, the POP and IMAP mail fetch services and the SMTP mail sending service are now available over IPv4 or IPv6.

This means all email hosted domains that have the correct MX settings are now automatically globally visible via IPv4 and IPv6.  And once we have ironed out any initial wrinkles with general access and visibility we’ll be trying to see if there are any new services we can offer with this expanded IP space, so stay tuned.

New version of Webmail

We have installed a new beta version of the webmail client.

Based on the new version 0.8 roundcubemail code with the new “larry” skin, this offers a much better desktop feel and a more modern experience.

We have made this the default skin for all Wizmail users and we hope you like it.  If you have any feedback regarding this please contact us at helpdesk@wizmail.org

 

Securing your account from prying eyes

We have always provided and encouraged the use of secure, encrypted communications to our servers but there have been recent events that have highlighted not only the importance of using encrypted links, but also ensuring that only trusted links are used.

As you may have read in various tech-press articles like this one, configuring your email client to default to secure connections may not be enough to ensure the link really is secure, since many clients, when faced with a blocked secure link, have silently fallen back to insecure mode, allowing anyone in the path to read the ID, password and email content.

We are pleased to announce that you can configure your account so that, even if your client falls back to insecure mode, we will reject the connection attempt in the same way as an invalid account/password.

You can set these controls on your account by visiting the Email Security Controls page and setting the options to Yes.

You may also need to ensure your email client is set to use either “TLS” or “SSL” or “Encrypted” links and that it is connecting to the correct port.  Details of the preferred ports can be found here and configuration guides for various email clients can be found here
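The client side of the fallback problem described above, as an added example that is not part of the original post or of any Tidymail code: a Python sender that upgrades to TLS or gives up, and never sends credentials in clear text. The names `upgrade_or_abort`, `send_securely` and `InsecureLinkRefused` are hypothetical, and the hostname and port are supplied by the caller from the provider's published list.

```python
import smtplib
import ssl


class InsecureLinkRefused(Exception):
    """Raised instead of continuing over an unencrypted connection."""


def upgrade_or_abort(smtp, context=None):
    """Upgrade a connected smtplib.SMTP session to TLS, or abort.

    Credentials may only be sent after this returns. If STARTTLS is not
    offered (by the server, or because something in the path removed it),
    the session is closed and an exception raised: no clear-text fallback.
    """
    # The default context verifies the certificate chain and the hostname.
    context = context or ssl.create_default_context()
    smtp.ehlo()
    if not smtp.has_extn("starttls"):
        smtp.close()
        raise InsecureLinkRefused("STARTTLS not offered; refusing to log in")
    smtp.starttls(context=context)
    smtp.ehlo()  # capabilities must be re-read over the encrypted channel
    return smtp


def send_securely(host, port, user, password, message):
    """Submit one email.message.EmailMessage, encrypted or not at all."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        upgrade_or_abort(smtp)
        smtp.login(user, password)  # only reached on a verified TLS link
        smtp.send_message(message)
```

A certificate that fails verification raises `ssl.SSLError` from `starttls()`, which likewise stops the session before `login()` is reached.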

Please note that the third option on the page, “Send from Authenticated Connections Only”, is currently only of use for those remaining customers who are sending from a permitted relay IP address. This was the old mechanism for sending email, where we simply trusted the IP address, and it is being phased out over the next few months.

 

Mail Quota increased for all Full Accounts

We are pleased to announce that we have increased the mail quota for all Full account users to 500MB.

Following our system upgrades last year and extensive testing of the further stability improvements we have been able to increase the available storage for all our Full Account users as part of the standard offering.

Your current usage can be found by visiting the Mail Folder Usage web page, or it may be presented by your email client.  It can also be seen at the bottom of the folder list in the webmail client.

 

New Tricks Live – Blocking more spam

We’ve just updated our spam recognition mechanism to include a variation on ‘grey-listing’.

As part of the content analysis we now check for common phrases that would not typically be expected in normal email. If they are present and we’ve not seen them from the particular sender recently, we temporarily reject the message. If the message is presented again after a short delay, we mark the email as spam, allowing your particular rule (accept, reject, tag) to apply and the message to be delivered appropriately.  Since the vast majority of infected PCs acting as spam senders do not operate as proper email senders with industry-accepted retry periods, they do not send the same message again and so the spam no longer reaches your inbox.
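The decision described above can be sketched as follows. This is an added example, not Tidymail's implementation: the phrase list, the 300-second retry delay, the 24-hour meaning of "recently", the choice to keep deferring a retry that arrives too soon, and the names `ContentGreylist` and `smtp_outcome` are all assumptions.

```python
import time


class ContentGreylist:
    """Defer first sight of a suspect phrase from a sender; mark a proper retry as spam."""

    def __init__(self, phrases, min_delay=300, memory=86400, clock=time.time):
        self.phrases = [p.lower() for p in phrases]
        self.min_delay = min_delay  # assumed "short delay", in seconds
        self.memory = memory        # assumed meaning of "recently", in seconds
        self.clock = clock
        self.first_seen = {}        # (sender, phrase) -> time of first deferral

    def check(self, sender, body):
        """Return 'accept', 'defer' (temporary reject) or 'spam'."""
        now, sender, text = self.clock(), sender.lower(), body.lower()
        hits = [p for p in self.phrases if p in text]
        if not hits:
            return "accept"
        # Forget sightings that are no longer "recent".
        self.first_seen = {k: t for k, t in self.first_seen.items()
                           if now - t <= self.memory}
        unseen = [p for p in hits if (sender, p) not in self.first_seen]
        for phrase in unseen:
            self.first_seen[(sender, phrase)] = now
        if unseen:
            return "defer"
        newest = max(self.first_seen[(sender, p)] for p in hits)
        if now - newest < self.min_delay:
            return "defer"  # retried sooner than a real mail server would
        return "spam"


def smtp_outcome(verdict, user_rule):
    """Map a verdict and the user's rule (accept/reject/tag) to (reply code, tagged)."""
    if verdict == "defer":
        return 451, False   # 4xx: a well-behaved sender queues and retries
    if verdict == "spam" and user_rule == "reject":
        return 550, False
    return 250, verdict == "spam" and user_rule == "tag"
```

A sender that never retries leaves only the 451 behind, which is the case the post relies on for infected PCs.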

Rejects search facility

We’re rolling out to Tidymail the facility for users to search for items addressed to them which were rejected.  Most of these should be spam, but if you’ve been expecting a particular item which has not arrived, or if you just want to get a general flavour of the spam we’re rejecting on your behalf, the information is there.  It’s pretty raw, being just lines selected from our logs.

This is only a beta service; we might change it or withdraw it once we have some experience of how well (or not) it works.  One thing it will not show is rejects where we decided we didn’t like the sending system even before it got as far as telling us the item recipient.  It doesn’t handle aliases or catchalls either.

To use the service you must have your mail client configured to authenticate, so that we know what name to search the logs for.   Once that is set up, send a mail to rejectlog@tidymail.co.uk – the subject and content will be ignored and can be blank.  You should get sent a mail with selected lines from our logs.  The last couple of log files are searched, so there should be at least one full week’s coverage backward from the time of the request.

Each line should include a date & time, an IP address in square brackets (of the sending system) and a sender name in the form F=<user@domain> (NB: this is the envelope from, not the header from).  There should also be a reason for rejection.

We’ll be interested in your comments on this facility.   Mail to helpdesk@tidymail.co.uk

Rejects search facility

We’ve added a facility for Wizmail (not Tidymail yet) users to search for items addressed to them which were rejected.  Most of these should be spam, but if you’ve been expecting a particular item which has not arrived, or if you just want to get a general flavour of the spam we’re rejecting on your behalf, the information is there.  It’s pretty raw, being just lines selected from our logs.

This is only a beta service; we might change it or withdraw it once we have some experience of how well (or not) it works.  One thing it will not show is rejects where we decided we didn’t like the sending system even before it got as far as telling us the item recipient.  It doesn’t handle aliases or catchalls either.

To use the service you must have your mail client configured to authenticate, so that we know what name to search the logs for.  Send a mail to rejectlog@wizmail.org – the subject and content will be ignored and can be blank.  You should get sent a mail with selected lines from our logs.

Each line should include a date & time, an IP address in square brackets (of the sending system) and a sender name in the form F=<user@domain> (NB: this is the envelope from, not the header from).  There should also be a reason for rejection.
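Both rejects-search posts describe the same four fields per line, so one added example serves both. It is not code from the service: it parses lines of that shape and answers the two questions the posts raise, whether mail from an expected sender was rejected and what the rejections look like overall. The sample lines are constructed, and the exact layout (timestamp first, reason after the last ": ") is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Assumed layout: "YYYY-MM-DD HH:MM:SS" first, reason after the last ": ".
STAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s")
BRACKETED = re.compile(r"\[([0-9A-Fa-f:.]+)\]")
ENVELOPE_FROM = re.compile(r"\bF=<([^>]*)>")

# Constructed sample lines, not real log output.
SAMPLE = """\
2014-03-02 09:14:07 H=(mx) [192.0.2.44] F=<promo@example.net> rejected RCPT <you@example.org>: content matched spam phrase
2014-03-02 11:52:31 H=relay.example.com [2001:db8::25] F=<> rejected RCPT <you@example.org>: sender verify failed
2014-03-03 08:01:12 H=(mx) [192.0.2.44] F=<promo@example.net> rejected RCPT <you@example.org>: content matched spam phrase
2014-03-03 08:05:00 something unrelated with no sender or address
"""


def parse_reject_line(line):
    """Return a dict of the four described fields, or None if any is missing."""
    stamp = STAMP.match(line)
    sender = ENVELOPE_FROM.search(line)
    ip = None
    for candidate in BRACKETED.findall(line):
        try:  # accept IPv4 or IPv6, skip other bracketed text
            ip = ipaddress.ip_address(candidate)
            break
        except ValueError:
            continue
    if stamp is None or sender is None or ip is None or ": " not in line:
        return None
    return {
        "when": stamp.group(1),
        "ip": str(ip),
        "sender": sender.group(1).lower(),  # "" is the null (bounce) sender
        "reason": line.rsplit(": ", 1)[1].strip(),
    }


def rejects_from(text, sender_domain):
    """Rejections whose envelope sender is at sender_domain (missing-mail check)."""
    rows = filter(None, map(parse_reject_line, text.splitlines()))
    return [r for r in rows if r["sender"].endswith("@" + sender_domain.lower())]


def reasons_summary(text):
    """Count rejections per reason, for a general flavour of what was blocked."""
    rows = filter(None, map(parse_reject_line, text.splitlines()))
    return Counter(r["reason"] for r in rows)
```

Because the match is on the envelope sender, a message whose visible From: header shows a different address will not be found by searching for that header address.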

We’ll be interested in your comments on this facility.   Mail to helpdesk@wizmail.org

If all goes well we’ll roll out to Tidymail soon.

Additional – it turns out to be a really good idea to put pcmsuser@wizmail.org as a known-address, with an accept on it.  Otherwise, a URL or phone-number which caused a content-based rejection, and got logged, will result in the rejection of the mail containing the log lines….
