YubiKey Discount for all FastMail Users

February 8, 2010 — Jack Miller

FastMail now supports YubiKey.   YubiKey is a hardware-based device that provides two-factor authentication.  Another way FastMail helps you keep your security credentials secure.

To learn more about our YubiKey implementation, read the following post.

As part of our implementation, Yubico is pleased to offer all FastMail users a 25% discount on a Pair of YubiKeys (one black and one white).  Simply enter the name: FASTMAIL in the coupon code upon checkout.

The YubiKey store can be located at: https://store.yubico.com/

Posted in Marketing, News. Leave a Comment »

Yubikey authentication available on production

February 3, 2010 — Rob Mueller

The Yubikey authentication mechanism we were trialling on on our beta server has now been released to production.

There’s been a few small changes since we first rolled it out on beta.

  1. After feedback from Yubico, we’ve made a few extra internal security improvements. In two-factor mode, the Yubikey one-time value is checked before the password, so a one-time value can’t be reused with the wrong password
  2. On the login screen, you can click the “+ More” link to display the Yubikey login box. Currently the password box will continue to work if you put the Yubikey one-time value in there, but we recommend using the specific Yubikey login box, because the browser won’t prompt you to save the one-time value as a password, which obviously won’t work a second time

We’ve also added some help documentation about Yubikey so people can learn about how it works and how to get one.

Posted in News. Leave a Comment »

ns2.messagingengine.com IP address change

February 3, 2010 — Rob Mueller

A few days ago, we changed the IP address of ns2.messagingengine.com from 64.34.176.20 to 74.52.143.114. In general, this shouldn’t have affected any users because we tell users to point their domains to our name server records ns1.messagingengine.com and ns2.messagingengine.com.

However we’ve noticed that a few users have slightly esoteric DNS setups where they’ve used the explicit IP address of the old ns2.messagingengine.com server. For those users, you need to update your DNS setup. We highly recommend that if possible, you don’t ever use the explicit IP address, but use appropriate server names or CNAMEs. This allows us to change the IP addresses of ns1 or ns2 without any user changes being required.

Posted in Technical. Leave a Comment »

Restore from Backup

February 2, 2010 — Rob Mueller

As part of our reliability setup, we take a daily incremental snapshot of all emails and keep them for 1 week. For years, we’ve allowed people to restore emails from our backups by contacting support if they accidentally deleted an email they later realised they needed.

We’re now making this functionality available to all users via an automated interface on the Options –> Restore from Backup screen. You can use this interface at any time to initiate a restore of all emails in your account (including those deleted in the last week) from our backups. For large accounts, the process can take some time, possibly several hours, so please be patient. We’ll email you when the process is complete.

Please read the screen carefully about how the process works, and don’t use it unless you really do need to restore.

Posted in News. Leave a Comment »

Opportunistic SSL/TLS encryption on outgoing emails

January 29, 2010 — Rob Mueller

Early last year, we implemented opportunistic encryption of incoming emails. We’ve now done the same thing for outgoing emails. This means that for email sent via FastMail (either the web interface or SMTP), if the receiving server advertises STARTTLS support in response to an EHLO command, we will try and negotiate a secure connection and send the email over a secure connection. However if the negotiation fails for any reason, we’ll fallback to a standard connection.

Some extra notes on this:

  • This doesn’t change what happens when sending via SMTP from your email client/software (eg. Outlook, Apple Mail, Thunderbird, etc) to the FastMail servers. Whether that connection is encrypted is controlled by your email client/software and what you configured when you set it up
  • We can’t force a remote server to use encryption, it’s only if the remote server advertises support for encryption that we try and setup a secure channel
  • This is not full end-to-end encryption of the email. The email is only encrypted during transit from our server to the other server, once it’s at their side, it’s stored in whatever form the other side stores emails. For full end-to-end encryption, you need something like PGP
  • The only way to tell if an email has gone over an encrypted connection or not is to look at the headers of the email on the received side. In other words, as a sender, it’s unfortunately not easy to tell, only the receiver can easily tell

Since this feature is only enabled if the other side advertises support for it, it shouldn’t affect sending to servers that don’t support STARTTLS, and thus shouldn’t affect the deliverability of email in any way.

Posted in Technical. Leave a Comment »

Yubikey authentication trial on beta server

January 20, 2010 — Rob Mueller

We’re currently running a trial of Yubikey authentication on our beta server.

To enable this, just login and go to Options -> Alternate Logins, and create a new Yubikey login set. For the Base Password, just touch your Yubikey button to generate a new one-time code to allow us to associate your particular Yubikey with your account. Currently these logins only work on the beta server web interface.

The Yubikey is a small USB authentication device that you can use to login to your FastMail account (beta web interface only at the moment) instead of your regular password. The Yubikey doesn’t need any client software. You just plug it into a USB port and it acts like a USB keyboard that most OS’s automatically support. It has one button on it, that when you press it, it generates a new one-time 44 character password.

The main advantage of a Yubikey login over a regular static password login is that to login, you must have the physical Yubikey token plugged into your machine, and you must press the button on it to generate a new one-time password. You can’t re-enter an already used one-time password, or copy and paste an existing one-time password. This prevents replay attacks if someone captures any of your logins (eg keylogger, tcp dump, malware root kit, etc).

Here’s the way it works:

  1. Each device has a unique id, that’s the first 12 chars
  2. Each device has an internal "shared secret" AES encryption key
  3. Each time you press the button, it generates a new one-time value that encrypted with that key, that’s the other 32 characters

The way it generates the one-time value is like this:

  1. It takes some internal values and joins them together
  2. It then encrypts that data using a symmetric cipher with the shared AES key that’s stored in the Yubikey, and also on the Yubico server so the server can decrypt it

The internal values that are joined and encrypted include:

  1. A private internal value
  2. A number of counter fields (each time you plug the key into a machine, or generate a new key, internal non-volatile counters are incremented)
  3. Timer field (an internal 8hz counter value)
  4. A random number
  5. A CRC checksum

So at the receiving side, you get the 44 char value. The first 12 chars normally let you work out who’s key it is (we still need to ask for your login name, because we you allow you to associate your Yubikey with multiple different accounts if you want). With the other 32 bytes, they are decrypted using the shared AES key, and then all the values are checked to make sure they are valid (eg counters are all higher than their previous values, checksum is valid, etc). There’s more details at the Yubico website (PDF manual).

So with this approach, you can validate a login, and be sure that if someone captures your keystrokes/one-time password value, it’s useless, because it can’t be used again.

We don’t actually store the AES key or do the decryption. That’s done with the Yubico web API service. So the shared key is stored in the Yubikey itself, and on the Yubico web service API server.

You can order Yubikeys from the Yubico website order page.

If you want to ask more questions, there’s a forum thread about this you can check out: Yubikey forum thread.

Update 22 Jan 2010: We’ve now added a two factor Yubikey authentication option. With this method, you need to enter both a password, and touch your Yubikey button to generate a one-time password. The advantage of this approach is that if you login on a machine with a keylogger/malware/root kit that captures your username + password + yubikey one time password, it doesn’t matter, because the yubikey one time password can’t be reused. If someone steals your physical Yubikey, then it doesn’t matter, because they don’t know your fixed static password. This is why it’s called “two factor” authentication. (Of course it doesn’t protect against the case of both the static password and physical key being stolen, but that’s a lot less likely)

Off topic: Just as an FYI, this isn’t related to the FastMail implementation, but it is neat. If you’re a business that wants to use Yubikeys for authenticating people within your own organisation, you can run your own Yubikey validation server rather than using the Yubico Web API one. In that case what you’d do is before handing the Yubikeys to people in your organisation, you’d reprogram them with you’re own new random AES code. You’d also store that AES code on your own validation server. This means staff could then use their Yubikey to validate against your organisations validation server. Of course it wouldn’t work for other externally run services that validate against the Yubico web API anymore, because the shared AES key is no longer valid in that case.

Posted in News, Technical. Leave a Comment »

New website throttling feature available

January 17, 2010 — Rob Mueller

We recently had a users website come under a DDOS attack. The site itself was reasonably small (only a few HTML files and downloadable files), but because the requests were coming in continuously at several per-second from many different IP addresses, it was quickly eating into the users available bandwidth.

To help with this, we’ve added a new throttling feature to websites, that allows people to limit access rates to their websites from individual IPs. On the Files –> Websites screen when you setup or edit a website, you can change the IP Throttling to one of the following values:

  • 10000/200M
  • 2000/50M
  • 500/20M
  • 100/5M
  • 20/2M

The 2 values are “number of requests” and “bandwidth of requests” per-IP per-10 minutes respectively. So setting the 10000/200M value will limit each accessing IP to a website to no more than 10,000 requests and 200M of data per 10 minutes. If a particular IP goes over one of the limits, we’ll return an error page to requests from that IP for the given website for the next 10 minutes.

In general, people shouldn’t need to change this value from the default 10000/200M, but if their site does come under some form of attack, this will provide a way to help limit the damage.

Posted in Technical. Leave a Comment »

Roboform can cause extreme slowness in Firefox

January 14, 2010 — Rob Mueller

If you use Firefox and Roboform together, and find the webmail interface slow, the problem may be Roboform.

The main symptom of the problem is that page loads are very slow. When clicking on a link or button, the Firefox tab will change to “Loading” with the spinning loading icon, and the page will appear to load after a short moment, but then the browser will completely “freeze” (no spinning loading icon, no scrolling or interaction with any element on the page possible, CPU pegged to 100%) for 1-10 seconds before finally becoming interactive again. The amount of time the freeze occurs for is often proportional to the size of the page, so displaying 500 rows of a mailbox will take many seconds, even on a fast machine.

After some testing and disabling of Firefox extensions one by one, I tracked the problem down to Roboform (the problem occurs even with the as current latest version 6.9.98).

So if you are also experiencing this problem, as a first step, you can use Tools –> Add-ons to disable the Roboform extension inside Firefox. After disabling the extension and then restarting Firefox, you should find the web interface a lot faster.

As a long term solution, I recommend using the password manager built into Firefox instead, and completely removing Roboform. Unfortunately I don’t know an easy way of transferring passwords from Roboform to Firefox, so I’ve had to do it manually one by one. Within Firefox, you can also use the free extension SyncPlaces to store a copy of your Firefox passwords and bookmarks in your FastMail file storage area via WebDAV. You can also use SyncPlaces on multiple machines to keep your bookmarks and passwords in sync across those machines.

Posted in News. Leave a Comment »

Truedomain anti-phishing and email authentication

January 6, 2010 — Rob Mueller

One of the big problems with email is that the email standards were developed during the earlier days of the internet when all the machines and people connected to the internet trusted each other. That means that emails are very easy to forge and spoof, because there was no method of trust or authentication built into the email standards.

Over time systems have been added which try and add these extra layers of trust. Unfortunately each of these systems introduces it’s own problems.

RBLs provide a list of machines that are untrusted, or have shown malicious behaviour, or have sent spam (each RBL has different listing criteria). Using these you can block emails from particular machines, or give them a higher spam score. Unfortunately RBLs can cause false positives, and cause legitimate emails to be blocked.

SPF is a way to trust the domain in the “SMTP envelope from” address. Unfortunately most people don’t actually see the envelope from address, so this isn’t actually very useful. In most cases, the main thing this will help stop is backscatter because email with forged from addresses won’t be accepted and/or bounced. Unfortunately SPF breaks forwarding of emails, something lots of people want to do. There’s an additional standard SRS that attempts to fix this, but it’s annoying to implement, given the only small benefit that SPF provides.

DKIM is a way to sign emails using a public/private key system based on a particular domain. Basically if you own xyz.com, then you can sign an email with DKIM, and the receiver can verify that:

  1. The email was signed by the domain xyz.com
  2. The email content and headers haven’t been altered in any way from when xyz.com sent it

In theory this is very useful, because it provides a way to identify trusted emails. The problem is that just verifying that an email is signed by xyz.com isn’t really enough. The big queston is “Do you trust email from xyz.com?”.

If the domain is yahoo.com, then the answer is generally “no”. Anyone can signup a free account at yahoo.com, and then send you emails, that will be DKIM signed by yahoo.com. So knowing an email is signed by yahoo.com doesn’t tell you much useful about the trust of that email.

On the other hand, if the domain is facebook.com, then the answer is generally “yes”. At the moment, the only email being sent by facebook.com is official notification emails from Facebook. Similarly sites like paypal.com, linkedin.com, ebay.com, etc are domains you do want to trust, as any emails they do send are definitely from their corresponding company only, and not from just any person.

The problem is that there’s lots of email providers out there, and lots of domain owners out there. To make DKIM useful as a way to trust emails, each email provider has to work out which domains they want to list as trusted and a way to display those emails. With lots of different email providers and potential companies to trust, that creates a huge number of required relationships.

td1

What’s needed is someone that sits in the middle to act as a mediator between companies that want emails they send to be trusted, and the email providers, so they don’t have to build and maintain lists of domains to trust individually themselves.

That’s where Truedomain comes in. Their aim is to work with senders to build a list of trusted sending domains, and easily allow receivers to check the DKIM signatures on received emails to see if they’re from a trusted domain. When an email is from a trusted domain, they make it easy to display trust details for that domain, including the sending company, and a logo from that company. This is particularly useful as a way to protect users from phishing emails.

td2

Emails that are truedomain protected are now displayed in the FastMail web interface with a light green background on the mailbox screen, and the logo from the company next to the from name/address. Additionally on the message read screen, a green box under the subject line also shows the company logo and details of what company sent the email.

Mailbox screen display

td3

Message read screen display

td4

For email users, you can think of truedomain as EV SSL for email. In the same way that SSL certificate providers vet companies, and then provide them a certificate that displays a secure connection in your browser with the company name, truedomain vets companies, and then provides a way for their emails to display securely in your email service with the company logo and name.

With the large amount of phishing emails, and the huge cost phishing emails cause, we believe that truedomain are providing a useful service that will continue to grow as more sending companies and email receivers get on board.

Posted in News. Leave a Comment »

Using Microsoft Outlook 2010 with FastMail

December 14, 2009 — Jack Miller

Microsoft has released a public beta for Office 2010 including a new release of Outlook.

The good news is that Microsoft has improved the Outlook user experience when connecting to an IMAP-based email service such as FastMail.

The biggest improvement over Outlook 2010: The ability to specify a “Trash” folder on the server.  Outlook will now behave in a similar manner to the FastMail web interface, that is, when you delete an item it will be moved from its current folder into the Trash folder.  This removes the annoying strikeout interface in Outlook.

The following will list the steps to use your FastMail account with Outlook 2010.   If you upgrade from a previous version of Outlook it will import your settings, you would simply have to update the Deleted Items behavior (step 19 below).

——————–

  1. Open Outlook 2010, it may ask you to setup a new account.  If it does not, you can add a new email account by clicking on the File menu, choose Info, then click the Account Settings button.
  2. Outlook will present a list of accounts (in a new installation, this would be blank).   Click “New…” under the Email tab
  3. Choose “Manually configure server settings” at bottom of page.  (click Next)
  4. Choose “Internet E-Mail” (click Next)
  5. Complete the form to look similar to the sample below.  Be sure to put your FastMail account name and password in correctly.
  6. Click the “More Settings…” button
  7. Under the General tab, you can choose a more friendly name for your email account (Outlook defaults to your email address).  In the example below, it was changed to: Bob Jones – FastMail.
  8. Click on Outgoing Server tab,  check the box next to “My Outgoing Server requires authentication”
  9. Click on Advanced tab.
    Under Incoming Server, use SSL type of encrypted connection (instead of None)
    Under Outgoing Server, Use SSL type of connection (instead of None)
    Change Outgoing Server port to 465 (from 25)
  10. If you are an individual user (or a business/family user who does NOT use shared folders), set Root Folder Path to INBOX
    If you are a Business user who uses shared folders, leave Root Folder blank.
  11. Press OK to close the “More Settings” window
  12. Press Next
  13. You should receive a Congratulations message from Outlook.  Click Finish.
  14. If you changed the Root Folder Path, you will see a warning, just click OK, this is normal.
  15. Once the Account Settings screen reappears, highlight your FastMail account again.  Press “Change…” above.
  16. Press the “More Settings” button
  17. We can now establish the locations for your Sent and Deleted Items folders.
  18. First select the Sent Items tab, find the Sent Items folder under your FastMail account name.  If your Sent Items is not listed, you may need to click the “More Folders…” button and press the Query button to have Outlook learn all of the server folder names.
  19. Finally, click on the Deleted Items tab, locate your Trash folder under your FastMail account name.
  20. Press OK to close the dialog box.
  21. Click Next, then click Finish.  Finally, press the Close button.  Your configuration is complete

Some other tips:

You may want to drag your “Personal Folders” to be below the FastMail account folders.  Once you have FastMail, you will not be searching Personal Folders for new mail.  Instead, all new mail will arrive in the Email account folders you have just linked to your FastMail account.


Posted in Marketing, News. Leave a Comment »
« Older posts