Community Discussions and Support
AW: AW: Mercury I security

I think there is no need for enable > fetch > disable or not in every case. Are the iDevices from your company? If so, then let the guys run the vpn the entire time or at least for the working hours.

Hi All,

I am very nervous about the continuous failed attempts at IMAP connection.  I assume they're dictionary attacks so am strengthening passwords but am wondering if there is anything else I can do.  Currently I have...

  • SSL/TLS support enabled
  • Plaintext logins disabled
  • Support for deprecated SSL is not enabled
  • Self-signed certificate is in place
TIA!
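
Added example, not part of the original post or of Mercury: one way to check whether failed IMAP logins like those described above form a password-guessing pattern, by counting failures per outside source address inside a time window. The log line format, the trusted LAN/VPN ranges and the sample lines are constructed assumptions; Mercury's real log layout will differ, so the regex has to be adapted to it.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format and sample (not Mercury's own); LAN/VPN ranges are assumed.
LINE_RE = re.compile(r"^(\S+) IMAP LOGIN (FAIL|OK) user=(\S+) src=(\S+)$")
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("192.168.10.0/24", "10.8.0.0/24")]
SAMPLE = """\
2024-03-01T02:14:01 IMAP LOGIN FAIL user=admin src=203.0.113.7
2024-03-01T02:14:03 IMAP LOGIN FAIL user=info src=203.0.113.7
2024-03-01T02:14:05 IMAP LOGIN FAIL user=road1 src=203.0.113.7
2024-03-01T02:14:08 IMAP LOGIN FAIL user=sales src=203.0.113.7
2024-03-01T02:14:11 IMAP LOGIN FAIL user=road1 src=203.0.113.7
2024-03-01T02:14:30 IMAP LOGIN OK user=road1 src=203.0.113.7
2024-03-01T08:02:10 IMAP LOGIN FAIL user=office src=198.51.100.23
2024-03-01T09:00:00 IMAP LOGIN FAIL user=office src=192.168.10.15
""".splitlines()

def parse(lines):
    """Yield (time, ok, user, ip) per well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            yield datetime.fromisoformat(m[1]), m[2] == "OK", m[3], ipaddress.ip_address(m[4])
        except ValueError:  # unparsable timestamp or address
            continue

def guessing_sources(lines, window=timedelta(minutes=10), min_fails=5):
    """Report outside sources with min_fails failed logins inside one window."""
    fails, oks = defaultdict(list), defaultdict(set)
    for ts, ok, user, ip in parse(lines):
        if any(ip in net for net in TRUSTED_NETS):
            continue  # LAN and VPN clients are out of scope here
        if ok:
            oks[ip].add(user)
        else:
            fails[ip].append((ts, user))
    report = {}
    for ip, events in fails.items():
        times = sorted(t for t, _ in events)
        # Do any min_fails consecutive failures fit inside one window?
        if any(times[i + min_fails - 1] - times[i] <= window
               for i in range(len(times) - min_fails + 1)):
            report[str(ip)] = {"fails": len(times),
                               "users": sorted({u for _, u in events}),
                               "ok_logins": sorted(oks[ip])}
    return report
```

Any name listed under `ok_logins` for a flagged source is an account that logged in successfully from an address that was also guessing, so its password is the first one to change.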

I think there is nothing more on your side. Are these connections from road warriors? If so, perhaps you can go via vpn?

Our Mercury is accessible from local LAN only. Home workers are able to connect to Company LAN via VPN and Roundcube Webmail server. Roundcube is running on a Linux machine and is connecting to Mercury via IMAP.

Streetworkers have additional mail accounts. Their office accounts read e.g. name@company.com and are accessible by Pmail while their additional mobile accounts read name.mobile@company.com. The mobile accounts will not be polled and retrieved by Mercury. Such users could adjust the forwarding of their office e-mails to their "mobile" account by themselves by editing the FORWARD file. So, all mobile devices are never connected to Mercury directly but dealing with mails via ISP mail accounts directly. Maybe a little bit complicated, but this keeps the Mercury interfaces free of unauthorized login attempts from the internet.

Joerg,

Is there much pushback from your users having to maintain two mailboxes or with copies-to-self not being in the company mailbox? 

Sellerie,

Yes, I have three road warriors that routinely connect via IMAP.  I do as well during long holidays.  I don't know anything about vpn's other than what the acronym stands for and their purpose so am obviously clueless about what that would look like for connecting to Mercury.

[quote user="Brian Fluet"]Is there much pushback from your users having to maintain two mailboxes or with copies-to-self not being in the company mailbox?[/quote]

When travelling, our users do send e-mails (by android cell phones) only for their travel planning, like informing the ship agent about their arrival or receiving updated itineraries from us. Insofar the second account doesn't matter. Quite the reverse, for those insignificant mails to many different agencies around the world we do not have to burn our standard e-mail addresses. [:D]

[quote user="Brian Fluet"]Yes, I have three road warriors that routinely connect via IMAP.  I do as well during long holidays.  I don't know anything about vpn's other than what the acronym stands for and their purpose so am obviously clueless about what that would look like for connecting to Mercury.[/quote]

But for important e-mail communication they can use their Windows notebooks with VPN client installed, since our VPN client is working under Windows only.

We are a small company without a separate IT department or big IT budget. Nevertheless a firewall is essential to ensure the security of Company's IT devices and LAN. When purchased, we took care that the appliance has VPN built-in abilities since we are not interested to install and maintain a separate VPN server (like OpenVPN). Finally we've purchased a Zyxel USG110. Besides a "next-generation-firewall" the device could work as VPN terminator for L2TP, IPSec and SSL VPNs. But because the other types of VPN are a little bit complicated to set up, we are using the SSL VPN ability. Besides some VPN settings in the firewall only an SSL VPN Windows Client has to be installed on affected notebooks. When starting the client it establishes a tunnel through the internet where your notebook obtains an IP from your remotely located company LAN. Now you could even start your Pmail. But often, depending on your internet connection speed, it takes quite long until Pmail is completely loaded. That's why some colleagues are using Thunderbird, connected by IMAP and others are using Roundcube as a local mail webservice in our LAN.

VPNs are a fantastic business since you are working inside your local network while located elsewhere.

Thanks Joerg.

I have a decent Cisco Router that has VPN capability and client software so that piece is in place.  My hurdle then becomes my iDevice users.  All three push email to iPhones and/or iPads via IMAP.  My research shows that VPN apps exist but these guys have to react and respond quickly so I think the enable VPN > fetch mail > disable VPN process would be prohibitive. 

More thinking and research to be done...
