Quack,
=== Improved Webmail ===
As you must have seen, the webmail was upgraded and has a much more modern
theme, which can now be used on a mobile phone. The old theme is still
available and can be selected in your settings if you prefer it.
There are many little improvements and fixes which are not immediately
visible but should improve our daily life. The support for Mailvelope,
to be able to encrypt/sign mails from your browser, without disclosing
your key to the server, is supposed to be improved but I was not able to
enjoy it yet. I will come back to you when I have more time to test but
feedback is welcome too.
To secure your login, TOTP is also available. After the upgrade there is
a small problem though: the QR code does not show up in the new theme,
please switch back temporarily to the Larry theme in your settings. More
details on how to use it in the documentation:
https://users.duckcorp.org/index.php/Services/Mail#Using_a_Web_Interface
=== Web Security ===
We are adding extra security features to our hosted web hosts and,
especially for our services, we are limiting the content and features a
website can use (using various headers and especially CSP).
One of the consequences is that the webmail will not accept insecure links. I
just discovered it should be possible to upgrade the link to a secure
version on the fly, which should solve most usability problems; I will
work on this soon. If it is blocked, then it is unsafe and your browser
logs should say so.
If you want to protect your personal website, please contact us; safe
settings are applied everywhere but only fully-managed services will be
upgraded automagically, as knowledge of the site's content is needed to
protect without breaking.
=== Stuffcloud Talk ===
Now that Toushirou has a new body, and also some software upgrades, this
video chat application is working fine so far, enjoy.
=== DNS Security ===
Our main zones are already secured (DNSSEC) but we changed the
underlying software (OpenDNSSEC to Bind inline-signing). This simplifies
a lot of things even if it is not yet perfect.
With these changes we are able to secure dynamic zones easily and the
DDNS zone is now safe. It also makes things possible on the PKI side
(see below).
=== PKI ===
Some time ago we began using Let's Encrypt to generate HTTPS certificates
that would be trusted by all major browsers. This is working fine and
the automation is great. Nevertheless we still kept our non-web services
under the umbrella of our custom DuckCorp CA. There are initiatives to
secure the web but they all rely on the infamous self-appointed CAs.
Despite this, bringing services and user software to use secure
connections is important, so we decided to use Let's Encrypt for more
services. Currently this only affects SMTP servers but more will follow.
This should improve the trust the big providers/corporations on the
Internet give to our server (like our mails landing in your recipient's
SPAM box for no good reason). The work done on the DNS allows us to
deploy Let's Encrypt certificates for non-web services (using the DNS
challenge).
Using an external CA is not necessarily giving away the extra security
we had with our custom CA. There is a method (DANE) to publish our
certificates for each service via the DNS on a secure zone, which we do
have. We were already publishing them for non-web services but it had to
be reimplemented to work with Let's Encrypt. We should then have the
best of both worlds.
=== Mail Security ===
We've reinforced the security level of various services (TLS settings…)
and especially the SMTP and IMAP part.
For SMTP we are now using a set of servers protected by DNSSEC with
published certificates (DANE). We also advertise a policy to enforce
secure connections (MTA-STS, the HSTS of mail).
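
How a sending server applies such a policy, as an added example that is not DuckCorp's configuration or code: it parses an MTA-STS policy body (RFC 8461) and decides whether a given MX host may receive mail. The policy text and the `example.org` hostnames are constructed, and the function names are illustrative.

```python
# Added example: the policy text and example.org hostnames are constructed.
MAX_AGE_LIMIT = 31557600  # upper bound for max_age in RFC 8461 (seconds)

SAMPLE_POLICY = (
    "version: STSv1\r\n"
    "mode: enforce\r\n"
    "mx: mx1.example.org\r\n"
    "mx: *.mail.example.org\r\n"
    "max_age: 604800\r\n"
)

def parse_policy(text):
    """Parse an MTA-STS policy body; raise ValueError if it is unusable."""
    policy = {"mx": []}
    for line in (l for l in text.splitlines() if l.strip()):
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        elif key not in policy:  # first occurrence wins for other fields
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if not policy.get("max_age", "").isdecimal():
        raise ValueError("invalid max_age")
    policy["max_age"] = min(int(policy["max_age"]), MAX_AGE_LIMIT)
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("mx is required unless mode is none")
    return policy

def mx_allowed(policy, mx_host):
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):  # wildcard covers exactly one left-most label
            label, _, parent = host.partition(".")
            if label and parent == pattern[2:]:
                return True
        elif host == pattern:
            return True
    return False

def should_deliver(policy, mx_host, tls_valid):
    """Sender-side decision: only mode 'enforce' blocks delivery on failure."""
    ok = mx_allowed(policy, mx_host) and tls_valid
    return ok or policy["mode"] != "enforce"
```

In `testing` mode a failed check only produces a report, which is why a policy is usually published in `testing` first and switched to `enforce` once reports are clean.
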
=== AntiSPAM ===
Previously we were quite unforgiving with badly configured servers
sending badly formatted or unresolvable introductions (HELO), but a lot
of providers have very bad practices and this caused some difficulties
using certain services. We are now using Rspamd filters, which weigh
these problems among other things to determine whether a mail is
really SPAM, and we have relaxed the previous SMTP rules.
=== IPv6 broker ===
We lost our dedicated IP block quite some time ago and there was an
expensive way to get another. As funny as this service was, not so many
people cared about IPv6 and now that most Internet connections have it
included, it has been a very long time since anyone asked for it. This was de
facto over but now it's official.
These are quite important changes to our infra. If you encounter any
problem, please let us know.
And enjoy the autumn leaf viewing too! :-)
\\_o<
--
Marc Dequènes (Duck)