=== Improved Webmail ===
As you must have seen the webmail was upgraded and much more modern theme which can now be used on a mobile phone. The old theme is still available and it can be changed in your settings if your preferred it.
There are many little improvements and fixes which are not immediately visible but should improve our daily life. The support for Mailvelope, to be able to encrypt/sign mails from your browser, without disclosing your key to the server, is supposed to be improved but I was not able to enjoy it yet. I will come back to you when I have more time to test but feedback is welcome too.
To secure your login TOTP is also available. After the upgrade there is a small problem though: the QR code does not show up in the new theme, please switch back temporarily to the Larry theme in your settings. More details on how to use it in the documentation:
=== Web Security ===
We are adding extra security features to our hosted web hosts and especially for our services we are limiting the content and features a website can use (using various headers and especially CSP).
On of the consequence is the webmail will not accept unsecure links. I just discovered it should be possible to upgrade the link to a secure version on the fly, which should solve most usability problems; I will work on this soon. If it is blocked, then it is unsafe and your browser logs should say so.
If you want to protect your personal website, please contact us; safe settings are applied everywhere but only fully-managed services will be upgraded automagically, as knowledge of the site's content is needed to protect without breaking.
=== Stuffcloud Talk ===
Now that Toushirou has a new body, and also some software upgrades, this video chat application is working fine so far, enjoy.
=== DNS Security ===
Our main zones are already secured (DNSSEC) but we changed the underlying software (OpenDNSSEC to Bind inline-signing). This simplifies a lot of things even if it is not yet perfect.
With these changes we are able to secure dynamic zones easily and the DDNS zone is now safe. It also makes things possible on the PKI side (see below),
=== PKI ===
Some time ago we began use Let's Encrypt to generate HTTPS certificate that would be trusted by all major browsers. This is working fine and the automation is great. Nevertheless we still kept our non-web services under the umbrella of our custom DuckCorp CA. There are initiatives to secure the web but they all rely on the infamous self-appointed CAs. Despite this, bringing services and user software to use secure connections is important, so we decided to use Let's Encrypt for more services. Currently this only affects SMTP servers but more will follow. This should improve the trust the big providers/corporation on the Internet give to our server (like our mails landing on your recipient's SPAM box for no good reason). The work done on the DNS allows us to deploy Let's Encrypt certificates for non-web services (using the DNS challenge).
Using an external CA is not necessarily giving away the extra security we had with our custom CA. There is a method (DANE) to publish our certificates for each service via the DNS on a secure zone, which we do have. We were already publishing them for non-web services but it had to be reimplemented to work with Let's Encrypt. We should then have the best of both worlds.
=== Mail Security ===
We've reinforced the security level of various services (TLS settings…) and especially the SMTP and IMAP part.
For SMTP we are now using a set of servers protected by DNSSEC with published certificates (DANE). We also advertise a policy to enforce secure connections (MTA-SAS, the HSTS of the mail).
=== AntiSPAM ===
Previously we were quite unforgiving with badly configured servers sending badly formatted or unresolvable introduction (HELO), but a lot of providers have very bad practices and this caused some difficulties to use certain services. We are now using Rspamd filters which are weighting these problems among other things to discover if a mail is really a SPAM and we have relaxed the previous SMTP rules.
=== IPv6 broker ===
We lost our dedicated IP block quite some time ago and there was an expensive way to get another. As funny as this service was, not so many people cared about IPv6 and now that most Internet connections have it included it has been a very long time anyone asked for it. This was de facto over but now it's official.
These are quite important changes to our infra. If you encounter any problem, please let us know. And enjoy the autumn leaf viewing too! :-)