Best Practices for Zimbra Email Security
Email contains our most valuable data, yet we often show little concern for its security and protection.
Password strength and security are the most substantial components of basic data security. Strong passwords—or even better, strong passphrases—help protect the sensitive data contained inside your business user mailboxes. Because so many password-recovery systems use email, accessing company mailboxes is the first step identity thieves use to breach credit cards and everything else.
XMission wants to help you maintain proper email security. In this post, we will cover proper password practices, the need to frequently change mailbox passwords, email encryption, and even how to securely share sensitive data with XMission using self-destructing notes. Zimbra Domain Administrators and mailbox holders alike will find this post helpful.
Password Aging & Compliance
Since 2015 XMission has required all Zimbra mailbox accounts to change their passwords annually. Internal statistics show a 75% reduction in compromised email accounts since implementation.
Any business managing customer bank card information already must change critical system passwords every 90 days. So, most of you are already used to regularly updating and maintaining passwords.
Expired passwords act the same way as an incorrectly entered password. Your user’s email applications stop working for no apparent reason.
A simple way to test for either an expired or incorrect password is to have your user log into webmail, https://zimbra.xmission.com. If the password has expired they are prompted to change the password. Should the password work on webmail you know they have a typo in their application settings. Domain Admins cannot use the “View mail” tool to determine user password status.
XMission is developing a process to notify end users and Domain Administrators of upcoming mailbox password expiration. We will contact you in the near future with details.
Let’s Talk about Passwords and Passphrases!
Passwords using a long combination of mixed case letters, numbers, and punctuation marks can be difficult to remember. For this reason, XMission strongly encourages passphrases as they are generally more memorable than true random strings for passwords.
Password security is about making your passphrase or password as difficult to find as possible. Imagine the needle in the haystack. Where your password is the needle, randomness is the haystack, and entropy the size of the haystack. People are generally poor random generators, so using a computer to generate the random password is preferred. The more unpredictable the randomness generator, the more secure your password. Good password security targets an entropy of about 70 binary bits, or about one password in 1.18 sextillion possible passwords (BIG HAYSTACK). In simpler terms, 70 binary bits means four or five words with a couple of special characters and numbers in your passphrase (about 28-35 total characters).
Example: Here is a 71 bit password created using a trusted password generator: Milhouse-jump-hoover-training13 (Please do not use.)
The following password generators meet the entropy requirements for strong passwords:
- https://xmission.com/password (click “PASSWORD GENERATOR”)
- https://ae7.st/g/ (made by an XMission employee)
- https://www.rempe.us/diceware/
- https://qrmn.uk/dwr/
Storing and remembering all your unique passwords is difficult. We recommend using an encrypted password manager to store your credentials. This way it doesn’t matter if you forget a password as you can just copy and paste as needed from the manager. These manager programs are good at generating random passphrases. Programs such as KeePass, 1Password, LastPass are all highly recommended managers.
How to Change Passwords
Using our help document, your account holders can update their own passwords easily through the Zimbra system using the drop down menu near their name in top right corner of Zimbra webmail.
You can also learn how admins can change passwords for your mailbox accounts.
It is important that you ALWAYS set strong passwords, even when testing. XMission runs password audits to detect weak passwords assigned to mail accounts. If you set one that is weak there is a good chance you will be contacted to change it immediately. Weak passwords cause compromises which often lead to mail delivery delays and mail system load concerns. A single compromised mailbox can be costly in terms of service impacts for all mailboxes on the system, damage to your domain’s reputation, and requiring hours of Administrator time to resolve. Your participation in renewing secure passwords is key to a more performant email service and happy users.
Note: While XMission Zimbra servers accept passwords 8 characters and up we strongly request implementing the password practices covered above.
Deeper Email Data Security
XMission encourages all mailbox holders to utilize the safest possible email practices which include:
- Passwords of sufficient length and entropy that are changed at least once a year
- Email encryption tools such as OpenPGP and S/MIME, which allow you to encrypt and sign messages that only the intended recipient can view. Both tools work in Zimbra webmail as well as with all major email applications.
- Modify email addresses specific to websites and subscribed mailing lists. Zimbra allows unlimited extensions to user mailboxes using suffix support: user+variable@example.com. Reference this unlimited email address blog post
- Multi-Step Authentication for secured access to email accounts.
For a deeper dive into Zimbra Collaboration security features check out Zimbra whitepapers on Two-Factor and Protecting Your Zimbra.
Secure Note Sharing and Phishing
Should you need to share sensitive data we request using our secure note sharing service called Secrets, https://secrets.xmission.com. This self-destructing note sharing system allows you to enter text data into the message field and then encrypt it. You can then copy/paste the generated link to share with another person. Notes can be viewed only one time for up to three minutes before the being permanently destroyed. Pro Tip: When sending a link to a mobile device it is best to use an additional password as mobile applications often open all links to create a preview thus destroying your note.
XMission will never ask you for your password in email. Any request is most likely a phishing attempt by someone to gain access to your account and information and should be reported to spam@xmission.com. Always be aware and verify before giving out any personal information and only send to trusted addresses at XMission. The most common trusted addresses are accounting@xmission.com, billing@xmission.com, sales@xmission.com, support@xmission.com, and voip@xmission.com.
XMission provides Zimbra hosting and sells Zimbra server licensing and support for on-premise deployments. Contact zimbrasales@xmission.com to request a demo, get a quote, or purchase. Mention this blog post to receive special incentives.
Bookmark this post for future reference!
Please comment or ask questions below. We would love to hear from you. Remember, sharing is easy as clicking on of the social buttons below.
John Webster, XMission Email Product Manager and Zimbra evangelist, has worked at XMission for over 20 years doing his favorite thing: helping companies securely communicate with customers through technology to grow their business. When he’s not uncovering Zimbra’s secrets you might find him in our beautiful Utah mountains. Connect with him on LinkedIn today!
Converting an old HTML website to modern WordPress Buy Zimbra Open Source Support & Zimbra Suite Plus Tools from XMission
Comments are currently closed.