EmailDiscussions.com  

Old 5 Feb 2012, 10:21 PM   #1
Across
Junior Member
 
Join Date: Jan 2012
Location: St. Louis, United States
Posts: 23
What are some important security settings to keep in mind?

I'm setting up accounts for a couple of family members, and it would be good to know some security tips, so that I can set them off on the right foot. We're sharing a family plan. I've already set up various personalities for both of them.

Old 5 Feb 2012, 10:45 PM   #2
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,944
Use your favourite search engine to look for email security tips
Old 6 Feb 2012, 01:33 AM   #3
SusieStar
Junior Member
 
Join Date: Nov 2011
Posts: 13
Couple of Helpful Tips for Across

Across, one thing you might want to do, in the event you choose to use IMAP, and NOT POP, is to go into "Options" and select "disable pop logins." This is a good thing to do (I have done so with my own account, and learned about this in these forums). I would hope no one would EVER hack into your account, but...should this ever happen to you, by disabling pop logins, you won't be penalized by someone who may have hacked your login info and, thereby, you suffer consequences, their retrievals by another app, quotas, etc. If you are an IMAP user, simply disable "pop logins."

You might also select your choice carefully regarding "showing images". If you check "do not show", you can always click on "load images" each time when reading your mail, once you know the email is safe. This protects you from web bugs, etc. that allow a spammer to know your address is active! (My own setting choice for this is to load images for known emails, such as those in my address book.)

And, although I like the long-term login with the cookie (FM simply clears the cookie if I click on "Log Out"), you might want to set yours to the standard 2 hr log out.

I've only had FM 6 months, an enhanced account, but these are a couple of safe things I have done. Welcome to FM!
Old 6 Feb 2012, 01:50 AM   #4
janusz
The "e" in e-mail
 
Join Date: Feb 2006
Location: EU
Posts: 4,944
Quote:
Originally Posted by SusieStar View Post
in the event you choose to use IMAP, and NOT POP, is to go into "Options" and select "disable pop logins." [...] I would hope no one would EVER hack into your account, but...should this ever happen to you, by disabling pop logins, you won't be penalized by someone who may have hacked your login info and, thereby, you suffer consequences, their retrievals by another app, quotas, etc. If you are an IMAP user, simply disable "pop logins."
Can you explain?
Why do you think POP is less secure than IMAP? They both use the same credentials (account name & password), so if somebody guesses/steals the pw (s)he can use either protocol to get in, or login via the website.

By all means disable POP and/or IMAP if you are not going to use them, but do not think this will make your account less vulnerable if you are careless with the password.
Old 6 Feb 2012, 08:43 AM   #5
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
Using secure passwords

I would recommend:
  • Secure the computers or mobile devices from theft.
  • Always use secure login passwords for the computing devices themselves (independent of email passwords).
  • Do not write the device or Fastmail passwords on post-it notes attached to the device unless you want the thief to get easy access to your electronic assets.
  • In the Fastmail Options>Account Preferences screen:
    • I also recommend disabling POP and/or IMAP access at the bottom of the screen if you won't be using email clients with that particular method.
    • Your main account password should be secure (long and hard to guess).
    • Also, you should have a backup password set up on this page.
  • In the Fastmail Options>Alternative Logins screen, I recommend using one of these methods for daily passwords, especially if the users will log in remotely (such as on a laptop or other mobile device).
    • You can set up a Regular Password login with Full access. This will allow that user to do everything except change the master or backup passwords when logging in. This will allow you to keep control if someone is keylogging or watching the user as they press the login keys, since you can get back control easily by simply logging in with the master password and changing it.
    • You can set up a Regular Password login without full access. This will allow that user to do everything except the following:
      • Emails, Notepad entries, and online Files items can not be permanently deleted. Emails can be deleted (which moves them to the Trash folder) but they can't be permanently deleted from Trash.
      • Access to the Options screen is prevented. So the passwords and payment details can't be changed if someone gets that password.
    • Even better (for those who use public computers) is using One Time Passwords with a Base password.
      • The user prints out and carries with them the OTP list, but creates their own Base password and memorizes it.
      • Now if the OTP list is lost or stolen, it can't be used unless someone determines the Fastmail login URL, your account name, and your base password.
      • If someone watches you log in once, they can't use that password again, since it's a one-time password.
    • SMS and Yubikey passwords are fine, but they require other equipment and cost, and the Fastmail SMS provider hasn't worked well in the US for a while.
Bill
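
The one-time-password-plus-base-password behaviour described in the post above, as a toy model added here (not part of the original post and not FastMail's implementation); the class and function names, the code format and the hashing choice are all assumptions:

```python
import hashlib
import hmac
import secrets


def _kdf(secret: str, salt: bytes) -> bytes:
    # Slow salted hash, so a leaked server record does not reveal the secret.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


class OtpAccount:
    """Hypothetical server-side record: base-password hash plus unused code hashes."""

    def __init__(self, base_password: str, codes: list[str]):
        self.salt = secrets.token_bytes(16)
        self.base_hash = _kdf(base_password, self.salt)
        self.unused = {_kdf(c, self.salt) for c in codes}

    def login(self, base_password: str, code: str) -> bool:
        base_ok = hmac.compare_digest(_kdf(base_password, self.salt), self.base_hash)
        code_hash = _kdf(code, self.salt)
        if base_ok and code_hash in self.unused:
            self.unused.discard(code_hash)  # consume: the same code never works twice
            return True
        return False


def enroll(base_password: str, count: int = 5):
    # The printed list goes to the user once; the server keeps only hashes.
    printed = [secrets.token_hex(4) for _ in range(count)]
    return OtpAccount(base_password, printed), printed


def demo() -> dict:
    base = "constructed base passphrase"  # constructed sample value
    acct, printed = enroll(base)
    return {
        "stolen_list_only": acct.login("", printed[0]),  # list without base
        "wrong_base": acct.login("guess", printed[0]),
        "legit": acct.login(base, printed[0]),
        "replay": acct.login(base, printed[0]),          # observed login reused
        "next_code": acct.login(base, printed[1]),
        "codes_left": len(acct.unused),
    }


if __name__ == "__main__":
    print(demo())
```

A real service would also rate-limit failed attempts, since a stolen list otherwise lets someone guess at the base password repeatedly.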
Old 6 Feb 2012, 09:45 AM   #6
placebo
Cornerstone of the Community
 
Join Date: Jun 2004
Posts: 743
If you use an e-mail client to access your account, make sure you enable SSL or TLS so that a secure connection is established to FastMail's servers.
Old 6 Feb 2012, 01:12 PM   #7
SusieStar
Junior Member
 
Join Date: Nov 2011
Posts: 13
(For janusz, mostly, and a Kudo to nfbb), Explanation

janusz, In no way did I mean to imply that POP is not a secure/safe way to retrieve mail. I can see where it sounded that way.

I have read that some accounts have limited quotas they are allowed for pop logins. Just meant to suggest, if one's not accessing his email this way, it would simply prevent someone from having his account shut down from too many pop logins? By the same token, if one's not using IMAP access, or any email client, for that matter, then why not disable? (I guess, this is not exactly "security", but, sort of "careful", LOL?)

I have used POP throughout most of my "email" life, though I've grown to really like IMAP. You are right, of course, and I surely did not mean to imply POP is not safe, only that it might prevent one from being shut down for too many logins of this type, if someone else chose to do so. Not a problem for an enhanced account, I don't think? I just started out with FM with an enhanced account so I wouldn't need to worry about much.

Also, yes, do check the ssl box! If one's using Avast Antivirus and Opera (as I do), Avast will want to take care of the ssl feature...but, I do prefer allowing Opera to handle it. So, I just uncheck the box in Avast.

(janusz and n5bb.....I always, always, enjoy and learn from your posts. I defer to both of you! Thanks for so much help in these forums! Have read them for a long time, before I ever joined them.) (Susie)

Last edited by SusieStar : 6 Feb 2012 at 01:15 PM. Reason: mistyped n5bb's name, (typing in dark on the "little" computer)!
Old 7 Feb 2012, 01:35 PM   #8
Across
Junior Member
 
Join Date: Jan 2012
Location: St. Louis, United States
Posts: 23
Thanks guys, this is great stuff. Concerning checking the SSL box, I'm assuming you're referring to doing that on the client side, should they choose to use an email client. However, under "External Security" in the "Personalities" section, you have "None," "STARTTLS Encrypted" and "SSL Encrypted." Any recommendations concerning which box I should tick for that? And does ticking the "Sent Items on SMTP" box basically just tell it to save outgoing messages on FastMail instead of just showing up on an email client? And what about "BCC on SMTP"? I understand what sending a BCC email is, but what is a BCC address? I thought BCC was a "from" thing, not a "to" thing.

Last edited by Across : 7 Feb 2012 at 01:40 PM.
Old 7 Feb 2012, 03:08 PM   #9
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
This is veering off-topic, but here goes:
Quote:
Originally Posted by Across View Post
... under "External Security" in the "Personalities" section, you have "None," "STARTTLS Encrypted" and "SSL Encrypted." Any recommendations concerning which box I should tick for that?...
The last 6 setup fields on the Options>Personalities screen are for what is shown as an advanced feature (Send via external SMTP server). This is a specialized feature which very few users will need to use, and I recommend you read the Fastmail Blog entry concerning this feature before enabling it. The average user should not enable this feature.
Quote:
Originally Posted by Across View Post
...And does ticking the "Sent Items on SMTP" box basically just tell it to save outgoing messages on FastMail instead of just showing up on an email client?...
If you use the Fastmail mail.messagingengine.com SMTP to send a message from your email client, if the From address matches the Email address for a particular personality entry, then the features selected for that personality will be active for that outgoing email.
  • The Sent Items on SMTP checkbox saves a copy of the outgoing message to the Sent Items folder at the you have configured for that personality. As the screen shows you, "Also save to folder when sending via email software".
  • If you also save the sent message to the same folder on your email client (and that folder is subscribed at the Fastmail IMAP server), then you will have two copies of that sent message at both ends (the Fastmail IMAP server and the email client). So it is recommended that you disable your email client save sent message feature if you select this personality feature.
Quote:
Originally Posted by Across View Post
...And what about "BCC on SMTP"? I understand what sending a BCC email is, but what is a BCC address? I thought BCC was a "from" thing, not a "to" thing.
BCC is another address field you use when sending a message, just like TO and CC. Everyone receiving the message will see all of the TO and CC addresses, but none of the BCC addresses will be visible to anyone receiving that message.
  • The BCC address(es) field on a Personality setup allows you to enter one or more addresses (separated with a comma) which will receive copies of messages sent using the indicated personality From address (Email address) using the Fastmail web interface. These addresses will be sent using the BCC addressing field, so nobody will see those addresses.
  • The BCC on SMTP checkbox is described well on the Personality screen: Also send to Bcc addresses when sending via email software.
  • One reason you might use the automatic BCC features for a personality is to send backup copies of all outgoing messages (with the indicated From address) to another email account for backup or other purposes. So you can back up all outgoing messages to a Gmail account if you wish.
Bill
Old 8 Feb 2012, 10:22 PM   #10
Across
Junior Member
 
Join Date: Jan 2012
Location: St. Louis, United States
Posts: 23
This is great stuff and is highly appreciated. Anyone care to help me answer this one?

Quote:
Originally Posted by me
...under "External Security" in the "Personalities" section, you have "None," "STARTTLS Encrypted" and "SSL Encrypted." Any recommendations concerning which box I should tick for that?
Old 9 Feb 2012, 04:49 AM   #11
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
Quote:
Originally Posted by Across View Post
This is great stuff and is highly appreciated. Anyone care to help me answer this one?
That was the first comment in my post.
The last 6 setup fields on the Options>Personalities screen are for what is shown as an advanced feature (Send via external SMTP server).
The average user should not enable this feature.

Bill
Old 9 Feb 2012, 10:35 AM   #12
Across
Junior Member
 
Join Date: Jan 2012
Location: St. Louis, United States
Posts: 23
Quote:
Originally Posted by n5bb View Post
That was the first comment in my post.
The last 6 setup fields on the Options>Personalities screen are for what is shown as an advanced feature (Send via external SMTP server).
The average user should not enable this feature.

Bill
The last 6:

"Send via external SMTP server" (not checked)
"External server" (blank)
"External port" (587)
"External Security" (STARTTLS Encrypted)

"External username" (blank)
"External password" (blank)

So, due to red being unchecked, the choices for blue are irrelevant? Is that correct?
Old 9 Feb 2012, 10:42 AM   #13
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 8,926
Quote:
Originally Posted by Across View Post
... So, due to red being unchecked, the choices for blue are irrelevant? Is that correct?
You should just leave all of those bottom 6 external settings unmodified. The Send via external SMTP server checkbox activates all of the remaining 5, so if you leave it unchecked the remaining entries are ignored. They have nothing to do with normal email sending, only a special case (mostly for use with corporate servers).

Bill
Old 9 Feb 2012, 09:48 PM   #14
GeraldR
Essential Contributor
 
Join Date: Apr 2007
Location: Canada
Posts: 227
Quote:
Originally Posted by n5bb View Post
. . . .
You can set up a Regular Password login with Full access. This will allow that user to do everything except change the master or backup passwords when logging in. This will allow you to keep control if someone is keylogging or watching the user as they press the login keys, since you can get back control easily by simply logging in with the master password and changing it.
. . . .
Bill
After using OTPs for a long time, I had missed this. Thank you for pointing out this great feature.
Old 10 Feb 2012, 03:49 PM   #15
ewal
Master of the @
 
Join Date: Apr 2002
Location: West Sussex, UK
Posts: 1,334
In addition to the Fastmail settings to mitigate risks I suggest installing tracking software on the machines in the event they are stolen. I use Prey Project, but there are other similar solutions.

In extreme cases you can lock down the machine remotely.

Ed
All times are GMT +9. The time now is 03:34 AM.