Security Transparency

Transparency

In an effort to remain transparent about our security practices, we have published this page to describe our current security measures.

"Isn't it bad security to describe your security measures?" No. In fact, describing them makes us more secure. If everyone can examine our structure and practices, then we can receive better critique and improve ourselves. Security through obscurity is ineffective; security through transparency is proven effective.

Email

Passwords/Cookies: Administrator passwords are required to be at least 16 characters long. System-wide passwords (e.g., databases, SSH keys/passphrases) are at least 24 characters long and/or use strictly public-key authentication; passwords are stored in environment variables rather than hardcoded. User passwords are hashed with BCrypt or SHA-512 before being stored in the database. Session cookies are encrypted with the DES-EDE3-CBC algorithm.

Network: All connections to and from the server (HTTP, IMAP, SMTP, SSH) allow and/or strictly require SSL/TLS where applicable.

System: The mail server runs on Ubuntu 22.04 with the latest security patches. All Docker dependencies and packages are routinely updated.

Access Control: All web administrative access is kept separate from system administration, with both being treated with heavy safeguards.

Monitoring: All administrative tasks (web and system) are logged and stored for up to 90 days. All user actions (e.g., sending a certain amount of mail, changing their name) are logged in-memory. All successful and failed login logs are saved persistently and cleared routinely.

Code Audits: We do regular code audits for unsafe functions, improperly validated user input, insecure coding practices, information leakage, and unsafe memory management.

Proactive Approach: Believing in a proactive approach to security, we have an active bug bounty program to reward and financially compensate security researchers for finding vulnerabilities in our services.