Security Overview

 

MailArchiva includes many security-related features designed to ensure the integrity and confidentiality of sensitive information. This section outlines some of the main security features of the product. Refer to Architecture for a high-level technical overview of the product.

 

Data storage

 

Email data is stored in multiple volumes. Each volume consists of 4096 archive files. Data in each archive file is encrypted using 256-bit AES according to the WinZip AES encryption standard for ZIP files.

 

Refer to http://www.winzip.com/aes_info.htm for further details. The password to each archive file is stored encrypted and hashed as follows: SHA1(encryption password + salt).

 

Certificate management

 

The product includes X.509 certificate and key management facilities. Using the certificate management functions, it is possible to generate certificate requests and to import certificates and keys. The certificates and keys are used primarily for secure authentication purposes.

 

User authentication

 

MailArchiva is capable of authenticating users using a variety of protocols, including NTLM v2 (Microsoft Active Directory), OpenID Connect (OAuth), SAML and LDAP/TLS. Each of these protocols has undergone security analysis, and is generally known to provide satisfactory security guarantees.

 

Brute-force protection is applied to the login page. For example, if a user enters a password incorrectly several times in a row, the user may be locked out for several hours.

 

For enhanced security, MailArchiva also supports two-factor authentication using mobile authenticator apps supporting the TOTP authentication standard (e.g. Google Authenticator).

 

Password selection & storage

 

Wherever a password is supplied, an indication of the strength of the entered password is provided. All internal passwords are stored hashed as SHA1(password + salt) and encrypted using 3DES.

 

Data in transit

 

MailArchiva supports receiving mail traffic via SMTP/TLS and IMAP/TLS connections. Thus, all received data may be encrypted and mutually authenticated using installed certificates.

 

Role Based Access Control (RBAC)

 

MailArchiva offers user role management and assignment facilities. Role Based Access Control (RBAC) is designed to restrict user activity to a defined set of permissions.

 

Web services interface

 

MailArchiva includes a REST API authenticated by way of a random 32-character key. To protect against brute-force attacks, an exponentially increasing time delay is applied on each failed login attempt. Furthermore, after a certain number of incorrect attempts, further connections from the offending IP address are prevented for several hours.
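The throttling behaviour described above, sketched as an added example (not MailArchiva's own code). The base delay, failure threshold, four-hour block and all class and function names are assumptions, since the page gives no figures.

```python
import hmac
import time

# Assumed values: the page gives no figures for any of these.
BASE_DELAY = 1.0          # seconds of delay imposed after the first failure
MAX_FAILURES = 5          # failures tolerated before the IP is blocked
BLOCK_SECONDS = 4 * 3600  # "several hours", taken here as four


class ApiKeyThrottle:
    """Tracks failed API-key attempts per source IP (hypothetical helper)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}    # ip -> consecutive failed attempts
        self._not_before = {}  # ip -> earliest time the next attempt is accepted

    def retry_after(self, ip):
        """Seconds the caller must still wait; 0.0 means an attempt is allowed."""
        return max(0.0, self._not_before.get(ip, 0.0) - self._clock())

    def record_failure(self, ip):
        """Register a bad key and return the delay now imposed on this IP."""
        count = self._failures.get(ip, 0) + 1
        self._failures[ip] = count
        if count >= MAX_FAILURES:
            delay = BLOCK_SECONDS                  # threshold reached: block the IP
        else:
            delay = BASE_DELAY * 2 ** (count - 1)  # 1, 2, 4, 8 ... seconds
        self._not_before[ip] = self._clock() + delay
        return delay

    def record_success(self, ip):
        """A valid key clears the failure history for the IP."""
        self._failures.pop(ip, None)
        self._not_before.pop(ip, None)

    def check(self, ip, presented_key, valid_key):
        """Return (accepted, retry_after_seconds) for one request."""
        wait = self.retry_after(ip)
        if wait > 0:
            return False, wait  # rejected without evaluating the key at all
        if hmac.compare_digest(presented_key.encode(), valid_key.encode()):
            self.record_success(ip)
            return True, 0.0
        return False, self.record_failure(ip)
```

Requests arriving during a delay are refused before the key is compared, so a correct guess made inside the window gains nothing, and the comparison itself is constant-time.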

 

Envelope journaling data

 

MailArchiva is capable of archiving and indexing envelope journaling data. This data includes metadata about a message, such as exactly who received the message. Refer to Envelope Journaling for a comprehensive understanding of the available metadata, including how the envelope fields are indexed and stored.

 

IMAP/POP authentication

 

MailArchiva supports secure IMAP/POP authentication using OAuth.

 

Auto update

 

The MailArchiva product includes an inbuilt auto-update engine. Vulnerabilities are patched as soon as they are discovered. The MailArchiva distribution is updated on a frequent basis.

 

Note: Work on the security aspects of the product is ongoing. We do take security seriously.

 
