Security Overview
MailArchiva includes many security related features, designed to ensure the integrity and confidentiality of sensitive information. This section outlines some of the main security features of the product. Refer to the Architecture if requiring a high level technical overview of the product.
Data storage
Email data is stored in multiple volumes. Each volume consists of 4096 archive files. Data in each archive file is encrypted using AES 256-bit encryption according to the WinZIP ZIP AES encryption standard.
Refer to http://www.winzip.com/aes_info.htm for further details. The password to each archive file is stored encrypted and hashed as follows: SHA1(encryption password + salt).
Certificate management
The product includes X.509 certificate and key management facilities. Using the certificate management functions, it is possible to generate certificate requests, import certificates and keys. The certificates and keys are used primarily for secure authentication purposes.
User authentication
MailArchiva is capable of authenticating users using a variety of protocols, including NTLM v2 (Microsoft Active Directory), OpenID Connect (OAuth), SAML and LDAP/TLS. Each of these protocols has undergone security analysis, and is generally known to provide satisfactory security guarantees.
Bruteforce protection is applied to the login page. For example, if a user enters a password incorrectly several times in a row, the user may be locked out for several hours.
For enhanced security, MailArchiva also supports two-factor authentication using mobile authenticator apps supporting the TOTP authentication standard (e.g. Google Authenticator).
Password selection & storage
In all places where passwords are supplied, an indication of the strength of the inputted password is provided. All internal passwords are stored with hashed SHA1(password + salt) and encrypted using 3DES encryption.
Data in transit
MailArchiva supports receiving mail traffic via SMTP/TLS and IMAP/TLS connections. Thus, all received data may be encrypted and mutually authenticated using installed certificates.
Role Based Access Control (RBAC)
MailArchiva offers user role management and assignment facilities. Role Based Access Control (RBAC) is designed to restrict user activity to operating within the bounds of a defined set of permissions.
Web services interface
MailArchiva includes a REST API authenticated by way of a random 32 character length key. To protect against bruteforce attack, on each failed login attempt, an exponentially increasing time delay is applied. Furthermore, after a certain number of incorrect attempts, further connections from the offending IP address will be prevented for several hours.
Envelope journaling data
MailArchiva is capable of archiving and indexing envelope journaling data. This data includes meta info about a message, such as exactly who received the message. Refer to Envelope Journaling for a comprehensive understanding of available meta-data, including how the envelope fields are indexed and stored.
IMAP/POP authentication
MailArchiva supports IMAP/POP OAUTH secure authentication.
Auto update
The MailArchiva product includes an inbuilt auto-update engine. Vulnerabilities are patched as soon as they are discovered. The MailArchiva distribution is updated on a frequent basis.
Found this information useful? Visit mailarchiva.com to learn more about MailArchiva.