**Available features**
**Enforced use of SSL**

Account administrators can choose to force their users to connect to our email and web services (i.e. WebMail, POP, IMAP, SMTP, FTP, and MySQL) only over SSL. When the account administrator enables this option by checking a single checkbox in his/her account, all account users will be denied access to these services unless they connect over SSL-secured channels. Enforcing a security policy is therefore very easy.

This policy can be configured globally, per-domain, or per-user.
**Password Strength Settings**

In addition to the SSL protection of usernames and passwords, administrators can customize the required degree of complexity for user passwords. This can be anywhere from very weak to very strong (8+ alphanumeric characters that pass the "crack" password-guessing criteria).
**Password Reuse Policies**

LuxSci tracks previously used passwords and when they were used (we keep "hashes" of these passwords for security reasons; we have no way of determining what these passwords actually were!).

When users change their passwords, the new password must differ from any password used in the past year and from any of the last 4 passwords used. Preventing password reuse helps protect an account from unauthorized access.

Account administrators can weaken the password reuse requirement to be as weak as merely requiring that the new password differ from the current one, or strengthen it to require that the new password differ from the last 8 used and not have been used in the last 2 years. This can be configured account-wide and/or on a per-domain basis.
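As an added example (not LuxSci's own code), the reuse rule above written as a check over a history of salted password hashes: the default is "not among the last 4 and not used in the past year", and the weakest and strongest settings the page describes are the other two parameter pairs. The hash algorithm, per-entry salts and timestamps are assumptions; the page only says that hashes are kept.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

ITERATIONS = 100_000  # PBKDF2 work factor (assumption; the page names no algorithm)

def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash of a password; the plaintext itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def record_password(history: list, password: str, used_at: datetime) -> None:
    """Prepend a (salt, hash, used_at) entry so the history is most-recent first."""
    salt = os.urandom(16)
    history.insert(0, (salt, hash_password(password, salt), used_at))

def reuse_violation(candidate: str, history: list, last_n: int = 4,
                    window_days: int = 365, now: datetime = None):
    """Return why `candidate` is rejected under the reuse policy, or None.
    Defaults are the page's (last 4, past year); the weakest setting is
    last_n=1, window_days=0 and the strongest is last_n=8, window_days=730."""
    now = now or datetime.now()
    cutoff = now - timedelta(days=window_days)
    for position, (salt, stored, used_at) in enumerate(history):
        # Re-hash the candidate with this entry's salt; compare in constant time.
        if not hmac.compare_digest(stored, hash_password(candidate, salt)):
            continue
        if position < last_n:
            return f"matches one of the last {last_n} passwords"
        if used_at >= cutoff:
            return f"used within the last {window_days} days"
    return None

def demo() -> dict:
    """Constructed history: six passwords set between 2021 and May 2024."""
    now = datetime(2024, 6, 1)
    history = []
    for pw, when in [("Pw-A!", datetime(2021, 1, 1)), ("Pw-B!", datetime(2023, 7, 1)),
                     ("Pw-C!", datetime(2023, 12, 1)), ("Pw-D!", datetime(2024, 1, 15)),
                     ("Pw-E!", datetime(2024, 3, 1)), ("Pw-F!", datetime(2024, 5, 1))]:
        record_password(history, pw, when)
    return {
        "same_as_current": reuse_violation("Pw-F!", history, now=now),
        "used_last_year": reuse_violation("Pw-B!", history, now=now),
        "old_enough": reuse_violation("Pw-A!", history, now=now),
        "weakest_allows_previous": reuse_violation("Pw-E!", history, 1, 0, now),
        "strongest_rejects_old": reuse_violation("Pw-A!", history, 8, 730, now),
    }
```

Because only hashes are kept, the check can only ever answer "is this the same password"; it never reveals what the earlier passwords were.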
**Password Expiration Policies**

Administrators can optionally force users to change their passwords after they get "too old". Once a user's password has expired, all services except WebMail are automatically disabled until the user logs in to reset his/her password. Administrators can configure the password expiration age to be anywhere from 7 days to 1 year. Additionally, administrators can specify when the two emailed expiration warnings are sent to their users.
**Passwords Never Saved in Plain Text**

LuxSci never stores user passwords in plain text: they are always saved either as a hash (for regular login passwords) or encrypted with PGP (for personal certificate Password Escrow, when enabled). As a result, even senior LuxSci staff cannot view user passwords.
**WebMail Login Lockout due to Login Failures**

To prevent password guessing attempts using our WebMail login page, a user is locked out from logging into WebMail for 10 minutes after 5 unsuccessful login attempts.

Administrators can customize how strict this lockout is: they can choose how many failures result in a lockout (one to twenty) and how long the lockout window is (1 minute to two hours). All of these configurations help to limit password guessing, especially by automated systems; however, some accounts have specific requirements in this regard.

The password lockout feature applies per IP address, so a user cannot be locked out by another user at another location trying to guess his/her password. It is also configurable on an account-wide or per-domain basis.
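The lockout above as an added example (not LuxSci's own code): a per-IP counter with the page's defaults and configurable ranges. It assumes failures are counted consecutively per source address, that a successful login resets the counter, and that a locked address is refused before the credential check runs; the IP addresses and credentials in the demo are constructed.

```python
from collections import defaultdict

class LoginLockout:
    """Per-IP lockout: after `threshold` consecutive failures from one address,
    attempts from it are refused for `lockout_seconds` (assumed counting model).
    Defaults are the page's 5 failures / 10 minutes; configurable ranges are
    1-20 failures and 1 minute to 2 hours."""

    def __init__(self, threshold: int = 5, lockout_seconds: int = 600):
        if not 1 <= threshold <= 20 or not 60 <= lockout_seconds <= 7200:
            raise ValueError("setting outside the configurable range")
        self.threshold, self.lockout_seconds = threshold, lockout_seconds
        self.failures = defaultdict(int)  # ip -> consecutive failures
        self.locked_until = {}            # ip -> time the lock expires

    def is_locked(self, ip: str, now: float) -> bool:
        until = self.locked_until.get(ip)
        if until is not None and now < until:
            return True
        self.locked_until.pop(ip, None)   # no lock, or the lock has expired
        return False

    def attempt(self, ip: str, user: str, password: str, verify, now: float) -> str:
        """Return 'locked', 'ok' or 'failed'. `verify` is the real credential
        check and is never called while the source IP is locked."""
        if self.is_locked(ip, now):
            return "locked"
        if verify(user, password):
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        if self.failures[ip] >= self.threshold:
            self.locked_until[ip] = now + self.lockout_seconds
            self.failures[ip] = 0
        return "failed"

def demo() -> dict:
    """Constructed scenario: a guesser at 198.51.100.7, the account owner at 203.0.113.5."""
    verify = lambda u, p: (u, p) == ("alice", "correct horse battery")  # constructed check
    lock = LoginLockout()
    guesser, owner = "198.51.100.7", "203.0.113.5"
    guesses = [lock.attempt(guesser, "alice", f"guess{i}", verify, 1000.0 + i) for i in range(6)]
    return {
        "guesses": guesses,  # five failures, then the sixth attempt is refused
        "owner_unaffected": lock.attempt(owner, "alice", "correct horse battery", verify, 1006.0),
        "still_locked": lock.attempt(guesser, "alice", "correct horse battery", verify, 1603.0),
        "after_window": lock.attempt(guesser, "alice", "guess", verify, 1604.0),
    }
```

Because the counter is keyed by source address, the owner's login from another location succeeds while the guessing address is locked out.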
**Custom Lost Password Instructions**

Typically, when a user forgets his/her password, s/he can click on a link on the LuxSci login page and fill out a form that asks for some information; the LuxSci Support Staff then verify the user's identity (manually) based on things such as pre-configured alternate email addresses, phone numbers, and security questions. Support then sends the user a password reset link.

In some cases, account administrators do not want their users (or specific users) to be directed to Support, but to be given specific instructions for lost passwords.

Administrators can optionally specify "Lost Password Instructions" account-wide, per-domain, and/or per-user. Any affected users who request password help from the login page will get these instructions instead of being sent to Support.
**Login Session Length Enforcement**

Account administrators can configure a maximum WebMail login session timeout for all users of anywhere from 5 minutes to 8 hours of inactivity.
**Administrative Access for Multiple Users or Accounts**

Administrators can delegate administrative access to other account users on a per-domain basis, as needed. Administrators can also manage multiple LuxSci accounts from a single login if needed.
**SecureLine Encryption Policies**

Account administrators can enable SecureLine email encryption settings quickly and easily on an account-wide and/or domain-wide basis. This includes auto-creation of user PGP and S/MIME certificates, forced use of email encryption, inbound email auto-decryption, etc.
**Successful/Failed Login Alerts**

Users can receive emailed alerts of successful and/or failed logins to their accounts. These alerts can go to a custom list of email addresses and can be enabled/disabled per service (e.g. POP, IMAP, WebMail, SMTP, FTP).

By default, failed login alerts are enabled and successful login alerts are disabled.
**Maximal Security Settings and Enforcement**

LuxSci provides account administrators with a "Maximal Security" button that allows them, in one click, to configure all of the global or domain-wide security options to settings that ensure maximal security. This configures such things as forced use of SSL, strong passwords, and forced use of SecureLine (if you have purchased it).

Account managers can also contact support to have these settings "Locked Down" so that no one in the account can alter them without contacting support directly, getting approval, and leaving an audit trail.

If you want maximal email security and the assurance that it is set up correctly and cannot be circumvented, this is for you.