Email Security and Privacy Features

Feature Available
SecureLineTM Email Encryption
Secure WebMail
Secure IMAP and POP
Secure, Authenticated SMTP
Anonymous SMTP
Secure Email Transmission with SMTP TLS
TLS v1.2 and v1.3 support with NIST-recommended ciphers
Two-Factor Authentication for WebMail

LuxSci's Web Interface supports optional two-factor authentication to further secure logins. The first factor is the user's username and password. The second is one of:

  • www.Duo.com
  • Google Authenticator
  • A token sent via text message/SMS
  • A token sent to an alternate email address

The Web Interface integrates with any Duo.com account that you have for advanced two-factor authentication. Options which include: text message, Phone call, hardware token, Mobile device APP, user management, logging, auditing, and more.

Custom Firewall Access Control Lists

Allow and/or deny access to WebMail, POP, IMAP and SMTP, SFTP based on IP or IP Range. Rules can be implemented per-user, per-domain and/or account wide.

Optionally allow access to POP, IMAP, and SMTP and SFTP based on a successful prior login to the Web Interface.

Custom firewall rules can also apply to FTP and Secure FTP access.

Read More

Application-Specific Passwords
Create new username/password aliases that can be used to grant others access to your WebMail, email, settings, FTP/SFTP/SSH, API, etc. These aliases can be revoked at any time, do not expose your real password, can have restricted access, and are exposed your login audit trails (so you know who/what logged in to what service, when, and from where).
Access Auditing

We track all logins to your account via POP, IMAP, SMTP and WebMail. This includes the exact time and the IP address used, among other information. This auditing information is available to you, your account administrator and technical support at all times. You can easily check if unwanted people or programs are logged into your accounts. Additionally, you will be sent automated alerts when login attempts to your account fail.

Auditing of Email Sending

We track all messages sent from WebMail, your email servers (via SMTP) and your web sites. This allows you, your administrator and our support team to review what email messages are being sent and from where. It also allows LuxSci to proactively stop Spam attempts even if the Spam messages are unintentional or the result of web site insecurity. Note, records of message content are not available to your administrators or to our standard support teams, so this auditing does not tread on privacy concerns.

WebMail Access Restrictions by IP/Location and Day/Time

This option can restrict users' access to WebMail to a specified set of IP addresses or IP blocks (CIDR). It can also restrict the login availability of users to a selected set of countries and/or regions.

You can also choose to restrict user's access by time of day and day of week.

Customizable WebMail Session Timeouts

Account administrators and users can customize their WebMail session timeout. The default timeout is 2 hours but this range can be designed for timeout flexibility between 5 minutes and 8 hours. Account administrators also have the option to monitor user timeouts and program them to be no longer than the account-wide default.

Customizable WebMail Login Failure Lockouts

Users are blocked from WebMail if they fail to successfully login (from their IP) 5 times within a 10 minute span. Administrators can customize this range (i.e. number of failures and the period of time) globally and on a per-domain basis.

This feature mitigates password guessing via the WebMail interface login screens.

Web Hosting Security Highlights

Feature Available
Web Hosting on Dedicated Servers
Secure Web Sites (TLS)

We provide secure web site hosting using Transport Layer Security encryption. We can provide TLS certificates for you, alternately you can provide your own. We provide dedicated IP address(es) for your secure site(s).

TLS v1.2 and v1.3 support with NIST-recommended ciphers
Secure Web and PDF Form Processing (SecureFormTM)
SCP and SFTP

Upload and download files from your web site or file storage location using Secure Copy or Secure FTP. This protects your username and password and the contents of your data from cyber-intruders.

Secure Web-Based File Manager

Web-based file manager allows secure uploads, downloads and file management though LuxSci's secure web interface. This option is ideal if you need to make changes but do not have access to an SFTP program.

Application-Specific Passwords restrictable to only SFTP & SSH
Create new username aliases and passwords that can grant others (e.g. developers) access to your web/FTP space (only) without giving them access to your real password, your email, or anything else.
Web Site Password Protection

Simple user interface enables and manages password protection for entire web sites and/or individual directories. It can create and manage users or groups of users to determine who has read and write access (i.e. for WebDAV). This eliminates the need to deal directly with .htaccess or .htpasswd files. .htaccess or .htpasswd files.

Secure Database Access (over VPN)
Secure Web-Based Database Manager

Custom web-based MySQL database management tools allows you to securely upload and execute SQL scripts with ease. It also offers secure download dumps of your database and executes commands on demand.

Anti-Virus Scans

Daily anti-virus scans of your web server file spaces.

Denial-of-Service Protection

Protection against some forms of denial of service attacks is taken care of automatically by your server.

Intrusion Detection

Your web server can automatically detect and alert LuxSci support on many kinds of system intrusions.

Account Administration Security

Feature Available
Enforced use of TLS for user logins
Password Strength Settings

In addition to the TLS-protection of usernames and passwords, administrators can customize the required degree of complexity for user passwords. The range of complexity is manageable. It can be designed to require a very weak password or very strong passwords (16+ alphanumeric characters that pass entropy-based password guessing criteria and restrict passwords from containing parts of a user's username).

You can also optionally enable "hacked password checking" ... where passwords are checked against a large database of passwords that have been publicly exposed by breaches across the Internet.

Password Reuse Policies

LuxSci tracks previously used passwords and the time period when they were in use. We keep "hashes" of these passwords for security reasons. However, we cannot determine what these passwords actually were!

Preventing password reuse helps protect an account from unauthorized access. When a user changes his/her password, the new password must be different from any password that he/she used in the past year. It must also differ from their four previous passwords.

Account administrators can customize their password reuse requirement. It can be established weakly; requiring that new passwords merely be different from the current password. The requirement can also be established with strength; requiring that the new password differs from the user's last eight passwords and be different from any password in use over the previous two-year period.. This can be configured account-wide and/or on a per-domain basis.

Password Expiration Policies

Administrators can optionally force users to change their passwords after a certain length of time to keep them from being "too old". If a user's password expires, all services (except WebMail) are auto-disabled until the user logs in to reset his/her passwords. Administrators can configure the password expiration based on password age. The expiration can be configured from anywhere between seven days to one year. Additionally, administrators can specify when expiration warnings are sent to their users. Two such messages will be sent to all users.

Passwords Never Saved in Plain Text
LuxSci does not save plain text versions of user passwords. Rather, they are always saved as a hash (for regular login passwords) or they are encrypted with PGP (for personal certificate Password Escrow, when this feature is enabled). Translation: even senior LuxSci staff does not have access to view user passwords.
WebMail Login Lockout due to Login Failures

Users will be prohibited (locked-out) from logging into WebMail for 10 minutes after five unsuccessful login attempts. This helps prevent password guessing attempts on our WebMail login page.

Administrators can further customize lock-out parameters. They can choose how many login failures result in a lock-out (from one to twenty) and they can choose how long the lock-out window lasts (from one minute to two hours). All of these configurations help limit password guessing, especially by automated systems. However, some accounts have specific requirements in this regard.

The password lock-out feature applies "per IP address", so users cannot be locked out by another user trying to guess his/her password at another location. It is also configurable on an account-wide or per-domain basis.

Custom Lost Password Instructions

LuxSci Support Staff can typically retrieve a user's forgotten password. All the user must do is click the link on the LuxSci login page and fill out a basic form. With that information LuxSci Support Staff can verify the user's identity (manually) based on certain criteria such as pre-configured alternate email addresses, phone numbers and security questions. Support would then send the user a password reset link.

In some cases, account administrators do not want their users (or specific) users to be directed to Support, but to be given specific instructions for lost passwords.

Administrators have the option to specify "Lost Password Instructions" account-wide, per-domain and/or per-user. Any affected users who request password help from the login page will get these instructions instead of being sent to Support.

Self-Serve Secure Password Reset System
Login Session Length Enforcement

Account administrators can configure a maximum WebMail login session timeout (for all users) from anywhere from five minutes to eight hours of inactivity.

Administrative Access for Multiple Users or Accounts

Administrators can delegate administrative access to other account users on a per-domain basis as needed. Administrators can also manage multiple LuxSci accounts from a single login if needed.

SecureLineTM Encryption Policies

Account administrators can quickly enable SecureLineTM email encryption settings on an account-wide and/or domain-wide basis. This includes auto-creation of user PGP and S/MIME certificates, forced use of email encryption, inbound email auto-decryption, etc.

Successful/Failed Login Alerts

Users can receive email alerts detailing successful and/or failed logins to their accounts. These alerts can go to a custom list of email address and can be enabled/disabled per service (e.g. POP, IMAP, WebMail, SMTP, FTP).

By default, failed login alerts are enabled and successful login alerts are disabled.

Maximal Security Settings and Enforcement

LuxSci provides account administrators with a "Maximal Security" button. This feature allows them to configure all of the global or domain-wide security options to settings that ensure maximal security in one click. This configures such things as forced use of TLS, strong passwords and forced use of SecureLineTM (where applicable).

Account managers can also request Support "Lock Down" these settings to ensure nobody in the account can alter them without contacting support directly, getting approval and leaving an audit trail.

If you want maximum email security and the assurance that your email account is setup correctly and cannot be circumvented, this is for you.

Collaboration (WebAide) Security Features

LuxSci's WebAidesTM allow you to create a variety of collaboration instruments such as Blogs and file archives. LuxSci ensures the security of your data in many ways, including:

Feature Available
PGP Encryption

With this feature you can choose to encrypt individual Blog entries and Documents using PGP encryption. The feature also supports the creation of personal and group PGP keys. It allows you to specify recipients of encrypted data on a per-entry basis and verify digital signatures of all encrypted content. Entries encrypted via PGP are secure. Even the LuxSci technical staff cannot access their content without access to your PGP key password (which is never saved in plain text on our servers).

Access Tracking

You can enable access tracking on your Blogs, Documents and Passwords WebAidesTM. This allows users to see who created or edited every entry and when the action occurred.

Security & Access Control.

Only those with a login to LuxSci's web site could possibly access your WebAidesTM (they are not public). You can also determine exactly who has permission to view your WebAidesTM, add entries, edit entries, make comments and administer your Blog. You can specify this per user, per user group, per domain and/or per account. You can however choose to share your WebAidesTM with other members of your account and/or members of other LuxSci accounts; the decision is yours.

TLS, Password, and IP Protection for WebAideTM Feeds

WebAide Feeds (links to access certain WebAide data from external locations) can be secured via:

  • Password protection
  • Allowed access from certain IP addresses or ranges
  • Required feeds that can only be accessed over TLS

These options ensure that even if your feed is "published", you can control who has access.

Encrypted file storage
All files uploaded to WebAidesTM are encrypted-at-rest with AES encryption.