LuxSci Security & Privacy Focus

The SecureLine End-To-End Email Encryption Service provided by LuxSci allows users to send and receive secure email messages with ease. Messages can be sent and received from anyone with an email address, no matter what type of email software or service; regardless if their email services are insecure!

SecureLine provides services compatible with PGP and S/MIME. It also offers a message "Escrow" service that can be used to communicate securely with anyone.

See Also:

Your passwords, and the contents of all of your messages, are encrypted via TLS (Transport Layer Security) when transmitted to our WebMail application. Nobody can eavesdrop and you know for sure that you are communicating with LuxSci!

Additionally, you can use our optional visual keyboard to enter your password with a mouse when logging into our WebMail portal. This tool helps you mitigate the possibility that spyware is running on your computer (or the unreliable computer at an Internet Cafe). It prohibits the machine from capturing your password and delivering it to unauthorized people.

Regular IMAP and POP put your username, password and all of your messages at risk because messages are sent back and forth between servers in "plain text". Anybody who attempts to review your messages can discover your password. With Secure IMAP and POP over SSL, all of this information is encrypted; nobody can eavesdrop or steal your password!

Regular SMTP (like regular IMAP and POP) is also insecure. Anybody that scans your "plain text" messages can discover your password! With Secure SMTP, all of this information is encrypted! Our SMTP Server also requires authentication for SMTP Relaying which forces you to send your username and password in order to send messages. This protects you and LuxSci servers from being used to send Spam.

Our secure SMTP services are provided via TLS (Transport Layer Security; STARTTLS for SMTP) and SSL. This makes them compatible with all email clients that support one of these mechanisms.

Use LuxSci's Secure, Anonymous SMTP server to strip all information about your computer, it's Internet address and your email client from outgoing messages. This provides enhanced privacy as your recipients will have no way to determine the email's origin. They can only track messages back to LuxSci's servers. Otherwise recipients could use your computer address information to determine your physical location by region, city, or even the address!

LuxSci's inbound email servers support "Transport Layer Security - TLS". This encrypts and secures emails you receive from other companies during transit to LuxSci's servers (assuming the sender's server supports this feature). Transport Layer Security - TLS also secures all internal emails on LuxSci during transport.

LuxSci's servers will also use TLS whenever possible for outbound email. See: SMTP TLS: All About Secure Email Delivery over TLS.

LuxSci's Web Interface supports optional two-factor authentication to further secure logins. The first factor is the user's username and password. The second is one of:

• Google Authenticator
• www.Duo.com
• A token sent via text message/SMS
• A token sent to an alternate email address

The Web Interface integrates with any Duo.com account that you have for advanced two-factor authentication. Options which include: text message, Phone call, hardware token, Mobile device APP, user management, logging, auditing, and more.

Allow and/or deny access to WebMail, POP, IMAP and SMTP based on IP or IP Range. Rules can be implemented per-user, per-domain and/or account wide.

Optionally allow access to POP, IMAP, and SMTP based on a successful prior login to the Web Interface.

Custom firewall rules can also apply to FTP and Secure FTP access.

Read More

We track all logins to your account via POP, IMAP, SMTP and WebMail. This includes the exact time and the IP address used, among other information. This auditing information is available to you, your account administrator and technical support at all times. You can easily check if unwanted people or programs are logged into your accounts. Additionally, you will be sent automated alerts when login attempts to your account fail.

This option can restrict users' access to WebMail to a specified set of IP addresses or IP blocks (CIDR). It can also restrict the login availability of users to a selected set of countries and/or regions.

We track all messages sent from WebMail, your email servers (via SMTP) and your web sites. This allows you, your administrator and our support team to review what email messages are being sent and from where. It also allows LuxSci to proactively stop Spam attempts even if the Spam messages are unintentional or the result of web site insecurity. Note, records of message content are not available to your administrators or to our standard support teams, so this auditing does not tread on privacy concerns.

Attack Guard protects your message infrastructure from Denial of Service (DoS) attacks and other threats with real-time monitoring and analysis of email traffic patterns. Dictionary attacks, mail bombs, email flooding and other attacks designed to interrupt service or harvest corporate or personal email addresses can be blocked with real-time detection. Additionally, the service scans the incoming Simple Mail Transport Protocol (SMTP) stream for abnormalities in protocol compliance and abuse. This service is automatically included as part of our Premium Email Filtering service.

Account administrators and users can customize their WebMail session timeout. The default timeout is 2 hours but this range can be designed for timeout flexibility between 5 minutes and 8 hours. Account administrators also have the option to monitor user timeouts and program them to be no longer than the account-wide default.

Users are blocked from WebMail if they fail to successfully login (from their IP) 5 times within a 10 minute span. Administrators can customize this range (i.e. number of failures and the period of time) globally and on a per-domain basis.

This feature mitigates password guessing via the WebMail interface login screens.

LuxSci provides an alternate secure members' web portal (the Mobile Site). The Mobile Site feature uses minimal graphics for maximal speed. It does not require the use of cookies or JavaScript and suppresses some of the features of the full portal that may put you at risk, like viewing HTML attachments inline. The Mobile Site supports most of the non-administrative features of the full members' portal (including WebMail, WebAides, Workspaces and Widgets, technical support, and help) and provides maximal browser compatibility and security.

It is your choice if and when you use the Mobile Site or the Full Site (which does use cookies, JavaScript and more graphics). While the Mobile Site is faster and may be more secure, the Full Site offers a more full-featured experience.

See Also: About the Mobile Site.

We provide secure web site hosting using Transport Layer Security encryption. We can provide TLS certificates for you, alternately you can provide your own. We provide dedicated IP address(es) for your secure site(s).

Upload and download files from your web site or file storage location using Secure Copy or Secure FTP. This protects your username and password and the contents of your data from cyber-intruders.

Web-based file manager allows secure uploads, downloads and file management though LuxSci's secure web interface. This option is ideal if you need to make changes but do not have access to an SFTP program.

Simple user interface enables and manages password protection for entire web sites and/or individual directories. It can create and manage users or groups of users to determine who has read and write access (i.e. for WebDAV). This eliminates the need to deal directly with .htaccess or .htpasswd files. .htaccess or .htpasswd files.

LuxSci provides an alternate port for TLS-enabled access to MySQL databases. This ensures the security of your sensitive data if you connect from a remote location.

Database access also available over a VPN.

Custom web-based MySQL database management tools allows you to securely upload and execute SQL scripts with ease. It also offers secure download dumps of your database and executes commands on demand.

Daily anti-virus scans of your web server file spaces. Any detected malicious content is quarantined.

Protection against some forms of denial of service attacks is taken care of automatically by your server.

Your web server can automatically detect and alert LuxSci support on many kinds of system intrusions.

Account administrators have the option to force their users to connect to our email and web services (i.e. WebMail, POP, IMAP, SMTP, FTP, and MySQL) exclusively over TLS. The account administrator enables this option by checking a single checkbox in his/her account. After the option is enabled, all account users will be denied access to these services unless they connect over TLS-secured channels. Thus, the administrator can enforce security policies very easily.

This policy can be configured globally, per-domain, or per-user.

In addition to the TLS-protection of usernames and passwords, administrators can customize the required degree of complexity for user passwords. The range of complexity is manageable. It can be designed to require a very weak password or very strong passwords (16+ alphanumeric characters that pass entropy-based password guessing criteria and restrict passwords from containing parts of a user's username).

Support can also optionally enable "hacked password checking" ... where passwords are checked against a large database of passwords that have been publicly exposed by breaches across the Internet.

LuxSci tracks previously used passwords and the time period when they were in use. We keep "hashes" of these passwords for security reasons. However, we cannot determine what these passwords actually were!

Preventing password reuse helps protect an account from unauthorized access. When a user changes his/her password, the new password must be different from any password that he/she used in the past year. It must also differ from their four previous passwords.

Account administrators can customize their password reuse requirement. It can be established weakly; requiring that new passwords merely be different from the current password. The requirement can also be established with strength; requiring that the new password differs from the user's last eight passwords and be different from any password in use over the previous two-year period.. This can be configured account-wide and/or on a per-domain basis.

Administrators can optionally force users to change their passwords after a certain length of time to keep them from being "too old". If a user's password expires, all services (except WebMail) are auto-disabled until the user logs in to reset his/her passwords. Administrators can configure the password expiration based on password age. The expiration can be configured from anywhere between seven days to one year. Additionally, administrators can specify when expiration warnings are sent to their users. Two such messages will be sent to all users.

Users will be prohibited (locked-out) from logging into WebMail for 10 minutes after five unsuccessful login attempts. This helps prevent password guessing attempts on our WebMail login page.

Administrators can further customize lock-out parameters. They can choose how many login failures result in a lock-out (from one to twenty) and they can choose how long the lock-out window lasts (from one minute to two hours). All of these configurations help limit password guessing, especially by automated systems. However, some accounts have specific requirements in this regard.

The password lock-out feature applies "per IP address", so users cannot be locked out by another user trying to guess his/her password at another location. It is also configurable on an account-wide or per-domain basis.

LuxSci Support Staff can typically retrieve a user's forgotten password. All the user must do is click the link on the LuxSci login page and fill out a basic form. With that information LuxSci Support Staff can verify the user's identity (manually) based on certain criteria such as pre-configured alternate email addresses, phone numbers and security questions. Support would then send the user a password reset link.

In some cases, account administrators do not want their users (or specific) users to be directed to Support, but to be given specific instructions for lost passwords.

Administrators have the option to specify "Lost Password Instructions" account-wide, per-domain and/or per-user. Any affected users who request password help from the login page will get these instructions instead of being sent to Support.

Account administrators can configure a maximum WebMail login session timeout (for all users) from anywhere from five minutes to eight hours of inactivity.

Administrators can delegate administrative access to other account users on a per-domain basis as needed. Administrators can also manage multiple LuxSci accounts from a single login if needed.

Account administrators can quickly enable SecureLine email encryption settings on an account-wide and/or domain-wide basis. This includes auto-creation of user PGP and S/MIME certificates, forced use of email encryption, inbound email auto-decryption, etc.

Users can receive email alerts detailing successful and/or failed logins to their accounts. These alerts can go to a custom list of email address and can be enabled/disabled per service (e.g. POP, IMAP, WebMail, SMTP, FTP).

By default, failed login alerts are enabled and successful login alerts are disabled.

LuxSci provides account administrators with a "Maximal Security" button. This feature allows them to configure all of the global or domain-wide security options to settings that ensure maximal security in one click. This configures such things as forced use of TLS, strong passwords and forced use of SecureLine (where applicable).

Account managers can also request Support "Lock Down" these settings to ensure nobody in the account can alter them without contacting support directly, getting approval and leaving an audit trail.

If you want maximum email security and the assurance that your email account is setup correctly and cannot be circumvented, this is for you.

With this feature you can choose to encrypt individual Blog entries and Documents using PGP encryption. The feature also supports the creation of personal and group PGP keys. It allows you to specify recipients of encrypted data on a per-entry basis and verify digital signatures of all encrypted content. Entries encrypted via PGP are secure. Even the LuxSci technical staff cannot access their content without access to your PGP key password (which is never saved in plain text on our servers).

You can enable access tracking on your Blogs, Documents and Passwords WebAides. This allows users to see who created or edited every entry and when the action occurred.

Only those with a login to LuxSci's web site could possibly access your WebAides (they are not public). You can also determine exactly who has permission to view your WebAides, add entries, edit entries, make comments and administer your Blog. You can specify this per user, per user group, per domain and/or per account. You can however choose to share your WebAides with other members of your account and/or members of other LuxSci accounts; the decision is yours.

WebAide Feeds (links to access certain WebAide data from external locations) can be secured via:

• Password protection
• Allowed access from certain IP addresses or ranges
• Required feeds that can only be accessed over TLS

These options ensure that even if your feed is "published", you can control who has access.