Email Security and Privacy Features

Feature Available
SecureLine™: End-To-End Email Encryption

The SecureLine™ End-To-End Email Encryption Service provided by LuxSci allows users to send and receive secure email messages with ease. Messages can be sent to and received from anyone with an email address, regardless of the email software or service they use, even if their email service is insecure!

SecureLine™ provides services compatible with PGP and S/MIME. It also offers a message "Escrow" service that can be used to communicate securely with anyone.

See Also:

SecureLine™ End-To-End Email Encryption Service

Secure WebMail (https - TLS)

Your passwords, and the contents of all of your messages, are encrypted via TLS (Transport Layer Security) when transmitted to our WebMail application. Nobody can eavesdrop and you know for sure that you are communicating with LuxSci!

Additionally, you can use our optional visual keyboard to enter your password with a mouse when logging into our WebMail portal. This tool helps you mitigate the possibility that spyware is running on your computer (or the unreliable computer at an Internet Cafe). It prohibits the machine from capturing your password and delivering it to unauthorized people.

Secure IMAP and POP

Regular IMAP and POP put your username, password and all of your messages at risk because messages are sent back and forth between servers in "plain text". Anybody who attempts to review your messages can discover your password. With Secure IMAP and POP over SSL, all of this information is encrypted; nobody can eavesdrop or steal your password!

Secure, Authenticated SMTP

Regular SMTP (like regular IMAP and POP) is also insecure. Anybody that scans your "plain text" messages can discover your password! With Secure SMTP, all of this information is encrypted! Our SMTP Server also requires authentication for SMTP Relaying which forces you to send your username and password in order to send messages. This protects you and LuxSci servers from being used to send Spam.

Our secure SMTP services are provided via TLS (Transport Layer Security; STARTTLS for SMTP) and SSL. This makes them compatible with all email clients that support one of these mechanisms.

Secure, Anonymous SMTP

Use LuxSci's Secure, Anonymous SMTP server to strip all information about your computer, its Internet address and your email client from outgoing messages. This provides enhanced privacy, as your recipients will have no way to determine the email's origin. They can only track messages back to LuxSci's servers. Otherwise, recipients could use your computer address information to determine your physical location by region, city, or even the address!

Secure Email Transmission with TLS

LuxSci's inbound email servers support "Transport Layer Security - TLS". This encrypts and secures emails you receive from other companies during transit to LuxSci's servers (assuming the sender's server supports this feature). Transport Layer Security - TLS also secures all internal emails on LuxSci during transport.

LuxSci's servers will also use TLS whenever possible for outbound email. See: SMTP TLS: All About Secure Email Delivery over TLS.

Two-Factor Authentication for WebMail

LuxSci's Web Interface supports optional two-factor authentication to further secure logins. The first factor is the user's username and password. The second is one of:

  • Google Authenticator
  • A token sent via text message/SMS
  • A token sent to an alternate email address

The Web Interface integrates with any account that you have for advanced two-factor authentication. Options include text message, phone call, hardware token, mobile device app, user management, logging, auditing, and more.

Custom Firewall Access Control

Allow and/or deny access to WebMail, POP, IMAP and SMTP based on IP or IP Range. Rules can be implemented per-user, per-domain and/or account wide.

Optionally allow access to POP, IMAP, and SMTP based on a successful prior login to the Web Interface.

Custom firewall rules can also apply to FTP and Secure FTP access.


Login/Access Auditing

We track all logins to your account via POP, IMAP, SMTP and WebMail. This includes the exact time and the IP address used, among other information. This auditing information is available to you, your account administrator and technical support at all times. You can easily check if unwanted people or programs are logged into your accounts. Additionally, you will be sent automated alerts when login attempts to your account fail.

WebMail Access Restrictions

This option can restrict users' access to WebMail to a specified set of IP addresses or IP blocks (CIDR). It can also restrict the login availability of users to a selected set of countries and/or regions.

Auditing of Email Sending

We track all messages sent from WebMail, your email servers (via SMTP) and your web sites. This allows you, your administrator and our support team to review what email messages are being sent and from where. It also allows LuxSci to proactively stop Spam attempts even if the Spam messages are unintentional or the result of web site insecurity. Note, records of message content are not available to your administrators or to our standard support teams, so this auditing does not tread on privacy concerns.

Incoming Email Attack Guard (with Premium Email Filtering)

Attack Guard protects your message infrastructure from Denial of Service (DoS) attacks and other threats with real-time monitoring and analysis of email traffic patterns. Dictionary attacks, mail bombs, email flooding and other attacks designed to interrupt service or harvest corporate or personal email addresses can be blocked with real-time detection. Additionally, the service scans the incoming Simple Mail Transport Protocol (SMTP) stream for abnormalities in protocol compliance and abuse. This service is automatically included as part of our Premium Email Filtering service.

Customizable WebMail Session Timeouts

Account administrators and users can customize their WebMail session timeout. The default timeout is 2 hours, but it can be set to any value between 5 minutes and 8 hours. Account administrators can also monitor user timeouts and restrict them to be no longer than the account-wide default.

Customizable WebMail Login Failure Lockouts

Users are blocked from WebMail if they fail to log in successfully (from their IP) 5 times within a 10-minute span. Administrators can customize this range (i.e. number of failures and the period of time) globally and on a per-domain basis.

This feature mitigates password guessing via the WebMail interface login screens.

Application-Specific Passwords

Create new username/password aliases that can be used to grant others access to your WebMail, email, settings, FTP/SFTP/SSH, API, etc. These aliases can be revoked at any time, do not expose your real password, can have restricted access, and are exposed in your login audit trails (so you know who/what logged in to what service, when, and from where).

Web Portal Security: Mobile Site

LuxSci provides an alternate secure members' web portal (the Mobile Site). The Mobile Site feature uses minimal graphics for maximal speed. It does not require the use of cookies or JavaScript and suppresses some of the features of the full portal that may put you at risk, like viewing HTML attachments inline. The Mobile Site supports most of the non-administrative features of the full members' portal (including WebMail, WebAides™, Workspaces and Widgets, technical support, and help) and provides maximal browser compatibility and security.

It is your choice if and when you use the Mobile Site or the Full Site (which does use cookies, JavaScript and more graphics). While the Mobile Site is faster and may be more secure, the Full Site offers a more full-featured experience.

See Also: About the Mobile Site.

Web Hosting Security Highlights

Web Hosting on Dedicated Servers

Secure Web Sites (https / TLS)

We provide secure web site hosting using Transport Layer Security encryption. We can provide TLS certificates for you, or you can provide your own. We provide dedicated IP address(es) for your secure site(s).

Secure Web and PDF Form Processing (SecureForm™)

Upload and download files from your web site or file storage location using Secure Copy or Secure FTP. This protects your username and password and the contents of your data from cyber-intruders.

Secure Web-Based File Manager

The web-based file manager allows secure uploads, downloads and file management through LuxSci's secure web interface. This option is ideal if you need to make changes but do not have access to an SFTP program.

Application-Specific Passwords restrictable to only SFTP & SSH

Create new username aliases and passwords that can grant others (e.g. developers) access to your web/FTP space (only) without giving them access to your real password, your email, or anything else.

Web Site Password Protection

A simple user interface enables and manages password protection for entire web sites and/or individual directories. It can create and manage users or groups of users to determine who has read and write access (i.e. for WebDAV). This eliminates the need to deal directly with .htaccess or .htpasswd files.

Secure MySQL Access (over TLS or VPN)

LuxSci provides an alternate port for TLS-enabled access to MySQL databases. This ensures the security of your sensitive data if you connect from a remote location.

Database access is also available over a VPN.

Secure Web-Based MySQL Manager (over TLS)

Custom web-based MySQL database management tools allow you to securely upload and execute SQL scripts with ease. They also offer secure downloads of database dumps and execute commands on demand.

Anti-Virus Scans

Daily anti-virus scans of your web server file spaces. Any detected malicious content is quarantined.

Denial-of-Service Protection

Protection against some forms of denial of service attacks is taken care of automatically by your server.

Intrusion Detection

Your web server can automatically detect and alert LuxSci support on many kinds of system intrusions.

Account Administration Security

Enforced use of TLS for user logins

Account administrators have the option to force their users to connect to our email and web services (i.e. WebMail, POP, IMAP, SMTP, FTP, and MySQL) exclusively over TLS. The account administrator enables this option by checking a single checkbox in his/her account. After the option is enabled, all account users will be denied access to these services unless they connect over TLS-secured channels. Thus, the administrator can enforce security policies very easily.

This policy can be configured globally, per-domain, or per-user.

Password Strength Settings

In addition to the TLS protection of usernames and passwords, administrators can customize the required degree of complexity for user passwords. The requirement can range from accepting very weak passwords to requiring very strong passwords (16+ alphanumeric characters that pass entropy-based password guessing criteria and do not contain parts of the user's username).

You can also optionally enable "hacked password checking", where passwords are checked against a large database of passwords that have been publicly exposed by breaches across the Internet.

Password Reuse Policies

LuxSci tracks previously used passwords and the time period when they were in use. We keep "hashes" of these passwords for security reasons. However, we cannot determine what these passwords actually were!

Preventing password reuse helps protect an account from unauthorized access. When a user changes his/her password, the new password must be different from any password that he/she used in the past year. It must also differ from their four previous passwords.

Account administrators can customize their password reuse requirement. It can be made weak, requiring only that new passwords be different from the current password. It can also be made strong, requiring that the new password differ from the user's last eight passwords and from any password in use over the previous two-year period. This can be configured account-wide and/or on a per-domain basis.

Password Expiration Policies

Administrators can optionally force users to change their passwords after a certain length of time to keep them from being "too old". If a user's password expires, all services (except WebMail) are auto-disabled until the user logs in to reset his/her password. Administrators can configure the password expiration based on password age. The expiration can be configured to anywhere from seven days to one year. Additionally, administrators can specify when expiration warnings are sent to their users. Two such messages will be sent to all users.

Passwords Never Saved in Plain Text

LuxSci does not save plain text versions of user passwords. Rather, they are always saved as a hash (for regular login passwords) or they are encrypted with PGP (for personal certificate Password Escrow, when this feature is enabled). Translation: even senior LuxSci staff do not have access to view user passwords.

WebMail Login Lockout due to Login Failures

Users will be prohibited (locked-out) from logging into WebMail for 10 minutes after five unsuccessful login attempts. This helps prevent password guessing attempts on our WebMail login page.

Administrators can further customize lock-out parameters. They can choose how many login failures result in a lock-out (from one to twenty) and they can choose how long the lock-out window lasts (from one minute to two hours). All of these configurations help limit password guessing, especially by automated systems. However, some accounts have specific requirements in this regard.

The password lock-out feature applies "per IP address", so a user cannot be locked out by someone else trying to guess his/her password from another location. It is also configurable on an account-wide or per-domain basis.

Custom Lost Password Instructions

LuxSci Support Staff can typically retrieve a user's forgotten password. All the user must do is click the link on the LuxSci login page and fill out a basic form. With that information LuxSci Support Staff can verify the user's identity (manually) based on certain criteria such as pre-configured alternate email addresses, phone numbers and security questions. Support would then send the user a password reset link.

In some cases, account administrators do not want their users (or specific users) to be directed to Support, but to be given specific instructions for lost passwords.

Administrators have the option to specify "Lost Password Instructions" account-wide, per-domain and/or per-user. Any affected users who request password help from the login page will get these instructions instead of being sent to Support.

Self-Serve Secure Password Reset System

Login Session Length Enforcement

Account administrators can configure a maximum WebMail login session timeout (for all users) of anywhere from five minutes to eight hours of inactivity.

Administrative Access for Multiple Users or Accounts

Administrators can delegate administrative access to other account users on a per-domain basis as needed. Administrators can also manage multiple LuxSci accounts from a single login if needed.

SecureLine™ Encryption Policies

Account administrators can quickly enable SecureLine™ email encryption settings on an account-wide and/or domain-wide basis. This includes auto-creation of user PGP and S/MIME certificates, forced use of email encryption, inbound email auto-decryption, etc.

Successful/Failed Login Alerts

Users can receive email alerts detailing successful and/or failed logins to their accounts. These alerts can go to a custom list of email addresses and can be enabled/disabled per service (e.g. POP, IMAP, WebMail, SMTP, FTP).

By default, failed login alerts are enabled and successful login alerts are disabled.

Maximal Security Settings and Enforcement

LuxSci provides account administrators with a "Maximal Security" button. This feature allows them to configure all of the global or domain-wide security options to settings that ensure maximal security in one click. This configures such things as forced use of TLS, strong passwords and forced use of SecureLine™ (where applicable).

Account managers can also request that Support "Lock Down" these settings to ensure nobody in the account can alter them without contacting support directly, getting approval and leaving an audit trail.

If you want maximum email security and the assurance that your email account is set up correctly and cannot be circumvented, this is for you.

Collaboration (WebAide) Security Features

LuxSci's WebAides™ allow you to create a variety of collaboration instruments such as Blogs and file archives. LuxSci ensures the security of your data in many ways, including:

PGP Encryption

With this feature you can choose to encrypt individual Blog entries and Documents using PGP encryption. The feature also supports the creation of personal and group PGP keys. It allows you to specify recipients of encrypted data on a per-entry basis and verify digital signatures of all encrypted content. Entries encrypted via PGP are secure. Even the LuxSci technical staff cannot access their content without access to your PGP key password (which is never saved in plain text on our servers).

Access Tracking

You can enable access tracking on your Blogs, Documents and Passwords WebAides™. This allows users to see who created or edited every entry and when the action occurred.

Security & Access Control

Only those with a login to LuxSci's web site could possibly access your WebAides™ (they are not public). You can also determine exactly who has permission to view your WebAides™, add entries, edit entries, make comments and administer your Blog. You can specify this per user, per user group, per domain and/or per account. You can however choose to share your WebAides™ with other members of your account and/or members of other LuxSci accounts; the decision is yours.

TLS, Password, and IP Protection for WebAide™ Feeds

WebAide Feeds (links to access certain WebAide data from external locations) can be secured via:

  • Password protection
  • Allowed access from certain IP addresses or ranges
  • Required feeds that can only be accessed over TLS

These options ensure that even if your feed is "published", you can control who has access.

Encrypted file storage

All files uploaded to WebAides™ are encrypted-at-rest with AES encryption.

"I was having a "hair on fire" moment regarding URL ownership; it was a scam but I needed Peter from LuxSci to verify. Quick, to the point, and calming response made my day! Thank you!"

John Glanville, Athenaeum Capital Partners