New IMAP servers deployed with Perfect Forward Secrecy

Our new IMAP servers were successfully deployed today after upgrading the new ZFS-based storage, which resolved an error that had previously caused problems. The technical details of the error can be found in the official bug report from the operating system distributor.

The combination of new, powerful IMAP servers and a modern, ZFS-based SAN (Storage Area Network) should significantly improve IMAP performance in the coming days and weeks as we move email accounts to the new storage unit.

Perfect Forward Secrecy support for IMAP

Additionally, the new IMAP servers support Perfect Forward Secrecy on SSL (encrypted) connections, which prevents an eavesdropper, unlikely as one may be, from decrypting the communication between client and server: each connection uses its own session keys, so recorded traffic cannot be decrypted later even if the server's long-term private key is compromised.

You do not have to change anything in your email client to enjoy these new technologies, but do let us know if you experience any problems.
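To see what a given IMAP server actually negotiates, the following added example (not part of the original post) opens an IMAPS connection with a normal verifying client context and reports the TLS version, cipher suite and whether the key exchange provides forward secrecy. The host name is a placeholder, and the classification of cipher names assumes OpenSSL naming (ECDHE-/DHE- prefixes for ephemeral key exchange; every TLS 1.3 suite is forward secret by construction).

```python
import re
import socket
import ssl

# OpenSSL cipher-name prefixes that denote ephemeral (EC)DH key exchange.
# Static RSA (e.g. "AES256-GCM-SHA384") or static ECDH ("ECDH-RSA-...")
# key exchange does NOT give forward secrecy.
_FS_KX = re.compile(r"^(ECDHE|DHE|EDH)-")


def is_forward_secret(cipher_name: str, tls_version: str) -> bool:
    """Return True if the negotiated suite provides forward secrecy.

    TLS 1.3 suites (e.g. TLS_AES_256_GCM_SHA384) always use ephemeral
    Diffie-Hellman, so they are forward secret regardless of the name.
    For TLS 1.2 and older the key exchange is encoded in the suite name.
    """
    if tls_version == "TLSv1.3":
        return True
    return bool(_FS_KX.match(cipher_name))


def probe_imaps(host: str, port: int = 993, timeout: float = 10.0) -> dict:
    """Connect to an implicit-TLS IMAP port and report what was negotiated.

    The default context verifies the certificate chain and host name
    against the system trust store, exactly as a real mail client would.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, version, bits = tls.cipher()
            greeting = tls.recv(512).decode("ascii", "replace").strip()
    return {
        "host": host,
        "tls_version": version,
        "cipher": name,
        "key_bits": bits,
        "forward_secret": is_forward_secret(name, version),
        "greeting": greeting,
    }


if __name__ == "__main__":
    import sys
    # "mail.example.com" is a placeholder; pass your own IMAP host as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    for key, value in probe_imaps(target).items():
        print(f"{key:15} {value}")
```

A server that only offers forward-secret suites will never report `forward_secret False`, whatever the client supports, which is why no client-side change is needed.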

5 thoughts on “New IMAP servers deployed with Perfect Forward Secrecy”

  1. This is great news! IMAP is the main way I access Runbox, so I hope its security remains on par with the webmail product.

  2. Unfortunately it has not been as safe as using a browser. I’m desperate for mobile-formatted Webmail, as I have never used Runbox in my phone’s mail client for this very reason.

    If Runbox could help us find phones running forward secrecy-enabled email clients, that would be wonderful. I have a Nokia Windows phone, and neither Nokia nor Microsoft can tell me if Outlook on this phone supports forward secrecy.

    Speaking of, why isn’t this page encrypted?

    1. Perfect Forward Secrecy is a feature of the server your client connects to, which causes the server to issue unique SSL keys for each connection. Your email client will simply accept the key which is issued by the server, so you don’t have to change anything for your client to support Perfect Forward Secrecy.

      This page isn’t encrypted because all the information on it is public. We may decide to change this in the future, though.

  3. Hi Geir,

    Thanks so much for clearing this up. I appreciate it.

    Here’s my understanding of how the encryption protocol is determined in a browser. I would like to understand why this is different from an email client…

    When a browser initially connects to a site it performs a “handshake” to determine the best available encryption protocol, and there are usually several options available. Forward secrecy is available in the latest version of the TLS protocol, but not in older versions. If a browser does not support the latest version, the page will still load using one of the older versions of TLS which may not include forward secrecy. So, even if a website supports forward secrecy, one must check that the browser supports the latest TLS protocol.

    This perhaps mistaken understanding is why I wanted to investigate my email client’s capabilities.

    What I understand from your response is that this does not apply to email clients, and that now that Runbox supports the latest protocol in IMAP, no IMAP connections can be made using an older, less secure TLS or SSL protocol.

    Thanks again for simplifying this for us laymen!

    1. As far as we can tell PFS is available in all versions of TLS (which is the successor to SSL), and of all the major browsers only Internet Explorer 6 and 8 on Windows XP do not support PFS (although they do support TLS 1.0). A full list of browser support for PFS can be found here: https://www.ssllabs.com/ssltest/analyze.html?d=runbox.com

      We haven’t been able to find a list of which email client versions support PFS, but we recommend that you always use the most recent (stable) release to ensure PFS support.

      By the way, you can review the security status of our mailservers here: https://ssl-tools.net/mailservers/runbox.com
