New Account Security features launched

March 14, 2017 Leave a comment

We are excited to announce the launch of a new Account Security interface with Two-Factor Authentication (2FA) for Runbox.

This completes more than a year of development, and we are quite proud of the result. The new features will significantly improve the security of your Runbox account when you activate them.

Account Security features

The new Account Security interface includes 4 main features: Two-Factor Authentication, Manage Services, App Passwords, and Last Logins.

Used separately or in combination, these features add extra layers of security to your Runbox account.

Two-Factor Authentication

Two-Factor Authentication (2FA) is a log in procedure where an additional piece of information is required in addition to your username and account password.

This additional factor is a code that can only be used once, or for a limited period of time.

Two-Factor Authentication
Runbox Two-Factor Authentication

Runbox 2FA currently supports Timed One-Time Passwords (TOTP) and One-Time Passwords (OTP) as additional factors. We are planning to expand this with Yubikey or U2F support.

Manage Services

The new Account Security interface lets you disable various services such as IMAP, POP, and SMTP. These are the services you use when using an email app/program to access your mail.

By disabling services you are not using, you prevent attempts at unauthorized access to your account via those services.

App Passwords

You can also set up unique passwords for each of your apps or devices, giving you complete control over the access to your account.

If you then happen to lose a device you can simply delete the corresponding app password, effectively disabling access from that device.

Last Logins

This section shows a list of the most recent login attempts to your account from each service such as web, IMAP, POP, and SMTP.

If you suspect that there have been unauthorized login attempts to your account, you can review this list and take appropriate action.

How to set up Account Security features

To get started, just go to the Account Security screen to set up 2FA and the other security features.

We encourage you to review our Account Security help page for details about the new functionality first. This will ensure that you understand how 2FA works and prevent you from getting locked out of your account.

We welcome any questions or feedback you might have, either as comments to this blog post or via our contact form or support system.

Continue Reading →

Max accounts upgraded to 25GB

March 1, 2017 1 Comment

Today we have upgraded the email storage space for all Max accounts from 15 GB to 25 GB.

New Max subscriptions and upgrades from other price plans will also get 25GB email storage space.

If you currently have a Max subscription and have previously purchased email storage add-ons, you now have those add-ons on top of 25 GB. You might therefore want to review your email storage add-ons in case you need less than 25 GB.

We will continue to evaluate our price plans in order to stay competitive, and feedback and comments are welcome as always.

Continue Reading →

New Web Servers Deployed

February 3, 2017 12 Comments

Yesterday we deployed our new web servers, which are powering the Runbox web app at https://runbox.com. There are a few changes and improvements that were deployed at the same time, and that we would like to tell you about.

New login screen

Among other things you may have noticed that the login procedure has changed. This is related to the roll-out of our new Account Security features, which include Two-Factor Authentication. We will post more about this soon, but the important thing to note is that the new login regime is more secure than before. This also completes our transition to a new, global authentication system which we have described previously.

If you have problems logging in

If you are experiencing problems logging in, please make sure that your browser has the latest version of the login screen. You can do this by pressing Ctrl + F5 on Windows and Cmd + R on macOS. If this doesn’t help, please try to clear your browser’s cache and restart it. If this doesn’t help or if you are unsure how to accomplish this, please contact Runbox Support.

There are a few other wrinkles on the new web servers that we are currently ironing out, and besides a more powerful and reliable webmail service we have also deployed a new spam filter.

New spam filter in beta

The new spam filter is powered by Cloudmark, which is one of the strongest authorities on spam analysis in the world. You can try out the new spam filter by going to Manager > Filter and selecting “Cloudmark (beta)” under “Detect junk mail”. If you are already using Dspam (the trainable spam filter) you can select “Both” to activate Cloudmark and Dspam.

The Cloudmark spam filter will automatically catch more spam by comparing spam signatures (fingerprints) with the central Cloudmark database. If you click “Not spam” or “Report spam” to correct spam filter behavior in the webmail, a report will be sent encrypted to the central Cloudmark service. Select “Train using reduced email details” to only send a message signature instead of the full message when reporting misclassified messages.

The Runbox Aero webmail theme

And if you haven’t already done so, we recommend that you try out the Runbox Aero webmail theme, which you can find in Webmail > Preferences. This theme has a more modern design and includes larger and more legible fonts.

More new features to come!

Finally, with the new web servers we have also established a streamlined deployment system that makes the path from development to production much more efficient. We won’t bore you with details, but we can say that you can expect more exciting features from Runbox going forward.

Continue Reading →

Free services for environmental NPOs

December 24, 2016 3 Comments

When a year nears its end there’s a natural inclination to take stock, and 2016 has been a year like few others.

At Runbox, while working hard each day to improve our product and ensure that our services are reliable and secure, we have watched the world’s events unfold from our vantage point in the high north.

With customers in 172 countries we feel that we are connected with people in every corner of the world.

And as our planet completes another revolution, its fate seems more uncertain than ever. Just since Runbox was launched in 2000,

  • average global temperature has increased 0.4°C [1],
  • average sea level has risen almost 6cm (2 inches) [2],
  • human population has grown by more than 1 billion [3], and
  • around 30,000 species have gone extinct [4,5].

 

Source: https://en.wikipedia.org/wiki/Global_warming

Humanity’s ecological footprint is so large that we are literally about to eradicate the planet’s resources:

  • Humans annually absorb more than 42% of the Earth’s terrestrial net primary productivity, 30% of its marine net primary productivity, and 50% of its fresh water [6].
  • 40% of the planet’s land is devoted to human food production, up from 7% in 1700 [6].
  • 50% of the planet’s land mass has been transformed for human use [6].

Clearly this is not sustainable, and humanity is on a collision course with its environment.

This increasing urgency implores us to do more to help decrease human impact. We all depend on our environment — and when it deteriorates it affects us all.

So starting this Christmas, in line with our Company Values and our commitment to sustainability, Runbox will offer free services to environmental non-profit and non-governmental organizations.

This includes both our email hosting and web hosting services, up to 100 email accounts and 1 000 MB website storage per organization. If you are a registered environmental NPO/NGO, please contact us to apply.

We encourage other email and web hosting providers to do the same.

And we wish everyone the very best for the new year.

Sources

1. https://en.wikipedia.org/wiki/Global_warming

2. http://climate.nasa.gov/vital-signs/sea-level/

3. https://en.wikipedia.org/wiki/Population_growth

4. https://www.geol.umd.edu/~tholtz/G204/lectures/204conservation.html

5. https://en.wikipedia.org/wiki/Holocene_extinction

6. Vitousek, P. M., H. A. Mooney, J. Lubchenco, and J. M. Melillo. 1997. Human Domination of Earth’s Ecosystems. Science 277 (5325): 494–499; Pimm, S. L. 2001. The World According to Pimm: a Scientist Audits the Earth. McGraw-Hill, NY; The Guardian. 2005. Earth is All Out of New Farmland. December 7, 2005.

Continue Reading →

How To Use Email Securely

November 1, 2016 7 Comments

Much has been said and written in the media recently regarding email, and here at Runbox we’d like to take the opportunity to help make it all a bit more understandable.

What is email, anyway?

Email, or electronic mail, is the most common method of exchanging digital messages.

It is easily the most flexible online messaging service available, because it lets users send and receive unlimited text, multimedia, and other files to anyone with an email address anywhere in the world.

Email was invented in the 1960s and is still one of the most popular services currently available via the Internet, with over 90% of US Internet users actively using email.

How does email work?

Email systems consist of computers and devices that are connected via the Internet. These computers and devices can be servers that process and store electronic mail, or clients such as laptops and smartphones that are used to send and receive email.

Email clients and server Email clients connected to a server

When someone sends an email, the message is transferred from his or her device to a server that processes the message.

Based on the recipient email address, the server finds out where to send the message next.

This is usually to another server associated with the recipient’s address, and often via a number of other servers that act as dispatchers.

There are many different types of email software that can send, receive, and store email. If you use a computer or a smartphone, you might be familiar with software such as Outlook, Apple Mail, or Thunderbird.

Where is my email actually stored?

Because the volume of email is so large, email clients typically let servers store all the email that is received and sent and only download messages when they are opened.

This is very convenient because the server can then do resource intensive things like filtering out spam and viruses, and other kinds of sorting and processing.

Another important reason for keeping emails stored on a server is that it lets more than one client access the same messages.

For instance, you can set up your laptop, your tablet, and your smartphone to access all the email that is stored in your account on the server. You can also use a webmail in your web browser, which essentially works as an email client.

This means that your email will be synchronized across all your devices, without you having to do anything manually.

You can read more about how this works in our Help article Using an Email Client with IMAP.

How can I be sure that no one else can access my email?

When you sign up for an email account, you select a username and a password that only you know. This ensures that only you can access the email that is stored in your account on the server.

As you can imagine, it is important that you choose a strong password to make sure that no one else can guess it. It’s also important to be aware of scams that may try to trick you into revealing information that could let someone gain access to your account.

End-To-End Encryption
End-To-End Encryption

However, to be certain no one can read your email even if they were to gain access to it, you can use encryption.

Email encryption can protect your messages all the way from your device to the recipient’s, by encoding them in such a way that it’s virtually impossible for someone unauthorized to unscramble them.

You can read more about this in our Blog post Email Encryption with Runbox and our Help article Encrypting Your Runbox Email.

We hope this article helped clarify what email is, how it works, and how to use it securely. For a more in-depth article, please see How Email Works.

Continue Reading →

Account security and password strength

July 3, 2016 19 Comments

In the recent past, some high profile companies have had user account details stolen by criminals. In some cases these details have been made public. Many people use the same usernames and passwords across different services, which means that their other accounts may also be at risk.

Use a Strong Password

Runbox has not had a data breach. However, if you use one of the affected services and have used the same login with Runbox then your Runbox account could also be at risk.

We would suggest you update your Runbox password if you feel it might be necessary. What would have been a strong password a few years ago, might not be strong now. This is because criminals have an increasing ability to try large numbers of known passwords against accounts.

For useful tips about choosing strong passwords we recommend our Account Security help page. It is easier than you might think to create good passwords that are easy to remember.

Two-Factor Authentication

To improve account security further, Runbox will be launching two-factor authentication (2FA) in the near future.

With 2FA turned on you will need to provide both your username, password, and an additional piece of information to access Runbox and your account settings. And if you choose to use IMAP, POP, or SMTP, you will be given strong passwords to use.

In the meantime, if you have any questions about account security, please contact us at Runbox Support.

Continue Reading →

CalDAV calendar in beta testing

June 8, 2016 20 Comments

We’re happy to announce that our new CalDAV service is now in open beta testing.

With CalDAV you can store your calendars on Runbox’ servers using calendar apps on your computer or smart phone. This is the first step towards a full-fledged Runbox Calendar service, as we are planning to develop an integrated web interface as well.

Please remember that this is a beta phase and that the service might be less consistent than our standard services. We therefore recommend that you back up your calendar data before and while testing it.

Setting up Runbox CalDAV

To try Runbox CalDAV in your Calendar client, just set up a new account with your Runbox username and password and https://dav.runbox.com/ as Server Address.

Note: If you are using your own domain with Runbox, the correct username format is you@nulldomainyouown.com.

  • Apple Calendar users: Setup should be straight forward after selecting Add Account… > Add CalDAV Account… from the menu.
  • Outlook users: To extend Outlook with CalDAV functionality you can try the Outlook CalDav Synchronizer plugin.
  • Thunderbird users: For Thunderbird Lightning setup instructions, please see this comment.

PS: In case you are wondering what CalDAV stands for it’s Calendar Distributed Authoring and Versioning, and it’s the established standard for storing and accessing calendar information on the Internet.

Continue Reading →

Hardened web server security

March 31, 2016 5 Comments

We have recently hardened our web server security, giving Runbox an A+ rating on securityheaders.io — in addition to our existing A+ rating on ssllabs.com.

The policies we have implemented are the following:

X-Frame-Options: Tells the browser that we don’t allow the Runbox web site to be framed (included) by other web sites, which defends against attacks like click-jacking.

HTTP Strict Transport Security: Strengthens our implementation of Transport Layer Security (TLS) by making the browser enforce the use of encrypted communication (HTTPS).

Content Security Policy: Protects our web site from Cross-Site Scripting (XSS) attacks.

HTTP Public Key Pinning: Protects us from from Man-in-the-Middle attacks by making sure the TLS certificates used by the browsers are the ones implemented on our servers.

X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers.

X-Content-Type-Options: Forces browsers to use the declared file content type instead of trying to be too clever, which helps to reduce the danger of drive-by downloads.

These changes will help ensure that your use of Runbox is as safe and secure as possible, and we will continue making security-related improvements in the future.

Continue Reading →

TLS Upgraded for Incoming Email

February 12, 2016 3 Comments

Today we have upgraded the TLS (Transport Layer Security) of our incoming email servers to support version 1.2, which is the most recent. This means that when email is sent to Runbox from other services, the highest level of encryption will be used if the other service supports it.

This also means that all communication between your email program and Runbox now uses TLS 1.2 (if supported by your email program).

 

Continue Reading →

Spam filter upgrades and policies

January 24, 2016 Leave a comment

New Spam Filter Servers

As part of our ongoing fight against spam, Runbox has recently deployed a new cluster of spam filter servers and made a few changes to how we deal with spam.

We now block a lot more spam by rejecting connections from servers that are known to send spam. Most of these connections are from virus infected computers, and it is relatively easy to identify these machines via their IP addresses.

Another change we’ve made is to upgrade SpamAssassin so that it performs more extensive checks of incoming mail.

This is the first among several steps we are taking to clear your Inbox of spam, and we will post more news about this in the near future.

Changes to Bulk Mailing Policy

We’ve also decided to tighten our policies on bulk mailing using Runbox’ outgoing email servers to prevent Runbox from ending up on blacklists used by other email services.

As email use continues to grow and more people around the world are online, so does the amount of email sent for marketing and promotional reasons. Often mailing lists are badly managed and people receive email they no longer want, so they mark them as spam instead of unsubscribing from them.

Meanwhile spam systems are getting smarter, and email providers create statistics from the actions of their customers. If a customer marks a message as spam (whether it is spam or not), this is recorded in a database, and it can result in those domains and server IP addresses being blocked.

Only a very small number of Runbox customers use our services for marketing and promotional messages, but this can still have an adverse affect on all Runbox customers. Therefore we have decided that Runbox can no longer be used for bulk mailing, and we are now changing our Terms of Service to reflect this.

If you are using, or are planning to use, Runbox for bulk mailings, please see our page about Bulk Mailing and contact Runbox Support.

Continue Reading →