11 Apr MailStore 12 – Easy SSL with Let’s Encrypt and new MailStore Gateway
MailStore version 12 is now live and includes some great new features that will help tighten up security for all MailStore installations. In our opinion the best new feature is the brand new ‘MailStore Gateway’ service, which makes archiving Office 365 and Google G Suite mail much simpler to configure and allows you to use Journaling as the main archive method.
Here is a full rundown of the changes:
Support for “Let’s Encrypt” Certificates
With previous versions of MailStore, all services could run over secured connection protocols utilising Transport Layer Security (TLS) certificates. The certificate can be either the ‘Self Signed’ SSL certificate that MailStore creates automatically or a pre-installed ‘Root Trusted’ SSL certificate purchased from a Root Trusted Authority.
With MailStore version 12, a new Let’s Encrypt Root Trusted SSL certificate option has been added. These certificates differ from existing Root Trusted SSL certificates in that they are created and renewed automatically and are FREE! This makes maintaining a valid Root Trusted SSL certificate a breeze.
If you are currently using a self signed SSL certificate, why do you need a Root Trusted SSL certificate?
As your MailStore users are likely going to need to connect to MailStore on a range of mobile devices, you may have already noticed that more and more devices are dropping support for Self Signed SSL certificates, or at the very least are making it very difficult to trust them. Over time this makes setting up new users’ devices a pain, so switching to a Root Trusted SSL certificate is a must.
How long are Let’s Encrypt certificates valid for and how do you renew them?
Let’s Encrypt certificates last for 90 days. MailStore takes care of auto renewing the certificates every 60 days so you no longer need to remember to manually purchase renewals and apply them to your server before old certificates expire!
Should a problem occur with any certificate used within MailStore (for example when the expiry date is approaching) the administrator will be alerted via the MailStore dashboard and if applicable in the email status reports too, so you should never have to deal with an expired certificate again.
MailStore Server version 12 (and also the Management Console in MailStore SPE) will alert administrators to any unsecured outbound connections to email servers or directory services.
This will help administrators spot unsecured traffic that could potentially expose login credentials.
MailStore Server and MailStore SPE instances can now also be launched in safe mode. This pauses the running of archive jobs while tests are performed and configuration errors are resolved.
With both MailStore Server and MailStore SPE, a secure connection is now established by default whenever the Outlook add-in is used. This approach also applies to Directory Services synchronisation, which ensures that secure protocols such as LDAP-TLS or IMAP-TLS are immediately available for new connections.
Simplified Archiving of Cloud Services with MailStore Gateway
In addition to the SMTP and POP3 proxy functions that the old MailStore Proxy provided, the new FREE MailStore Gateway service provides a simple email server that allows Journal email from cloud services such as Microsoft Office 365 and Google G Suite to be easily archived.
Previously, in order to archive Journaled email, an external 3rd party mailbox was needed, hosted on a separate domain. MailStore was then configured to collect from it. This mailbox could be hosted on your own on-premise mail server or in some cases with an external Internet Service Provider. This made the solution more complex and had security implications, as all this email was passing through other servers.
With the new MailStore Gateway, this approach is now a thing of the past. It allows you to easily configure a very specific Gateway mailbox address, hosted on your own server, that the journaling server sends all email to. The MailStore Gateway can be installed on the same server as MailStore Server or on a different server if preferred. The Gateway can also be configured to host multiple Journal mailboxes for multiple domains, which makes it ideally suited to the MailStore SPE product when archiving multiple Office 365 customer domains. MailStore Gateway also replaces the functions of the MailStore Proxy product, so it can provide SMTP and POP3 proxy services for those situations where this is still required.
Security by Design also applies to the Gateway
All emails stored in MailStore Gateway’s mailboxes are protected by strong hybrid encryption. Data cannot be decrypted without the correct mailbox password. For that reason, we strongly recommend that mailbox passwords are kept in a safe and secure location (an enterprise password manager can be useful in this case). Additionally, MailStore Gateway does not permit user names or passwords to be transferred via unencrypted connections. For this reason, servers to which connections are established via the proxy function must support implicit (SMTPS, POP3S) or explicit (SMTP+STARTTLS, POP3+STARTTLS) encryption.
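A pre-flight check for the proxy requirement above, as an added example that is not MailStore code: it classifies each upstream server as implicit TLS, explicit TLS or unencrypted from its port and its advertised capabilities (an SMTP EHLO reply or a POP3 CAPA reply). The host names and server replies are constructed samples, and treating ports 465 and 995 as implicit TLS is an assumption based on the standard port assignments.

```python
# Added example: check upstream servers against the Gateway proxy requirement
# (implicit or explicit TLS). Hosts and replies below are constructed samples.
IMPLICIT_TLS_PORTS = {"smtp": 465, "pop3": 995}  # assumption: standard ports

def smtp_offers_starttls(ehlo_reply):
    """True if an SMTP EHLO reply advertises the STARTTLS extension."""
    lines = [l.strip() for l in ehlo_reply.splitlines() if l.strip()]
    for line in lines[1:]:                  # first line is the server greeting
        if line[:3] == "250" and line[3:4] in ("-", " "):
            words = line[4:].split()
            if words and words[0].upper() == "STARTTLS":
                return True
    return False

def pop3_offers_stls(capa_reply):
    """True if a POP3 CAPA reply lists the STLS capability."""
    lines = [l.strip() for l in capa_reply.splitlines() if l.strip()]
    if not lines or not lines[0].upper().startswith("+OK"):
        return False
    for line in lines[1:]:
        if line == ".":                     # end of the capability list
            break
        if line.split()[0].upper() == "STLS":
            return True
    return False

def classify(protocol, port, capability_reply=""):
    """Return 'implicit', 'explicit' or 'unencrypted' for one upstream server."""
    if port == IMPLICIT_TLS_PORTS[protocol]:
        return "implicit"
    offers = smtp_offers_starttls if protocol == "smtp" else pop3_offers_stls
    return "explicit" if offers(capability_reply) else "unencrypted"

def unusable_targets(targets):
    """Hosts that offer neither implicit nor explicit TLS."""
    return [host for proto, host, port, reply in targets
            if classify(proto, port, reply) == "unencrypted"]

SAMPLE_TARGETS = [  # constructed: (protocol, host, port, capability reply)
    ("smtp", "mail.example.test", 465, ""),
    ("smtp", "relay.example.test", 587,
     "250-relay.example.test\n250-SIZE 35882577\n250-STARTTLS\n250 8BITMIME"),
    ("smtp", "legacy.example.test", 25, "250-legacy.example.test\n250 HELP"),
    ("pop3", "pop.example.test", 110, "+OK Capability list follows\nTOP\nSTLS\n."),
    ("pop3", "oldpop.example.test", 110, "+OK\nTOP\nUSER\n."),
]

if __name__ == "__main__":
    for proto, host, port, reply in SAMPLE_TARGETS:
        print(f"{host}:{port} ({proto}) -> {classify(proto, port, reply)}")
```

Servers reported as unencrypted need TLS enabled on the mail server side before they can be used through the proxy function.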
MailStore Gateway’s Management Console can be accessed by common browsers such as Microsoft Edge, Microsoft IE 10+, Google Chrome or Mozilla Firefox.
- MailStore SPE administrators receive a message if a license fails to update
- MailStore integrated users can now opt out of (i.e. deactivate) the password policies in MailStore Server. Users can choose to adopt less secure passwords. However, this is something we would not recommend; where possible, retain the password policies for added security.
- When using Web Access from MailStore Server and MailStore SPE the browser’s language setting is detected automatically
- MailStore Server and MailStore SPE now officially support Microsoft Windows Server 2019.