Group: netwin.surgemail
From: Frank Bulk <fbulk@mypremieronline.com>
Subject: [SurgeMail List] securityheaders.io
Date: Thu, 13 Apr 2017 04:15:54 +0000

I just became aware of this new “security checking” site, and I see that our webmail doesn’t score so well:

https://securityheaders.io/?q=webmail.premieronline.net

Is there some low-hanging fruit that Netwin can add to improve the default webmail site’s security?

Frank


From: "Neil Herber (nospam)" <nospam@eton.ca>
Date: Thu, 13 Apr 2017 13:12:38 -0400

I am not an expert by any means, but I can see one problem: you are
serving the login page over http and not https. This potentially exposes
any of the form data to sniffing.

Compare to my site:

https://secure.eton.ca/surgeweb

I am not sure I would agree with your "security checking site" either.
Qualys gives you an "A" SSL report:

https://www.ssllabs.com/ssltest/analyze.html?d=webmail.premieronline.net

AFAIK, Qualys ONLY checks an https connection.

Your server has both http and https open. My SurgeWeb server runs behind
an Apache proxy where I have set up a redirect to force http to https.
(Try http://secure.eton.ca/surgeweb to see it switch.)

There should be SurgeMail settings that will force logins over https,
but NetWin can give you those. (My proxy setup means I don't need to use
or know them.)

Neil


On 2017-04-13 12:15 AM, Frank Bulk wrote:
>
> I just became aware of this new “security checking” site, and I see
> that our webmail doesn’t score so well:
>
> https://securityheaders.io/?q=webmail.premieronline.net
>
> Is there some low-hanging fruit that Netwin can add to improve the
> default webmail site’s security?
>
> Frank
>

-- 
Neil Herber




From: Surgemail Support (Marijn) <surgemail-support@netwinsite.com>
Date: Sat, 15 Apr 2017 01:47:19 -0500

Thanks for the report. I'm pretty sure we are currently not using any 
of those headers; we will investigate and tweak / add settings as 
appropriate.

Marijn


On Thursday 13/04/2017 at 4:18 pm, surgemail-list@netwinsite.com 
wrote:
>
>
> I just became aware of this new “security checking” site, and I 
> see that our webmail doesn’t score so well:
> https://securityheaders.io/?q=webmail.premieronline.net
> Is there some low-hanging fruit that Netwin can add to improve the 
> default webmail site’s security?
> Frank





From: Surgemail Support (Marijn) <surgemail-support@netwinsite.com>
Date: Thu, 20 Apr 2017 05:04:55 -0500

What I believe to be the right selection of headers has been added for all of 
SurgeMail's web interfaces in SurgeMail version 7.2j-19+.
Made it as strict as I could while having existing interfaces continue 
to work.

Rating is now much better according to this site (A instead of F):
      https://securityheaders.io/?q=netwinsite.com%3A7080%2Fsurgeweb

Personally I'm not convinced how much more security it actually 
provides... Also, it is possible some emails may no longer show some 
external content they used to show. Let us know if you find this is 
the case and it causes trouble for you. Also, if you happen to be 
making use of services like Google advertising or Google Analytics in 
SurgeWeb etc., this may well be affected and need further tweaking of 
settings.

Let us know what platforms you need and I'll upload some builds 
tomorrow if you want to confirm this is working as expected for you.

Marijn


On Saturday 15/04/2017 at 6:47 pm, Surgemail Support (Marijn)  wrote:
>
>
> Thanks for the report. I'm pretty sure we are currently not using any 
> of those headers, we will investigate and tweak / add settings for as 
> appropriate.
>
> Marijn
>
>
> On Thursday 13/04/2017 at 4:18 pm, surgemail-list@netwinsite.com 
> wrote:
>>
>>
>> I just became aware of this new “security checking” site, and I 
>> see that our webmail doesn’t score so well:
>> https://securityheaders.io/?q=webmail.premieronline.net
>> Is there some low-hanging fruit that Netwin can add to improve the 
>> default webmail site’s security?
>> Frank
>
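
An added example, not SurgeMail's code and not securityheaders.io's own scoring rules, that checks the two things raised in this thread: Neil's http to https redirect in front of SurgeWeb, and the presence of the response headers securityheaders.io flags, including whether a strict Content-Security-Policy blocks the external images Marijn warns may stop showing. All responses, host names and policies below are constructed samples.

```python
"""Added example, not SurgeMail code and not securityheaders.io's own rules:
checks the http -> https redirect Neil describes and the response headers
securityheaders.io looks for, including the CSP side effect Marijn mentions.
All responses and host names below are constructed samples."""
from urllib.parse import urlsplit

# Headers securityheaders.io reported on in 2017; only presence is tested,
# since the site's weighting is not described in this thread (assumption).
SECURITY_HEADERS = ("strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options",
                    "referrer-policy", "x-xss-protection")

# Constructed: a port-80 answer still serving the login page over http.
HTTP_BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"

# Constructed: a port-80 answer from a proxy that forces https.
HTTP_AFTER = ("HTTP/1.1 301 Moved Permanently\r\n"
              "Location: https://webmail.example.net/surgeweb\r\n\r\n")

# Constructed: an https answer with the full header set and a CSP that only
# lets images come from the webmail host itself (external images blocked).
HTTPS_AFTER = ("HTTP/1.1 200 OK\r\n"
               "Content-Type: text/html\r\n"
               "Strict-Transport-Security: max-age=31536000\r\n"
               "Content-Security-Policy: default-src 'self'; img-src 'self' data:\r\n"
               "X-Frame-Options: SAMEORIGIN\r\n"
               "X-Content-Type-Options: nosniff\r\n"
               "Referrer-Policy: no-referrer\r\n"
               "X-XSS-Protection: 1; mode=block\r\n\r\n")


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, {lowercased name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_https_redirect(raw):
    """True when a plain-http response redirects to an https:// URL."""
    status, headers = parse_response(raw)
    if status not in (301, 302, 307, 308):
        return False
    return urlsplit(headers.get("location", "")).scheme == "https"


def missing_security_headers(raw):
    """Names from SECURITY_HEADERS that the response does not send."""
    _, headers = parse_response(raw)
    return [name for name in SECURITY_HEADERS if name not in headers]


def csp_allows_image(csp, image_url, page_origin):
    """Whether a page served from page_origin may load image_url under csp.
    Uses img-src (falling back to default-src) and the source forms a webmail
    policy typically uses: 'none', *, 'self', a bare scheme (https:, data:),
    a host, a *.host wildcard, or a full origin."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("img-src", directives.get("default-src", ["*"]))
    target, own = urlsplit(image_url), urlsplit(page_origin)
    for src in (s.lower() for s in sources):
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'":
            if (target.scheme, target.netloc) == (own.scheme, own.netloc):
                return True
        elif src.endswith(":"):  # bare scheme, e.g. https: or data:
            if target.scheme == src[:-1]:
                return True
        else:
            host = urlsplit(src if "://" in src else "//" + src)
            if host.scheme and host.scheme != target.scheme:
                continue
            if host.netloc == target.netloc or (
                    host.netloc.startswith("*.")
                    and target.netloc.endswith(host.netloc[1:])):
                return True
    return False
```

Running the three checks against the "before" and "after" samples shows the redirect missing and all six headers absent before, and the strict CSP afterwards refusing an image hosted off the webmail origin, which is the behaviour change Marijn describes.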





From: Frank Bulk <fbulk@mypremieronline.com>
Date: Wed, 10 May 2017 04:09:14 +0000



From: Surgemail Support (Marijn) <surgemail-support@netwinsite.com>
Date: Fri, 12 May 2017 06:45:20 -0500

The latest Linux builds in the specials directory are only a couple of 
days old and should be all good, I believe, wrt this issue:
      ftp://netwinsite.com/pub/surgemail/specials

Marijn


On Wednesday 10/05/2017 at 4:10 pm, surgemail-list@netwinsite.com 
wrote:
>
>
> Thanks for doing this.  We’re willing to try – do you have amd64 
> linux build for us?
>
> Frank
>
>
>
> From: Surgemail Support [mailto:surgemail-support@netwinsite.com]
> Sent: Thursday, April 20, 2017 5:05 AM
> To: surgemail-list@netwinsite.com
> Subject: Re: [SurgeMail List] securityheaders.io
>
>
> What I believe to be the right selection of headers added for all of 
> surgemail's web interfaces in surgemail version:  7.2j-19+
>
> Made it as strict as I could while having existing interfaces continue 
> to work
>
>
>
> Rating is now much better according to this site (A instead of F):
>
>      https://securityheaders.io/?q=netwinsite.com%3A7080%2Fsurgeweb
>
>
>
> Personally I'm not convinced how much more security it actually 
> provides... Also, it is possible some emails may no longer show some 
> external content they used to show. Let  us know if you find this is 
> the case and it causes trouble for you. Also if you happen to be 
> making use of services like google advertising or google analytics in 
> surgeweb etc this may well be affected and need further tweaking of 
> settings.
>
>
>
> Let us know what platforms you need and I'll upload some builds 
> tomorrow if you want to confirm this is working as expected for you.
>
>
>
> Marijn
>
>
>
> On Saturday 15/04/2017 at 6:47 pm, Surgemail Support (Marijn) wrote:
>>
>>
>>
>> Thanks for the report. I'm pretty sure we are currently not using any 
>> of those headers, we will investigate and tweak / add settings for  as 
>> appropriate.
>>
>>
>>
>> Marijn
>>
>>
>>
>> On Thursday 13/04/2017 at 4:18 pm, surgemail-list@netwinsite.com 
>> wrote:
>>>
>>>
>>>
>>> I just became aware of this new “security checking” site, and I 
>>> see that our webmail doesn’t score so well:
>>> https://securityheaders.io/?q=webmail.premieronline.net
>>> Is there some low-hanging fruit that Netwin can add to improve the 
>>> default webmail site’s security?
>>> Frank
>>
>





From: Frank Bulk <fbulk@mypremieronline.com>
Date: Wed, 31 May 2017 20:49:08 +0000



From: Frank Bulk <fbulk@mypremieronline.com>
Date: Wed, 31 May 2017 21:17:30 +0000

Correct, we are not auto-redirecting today.

Frank

From: Neil Herber (nospam) [mailto:nospam@eton.ca]
Sent: Thursday, April 13, 2017 12:13 PM
To: surgemail-list@netwinsite.com
Subject: Re: [SurgeMail List] securityheaders.io


I am not an expert by any means, but I can see one problem: you are serving the login page over http and not https. This potentially exposes any of the form data to sniffing.

Compare to my site:

https://secure.eton.ca/surgeweb

I am not sure I would agree with your "security checking site" either. Qualys gives you an "A" SSL report:

https://www.ssllabs.com/ssltest/analyze.html?d=webmail.premieronline.net

AFAIK, Qualys ONLY checks an https connection.

Your server has both http and https open. My SurgeWeb server runs behind an Apache proxy where I have set up a redirect to force http to https. (Try http://secure.eton.ca/surgeweb to see it switch.)

There should be SurgeMail settings that will force logins over https, but NetWin can give you those. (My proxy setup means I don't need to use or know them.)

Neil

On 2017-04-13 12:15 AM, Frank Bulk wrote:

I just became aware of this new "security checking" site, and I see that our webmail doesn't score so well:

https://securityheaders.io/?q=webmail.premieronline.net

Is there some low-hanging fruit that Netwin can add to improve the default webmail site's security?

Frank

--

Neil Herber



From: Frank Bulk <fbulk@mypremieronline.com>
Date: Thu, 1 Jun 2017 14:47:50 +0000
