Several suggestions for Runbox's security and performance

Hello! It seems it could be better if Runbox implemented the following tips:

  1. Enable support for TLS 1.3 on both the mail servers and the web servers. This protocol is already supported in GnuTLS and OpenSSL. The protocol could reduce the performance impact of traffic encryption on the servers. Also, OCSP stapling could improve performance.

  2. Runbox has already implemented the HSTS policy, but it can be improved by turning it on for all of Runbox’s subdomains (includeSubDomains). Because of that, Runbox’s website currently can’t be submitted for HTTPS preloading in all major web browsers. Turning on the includeSubDomains policy would make it eligible to be preloaded in all web browsers. See this

1 Like

  1. Runbox doesn’t verify MX certificates even if DANE is present on the MX servers.

  2. Runbox doesn’t verify and apply DMARC policies. Also, it would be helpful for admins if Runbox implemented DMARC reporting.

  3. Runbox uses the Exim 4.86_2 MTA, which is outdated and prone to several severe security vulnerabilities called 21Nails. Ten of these vulnerabilities can be exploited remotely. More info here

  4. It would be beneficial if Runbox implemented the Authenticated Received Chain (ARC, RFC 8617), which preserves email authentication results across subsequent intermediaries that may modify the message and would otherwise cause email authentication measures to fail to verify when the message reaches its final destination.

  5. I don’t think that Runbox’s servers fetch and check MTA-STS policies, so it would also be beneficial to support MTA-STS, and TLS-RPT as a reporting mechanism.

1 Like
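As an added example (not code from the thread or from Runbox), this is how a sending MTA would interpret a fetched MTA-STS policy (RFC 8461) as described in point 5 above: parse the policy, match the MX hosts found in DNS against its mx entries (including the single-label wildcard), and decide which hosts may receive mail in enforce mode. The policy text, domain and MX hostnames are constructed, and the `_mta-sts` TXT lookup and HTTPS fetch of the policy file are assumed to have already happened.

```python
from typing import List

# Constructed sample policy in the format served at
# https://mta-sts.<domain>/.well-known/mta-sts.txt (hypothetical domain).
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail1.example.com
mx: *.backup.example.com
max_age: 604800
"""


def parse_policy(text: str) -> dict:
    """Parse an MTA-STS policy file into a dict; 'mx' collects every mx line."""
    policy: dict = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported or missing version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid mode")
    if "max_age" not in policy:
        raise ValueError("missing max_age")
    policy["max_age"] = int(policy["max_age"])
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 section 4.1: a leading '*.' matches exactly one DNS label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return host == pattern


def evaluate(policy_text: str, dns_mx_hosts: List[str]) -> dict:
    """Decide, per MX host from DNS, whether delivery is permitted under the policy."""
    policy = parse_policy(policy_text)
    allowed = {h: any(mx_matches(p, h) for p in policy["mx"]) for h in dns_mx_hosts}
    # In enforce mode an unlisted MX must not receive mail; in testing mode the
    # mismatch is only reported (for example via TLS-RPT, RFC 8460).
    deliverable = [h for h, ok in allowed.items() if ok or policy["mode"] != "enforce"]
    return {"mode": policy["mode"], "allowed": allowed, "deliverable": deliverable}
```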

Our servers are fully patched for these vulnerabilities. The version number on its own isn’t relevant.

The other suggestions are ones we are aware of and will be looking at as time and resources allow. We do appreciate the suggestions, though, as it means we are already thinking along the same lines :slight_smile:

That’s a huge relief! Thank you for your answer, Dave, as always! :slight_smile:

Two years have passed - nothing has changed. Runbox also doesn’t respect the SPF, DKIM and DMARC policies of other domains. Runbox scores 0/10 on a simple spoofing test. I’m closing my account and moving forward.