Security and Encryption
Data Security
- All data in S3 buckets uses server-side encryption with AWS Key Management Service (SSE-KMS).
- Separate buckets for mail storage, mail search index, temporary data, SMTP incoming and SMTP outgoing.
- 24h expiration for temporary data.
- Shared encryption keys for Starter plan, per organisation encryption keys for Pro plan and per user keys for the Ultimate plan.
- All data coming from external sources is validated against predefined regexes.
Data transfer encryption
- Client connections to the outgoing SMTP server use an SSL-encrypted connection.
- Client connections to the POP3 server use an SSL-encrypted connection.
- The incoming (email receiving) SMTP server starts unencrypted (for compatibility) and can negotiate a TLS connection for clients that support STARTTLS.
- Webmail enforces a redirect to HTTPS and uses Let's Encrypt SSL certificates.
Application implementation
- All platform-related operations happen within isolated AWS Lambda functions (fully serverless).
- Different environments run in different AWS accounts (dev environment separated from production).
- No engineering access to production; limited read-only operational access that does not include the data buckets.
- Time-limited (1 hour) production access sessions can be approved for exceptional reasons, and all session operations are recorded.
- All Lambda functions run in a VPC with internet access disabled *1.
- Permissions assigned to each Lambda function follow the least privilege principle.
- Dynamic access policies (assume role) are used to further restrict a user's access to its own data only (even when the bucket is shared) *2.
- Security tokens are stored in Secrets Manager with an access policy limited to the exact Lambda functions, and key rotation is enabled.
- Lambdas have write-only permission to CloudWatch Logs, and production logs are streamed to a different AWS account.
- Log retention is set to 400 days.
- No credentials logged.
- Failing operations have metric filters and alarms enabled.
- Unit tests and e2e testing are part of the CI/CD pipeline.
- Code quality and security scan reports.
- Minimal dependence on external libraries (e.g. Stripe).
*1. A few exceptions apply, e.g. loading remote email resources such as images.
*2. Except background tasks, as these operations are not linked to a user session.
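As an added example (not the service's own code), one way to express the per-user assume-role pattern from the list above: the Lambda handling a request builds a session policy scoped to the caller's prefix and passes it to sts:AssumeRole, so the temporary credentials cannot reach other users' objects even in a shared bucket. The bucket name, role ARN, prefix layout and user ids are assumptions, and policy_allows is a simplified local stand-in for IAM evaluation used to show the effect.

```python
import fnmatch
import json

# Constructed values (assumptions, not from the page): bucket, role ARN, user ids.
MAIL_BUCKET = "example-mail-storage"
MAILBOX_ROLE_ARN = "arn:aws:iam::123456789012:role/example-mailbox-access"


def user_session_policy(bucket, user_id):
    """Session policy handed to sts:AssumeRole: the temporary credentials can only
    reach this user's own prefix, even though the bucket itself is shared."""
    prefix = f"users/{user_id}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OwnObjectsOnly", "Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
            {"Sid": "ListOwnPrefixOnly", "Effect": "Allow",
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}",
             "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}}},
        ],
    }


def policy_allows(policy, action, resource, prefix=""):
    """Simplified local evaluation (Allow statements, StringLike on s3:prefix only;
    no Deny/NotAction) to show what the scoped session would and would not permit."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not fnmatch.fnmatchcase(resource, stmt["Resource"]):
            continue
        wanted = stmt.get("Condition", {}).get("StringLike", {}).get("s3:prefix", [])
        if wanted and not any(fnmatch.fnmatchcase(prefix, p) for p in wanted):
            continue  # key absent or outside the user's prefix: condition fails
        return True
    return False


def assume_mailbox_role(user_id):
    """Fetch short-lived credentials narrowed by the session policy (needs boto3 and
    AWS credentials; the role's own policy remains the outer permission bound)."""
    import boto3  # imported lazily so the module loads without boto3 installed
    resp = boto3.client("sts").assume_role(
        RoleArn=MAILBOX_ROLE_ARN, RoleSessionName=f"mailbox-{user_id}",
        Policy=json.dumps(user_session_policy(MAIL_BUCKET, user_id)), DurationSeconds=900)
    return resp["Credentials"]
```

A session policy can only narrow what the assumed role already allows, so the role policy for the shared bucket must itself stay tight; background tasks (footnote *2) that have no user session would use the role's policy directly.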
Webmail Security
- Own-domain SSL certificate via Let's Encrypt.
- Each mail domain's webmail has its own CloudFront distribution.
- Web Application Firewall (AWS WAF) is enabled for the Ultimate plan.
- All remote email contents are proxied via our servers and do not expose the client IP address.
- Common browser security headers are used (CSP, STS, etc.).
- Multi-factor authentication is available for the Pro plan and can be enforced for the Ultimate plan.
- Connection review and session length control (Pro and Ultimate).
- Geolocation access restriction (WAF only).
- No third-party tracking.
- No third-party vendor access to data.
- No sensitive data stored in localStorage.
- No sensitive data sent via the GET method.
- CORS and iframe embedding disabled.