Enhanced Security: ExchangeDefender Now Supports Custom Authenticator Apps for MFA!
ExchangeDefender has recently enhanced our MFA features (multi-factor authentication) to help you enforce domain-level MFA compliance and to make it easier for users to be enrolled and protected by a layered authentication process automatically.
Simply put, we’re making it easier for you to keep everyone protected.
Today we are announcing ExchangeDefender MFA support for custom authenticator apps. By now everyone is familiar with our typical MFA functionality, available under your Settings at https://admin.exchangedefender.com. Just scan the QR code on your device and you’re set!
BUT WHAT IF YOUR DEVICE DOESN’T HAVE A CAMERA?
ExchangeDefender now supports MFA app enrollment using a QR code. This is great for scenarios in which:
– You don’t have a camera on your device
– The QR code doesn’t seem to scan (problems with the camera or monitor)
– You want to use a text-based MFA app
– You want to integrate PowerShell/no-code with MFA
– You want to share your MFA codes with others
If you’re in one of those scenarios, note the text under the QR code when you start the enrollment:
Click on the “Can’t scan? Show code” link and you’ll get the TOTP secret (aka secret code, MFA code). Paste it into your solution and paste back the 6-digit code it generates. That’s it, you’re done. MFA is now enforced and ExchangeDefender will rely on the codes generated by your app to validate MFA and grant access to your account.
All our features come from user feedback so if there is something we need to be doing to keep you more secure please let us know!
Enhanced MFA Enforcement Policy: Strengthening ExchangeDefender Security Measures
For years, ExchangeDefender users have enjoyed enhanced login security via multi-factor authentication security (aka MFA, 2FA, OTP). In our March feature update, we hope to improve your security and enhance MFA enrollment to keep you and your data safe. Allow us to introduce to you the new MFA Enforcement Policy!
Note from the boss: Before we get to any discussion of policies, our official recommendation is to enforce MFA on every service we provide and to rotate passwords at least once a quarter. I know, nobody likes the second validation prompt but this is a standard in the industry and I can’t think of a bank or a vendor that doesn’t require it. Maybe I’m jaded because we’re a cybersecurity company.. and with all the layers of MFA/VPN/auth we have in place I spend an insane amount of time trying to find my key or wait for the new pin to display in my authentication app. Because when I interact with a vendor that holds my information and they have no login security.. all I can wonder is what else they’re not doing to keep my data safe? Is this a real business or some WordPress plugin?
At the same time, I understand we have a ton of customers in SMB space where sometimes (obnoxious) tech can be slow and difficult to implement. But you pay us to keep you safe – and to keep your backups safe, and to keep your business continuity safe, and to do that we absolutely must require MFA. But we also can’t expect staff who have clicked on a Release/Trust link for over a decade to be cool with suddenly being forced into MFA enforcement workflow on Monday. So we designed a compromise. I hope it fits your organization and I hope you adopt it as fast as possible.
Sincerely,
–Vlad Mazek, CEO Own Web Now Corp.
In March 2024 you will have the ability to enforce or require MFA enrollment at the domain level. What this means is that you’ll be able to require MFA enrollment with an authenticator app for everyone with just one click at https://admin.exchangedefender.com:
With this policy, you can secure your users’ login with multi-factor authentication without making them enroll a device.
How does it work?
When your users go to admin.exchangedefender.com and attempt to access Inbox, WFS, or LiveArchive we will check their MFA enrollment and if none is found we’ll just tell them we have to verify their identity:
When they check their mailbox they’ll see an email from ExchangeDefender and just provide the code back.
This way your ExchangeDefender login is technically secured at ExchangeDefender with MFA even if you haven’t enrolled a device in MFA yet. There is no way to get into the secure areas of your account without enrolling into MFA. But what if someone guessed the password, they can just enroll a device and hijack the account, right? No.
When you set MFA Enforcement to Required/Forced, all your users are automatically set into an MFA mode that relies on their email address for secondary verification. When they visit admin.exchangedefender.com for the first time and provide their username and password the system will check their MFA enrollment and if email MFA is detected the system will send them an email with a verification code to proceed. This way we’re using the email MFA as a way to verify their identity and then we enroll their authenticator app as usual by scanning the QR code.
ExchangeDefender Quarantine Reports behavior will not change at all as a result of the change in the MFA Enforcement policy. ExchangeDefender Quarantine Reports do not rely on the login system at all as the user is never prompted to authenticate to trigger the release of the message. Instead, quarantine operations are tokenized and one “release” request does not automatically grant any other release or trust requests with the same token. It also doesn’t automatically log them into ExchangeDefender so there is no getting by the MFA!
Secure your logins now
It’s 2024 and the world has changed when it comes to authentication and identity when dealing with services online. Experiencing a cybersecurity threat or compromise is an incredibly expensive and frustrating experience that can easily be avoided by requiring an ID check before granting access to sensitive information. ExchangeDefender MFA Enforcement Policy is your way of protecting your organization from unauthorized and unverified access.
Improved SPAM Release Security: Quick Release
ExchangeDefender is giving users more power to lock down their valuable data. Now that ExchangeDefender handles business continuity and backups for M365/Gmail tenants there is even more information in ExchangeDefender that demands more flexibility with security policies. First, let’s talk about the upcoming feature that allows you to lock down your ExchangeDefender SPAM Quarantine Report activity.
Bit of background: ExchangeDefender Quarantine Reports are an immensely popular ExchangeDefender feature (coming up for an upgrade this spring btw!) that sends users a list of quarantined messages with a set schedule. Users tend to rarely look in Junk Items or review SPAM unless they are waiting for something so this is a cool feature that our users just love. Scroll down the list of quarantined messages and release or trust just by tapping the link. Super convenient, but does it meet your security requirements?
ExchangeDefender Quick Release feature now enables you to choose between convenience and a more secure release process. For many organizations, having the message released or get added to trusted senders with just a click is a huge time saver and user convenience. But if your Microsoft M365 / Gmail account gets compromised (which happens ALL the time) or you deploy a new security/business/CRM (mostly AI stuff) that scans links then this “convenience” can turn into an Inbox packed with SPAM messages that some hacker/service inadvertently released.
If this happens to you, know that ExchangeDefender can help with the “Secure Release” setting. By enforcing Secure Release, when the user clicks to release or trust a message they will be prompted to authenticate before they can release/trust the message. This way, if you get hacked or install link scanning/crawling software in your tenant, the attacker or crawler will not be able to access the messages without a password.
Now please, go set up your favorite authenticator app with ExchangeDefender MFA (next up, you can set it to be mandatory/required).
How To Get LiveArchive Web UI
By now we hope everyone who needs a backup has started it via ExchangeDefender LiveArchive and as previously mentioned we’ve got a huge new feature to show off this Wednesday:
During this event, we will discuss the ExchangeDefender LiveArchive Web UI, the open-source eDiscovery platform for your LiveArchive email backups. This stack can be hosted anywhere, even on your PC as in the example below. With database services holding metadata and the location of the email message on S3 storage, the LiveArchive user interface is very similar to webmail platforms. We even have themes that are inspired by GMail and M365 platforms so users can access their backups in the interface that feels similar to the one they are familiar with.
We know a lot of our partners and clients like to tinker, so if you like to get ahead here is a sample docker-compose.yml you can use to launch LiveArchive Web UI right now (production branch):
services:
  app:
    image: public.ecr.aws/y9g1h8n8/exchangedefender/livearchive:latest
    # Lets the container reach services running on the Docker host
    extra_hosts:
      - 'host.docker.internal:host-gateway'
    # Host port defaults to 80 when APP_PORT is not set
    ports:
      - '${APP_PORT:-80}:80'
    volumes:
      - livearchive-config:/app/storage/app/settings
      - livearchive-loadbalancer:/data
    environment:
      LIVEARCHIVE_PERSISTENCE: browser
    networks:
      - livearchive
volumes:
  livearchive-config:
  livearchive-loadbalancer:
networks:
  livearchive:
    driver: bridge

Then simply point your browser to the container or, if you’re running it on your PC, to http://localhost
That should give you everything you need to access LiveArchive backups with a modern and responsive eDiscovery frontend you own – we should discuss more details about deployment, different cloud hosting options, best practices, and different ways you can use LiveArchive Web UI. This should be plenty to get you started and get your questions ready for the live webinar this Wednesday, February 7th, and we look forward to seeing you there.
P.S. If you’re looking for old LiveArchive business continuity features, they are now a part of ExchangeDefender Inbox! Dive into the new world of ExchangeDefender Inbox, our smartest, most advanced email outage protection. Unlock insights on top features and highlights with our new brochure!
Getting Ready for LiveArchive UI – What You Need to Know!
ExchangeDefender will be launching the LiveArchive Web UI during our webinar next week and we are looking forward to showing you how to launch it with a single command! In the meantime, this blog post is intended to give you a heads-up about the requirements and functionality so you can make design decisions.
Docker & Design
In a recent post, we discussed why MariaDB/RDS is required for the LiveArchive Web UI: it’s where we store the message metadata such as sender/recipient/subject/etc. These elements drive the UI and enable users to locate messages, search, and complete eDiscovery and email recovery tasks.
ExchangeDefender has organized the entire LiveArchive Web UI into a single container that can run on your own docker on a workstation or NAS in your office, across a wide variety of virtualization products and services, as well as public cloud like Amazon Web Services and Microsoft Azure. This makes ExchangeDefender Web UI easy to update, easy to manage, and easy to tweak to your requirements.
There are two ways to configure and start the container: preconfigured with environment variables or on-demand browser configuration. If you start the container without the environment defined you will be presented with a web configuration wizard that will prompt for S3 and RDS credentials. If this is the first time you’re deploying LiveArchive Web UI or just want to test it, this is the best way. Once you close your browser all the configuration vanishes and nobody else has access to your mail.
After you’ve configured everything to your liking and are looking to put the service into production, place the appropriate information in the container environment variables, and the container will always launch in production mode and bypass the wizard configuration.
Authentication
ExchangeDefender Web UI was designed to facilitate your email backup and eDiscovery needs. Our experience in compliance archiving and long-term email archiving has allowed us to work with countless organizations and one thing they all have in common is that they all have their own unique access and control needs.
ExchangeDefender Web UI by default presents all the available mailboxes and each email address has its own path. Using this predictable data storage process your Web Application Firewall can easily be configured to include or exclude data by path alone.
We designed the solution so it can be launched quickly, accessed, and managed without a lot of technical skill, and so it can be quickly modified/optimized for production. LiveArchive offers a lot of solutions to modern email problems and the flexibility means you can run different LiveArchive Web UI for different personnel or different tasks.
Resources & Customization
ExchangeDefender Web UI is completely free and open source. This means you can download it, modify it, and use it freely.
It also means that the solution will live even after ExchangeDefender as an organization is gone. You will not find any references or callbacks to our network and all the protocols are fully documented. This enables you to truly craft a failover email solution that can be completely disconnected from the Internet and placed into cold storage / safe.
Resource-wise the container is a little more than a web server and you can run hundreds of users with even the minimal 1 cpu / 1gb ram. This is possible because the SQL workload and data storage are handled by other services.
We hope you’re as excited about the launch as we are. Please join us for the webinar to see how it’s done and we’ll even help you set yours up right after the event! Just think of a good subdomain to point to your new LiveArchive backup platform.
‘LiveArchive Web UI’ Launch Webinar – Join Now!
The new ExchangeDefender LiveArchive has been delighting our clients for months and we’ve got a surprise for you coming in February with a huge new feature pack we can’t wait to show you:
ExchangeDefender LiveArchive Web UI is the free, open-source, host-anywhere platform that will make it easy to access and perform eDiscovery tasks with your LiveArchive backups. Instead of just staring at a directory in S3, you can have a beautiful interface to quickly locate, view, and export messages. You can host it anywhere that offers container hosting or on your PC, you have the entire source code that’s free forever that you can customize and build on, and it’s free!
We’ve even rolled out similar user interface elements so that the experience will feel familiar to users of Microsoft M365 or Google Gmail:
During the launch webinar, we will go over the features, execute a full deployment so you can see how easy and quick the process is, and go over the security best practices. In less than an hour, you will have all the expertise needed to position, price, deploy, and manage the entire LiveArchive backup system.
Unlocking the Power of LiveArchive: Exploring the Need for RDS/DB Integration
We’ve had a busy December rolling out LiveArchive with our partners and one of the most common questions that comes up is:
“Do I really need RDS/MariaDB/database service for LiveArchive? Can’t I get away with just S3 if we’re only using it for backup?”
The technical answers to this are “no” and “yes”, respectively. Unfortunately, in the real world both those answers are wrong. Allow us to explain:
ExchangeDefender LiveArchive relies on S3 object storage to store emails which is why it’s required for the service. ExchangeDefender does not require the RDS/MariaDB/database service for deployment – we will still perform the same backup of messages to object storage and place all emails into the appropriate user@domain.com folder. You can still download .eml files and open them with no issues in Outlook and other popular email clients.
Problem:
Unless you know the exact message ID of the email you’re looking for, you’ll have to download the entire user@domain.com directory and use a text search to locate it.
Solution:
Add RDS to LiveArchive so your archive looks more like this:
ExchangeDefender LiveArchive uses database services (choice of RDS, MariaDB, MySQL) to store message metadata which contains important message information such as message sender, recipient, subject, and attachments. That metadata is what our ExchangeDefender Web UI relies on to give you a friendly interface to access, search, export, and locate messages quickly in a friendly web interface. ExchangeDefender LiveArchive UI also enables you to filter your message view so you can do eDiscovery: enabling you to limit your search by sender, subject, and date.
We understand why some IT staff would want to do the bare minimum – the market, “nobody is buying stuff”, the complexity, nobody is ever going to look at it – and we hope that the explanation of how database services are used gives you the initiative to deploy RDS. It’s practically free (or totally free if you run it on your hardware) and it will greatly improve your performance, reduce time to recovery, and make it possible to quickly delegate eDiscovery or move data in a format that is open, documented, and will likely be around for decades. Not even tape can claim that!
ExchangeDefender’s Top Solutions of 2023: Safeguarding Your Email Ecosystem
In the dynamic landscape of digital communication, having a robust and reliable email management system is crucial for businesses and individuals alike. ExchangeDefender, a leader in email security solutions, offers a suite of cutting-edge products designed to ensure seamless communication, data protection, and business continuity. Let’s delve into some of ExchangeDefender’s most popular solutions in 2023.
#1 – ExchangeDefender Inbox: Your Email’s Safety Net
ExchangeDefender Inbox is a modern and secure email platform that serves as a backup plan for your primary email systems, such as Outlook and Gmail. When faced with email outages, technical difficulties, or delivery issues, Inbox ensures uninterrupted communication by actively creating copies of your emails.
Inbox operates independently of your email hosting. If your primary email service experiences downtime, you can seamlessly switch to ExchangeDefender Inbox to send and receive emails in real-time. This innovative feature provides a safety net, ensuring you stay connected even during service outages.
#2 – ExchangeDefender Bypass: Overcoming Email Roadblocks
ExchangeDefender Bypass is a game-changer in overcoming email roadblocks. It offers a disposable email address service that delivers emails despite outages, blacklists, throttling, or other IT problems. With the ability to set up and delete addresses at any time, Bypass provides a free, simple, private, and secure solution for uninterrupted email flow.
Key Features:
- Masking your entire address and domain for enhanced privacy.
- Emails sent to Bypass addresses bypass typical security restrictions.
- Subject modification for easy identification of external messages.
#3 — ExchangeDefender Encryption: Simple and Secure Data Protection
Easy-to-Use Encryption
ExchangeDefender Encryption provides a simple yet powerful solution for encrypting emails and sharing documents securely. With auto-detection of sensitive data and real-time reporting, this on-demand encryption software is both user-friendly and affordable for small businesses.
Key Benefits:
- Regulatory compliance and enhanced business practices.
- Secure messaging via email, URL, or SMS.
- Detailed reporting on when an email is read.
#4 — ExchangeDefender PRO: Total Email Security for Business
Email Protection at Its Best
ExchangeDefender PRO is an advanced email security suite designed to safeguard your business against a wide range of threats, including SPAM, malware, phishing, spoofing, ransomware, and spyware. With 24/7 protection and new quarantine reports, ExchangeDefender PRO offers deeper insights into email management and security, empowering informed decision-making.
New Feature: Simplified Security Configuration
The introduction of the Default Domain Security Policy Wizard streamlines the configuration of essential security policies, making it user-friendly and efficient. Navigating the complexities of security policies becomes a breeze with this innovative tool, ensuring a safer digital environment for your business.
#5 — LiveArchive: Long-Term Email Archiving and Backup
Peace of Mind for Critical Data
LiveArchive.next is ExchangeDefender’s next-gen solution for long-term email archiving and backup. Designed to address the unique challenges faced by clients in 2023, LiveArchive.next ensures access to critical data even in worst-case scenarios, such as account wipes, crypto locks, or business closures.
Key Features:
- Live backup of all inbound and outbound messages.
- Email backups are stored on industry-standard S3 data object storage.
- Client-owned backups with customizable data retention.
ExchangeDefender’s suite of solutions goes beyond conventional email management, offering a comprehensive approach to security, continuity, and privacy. In an era where digital communication is paramount, these tools empower businesses and individuals to navigate the challenges of the modern email landscape with confidence and ease.
LiveArchive Onboarding
ExchangeDefender LiveArchive has gotten a massive refresh for 2024 to help our users get a better email backup & archiving solution that fits their needs. We are helping our partners and clients deploy the new LiveArchive solution stack and export data so here are some best practices and suggestions if you’re waiting for your deployment window or choose to DIY it.
Overview
If you already have a plan, roll it out right now! Documentation and step-by-step guide is available here: https://exchangedefender.com/docs/livearchive-cloud-backend
If you’re deploying this for someone else, here is a quick executive overview of the features you might want to bring up and explain to the decision-maker:
– Archiving solution in which you control and own the backend (no vendor lock-in)
– Archives corporate email from a journal mbox on M365
– No size limitation for archived messages
– No limit for attachments
– Integrates with cloud (Gmail/O365/etc) or on-prem
– Encrypted storage of archive emails and attachments
– One-time setup, no need to maintain a user list
– Filter archive emails on a per-domain basis
– Enable archive rules in S3 to enable pruning of archive messages
– Quickly download the entire mailbox for any user
– Downloaded mailboxes can be imported into Outlook/O365/imap/maildir etc
In a nutshell, it’s an archiving solution for email that integrates with all popular email and cloud services, is affordable to operate, and relies on open-source solutions with an excellent track record that can enable you to create a backup strategy that fits your needs. There are tons of providers and hardware/software platforms that you can use as the backend depending on the complexity of retention policies.
Choose your cloud service
ExchangeDefender LiveArchive backend is powered by an open source stack of MariaDB (open source version of Oracle MySQL) and S3 (open source object storage). They are available from public cloud companies as hosted services (example: Amazon Web Services RDS) as well as containers that can be deployed on a wide variety of cloud solutions (Azure, AWS, Linode, Dreamcloud), virtualized locally, even on consumer-level NAS appliances (example: QNAP).
In terms of functionality, LiveArchive has the same features regardless of where the backend is hosted.
The choice is mostly between convenience and flexibility. You will have the most convenience deploying LiveArchive with Amazon AWS but you can build a more flexible or more affordable solution as well. You will have the most control over your data if you store it on a local NAS or server but that comes at the expense of maintenance and management of the backend hardware/software stack. You should find a provider that can reliably host the open source stack, offer you support if you ever have an issue with the account, and most importantly provide a reliable high-speed connection for you to restore your data with someday.
Choose your access & recovery strategy
ExchangeDefender LiveArchive can function in minimal mode with just access to S3 bucket to store messages. This is the most affordable and most efficient way to archive messages, but without message metadata, all you’ll have is user@domain.com directories and any eDiscovery/search/recovery would require you to run a full-text search on the entire directory. If you are primarily concerned about the cost and are only backing up email for CYA purposes in the event of a disaster, this might be a viable option.
ExchangeDefender recommends deploying LiveArchive with MariaDB/AWS RDS service enabled. Doing so will enable LiveArchive to log your messages to a SQL database that is used by LiveArchive Web UI to access and recover messages. Deploying Web UI with MariaDB enables you to deliver the same LiveArchive service we have delivered for decades, but with you fully owning the entire archiving solution end to end on a proven and reliable open-source platform.
Your choice of access will dictate your recovery strategy. Minimalist/CYA approach to archiving will enable you to restore and search entire mailboxes. Adding LiveArchive Web UI and MariaDB makes the entire solution more user-friendly.
Confirm that you can access your cloud services remotely
ExchangeDefender LiveArchive onboarding calendar for 2023 is nearly full so to make sure your deployment goes smoothly make sure you can access your S3 and RDS resources remotely. Our documentation will help you set the whole thing up but please pay particular attention to confirming remote connectivity. If you can’t reach the S3 or SQL from Starbucks Wifi odds are great that LiveArchive won’t be able to either so please make sure you can access all the buckets, that you can create and drop tables in SQL, etc. We look forward to getting your next-gen archiving solution up and running!
Preparing for LiveArchive Retirement
As mentioned on our recent webinars and blog posts, LiveArchive has worked very hard for us for decades and it’s time for it to go to Florida and retire.
The new kid on the block – ExchangeDefender Inbox – has been running our clients’ business continuity for over a year and it’s proven to be more efficient and popular than LiveArchive. Just log in to your account (https://admin.exchangedefender.com) or use passwordless login and click on Inbox. You’ll have the last two weeks of email waiting for you there and you can send/receive while your email server/mailbox/or whatever is down or under maintenance.
Longer Term Archiving
While Inbox will take care of our clients’ email needs when their email is having issues, many of you need long-term archiving. If LiveArchive was ever power-used it would be in the realm of data recovery after a disaster, cryptolocker, or other threat destroyed the client’s email infrastructure. For those of you who are aware of the risk, there will be a need for archiving to go way beyond two weeks – even years. This is what the new LiveArchive will start doing for you on January 1st, 2024!
First, let’s get ready for the retirement of the current LiveArchive – the service will shut off on December 31st, 2023 at which point all data including backups and configurations will be removed from our network. This means that if you wish to keep current LiveArchive contents the migration request must be put in as a ticket at our support site at https://support.exchangedefender.com. Simply open a ticket with the subject “LiveArchive Migration” and provide the domain names you wish to migrate and the S3/RDS login credentials by December 1st, 2023. As promised on the webinar, we are offering this migration free of charge to our clients and partners but you need to get in the line by December 1st and have your AWS S3/RDS or self-hosted setup completed.
Second, if you need any help with AWS S3/RDS or if you’d like assistance with deploying this solution in your home office or data center, we got you too. If you need help and get in touch with us by December 1st, we’ll take care of it for you. It’s super simple, takes about 5 minutes total, and is extensively documented – but we love our clients and if you want an extra pair of hands we can help you. After December 1st (and depending on availability) we will take care of the setup for a one-time fee of $499 for AWS or $999 for self-hosted.
Future of LiveArchive
We look forward to this middle tier that every organization that relies on email to run their business needs. For business continuity, Inbox will give you access to email anywhere, anytime. For backups and long-term retention across various clouds and storage options, LiveArchive will take care of archiving your data. For additional assurance and best-in-class storage that meets complex compliance and insurance requirements, ComplianceArchive is your eDiscovery and compliance archiving solution. Simply put no matter how critical email is to your organization we’ve got a solution that fits your problems and your budget.