Is Mail-in-a-Box secure enough for me?

Hi, I would just like to say that I’ve been following the Mail-in-a-Box project for around a year now. I’ve been testing it out for the past month or so, and I finally think it’s time to go with it.

I need to up my email security and decided the best thing is to host my own email server. This should get rid of social engineering attacks, and all the stress that third-party email hosters have caused me. I describe myself as a high-risk user that needs maximum security due to having a large volume of Crypto Currency. My exchange accounts are all tied to my email accounts, and I’m afraid that one day my email will get compromised and a hacker will be able to drain my accounts.

I take security very seriously and try to do things the best and most secure way possible. I access my emails using my mobile devices only. The only devices that ever touch my email accounts are my BlackBerry Priv and my Vertu Touch.

I use the best security practices that are given on websites that offer them. I always use 2fa, and I opt for GA/Authy codes instead of SMS/Call due to Social Engineering attacks.

I feel my weakest point in my security is my email accounts due to 3rd party email hosting. I’ve used Zoho, Hushmail, and FastMail email hosting. I had problems with Zoho as they let a malicious user reset my email password, which caused me a lot of stress; thankfully not much was touched due to all of my logins for websites requiring 2fa. I would like to point out that 2fa is a life saver; I recommend everyone to use 2fa.

I would like your honest opinions regarding my situation. Is Mail-in-the-Box a good option for me? With the following security measures:

  1. Domain just for email purposes with activated 2fa at the domain registrar.
  2a. Bare Metal Server hosted by SoftLayer
  2b. Cloud Server by DO with 2fa activated.

(All of the servers would of course be dedicated just to Mail-in-the-Box)

  3. Mail-in-the-Box with all the recommended security practices.

Thank you for your time, and I would like your honest opinions.

If you think you’re a likely target of an active attack, I wouldn’t say Mail-in-a-Box is necessarily any better than other options, primarily for three reasons:

  • 2FA isn’t implemented yet.
  • The attack surface is fairly wide because of all of the web services (admin panel, webmail, owncloud, zpush), although these could be blocked at the firewall level.
  • We haven’t done an audit of whether the box properly guards against brute force attacks on all services… or really any proper security audit.

That’s not to say it’s worse. But you are trading some issues for other issues.

Hi,
Just to tell you that if I needed a lot of privacy I wouldn’t go with DO - but maybe with my own dedicated server (check out Kimsufi), or in a Swiss Army secure cloud: exoscale.ch - it’s a little bit more expensive than DO but I think that it’s safer.

For the software part, Josh answered you! :smile: