EmailDiscussions.com  

Go Back   EmailDiscussions.com > Discussions about Email Services > Email Comments, Questions and Miscellaneous
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read
Stay in touch wirelessly

Email Comments, Questions and Miscellaneous Share your opinion of the email service you're using. Post general email questions and discussions that don't fit elsewhere.

Reply
 
Thread Tools
Old 4 May 2021, 10:31 PM   #31
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Hey Scott, and welcome to EMD!

I've been experimenting with this 2FA problem I have, it seems that it does work if I "X" out or close the webmail window, and then go to login again.

But if I log off from webmail, and go to login again, it always asks for the TOTP code.
FredOnline is offline   Reply With Quote
Old 6 May 2021, 07:49 PM   #32
alexu2007
Essential Contributor
 
Join Date: Aug 2007
Posts: 287
I signed up for an account and I am impressed so far.

There is an unique feature, not found in any other email providers, something like an automatic temporary identity:

I have an alias set up in routing section. Let's say I receive an email sent to this alias, and it's delivered to my main email address. From Roundcube, if I hit reply to this email, the "from" address is automatically changed with the alias address. I did not setup an identity with the alias address, but it seems that the webmail use the alias address as "from" address when I want to reply to that email.

It's something very useful and I am glad that it's working this way
alexu2007 is offline   Reply With Quote
Old 7 May 2021, 12:07 AM   #33
ScottPurelymail
Junior Member
 
Join Date: May 2021
Posts: 4
Quote:
Hey Scott, and welcome to EMD!

I've been experimenting with this 2FA problem I have, it seems that it does work if I "X" out or close the webmail window, and then go to login again.

But if I log off from webmail, and go to login again, it always asks for the TOTP code.
Oh! I see what you mean now- that docs section you quoted is confusing verbiage on our part. What it's supposed to mean is that the section on the management page only shows webmail logins (which if you don't explicitly log out tend to persist). The reason it's worded that way is because originally that documentation was only attached to the user management page, and I must've missed the context when it was split out.

I assumed most users would stay logged in (on a trusted device) or login/logout completely (on an untrusted device). Would a separate "trust this device" option for 2FA so you would need your password but not the 2FA be useful?

Quote:
I signed up for an account and I am impressed so far.

There is an unique feature, not found in any other email providers, something like an automatic temporary identity:

I have an alias set up in routing section. Let's say I receive an email sent to this alias, and it's delivered to my main email address. From Roundcube, if I hit reply to this email, the "from" address is automatically changed with the alias address. I did not setup an identity with the alias address, but it seems that the webmail use the alias address as "from" address when I want to reply to that email.

It's something very useful and I am glad that it's working this way
Glad you find it useful
I personally go through a lot of disposable aliases. Technically you can send email as any address you own, which includes everything under your domains.
ScottPurelymail is offline   Reply With Quote
Old 7 May 2021, 12:28 AM   #34
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Quote:
Originally Posted by ScottPurelymail View Post
Would a separate "trust this device" option for 2FA so you would need your password but not the 2FA be useful?
That is the way that I expected it would work, which is my experience with 2FA with other e-mail providers.

Please do consider a separate "trust this device" option.
FredOnline is offline   Reply With Quote
Old 7 May 2021, 05:41 PM   #35
JeremyNicoll
Essential Contributor
 
Join Date: Dec 2017
Location: Scotland
Posts: 483
Quote:
Originally Posted by ScottPurelymail View Post
I assumed most users would stay logged in (on a trusted device) or login/logout completely (on an untrusted device).
I suppose it depends on what someone classes as a trusted device?

I mean: I'd trust a home pc, using a wired internet connection, more than a public pc or one using a public wifi connection... but in none of these situations is it impossible that my pc could get stolen, or 'borrowed' for temporary use eg by a house guest I wouldn't want a stolen machine to let anyone else log into any service I use.
JeremyNicoll is offline   Reply With Quote
Old 7 May 2021, 08:18 PM   #36
TenFour
Master of the @
 
Join Date: Feb 2017
Location: USA
Posts: 1,683
Quote:
in none of these situations is it impossible that my pc could get stolen, or 'borrowed' for temporary use eg by a house guest I wouldn't want a stolen machine to let anyone else log into any service I use.
I never leave any computer unlocked when out of my immediate control or observation, even when it is at my home. Sure, if nobody else is here I'll go to the bathroom or something like that, but every computer is set to lock itself after a few minutes. One neat thing is with Chromebooks you can unlock them by having your unlocked phone nearby.
TenFour is offline   Reply With Quote
Old 8 May 2021, 06:42 PM   #37
rnkn
Member
 
Join Date: Nov 2013
Posts: 61
I don't understand why a person would want 2FA and then want a checkbox to bypass it. The strength of TOTP is in adding a time factor to the existing HMAC-SHA-1 one-time password. Those "remember this device" options reduce the security of this.

I think it's a mark of quality that Purelymail does not permit this.

(You can read RFC 6238 & 4226 for background on this.)
rnkn is offline   Reply With Quote
Old 21 May 2021, 11:50 PM   #38
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
DMARC Question

I have set a DMARC TXT record for a domain in the format:

Quote:
v=DMARC1; p=quarantine; rua=mailto:xxx@xxx.xxx; ruf=mailto:xxx@xxx.xxx; fo=1;
That appears to be working OK, however I've since noticed this in the Purelymail Admin Portal in Domains:

Quote:
DNS records are acceptable, however there were some warnings
No DMARC record found.
Scrolling down, there is mention of a CNAME record for DMARC:

Quote:
A DMARC record is optional but recommended. It makes DKIM and SPF more effective and allows us to notify you if your domain is the target of large spoofing efforts. This is again a CNAME record with a specific host, like DKIM.

CNAME _dmarc _dmarcroot.purelymail.com.
I haven't created a CNAME record as the DMARC TXT record appears to be working OK.

Am I missing something here?
FredOnline is offline   Reply With Quote
Old 22 May 2021, 12:06 AM   #39
ScottPurelymail
Junior Member
 
Join Date: May 2021
Posts: 4
Quote:
Originally Posted by FredOnline View Post
I have set a DMARC TXT record for a domain in the format:



That appears to be working OK, however I've since noticed this in the Purelymail Admin Portal in Domains:



Scrolling down, there is mention of a CNAME record for DMARC:



I haven't created a CNAME record as the DMARC TXT record appears to be working OK.

Am I missing something here?
So technically, we give out the DMARC/DKIM records as CNAMEs because we're allowed to and it makes management easier- if we need to update it for all customers, we can do that. The CNAME we give resolves to a TXT record.

It's fine to roll your own DMARC txt record, the DNS checker just won't recognize it. There's no action tied to it recognizing your DMARC record in particular.

Yours would read:
Quote:
v=DMARC1; p=quarantine; rua=mailto:xxx@xxx.xxx; ruf=mailto:xxx@xxx.xxx; fo=1;
Which would be slightly different from our, which reads:
Quote:
v=DMARC1; p=reject; rua=mailto:dmarc@purelymail.com; ruf=mailto:dmarc@purelymail.com
In particular we have p=reject (we advise other mail servers that a message which is neither SPF valid nor DKIM signed should be rejected as it did not come from us, as we sign every message with DKIM) where you have p=quarantine (other mail servers should treat it as suspicious).

(Also, we wouldn't get DMARC reports for your domain, which we do automatically check.)
ScottPurelymail is offline   Reply With Quote
Old 22 May 2021, 12:24 AM   #40
FredOnline
The "e" in e-mail
 
Join Date: Apr 2011
Location: Manchester UK
Posts: 2,616
Thanks for that quick response, Scott. Most appreciated.

If I were to create that CNAME record, would that be of any help (or hindrance) to Purelymail?
FredOnline is offline   Reply With Quote
Old 28 May 2021, 09:54 PM   #41
ScottPurelymail
Junior Member
 
Join Date: May 2021
Posts: 4
Quote:
Originally Posted by FredOnline View Post
Thanks for that quick response, Scott. Most appreciated.

If I were to create that CNAME record, would that be of any help (or hindrance) to Purelymail?
Oh shoot, forgot to opt in to notifications here.
Anyway, it might kind of help, although not in any big way- it's fine to leave your setup as is. Just make sure you don't have a CNAME and a TXT record at the same time.
ScottPurelymail is offline   Reply With Quote
Reply


Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Forum Jump


All times are GMT +9. The time now is 03:40 PM.

 

Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy