Mail and Calendars at the MPI/CBS

• Email is being used by people with malicious intend to cause damage to users and the infrastructure. It's imperative to know a thing or two about attack types.
• Email sender and receiver addresses look like this: "John Doe" <johndoe@mailserver.domain.de>
  • (B1) Only the second part is actually an address. The first part is an arbitrary text . These addresses might be able to trick you:
    • "Prof. Dr. John Doe" <intern1@cbs.mpg.de> is still just an intern although he calls himself "Prof."
    • "administration@cbs.mpg.de" <intern1@cbs.mpg.de> (still an intern).
• (B2) You cannot be sure that the sender address is valid and was sent by the respective email account.
  • An email server could make sure that all sender addresses ending with its domain ( @cbs.mpg.de in our case) are valid.
    This is currently not possible on our email server because IT was mandated to support a specific service for one of the departments which requires the sender address to be forgeable.
  • (B3) Even if the email was actually sent from the expected mail account, you cannot be sure, the mail was sent by the person you're expecting.
    • It is common that users are tricked by bad people into sharing their passwords. Their email accounts are then abused to send spam or Phishing emails.
    • Try not to look for clues of validity in metadata but in the emails content itself. Example:
      • No legit invoice comes in form of a .exe -File.
      • A director is not in urgent need of Google gift cards.
      • A user having to "validate" an email account doesn't make sense. Account validity is tied to contract data and a user management system would not trust a user to update this by themself.
      • A quota increase will not require you to login somewhere.
    • If in doubt, use a second way of communication to authenticate the email (Phone, Whatsapp, Mivervamessenger,...).
• (B4) Transport Encryption: While email is send through the internet using encrypted connections, all parties involved (esp. email server administrators) are still able to access them in the clear. To prevent that, end-to-end encryption must be used. Get the necessary digital identity here: CertificateManagement .
• (B5) Signatures: Having a digital identity enables you to digitally sign emails. Signed emails are the only reliable way for a receiver to spot forged sender addresses.
• (B6) An email can take up to three days to arrive.
• (B7) To send end-to-end encrypted mails, the receiver must have a digital identity—the sender does not need one. For signatures, it's the other way around.
• (B8) Receiving an encrypted email should in no way increase your trust in it. It just ensures that nobody can read it during transit. It doesn't tell you anything about the person who sent it. That's what signatures are for.
• Nearly all attacks on IT infrastructure occur through email, particularly through harmful attachments.

• The institute operates an on-premise email server. Emails to other institute users never leave the institute's domain of control—if the receiver doesn't have a forward defined.
• To mitigate attacks on IT infrastructure, several types of email attachments are blocked, see the list here. Emails carrying them are not delivered. Sender and receiver are notified immediately about each single blocking event.
• There is a size limit for receiving text emails on the institute's mail server: 25,6 MB (24.4 MiB). Attachments are not sent as text but have to be recoded for transport. The effective limit of an email containing attachments is around 18 MB (17 MiB).
• There is spam classification system being used on the server which will try to sort out unwanted mails. If you think an email for you was lost in transit, have a look in the "Spam" folder.
• There are no filtering mechanisms exceeding the ones mentioned here. If you think, an email was lost, please contact IT. Every single incident will be investigated!

Malware

• Do not enable "HTML mail view" in your email program.
• Do not send rich text email (or "HTML" email). This will reduce the pressure on others to enable HTML mail view.

Spam

Phishing

• do not send any credentials via email and
• you adhere to Rule#1 ("Don't enter your passwords into websites not on servers ending with .cbs.mpg.de ").

Scam

Web browser

IMAP client software

• Thunderbird (officially supported email client of the MPI CBS).
  • Unfortunately it's not able to auto-detect calendars, yet. IT is in contact with Mozilla to fix that.
  • To access your calendar(s), add a new calendar "On the network" at the location https://mail.cbs.mpg.de . Username is your email address, password is the application password, you just created for email access.
• Fairmail (Android email client with very strong focus on privacy)
• TheBat!, Pegasus Mail, Eudora, ...

Manual email client configuration

• Protocol for accessing mails: IMAP4 or IMAP (more precisly: IMAP4s ).
• IMAP4-Server: mail.cbs.mpg.de
  • Security type: TLS (sometimes called SSL or implicit TLS; "Starttls" is always the wrong choice!)
  • Port number: 993
  • Username: Your institute login name (e.g. schmidt )
  • Password: You're going to have to create an application password.
• Server for sending mails mail.cbs.mpg.de
  • Security type: TLS (sometimes called SSL or implicit TLS; "Starttls" is always the wrong choice!)
  • Port number: 465
  • Username, password: Same as for IMAP4
• Calendar-Server: https://mail.cbs.mpg.de
  • Username, password: Same es for IMAP4

macOS email app and calendar

1. Remove any existing account connections from macOS, if you have any.
2. Create an application password via the email server's Web GUI.
   You'll need to copy and paste the password later. Do not store it anywhere! It is a feature of application passwords that they are only remembered by applications but not by users!
3. Open Safari and go to https://ac.cbs.mpg.de/apple/$username, replacing $username with your institute username (the part before @ in your email address) to download the profile file.
4. In System Preferences, under Security, install the profile using the application password (enter it twice) and forget the password!
5. Log into the email server's and create an for this macOS computer.
6. Wait for your mailbox to sync with your computer.

Possible reason 1 - Temporary lockout (Very likely. Our email server blocks around 5 accounts per day.)

1. You changed your password and one of your programs or devices is still using the old one. Solution: Make sure, all of your programs and devices have the correct password.
2. You re-activated an old device (e.g. a phone or laptop) you didn't use for a long time. The solution is the same as in (1).
3. An evil person tried to guess your password with a high frequency. In this case, the temporary block is protecting your password. Solution: You'll have to wait 15 minutes.

Possible reason 2 - Phishing success (Very unlikely since 2FA was introduced)

• "update your account"
• "increase your quota"
• "unblock your account"
• ...

Possible reason 3 - Account timeout (Likely)

• Not have the credentials (e.g. QR code) as a file somewhere.
• Come to IT to reset 2FA if your phone is lost so no one else owns valid credentials of yours.

1. the secret password you entered into Google Authenticator and
2. the current time.

• Click on the three dots in the upper right corner in Google Authenticator.
• Select "preferences".
• Select "time correction".
• Select "synchronize now".
• Google Authenticator will now fetch the correct time from the network and use it for generated TANs. This doesn't affect other apps.

• call a core IT member that knows you personally and is able to identify you. IT staff may refuse this method if there is any doubt about your identity.
• or come to IT physically and present a valid passport, Personalausweis or Aufenthaltstitel.

• Do not check these check boxes on public computers (e.g. in a public library) or on other people's devices, like a friend's laptop!
• You can safely use both check boxes on your personal laptops and whenever you have a personal account on a computer—e.g. in the institute when logging in using your credentials. Don't worry, it's not actually the computer that's being trusted but your user account. The next person using the computer will not be able to impersonate you.
• The trust can be revoked in the "Preferences"/"Accounts" section of the Web GUI.
• Persistent cookies are being used for both trust functions. If you have privacy options enabled which clear cookies in your browser, you might want to add an exception for the email server's Web GUI.

• Find big mails
  • Go to the search field on top of the web interface and type larger:100KB to find all mails that are larger than that value.
    
• Prepare a sorted list
  • Make sure the right listing mode (one that shows a mail's size) is selected. This only has to be done once.
    
  • Sort the list by size descending. This way you can start with the biggest ones and work your way to to smaller ones.
    
• Remove things
  • Now you can either directly remove big mails or download/remove their attachments (either single ones or all at once). There are remove-links for each attachment and there's one link to quickly remove all of them.
    

Trash bin

Dumpster

Backup

1. Create a ticket containing the desired restoration time.
   • For example, if an email was deleted at 10:30 on 01.05.2015, request restoration from 10:15 on that date.
   • IT can only restore the entire account at a specific time, not individual emails.
2. IT will restore a backup, adding it to your account as a folder.
3. Find and retrieve your email(s).
4. Inform IT when done to remove the backup folder.

• Your email account will remain active for three months after your contract ended.
• You'll be notified of the deactivation date via email before your contract expires.
• Consider setting up email forwarding to another address (e.g. to your new research facility or to a colleague remaining at the institute).
• Backup your emails using an email client software or the Web GUI's Import/Export feature under Preferences to get a downloadable archive file.
• After three months, your emails will be deleted:
  • Any established email forwards will continue for an additional 21 months.
  • You won't receive emails from internal mailing lists.
  • Post-deletion, setting or changing forwards requires an in-person visit to IT with identification.

• Googlemail
• Hotmail

• Got to the Webgui
• Select the "Preferences" tab
• Select the "Mail" configuration block on the left
• In the paragraph "Receiving Messages" ...
• ... enter the target address of your choice and select the "Don't keep a local of messages" checkbox.

My account is already locked so I cannot create the forward myself.

1. There are 3 types of managing the members of a MailingLists. Choose one.
2. Think about a name. It must contain a Dash sign ( - ) to clearly distinguish it from user accounts that exist in the same name space.
3. Please write a ticket to request the mailing list.
4. IT might have technical objections about the name. Those would then be communicated via the ticket system.