
Leaving Google: Moving email and calendar to Zimbra

Note: This post is part of a series of posts I’m writing about migrating from Google to other service providers. Read Leaving Google: A preface to understand my motivation and goals for this project.

Aside from things like online banking and bill-pay, email and calendar are probably the most important aspects of my online life. They enable me to stay in touch, transact business and generally know what I am supposed to be doing when. As such, it took me a long time to find an alternative that would work for me.

The requirements and the search

Here are the requirements I defined in a calendar and email solution:

  • hosted and paid, yet affordable ($50-60 annually)
  • decent web interface
  • POP3 and IMAP access
  • ssl/tls enabled
  • ability to use own domain and to add user and domain aliases
  • multiple calendar support
  • ability to share calendars with internal and external users
  • ability to have private and public appointments
  • ability to subscribe to external calendars
  • reasonable disk space (5-10GB) and attachment quotas (>10mb)

Finding a stand-alone email provider was not an issue. Pobox (my favorite), Hushmail, Fastmail and Rackspace all provide reasonable email hosting and there are many others.

What these services lack are the robust calendaring features I need. Both Pobox and Rackspace include calendars with their email, and OwnCloud has a calendar feature. But all three are simple and lack the sharing and subscribing abilities I absolutely need.

Lack of strong calendar features continued to stall my search for Google alternatives until I realized that I was already using a great alternative at Mozilla! There we use Zimbra, a “collaboration suite” developed by VMware that includes email and calendaring. VMware offers open source and network editions of Zimbra. If you have sufficient courage, stamina and time to run your own mail server, you can download and install the open source edition for free (although it lacks some features of the paid version).

I have no desire to run my own mail server. Thus began the search for hosted Zimbra providers. I narrowed my list to three: ZMailCloud, MrMail, and Krypt CloudMail, from which I picked ZMailCloud.

The migration

Once my account was set up, the migration process was fairly straightforward:

  • Update MX records for my chosen domain.
  • Start forwarding Gmail to new email addresses.
  • Add Gmail address as external account in Zimbra via IMAP and start copying messages.
  • Export main Google calendar and import into calendar called “Google” on Zimbra. Start copying relevant appointments to new main calendar.
  • Begin the tedious process of updating email address everywhere.

I had a couple of choices when migrating all of my email messages:

  • Use an email client like Thunderbird to copy via IMAP
  • Add Gmail address as an external account via POP3. The disadvantage to this approach is that you get zero folder information, which is only a problem if you were using folders/labels in Gmail.
  • Not copy messages at all and start with a clean slate!

Also, you might be wondering why I didn’t simply import my Google calendar into my new main calendar. I actually did this at first. Then I realized that all of the appointments were imported with the visibility set to public. This won’t work for me because I want to be able to share my calendar with the public, allowing them to see the details for some appointments (like office hours and public meetings) but not for others.

Progress so far

The migration, begun a couple of weeks ago, continues. Each time I log in to an account I check the email address and update it if need be. I update mailing list subscriptions as I read messages from those lists, and those hosted on Google groups are the most tedious to update.

I also haven’t figured out how to tell everyone who might need to know that I have a new email address. I can’t bring myself to spam my entire address book (and there are probably folks in it I don’t actually want to engage with). So, for the time being, I’m just replying from the new address and letting people or their email clients update my record on their own.

Other solutions?

I’m curious about other possible solutions. For those of you who have switched away from Google mail and calendar, or were never there in the first place, what do you use? Let me know in the comments!



Leaving Google: A preface

While I’ve never had all of my internet-eggs in Google’s basket, so to speak, I’ve appreciated many of their services and have become quite dependent on some.

I opened my first Gmail account in 2004. I switched from Bloglines to Reader sometime before the former was sold in 2005. My sanity, and probably my wife’s as well, depends on the appointments we track in Calendar. All of my correspondence has found its way to Google docs. All of my non-IRC chatting is done through gTalk with an xmpp client.

It’s never felt particularly good or prudent to be so reliant on one company, an advertising company, for some of my most important online needs. But when I would think of leaving Google, a sense of dread and panic would arise. I would think about how dependent I was on email, calendar and other services and how good alternatives seemed non-existent. Not surprisingly, I would come to the conclusion that I couldn’t live without Google, and that they weren’t that bad, after all. And then I’d move on to fretting about the next thing.

But the idea continued to percolate and re-surface in my mind. Each time Google made a decision to close a beloved product, took yet another step away from web standards, or made a move that wasn’t outright evil, but wasn’t good either, I re-evaluated my reliance on their services. More and more I felt like I was the product first and the customer second, if at all. The final straw for me was in fact two: the end of full support for xmpp in Google talk and PRISM.

And thus, I’ve started the process of reducing my usage and reliance on Google services. I’ll document this process in a series of blog posts, roughly in order of priority:

  • Email and calendar
  • Search
  • Chat
  • Mailing-lists (for the groups I manage)
  • Document editing and sharing

A few services I don’t intend to find near-future replacements for include Google voice and Hangouts. Google Plus isn’t on either list simply because I hardly use it. Nor have I ever used Picasa (I’ve always preferred Flickr). I have no immediate plans to delete my Google account. Doing so effectively means you can’t interact with any of Google’s services, which would severely limit my ability to interact with many individuals and groups for which it is necessary that I do so.

My goal isn’t to purge my life entirely of Google, but rather to reduce my reliance on its services and to decentralize my online activity.

Securing Your On-line Life with a Password Manager and Two-Factor Auth

The Internet was ablaze last week with discussion of the hacking of Mat Honan. For those not up to speed about what happened, hackers were able to use social engineering and weaknesses in the security policies of Apple and Amazon to obtain access to Mat’s on-line accounts and to reset all of his Apple devices. Scary stuff!

With this incident on everyone’s mind, I thought it would be a good idea to share the techniques I use to secure my on-line life. I encourage you to adopt these practices if you haven’t already.

Use A Password Manager

My favorite password manager is LastPass. It’s cross-platform and cross-browser. There is a free version and a very affordable premium version at $12/year.

Other options include KeePass and 1Password.

With LastPass, your data is stored online in an encrypted format. To access your information, you unlock your “vault” with a master password. On the desktop, LastPass isn’t a stand-alone program. Rather, you use it as a browser plugin. On mobile platforms there is a stand-alone program that includes an integrated web browser. Because your data is stored online, it is synchronized across and available from multiple computers. This is great if you use more than one system, which I do. LastPass also offers the ability to access your vault when you’re off-line (though two-factor auth is limited in this case).

LastPass allows you to securely store:

  • passwords for all your sites
  • secure notes, which you can use to store misc information like server logins, credit card and bank account info, passphrases and more
  • form data, including credit card information (makes online buying a snap)

It also provides a password generator.

Here’s an example of what it looks like to retrieve passwords in LastPass:


And here’s how I login to sites that I have saved with LastPass:


Using a password manager, be it LastPass, KeePass, 1Password or another solution, allows you to easily follow the best practices I outline below.

Use a Unique, Strong Password for Every Site

You should never re-use a password. Use a unique password for every account that you create everywhere. This keeps a security compromise from spreading from one site to another.

Make sure you pick a strong password. Better yet, use a computer generated password rather than one you make up on your own. Many password managers, including the ones I have mentioned in this post, have a password generator built in. Use it!

Here’s LastPass’ generator:


How Do I Remember All These Unique Passwords?

At this point you might be asking, “how will I remember all these difficult passwords?” You won’t! The only password you’ll need to remember is the master password for your password manager.

Stand-Alone Password Generators

Don’t like or want to use the built-in password generator? There are plenty of stand-alone options.

My favorite password generator is actually the one that ships with OSX. It’s a bit difficult to get to, however, because you have to open the keychain and then click on some additional buttons. However, this app will call the password generator dialog directly.

If you’re on Windows, there’s pwgen-win. If you’re on Linux, try apg or pwgen.

Don’t Use Real Information in Security Questions

Security questions are those additional questions you fill out when you set up web accounts, especially for on-line banking. Some examples:

  • childhood nickname
  • name of first pet
  • first school attended
  • place where you met your spouse
  • favorite sports team

Most of the security questions I’ve encountered are absolutely terrible in that answering them honestly does nothing to protect your account. Why? Because we live in the age of social networking and answers to these questions are almost always readily available to anyone who’s willing to spend a few minutes searching on Google.

The solution is to provide bogus answers. Favorite Sports Team? The Bangalore Bananas. Or xFLXw99X62ONsPFU. There’s no way someone can use social engineering to come up with answers like these (unless you post them online for some reason). In order for this strategy to work, don’t rely on your memory. Instead, use your password manager to save the security questions and answers just as you do with unique, strong passwords. LastPass makes this particularly easy because on any webpage with a form you can use the “Save All Entered Data” to capture your questions and answers.

Enable Two-Factor (or 2-Step) Authentication Wherever Possible

Two-factor authentication means that in order to login to a site, you need to provide two pieces of information instead of just your password. Most two-factor authentication schemes involve providing your password and a unique code generated by a separate program, usually on a physical device.

For example, when I log in to Google, I first login the usual way and am then prompted for a verification code:


And then I open Google Authenticator on my phone in order to retrieve a special code:


Enabling two-factor authentication adds an extra level of security because it means a hacker can’t login to your account even if they have your password. They’d also have to have the physical device that generates the second authentication factor.

In this post I’ll cover enabling and using two-factor authentication with Gmail and with LastPass.

Enabling Two-Factor Auth for Google

To enable two-factor authentication for your Google account:

  • Login to your account and navigate to your Account page.
  • Navigate to security settings.
  • Click ‘edit’ next to 2-step verification.
  • If you haven’t already verified your phone, you’ll need to do so now.
  • After this, 2-step verification will be enabled.


You should now set how to receive your verification codes. You can enable one or more of the following methods:

  • Mobile application (Google Authenticator, for Android and iOS)
  • Backup phone (not your Google voice number)
  • Print backup codes (keep in your wallet or somewhere else safe)


I recommend setting all three, especially if you have a smart-phone or tablet. The method I use most often is the mobile application.

When you select mobile application, you’ll see the following screen. Scan the QR code with your phone or tablet. You’ll then be given a key to enter into the form to verify your device.


Note: You can install Google Authenticator on multiple devices, but you must do so at the same time. If you wish to add a device later, you’ll need to turn off 2-step authentication and go through the whole process again. You do not need to do this in order to add another Google account to Authenticator, however.
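How the six-digit code in Google Authenticator is derived, as an added example that is not part of the original post: the app implements TOTP (RFC 6238), so each code is an HMAC-SHA1 over the current 30-second time step, keyed with the secret carried in the QR code. The `verify` function with its drift window and replay check illustrates what a server can do and is not Google's code; the secret used is the RFC's published test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: float, step: int = 30) -> str:
    """RFC 6238: HOTP whose counter is the number of 30 s steps since the epoch."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    return hotp(key, int(now) // step)


def verify(secret_b32, submitted, now, last_used_step=-1, window=1, step=30):
    """Server side: accept the current step +/- `window` to allow clock drift,
    compare in constant time, and refuse any step already used (replay).
    Returns the matched step (store it as last_used_step) or None."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    current = int(now) // step
    for candidate in range(current - window, current + window + 1):
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(key, candidate), submitted):
            return candidate
    return None


# Constructed sample: the RFC 6238 test key, base32-encoded the way a secret
# appears in an enrollment QR code. Not a real account secret.
SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("code now:", totp(SECRET, time.time()))
```

Because the code depends only on the shared secret and the clock, anyone who copies the secret at enrollment can generate valid codes, which is why the QR code screen deserves the same care as a password.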

Generating Application-Specific Passwords

What happens if you want to use an email client like Thunderbird, Mail.app or Outlook? Or a chat client with gTalk? You still can, but you have to generate application-specific passwords. This means that you generate a separate password for each application you would like to allow to access your mail or chat. This password is revocable at any time should you lose control of that application (e.g. you lose the laptop on which it’s installed) or suspect that the password has somehow been compromised.


Enabling Two-Factor Auth in LastPass

LastPass offers a few options for two-factor authentication:

  • fingerprint reader
  • grid authentication
  • Yubikey
  • Google Authenticator

I selected Yubikey. A Yubikey is a USB device that generates a unique, one-time password. Once you link a Yubikey to your LastPass account and enable two-factor authentication, you need to use your Yubikey along with your regular password each time you want to log in (although you can specify which computers are trusted and therefore do not require secondary authentication).

I bought 2 Yubikeys and an additional year of LastPass service for $50. Because you can associate your LastPass account with multiple Yubikeys, I have one for regular use and one for a backup in case I lose the first.

Here’s what it looks like when I log in to LastPass with Yubikey authentication enabled.

First I’m prompted like usual for my LastPass email and password:


And then I’m prompted for my OTP from Yubikey:


Have a Recovery Email That is Not Easy to Guess and Keep it Private

Both Google and LastPass allow you to specify a recovery email address. I strongly recommend that you set up a second email account that is dissimilar to your regular, public email address, keep it private and use it as the recovery email for your critical accounts (like Google and LastPass). The reason for using a private, separate email is so that hackers are less able to guess your recovery email and launch an attack against it.

Also, if you are uncomfortable having all your on-line eggs in one basket like I am, consider paying for a backup email account from a service like FastMail, HushMail or Pobox.

Change Important Passwords Periodically

You should change the passwords on your critical accounts on a regular basis. Quarterly is probably a good target. Even twice or once a year will be better than never. For best results, link it to some other deadline. Self-employed? Change your critical passwords when you send in your quarterly estimated taxes.

What are critical passwords? Your Google account and password manager, certainly. Probably also your on-line banking, too.

Check Access Logs Frequently

Most systems provide access logs that you are able to check. You should periodically examine this information for anything that seems strange. Look for connections that don’t match your usage because this could be a sign someone is accessing your account without your permission or knowledge.

To see your Google access logs, log in to Gmail, scroll down to the bottom of your inbox and look for “Last account activity.” Then click on details.


You’ll see a screen like this where you can see which IP addresses have been connecting to your account:

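One way to make that review systematic, as an added sketch that is not part of the original post: compare each activity entry against the networks, access types and hours that match your own usage, and list everything else with the reason it stands out. The row format (access type, IP address, local timestamp) is assumed to be transcribed by hand from the activity details screen; every address, network and setting below is a constructed placeholder.

```python
import ipaddress
from datetime import datetime

# Assumptions for this sketch: replace with the networks and clients you use.
KNOWN_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("198.51.100.0/24", "203.0.113.17/32")]
EXPECTED_TYPES = {"Browser", "IMAP", "Mobile"}   # e.g. POP3 was never enabled
USUAL_HOURS = range(6, 24)                       # local hours of normal use


def review(rows):
    """Return (timestamp, ip, reasons) for every entry that does not match
    the baseline above. An empty list means nothing stood out."""
    findings = []
    for access_type, ip, when in rows:
        reasons = []
        addr = ipaddress.ip_address(ip)
        # Mixed IPv4/IPv6 comparisons are simply False, so IPv6 is handled too.
        if not any(addr in net for net in KNOWN_NETWORKS):
            reasons.append("unknown network")
        if access_type not in EXPECTED_TYPES:
            reasons.append(f"unexpected access type {access_type}")
        if datetime.fromisoformat(when).hour not in USUAL_HOURS:
            reasons.append("unusual hour")
        if reasons:
            findings.append((when, ip, reasons))
    return findings


# Constructed sample rows using documentation-only address ranges.
SAMPLE_ROWS = [
    ("Browser", "198.51.100.23", "2012-08-12T09:14:00"),
    ("POP3",    "192.0.2.44",    "2012-08-12T03:02:00"),
    ("IMAP",    "203.0.113.17",  "2012-08-12T22:40:00"),
    ("Mobile",  "2001:db8::5",   "2012-08-13T08:00:00"),
]

if __name__ == "__main__":
    for when, ip, reasons in review(SAMPLE_ROWS):
        print(when, ip, "; ".join(reasons))
```

An unknown network alone is often just a mobile carrier or a new Wi-Fi network; an entry that combines several reasons, such as a protocol you never use from an address you do not recognise, is the one to act on by changing the password and revoking application-specific passwords.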

Make Regular Backups

The above steps are not a guarantee against your data being compromised. You should make sure you’re regularly backing up any data that’s important to you, including your password information.