Service Notices

If you are here because your email app just stopped working, we have been trying to reach you by email and notices for a while now. In short, your webmail password no longer works for regular email clients, you now need a separate password for them. To create this:

*** You should not create any app passwords if you only use the webmail ***

Go to Settings -> App Passwords in the CodaMail web interface.

Click Create App Password button.

Give it a name and set whatever restrictions you want or just leave them all as they are.

Click the Save button

Copy the new password

Next, check email with your email app, it should prompt you for a new password. Paste it in (also click the save password checkbox).

Then send a mail to yourself, you should be promted again for the SMTP password. Paste it again, click the save password checkbox.

That's it. Your mail app should work as normal again. Nothing else needs to be changed, not servers, not username, not email addresses, not ports, only the password changes.

We will be shutting off the ability for your webmail passwords to be used by third party email apps this evening EST. After this, only app passwords will work for third party email client access and your webmail password will only work for logging into webmail.

We have introducted a text mode that is very basic, like 1995 basic, html. It has been optimized for screen readers and terminal browsers like lynx. It is not full featured, but it is functional for reading and replying and can access necessary settings, including app passwords, masked aliases, account aliases, personal domains, catch-all management, block list management, ability to upload public keys and set up pgp auto-encryption, and more.

So, those who could not set up app passwords before, now have a way. To enable the hidden mode of vanilla html without script, css, or even frames, use this url: https://codamail.com/mail/?text. To shut text mode off, click the link in the footer or use this url: https://codamail.com/mail/?notext.

...and yes, TOTP 2fa works in the hidden text mode, even with lynx.

We will switch completely to app passwords for third party mail clients this coming weekend Dec 27 or Dec 28. those who have not set up app passwords by then will need to do so for third party email apps to work.

The switch over to app passwords has been delayed by a day or two. We will be releasing a skin for the webmail that is plain vanilla html only, without any script or frames, for some specific use cases, such as screen readers. We will switch the app passwords over after this is released.

Manage Catch-alls Enhancements

We've added new features to Settings → Manage Catch-alls that provide more granular control over your domains and aliases.

Previously, blocklist and whitelist modes applied to all of your domains equally. If you wanted one domain to operate in whitelist mode while keeping another domain as a catch-all, it wasn't possible. All were in whitelist mode or all were in blocklist mode.

Now it is possible. Two new exception formats are supported:

- @example.com — Create a domain exception
- ! prefix — Create an alias exception

Examples:

Blocking an alias across all domains with an alias exception for one domain:
When in block mode, enter sales to block sales@anything, across all your domains. Then, additionally, you add !sales@example.com (or !sales@alias.example.com) to allow delivery to just that one domain while keeping the block in place everywhere else.

Operating in whitelist mode while keeping catch-all domain(s) with a domain exception:
When in whitelist mode, add @example.com (or @alias.example.com) to exclude that domain/catch-all from the whitelist. Everything else remains in whitelist mode, but that domain continues to accept all mail as a catch-all. Then, if you further want to block one alias in @example.com, enter another exception, for example !sales@example.com. This then leaves the catch-all domain exception @example.com accepting everything but sales@example.com.

These two exceptions now let you mix blocklist and whitelist catch-all behavior across your domains as needed.

Both Manage Catch-Alls (this controls To addresses) and Block List (this controls From addresses) features will cause mail to be rejected prior to being accepted by our servers. In other words, blocking happens during the SMTP handshake, instead of just silently accepting the mail and deleting it, which causes the sender to believe it is still active.

Anyone who sends mail to anything blocked by either of these two features receives a User Unknown response, indistinguishable from an address that does not exist. This does decrease future unwanted mail because many bulk mail senders will automatically remove "User Unknown" rejections from their mailing lists (they call this list cleaning). They do this so they don't get terminated by their bulk mail service for too many bounces (most bulk sending services terminate when bounce rate is too high).

We resolved an issue with accessing the filters. This caused logins to fail for a short period during the resolution. All is again functional.

There have been a few cotse.net users who have contacted helpdesk that seem to believe that logging into the new webmail interface means your email address must change, this is not true. Cotse users can log into the new webmail and keep your cotse address. Your email address is not tied to the old webmail interface.

Those with Cotse addresses can use either webmail. Both display the exact same email, when you log into the new webmail you will see the same email you see in the old interface in the same folders. It is no different than using the webmail sometimes and other times using something like Thunderbird, Apple Mail, or other to read your mail. The new webmail is nothing but a different client (a much improved client) for the same mail.

You also don't have to keep using it, you can continue using the old webmail once you have created your new password for your third party mail clients (you just won't see all the new added features in the old webmail). The old webmail client doesn't support the new features and so some of them can only be accessed through the new webmail client, like app passwords.

We have disabled accounts that expired last month and were not renewed. If yours was one and you would like to renew it, you can do so here. Expired paid accounts that go 90 days without renewal are deleted and the account name cannot be used again, not even by the original owner.

App Passwords Now Available - Bridge Mode Active

This only affects third party e-mail clients (like Thunderbird, Apple Mail, Outlook, etc.). If you only use the webmail then no changes are needed.

We have enabled app passwords in a bridge mode. During this transition period, your regular password will continue to work with third-party email clients (Outlook, Thunderbird, Apple Mail, etc.) until you create an app password.

Once you create an app password for IMAP, POP, and SMTP, your webmail password will no longer work for third-party email clients and you don't have to do anything more, you'll be all set when we switch December 21.

Sunday, December 21 app passwords will be required for all third-party email clients. After that date, your regular password will only work through the webmail interfaces and will no longer work for your third party email client.

How to Create an App Password:

1. Log into the CodaMail web interface. (the legacy webmail does not support this feature)
2. Go to Settings → App Passwords
3. Click Create App Password
4. Select your protocols (IMAP or POP, plus SMTP for sending)
5. Optionally set IP or network restrictions (CIDR format) and/or an expiration date
6. Click Save
7. Copy the displayed password immediately, it is not stored by us and it will not be shown again
8. Paste this password into your email client (your username and server settings remain the same)
9. Click Done

Typically, once you do this and try to check mail, your email client will prompt you for the password and you can just paste in the new one (and don't forget to try to send mail, too, so the SMTP also prompts for new password).

If you lose an app password, simply delete it and create a new one. As always, send any questions you have to Helpdesk.

This is only for existing third party email setups, if you are setting up your email client for the first time prior to Dec 21, you must contact helpdesk first. This is because new setups will require helpdesk support during this period.

We are performing some maintenance in preparation for the pop and imap changes, during which there may be a brief periods where the service is temporarily unavailable (under 5 min).

Just to answer some common questions about the "application passwords" that will be implemented. First, if you only use webmail nothing is going to change for you, this only affects those who use a third party email client via pop or imap.

The "application passwords" will be nothing more than a separate password for imap/pop/smtp access. You will log into the CodaMail web interface, generate a password for pop/imap/smtp, set whatever permissions you want it to have, then copy and paste it into your email application as the new password.

This separates your full account from the email client in the event your email client is ever compromised by password stealing malware. If this was to happen, the attacker will not be able to log into your webmail account. It will also help protect against bot attacks on our services, which are getting smarter with AI.

When you generate a password you will be able to assign priviledges to it and also be able to set a date when that password will stop working (if you desire). You will also be able to restrict which IP addresses or network ranges are allowed, again, if you desire to restrict it even further. You will be able to delete and create them at will. You will have more control and it is a much safer way for us to allow pop/imap, and smtp.

Again, this is not active yet. We are just providing early notice. We will be sending out more mail regarding the change before implementation.

After the express1 outage, which was a full restore, some have reported being unable to log in to the express1 proxy. If you are one, please contact helpdesk so we can resolve it.

We are experiencing an outage with our ssh server express1, this is being worked on and it will return asap.

Express1 is back up

We will be implementing Application Passwords for imap, pop, and SMTP using a variation of our DAV authentication. These will replace our existing protections while still incorporating the CIDR restrictions and allowing granular selection of services and multiple separate imap/pop/smtp logins. Webmail will not be able to be logged into using app passwords, this only affects IMAP, POP, and SMTP access..

This change will require everyone (Cotse and CodaMail users) to log into the CodaMail web interface to create their app passwords for regular email clients to work. No changes will be necessary for webmail only use. This is not active yet, this is just early notice. Please check here for further updates.

Please note, that these are developed, tested, and ready to implement. The delay is to give people a chance to see the Notices and for us to send out some e-mail informing people to read the notice.

We updated the Enable/Disable IMAP/POP feature to give you the ability to click a button to add your current IP to your allowed list. This makes it easier to quickly enable pop or imap just for your current IP address.

New blog post: The Truth About Zero Knowledge / Zero Trust

Follow-up Blog Post: How to Use CodaMail in the Most Secure Fashion Possible

New blog post: A beginner-friendly guide to evaluating website security

We have updated our Notes app so that now if you upload a pdf or odf file as a Note you can click the icon representing it and it will display in a viewer/editor, as it does for attachments in mail, calendar events, and tasklist entries.

An important note, especially for existing subscribers. We do not recycle usernames. This includes masked aliases and it is for your protection because it prevents someone else from signing up for an account you left. However, it also means that if your account expires, is not renewed, and ends up past the 90 day mark where it gets deleted, you can never get it or any of your aliases back.

We have disabled accounts that expired last month and were not renewed. If yours was one, and you'd like to reactivate it, you can renew here: https://codamail.com/renew.html

We are performing some regular patching that will require periodic reboots. We expect any downtime to be minimal.

Tomorrow we will be disabling accounts that expired last mo that have not renewed. You can check your account status under Settings -> Account Information or renew here: https://codamail.com/renew.html

We have pushed our latest update to caldav/carddav into production. This update adds additional functionality and resolves a few more client based nuances for better compatibility with more clients.

FYI: We do take requests for color combinations to be able to be selected within webmail. Unfortunately, due to the static nature of these, we are currently unable to just provide color pickers. Instead they must be individually compiled. However, we do take requests.

Please note that if you delete a masked alias, you cannot get it back without contacting helpdesk (and even then, they will only be reactivated for the account, they cannot be reactivated for a new account). Masked aliases cannot be reused.

We will soon be disabling accounts that expired last month or before that have not yet been renewed. Please note that we do not auto-rebill any service but month-to-month billing as our goal is to be both easy to onboard and off-board with us. This means any subscription that is not month-to-moth must be manually renewed each time at the end of it.

We resolved an issue some were having where attempting to display the tasklists caused an internal server error message.

We have resolved an issue with MKCALENDAR VTODO (ie. creating a task list from your phone or other device) when you have granted the authentication pair (token) the create tasklist permissions. Prior to this fix, creating a tasklist from a remote device was rejected even if you had granted the permissions to do so. This is a regression bug that was reintroduced with our last update.

Just an early note, we will soon be disabling accounts that expired last month and have not been renewed. To check your account status go to Settings -> Account Information, you can renew there as well or at https://codamail.com/renew.html

A recent change to the site's security headers affected the paypal button, which caused it not to forward to paypal for payments. This has been corrected.

Note: Calendar, Contacts, and Tasklist syncing via CalDAV/CardDAV is only available in the new webmail. It is not available in our legacy webmail.

We resolved an issue with the Apple Reminders App and tasklists. Taskslists will now update via the Reminders App.

We had an issue with our SMTP that caused it to be unavailable for a bit due to abuse, it has been resolved.

WebDAV/CalDAV/CardDAV Update:

I don't speak tech, in layman's terms please:

You can sync your calendars and contacts with all of your favorite devices like your phone, tablet, watch, or favorite email app. You can also share with your family, friends, business contacts, or groups, all privately.

I want the tech:

Our proprietary WebDAV server, built from the ground up for privacy, now supports (updated 11/2):

RFC 3253 WebDAV Versioning (expand-property REPORT, protected properties)
RFC 3744 WebDAV ACL (Access control, privileges, owner, acl properties)
RFC 4791 CalDAV (Calendar properties, REPORT, calendar-query, free-busy)
RFC 4918 WebDAV (Core properties, PROPFIND, PROPPATCH, collections, COPY, MOVE, Class 1/2/3 compliance)
RFC 5397 WebDAV Current Principal (current-user-principal discovery)
RFC 5545 iCalendar (ICS/VCS format for events/tasks, ORGANIZER/ATTENDEE, CATEGORIES)
RFC 5689 Extended MKCOL for WebDAV (creating collections with properties in single request)
RFC 5842 WebDAV Bindings (resource-id for unique resource identification)
RFC 6350 vCard Format (VERSION property ordering, REV property injection, property preservation)
RFC 6352 CardDAV (Addressbook properties, vCard handling, addressbook-query, addressbook-multiget)
RFC 6578 WebDAV Sync (sync-token, sync-collection REPORT with allprop compatibility)
RFC 6638 CalDAV Scheduling (calendar-user-address-set, schedule-inbox-URL, schedule-outbox-URL)
RFC 7617 HTTP Basic Authentication (proper realm and credential caching)
RFC 7809 CalDAV Time Zones by Reference (calendar-timezone property with UTC default)
RFC 8144 Use of the Prefer Header Field in WebDAV (return-minimal for PROPPATCH optimization)
RFC 9110 HTTP Semantics (ETag, If-None-Match, 304 Not Modified, conditional requests)
CalendarServer Extensions (calendar-proxy, notification-URL, dropbox-home-set, email-address-set, getctag)
Apple Extensions (calendar-color with 8-char ARGB alpha channel preservation, calendar-order, calendar-enabled, calendar-transparency with PROPPATCH support)

The above properties which would normally contain identifying information are returned with privatized data. Randomized principals properly map. ACLs also properly map to our own unique method level dynamic permissions.

This ensures out-of-the-box compatibility with clients such as Apple Calendar, iOS, macOS Contacts, Thunderbird, DAVx5 with Android, Outlook with DAV plugins, and others, all without requiring protocol extensions or proprietary modifications.

We have updated the troubleshooting section for setting up DAV clients (ie. syncing your phone or other device calendar to the webmail calendar, contacts, and tasklist/todo). You can find this at the bottom of https://codamail.com/dav-setup.html. Specifically, things to check if it doesn't sync or only syncs one way.

We have updated our whitepaper on our unique privacy protecting CalDAV/CardDAV/WebDAV server with method level dynamic permissions. You can read it here: https://codamail.com/render.php?file=dav_reimagined.md.

We have disabled access to accounts that expired in Sept and were not renewed. If your account was one and you would like to renew it, you can do so here: https://codamail.com/renew.html

We resolved an issue with exporting private pgp keys today that was caused by a routine system update, so if you had difficulty exporting a private key (and possibly other pgp key management, though we are only aware of the private key export) this was why.

Just a reminder for those just checking notices, we completely rebuilt our VPN network in July. If you have not downloaded new configs since and cannot connect to a VPN, this is why. You will need to download the new configuration files from our Support section.

We also retired our Denver site this week and in doing so moved our Denver VPN and Socks5 servers to Chicago.

Please note: Our support section is well fleshed out, please take a moment (if you have not already done so) and check out https://codamail.com/support.html. You just might find that the service is capable of a lot more than you are aware.