I am not an expert by any means, but I can see one problem: you
are serving the login page over http and not https. This
potentially exposes any of the form data to sniffing.
Compare to my site:
https://secure.eton.ca/surgeweb
I am not sure I would agree with your "security checking site"
either. Qualys gives you an "A" SSL report:
https://www.ssllabs.com/ssltest/analyze.html?d=webmail.premieronline.net
AFAIK, Qualys ONLY checks an https connection.
Your server has both http and https open. My SurgeWeb server runs
behind an Apache proxy where I have set up a redirect to force
http to https. (Try http://secure.eton.ca/surgeweb to see it
switch.)
There should be SurgeMail settings that will force logins over
https, but NetWin can give you those. (My proxy setup means I
don't need to use or know them.)
Neil
On 2017-04-13 12:15 AM, Frank Bulk wrote:
--
Neil Herber
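
The arrangement described in the message above (an Apache proxy in front of the webmail server, with a redirect forcing http to https) could look like the following. This is an added example, not Neil's actual configuration: the hostname, certificate paths and backend address are placeholders.

```apache
# Added illustration; hostname, certificate paths and backend address are
# placeholders, not values from the message above.

# Plain-HTTP listener: serves no content, only redirects to HTTPS.
<VirtualHost *:80>
    ServerName mail.example.org
    Redirect permanent / https://mail.example.org/
</VirtualHost>

# HTTPS listener: terminates TLS and proxies to the webmail backend.
<VirtualHost *:443>
    ServerName mail.example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/mail.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/mail.example.org.key

    # Tell returning browsers to skip the http:// request entirely
    # (requires mod_headers).
    Header always set Strict-Transport-Security "max-age=31536000"

    # Assumed backend: webmail bound to loopback only, so it cannot be
    # reached directly over plain HTTP from outside (requires mod_proxy
    # and mod_proxy_http).
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

With this layout the login form is only ever delivered over HTTPS, because the port 80 virtual host returns nothing but a 301 to the HTTPS URL.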