Fastmail security upgrade

Fastmail is always looking for ways we can help you keep your account secure. On 25th July 2016, we upgraded how you log in to our system from your devices, whether that's via a browser, a phone, your desktop computer or a tablet.

Unless you are using our "alternative logins" system, there is no immediate change to your account. The features are active, but you can choose a time convenient for you to upgrade your account security.


What's changed?

How do I use the new security features?

You do not need to upgrade straight away. All existing logins will continue to work for some time, but we will gradually migrate users to the new system as we encourage the use of the new security for everyone.

All new security features can be viewed and configured on the Password & Security screen. You will need to type in your password at the top and unlock the screen to make any changes.

Login security

We strongly encourage you to set up two-step verification, for logging in over web browser or through the Fastmail mobile app. You can have multiple devices configured, whether it's an app on your phone or a dedicated security key.

Even if you don't usually use the web interface, attackers do. Configure 2FA to stop them from gaining access.

Client security

If you use any non-Fastmail clients to access your Fastmail account, you can upgrade your security by reconfiguring them with an app password. We have detailed guides on how to set up your client. Please be aware we have new server names to support the new features.

We recommend deleting your current account in your client, and then creating it again following the instructions. This will result in your client downloading your messages again, so it is best done over wifi, not mobile data.

The Fastmail mobile app does not need an app password: it works with your two-step verification settings.

Account recovery

Add your mobile phone number(s) and backup email address to the recovery options on the Password & Security screen. If you get locked out, we can use this to help verify your identity and restore access to your account.

As always, we take your privacy very seriously and will only ever use these details to keep your account secure. We never share them with anyone else.

Please regularly review these recovery accounts to make sure they're still current.

Summary of new server names

Service                    Old server                   New server
Incoming mail              mail.messagingengine.com     imap.fastmail.com (note no path prefix)
Sending mail               mail.messagingengine.com     smtp.fastmail.com
Calendar access            caldav.messagingengine.com   caldav.fastmail.com
Contacts access (CardDAV)  carddav.messagingengine.com  carddav.fastmail.com
Contacts access (LDAP)     ldap.messagingengine.com     ldap.fastmail.com
Incoming mail (POP)        mail.messagingengine.com     pop.fastmail.com
File access (FTP)          ftp.messagingengine.com      ftp.fastmail.com
File access (WebDAV)       dav.messagingengine.com      webdav.fastmail.com

Troubleshooting

Common issues reported with the new features.

Can't log in via Fastmail mobile app

You don't need to use an app password: your regular password works with your existing two-step verification configuration. On a mobile device, where you can't use a security key, this means using an authentication app.

If it still doesn't work, we recommend you uninstall the app and reinstall from the app store.

Can't log in via non-Fastmail clients

Many apps still auto-discover our old servers when you add your account profile. Once you've added the profile, check its settings (they may be under "manual config") and make sure it is using the new server names, not the old messagingengine.com servers.
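A small audit script, added here as an example (not Fastmail's own code), that checks a client's account settings against the server-name table above and reports the fastmail.com replacement for each service still pointing at messagingengine.com. The "service.key = value" config format and the sample settings are constructed for illustration; the point it demonstrates is that the same old host (mail.messagingengine.com) maps to different new hosts depending on the service, so the replacement must be chosen per service, not per hostname.

```python
import re

# Service -> (retired host, replacement host), transcribed from the table above.
SERVER_MIGRATION = {
    "imap":    ("mail.messagingengine.com",    "imap.fastmail.com"),
    "smtp":    ("mail.messagingengine.com",    "smtp.fastmail.com"),
    "pop":     ("mail.messagingengine.com",    "pop.fastmail.com"),
    "caldav":  ("caldav.messagingengine.com",  "caldav.fastmail.com"),
    "carddav": ("carddav.messagingengine.com", "carddav.fastmail.com"),
    "ldap":    ("ldap.messagingengine.com",    "ldap.fastmail.com"),
    "ftp":     ("ftp.messagingengine.com",     "ftp.fastmail.com"),
    "webdav":  ("dav.messagingengine.com",     "webdav.fastmail.com"),
}
OLD_SUFFIX = ".messagingengine.com"

# Constructed sample of a hypothetical "service.key = value" client config.
SAMPLE_CONFIG = """
imap.host = mail.messagingengine.com
imap.port = 993
imap.path_prefix = INBOX.
smtp.host = MAIL.messagingengine.com
smtp.port = 465
caldav.host = caldav.fastmail.com
"""

def parse_config(text):
    """Parse 'service.key = value' lines into {service: {key: value}}."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\.(\w+)\s*=\s*(.*?)\s*$", line)
        if m:
            service, key, value = m.groups()
            cfg.setdefault(service, {})[key] = value
    return cfg

def audit(cfg):
    """Return (service, current_host, replacement, note) for each entry still on an
    old server. Lookup is keyed on the service because old hosts are shared."""
    findings = []
    for service, settings in cfg.items():
        host = settings.get("host", "").lower()
        if not host.endswith(OLD_SUFFIX):
            continue                      # already migrated, or not a Fastmail server
        if service not in SERVER_MIGRATION:
            findings.append((service, host, None, "no replacement listed; check the table"))
            continue
        note = "clear the IMAP path prefix (new server takes none)" if service == "imap" and settings.get("path_prefix") else ""
        findings.append((service, host, SERVER_MIGRATION[service][1], note))
    return findings
```

Run `audit(parse_config(SAMPLE_CONFIG))` to see the two entries that still need changing; the already-migrated CalDAV entry produces no finding.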

Push unavailable on iOS

This issue tends to surface just after setting up a new profile or updating an existing one. Push actually is available. You may need to force-quit the mail app, and/or force-quit the iOS Settings app, in order to encourage it to recognise how push-y we really are.

New 2FA isn't working, but my old 2FA still works

The most common reason for this problem is using a base password (which belongs with your original 2FA configuration) instead of your master password.

Not sure which is which? Your master password unlocks the settings on the Password & Security screen; your base password will not.

With the old two-step verification, you could use your base password with your 2FA to let you log in or you could use the master password on its own. The new two-step verification requires that you always use your master password with your verification key or authentication code; the base password is not used.

I want to remove my alternative logins

With alternative logins being removed on August 31st, 2016, now is the time to remove them and consider migrating to the upgraded authentication options.

The link for alternative logins is at the bottom of the Password & Security screen in the web interface.

If you see the error message "Screen is only available to master login", it means you are currently using an alternative login. Check you know what your master password is by using it to unlock the settings on the Password screen, then log out of your current session and log back in with your master password. The alternative login screen will now be accessible.

Once there, delete all the logins and recreate them if necessary as app passwords, or new 2FA entries. Don't forget to update the passwords on your non-Fastmail clients to match!

I never received the verification code via SMS for my recovery phone

Our SMS support is provided by Twilio and there are a few carriers around the world they don't yet integrate with (along with the 1000 or so that they do). Raise a ticket and our support team can help you get two-step verification set up without verifying your recovery phone.

You must set up a recovery backup email and print out or write down your recovery code if your recovery phone doesn't receive SMS from us, otherwise you won't be able to regain access to your account if you lose your two-step verification device.


If you're interested in reading more about why these changes were implemented and what they mean for you, our blog has a series on security: