Interview with Jonas Falck, CEO of Halon.io
Few people know email and email security as well as Jonas Falck - or that's my impression anyway. He started a business in firewalls that evolved into a full fledged SMTP software solution that meets high demand customers, and they're doing a great job in the marketplace. It was a pleasure sitting down with Jonas and learning more about the offerings by Halon.io, and I can sense his enthusiasm in really serving the needs of all of us out there who are using Halon's services behind the scenes.
Can you tell us a bit about what Halon does?
We built is a scriptable SMTP software solution, a toolbox for everything within email. It has a bunch of security on top of that, antivirus, encryption, signing, etc. It's built for high demand types of customers. Some say SMTP Server, others use MTA Software to describe some functionality we offer, but as we are capable to do much more than just one single task, we call it Halon the SMTP Software Solution, due to the flexibility of usage.
When and why would someone use Halon services? Our focus is on creating unparalleled solution for high demand types of customers who want to create a competitive service, within a short development timeframe and at the same time at a low cost. We have built the software server ourselves specifically for the hosting space (service providers, ISPs) that have the need to build email infrastructure with reliability and service offerings. When they have that type of need for a high demand type of infrastructure, that's when they use Halon.
How did you start the company? Please tell us how your consulting group evolved.
I started it in 2002, and believe it or not, we started building firewalls. The firewall was built on OpenBSD, which was big in Sweden in 2002. In that time, more and more services were added into typical firewall devices, like unified threat management, so we built an SMTP proxy for anti-spam within the firewall, and we had more and more customers using the firewall specifically for that UTM proxy. That's how it started for us to decide to create a dedicated SMTP Software server. Today, the company is not working with firewalls but we are fully dedicated to evolving our SMTP software.
You're a serial entrepreneur, Jonas. Tell us more about the companies you've worked with. Well I thrive on new opportunities and technical challenges and I have been working with a numerous local companies in Sweden. I guess I didn’t get my real buzz until we founded Halon, my brother and I. Now I could really focus on what I love; engaging people within the technical space and developing products that really work. I have a background as a network engineer and I did start consulting firms within the networking space, back in the days. But then I was a developer, also part of my background, naturally that's history now :)
You have a background in security. Let's say someone wanted to work in cybersecurity. What advice would you recommend he follow and what should he learn to be a great online security expert?
First of all, you definitely need to be interested in the subject. You have to dig deep into it. Also, having a developer background makes a lot of sense - you will be doing engineering around a lot of code and need to know how the system works and how the hardware and software functions. You should do a lot of analyzing packets, behavioral code etc. There could be a lot of reverse engineering too.
It's not just a defense mechanism but it's an offense mechanism that you want to study and practice. Read security forums, technology forums, security lists, etc. We do that all the time and we're part of those forums as well. So, most importantly, participate in these forums as you will learn a lot from the community.
Can you tell us about the backend interface of Halon? (Please send pictures too!) What options are available to administrators and end users?
The whole software server is sort of a backend and frontend. The backend is part of our IP or secret sauce. The backend is a scriptable engine where you can do pretty much anything within the context of email/SMTP. Additionally, within the backend you can also interconnect to external systems to fetch data, make decisions on how traffic goes, work with APIs, etc. - and this whole backend can be tailored and utilized through APIs or through the scripting engine.
Within this backend, there are mechanisms within SMTP that can help do things like signing messages, routing, doing queue handling, deliverability options, analytics, data loss prevention, review MIME types of messages, etc.
The engine we’ve build allows you to do very cool stuff within the transmission of the message. For instance, you can make decisions based on the different layers of the transport, more on the connection level or on the server level, decisions on the receiver, who is the sender of the message, the content of the message, and also on where you should deliver and queue and transport, and the mechanism after you send the message as well.
I think about it like different layers or transmission where you do different interactions and capabilities during the transmission of the message. It enables the customers to do a lot of exciting decision making depending on the layer of the message and that data. If it wasn't delivered, what should we do? What happens if another server isn't handling it? Do we queue or send it to another server? We also provide different tools and user interfaces where the admin or end users can control this as well. The admin interface controls the whole platform, but end users can handle archiving, logging, etc. We've built a bunch of different Github open source projects and tools and interfaces to the whole SMTP servers that we provide to customers.
I noticed you have an API. What unique integrations have you seen used with Halon?
That's a loaded question. Where to start? You can check things like if a user exists, or doing something very dynamically like routing to several different mail servers, that could also be a way of using the API. Querying more of the external sources to do decision making from that result is also done.
It could be from decision making from authentication, messages and fetching data for that, etc. We have integrated with different vendors like cPanel as well. It's a very open API.
Can you explain the importance of mail security?
Email is the go-to form of business communication. It's convenient, well-adapted, and so on, but it need to become trusted and confidential which it isn't today. But mechanisms like DMARC and DKIM+SPF and query farming the signature of the message will help secure the communications. That's very important to add to security aspects and push these types of technologies. DMARC has become more known and adapted, and has been most recently an official standard that customers will start to use. You don't want your email to be read by someone, and today, that's the issue. But it doesn't have to be - there are methods like authentication and using additional security like DANE is something we push to our clients and the industry in general.
Gmail just started showing if emails are signed. What do you think about this?
We've actually spent time on it. When they announced it, we made a contributing blog post - our CTO wrote about what this TLS icon really means. In Gmail's case, it's good for the industry, but TLS is opportunistic. MTAs/SMTP servers don't have to use TLS. You can always go back and send a message via cleartext. There's no standard for checking the certificate, which is why we're pushing DANE. It's good to get more awareness about it, but it doesn't solve everything, so it's where we want to push DANE and DNSSEC to solve the issue.
How do you evolve in the marketplace, knowing that there are always new vulnerabilities and exploits that are being distributed across the board?
It's all about participating in forums and studying ongoing threats, visiting open source forums, security forums, etc. That's how we evolve in the marketplace from a security and technology perspective. We're not talking about weekly or daily - we're talking about real-time. We do participate behind the scenes, so we have patches and fixes when these vulnerabilities come out publicly. We have short cycles of releases - 6-8 weeks of new releases of our software - but when there are vulnerabilities, we are extremely fast to have new patches for that. We're also open and transparent about it.
Can you tell us about your open source projects and commitment to that space?
Since we started building firewalls, we were initially on an OpenBSD platform and then on FreeBSD and back to OpenBSD, so we're close to that community and developers. When we saw things that needed to be fixed, we added additional features that may not have been in the original package and made those open source--we contributed back. We have also built open source tools for our SMTP software, such as testing tools. For instance, we have built a DKIM library for spam messages and it is a lib that is known for many mail servers today. It's open source on github and maintained by us. We also have a lot of toolsets like logging, archiving, a control mechanism, etc.
What are your plans for the next 24 months?
Of course, a strong engagement in the security industry, and continued advocating for DANE, DNSSEC, DMARC among all. For the company, we want to grow our worldwide presence as a leading SMTP standard for the hosting and service industries.
Is there anything else you would want to tell us that we may have missed?
I normally like to ask people I meet about their email, “What would you do if your email stopped working?” They'd probably blame the technology and at some point change their provider. Funny enough, email has become one of the most unpopular ways to do business or communicate and at the same time it is by far the most common go-to form of business communication. How does that sum-up, I guess compare it to a love & hate relationship? The common knowledge is, don’t trust email senders you don’t already know. People still think emails disappear, but there are still ongoing successful phishing attacks, and we still get our accounts hijacked and so forth.
There are technologies to stop all of this and make email safer; it’s a matter of consolidating those techniques and working alongside the community. If we do that, we sure can make email perfect.