SSL Certificate Analysis for webmail.kundenserver.de - Security Grade & TLS Configuration

Open Cached · just now

95/100 SECURITY SCORE

Certificate Information

Subject

C=DE, ST=Rheinland-Pfalz, L=Montabaur, O=IONOS SE, CN=webmail.kundenserver.de, UNKNOWN={:asn1_OPENTYPE, <<19, 20, 80, 114, 105, 118, 97, 116, 101, 32, 79, 114, 103, 97, 110, 105, 122, 97, 116, 105, 111, 110>>}, UNKNOWN={:asn1_OPENTYPE, <<19, 2, 68, 69>>}, UNKNOWN={:asn1_OPENTYPE, <<19, 15, 82, 104, 101, 105, 110, 108, 97, 110, 100, 45, 80, 102, 97, 108, 122>>}, UNKNOWN={:asn1_OPENTYPE, <<19, 9, 77, 111, 110, 116, 97, 98, 97, 117, 114>>}, UNKNOWN=HRB 24498

Issuer

C=DE, O=Deutsche Telekom Security GmbH, CN=Telekom Security ServerID EV Class 3 CA

Valid From

July 04, 2025

Valid Until

July 08, 2026 233 days

Public Key

RSA 3072 bit Adequate

Signature Algorithm

SHA256-RSA

SHA-256 Fingerprint

F1:49:D8:F1:61:28:1A:19:4D:DA:84:0F:0B:47:54:2A:BC:38:A2:B7:4D:9C:FC:0F:A9:36:7C:D4:83:74:A8:99

Alternative Names

4 domains

Security Configuration

TLS Protocols

TLS 1.2 TLS 1.3

Forward Secrecy

Supported (Modern clients use PFS)

HTTP Security Headers

Status

Strict-Transport-Security

Good

max-age=31536000 ; includeSubDomains

Content-Security-Policy

Strong

default-src; img-src; font-src; +8 more

X-Frame-Options

Good

SAMEORIGIN

X-Content-Type-Options

Good

nosniff

Referrer-Policy

Good

strict-origin-when-cross-origin

Permissions-Policy

Present

accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=*, geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(self), usb=(), web-share=(), xr-spatial-tracking=()

Recommendations

• Consider adding 'preload' to HSTS for maximum security

CAA Records (Certificate Authority Authorization)

CAA Records

Not Configured (Any CA can issue certificates)

CAA Issues

• No CAA records configured - any CA can issue certificates

Recommendations

• Implement CAA records to restrict which CAs can issue certificates for your domain
• This adds an extra layer of security against unauthorized certificate issuance
• Example: Add CAA record 'example.com. CAA 0 issue "letsencrypt.org"'
• Consider adding 'iodef' record to receive security incident reports

Subject Alternative Names

4 domains

email.kundenserver.de webmail.kundenserver.de webmailcluster.kundenserver.de webmailer.kundenserver.de