EmailDiscussions.com  

Old 10 Apr 2015, 05:54 AM   #1
caulfield87
Member
 
Join Date: Sep 2014
Posts: 41
Posteo Crypto Mail

Just received this to my inbox today:

Quote:
Dear Posteo users,

We have news:
Today we have introduced a new encryption option for you: Posteo crypto mail
storage. The new function was already made available to users this morning. In
the coming weeks, we will progressively make crypto mail storage available for all
accounts. With crypto mail storage you have the ability to personally encrypt all
email data you have saved with Posteo at the click of a button. The encryption
is comprehensive. It encompasses the content and attachments of all emails
saved at Posteo as well as their corresponding metadata (for example, the
subject and email header). As well as your existing email storage, all
newly-arriving emails will be encrypted.

We are making this new encryption feature available to you at no additional
charge. It is important to us that all Posteo users obtain maximum security.
You don’t need any special technical knowledge, either: the encryption is
activated at the click of a button. It occurs in the background without you
needing to do anything.

The data within the crypto mail storage is no longer readable by us. We can
not deactivate the encryption; only you can do this yourself. You can see
whether this new encryption option is already available for your account
via “Encryption” -> “Posteo crypto mail storage”. If it is not yet available,
we ask for your patience. Crypto mail storage will be made available to all
users in the coming weeks.

Encryption at the click of a button - with the help of your password
As soon as you have activated crypto mail storage in the settings of your
account, Posteo creates a personalised key pair for you. Using this, we
encrypt all the email data (content, attachments and metadata). This
occurs with the part of your key that is responsible for “encrypting”. Each
email is encrypted individually. The key that can make an email “readable”
again is stored in the Posteo database, protected by your password. Thus,
only you can access your encrypted email storage. Nothing changes in the
workflow in your account: if you click on an email when crypto mail storage
is activated, it is made readable for you in the background – and only for
the moment of access. You manage your emails just as simply and
conveniently as before.

Password must be taken special care of
When you have activated crypto mail storage, you need to take special
care with your password. The password is the key to your data. If crypto
mail storage is activated and you forget your password, you will lose
access to your encrypted email storage. The password reset function is no
longer available to you, as your data is encrypted using your forgotten
password. Posteo support can no longer reset your password or deactivate
the encryption.

Crypto mail storage is a plug-in we developed for the open-source email
server Dovecot. Asymmetrical encryption occurs with the help of RSA;
symmetrical encryption and authentication happens with AES and HMAC.
Hashing occurs with bcrypt.

Further information can be found on our encryption info page:
<https://posteo.de/en/site/encryption#kryptomailspeicher>

Comprehensive tests and external security audit
Your personal email data is a sensitive commodity and worthy of
protection. For this reason, extensive preparation work has been done
prior to making crypto mail storage available. We not only comprehensively
tested our encryption plug-in internally: the feature was also submitted to
an external, multi-level security audit (by Cure53).

Transparent code and legal check
In addition, we had the legal situation clarified in advance. The result
was that in Germany, email providers can not be compelled to “break”
encryption.

We have implemented the crypto mail storage such that from a technical
standpoint, the encryption initiated by Posteo users can not be removed
by Posteo. In addition, the code for the encryption is openly viewable for
reasons of transparency. This conforms to our open-source strategy and
is an essential trust-building measure in the post-Snowden era.

Can be combined with all other encryption options
Posteo crypto mail storage can be combined with all other Posteo
encryption features without issue. Thus, you can encrypt all your calendar
and address book data at the click of a button. Posteo inbound encryption,
which encrypts all newly-arriving emails with OpenPGP or S/MIME, can also
be combined with crypto mail storage without issue.

If you already use inbound encryption, we recommend also activating crypto
mail storage, as crypto mail storage encrypts not only newly-arriving emails
but also all emails in all folders of the account as well as their corresponding
metadata.

If you already use end-to-end encryption, you will also profit from crypto
mail storage. The end-to-end process such as OpenPGP will generally only
encrypt the content of individual emails, and not your saved emails or the
emails’ metadata. Our password-based crypto mail storage constitutes
comprehensive encryption, which distinctly increases the security level at
Posteo. For maximum security, we recommend securing access to your
crypto mail storage with Posteo two-factor authentication. Then, at login,
not only your regular password will be required, but also a current one-time
password. Such is the overall security level further increased. If you create
local, insecure copies of your email data, we recommend securing all
devices used for this.

We have made numerous pages with information and help instructions on
Posteo crypto mail storage and our other encryption options available on
our website:
<https://posteo.de/en/help/how-do-i-activate-posteo-crypto-mail-storage>

Best regards,
The Posteo team
caulfield87 is offline   Reply With Quote
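
The key handling the announcement describes (a per-account key pair, each email encrypted individually, the private key protected by the password), as an added JavaScript example that is not part of the original post and not Posteo's plugin code. It assumes RSA-OAEP wraps a per-mail AES and HMAC key and uses scrypt in place of bcrypt, since Node's standard library has no bcrypt; all function names are hypothetical.

```javascript
// Added sketch, not Posteo's plugin code. Assumptions: RSA-OAEP wraps a per-mail
// AES+HMAC key; scrypt stands in for bcrypt (Node's standard library has none).
const crypto = require('node:crypto');

const split = (k) => [k.subarray(0, 32), k.subarray(32)]; // [AES key, HMAC key]
const kek = (password, salt) => split(crypto.scryptSync(password, salt, 64));

// Encrypt-then-MAC: AES-256-CBC, then HMAC-SHA256 over iv || ciphertext.
function seal(encKey, macKey, plaintext) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const body = Buffer.concat([iv, c.update(plaintext), c.final()]);
  return Buffer.concat([crypto.createHmac('sha256', macKey).update(body).digest(), body]);
}
function open(encKey, macKey, blob) {
  const tag = blob.subarray(0, 32), body = blob.subarray(32);
  const want = crypto.createHmac('sha256', macKey).update(body).digest();
  if (!crypto.timingSafeEqual(tag, want)) throw new Error('MAC check failed');
  const d = crypto.createDecipheriv('aes-256-cbc', encKey, body.subarray(0, 16));
  return Buffer.concat([d.update(body.subarray(16)), d.final()]);
}

// Activation: generate the key pair, store the private half wrapped by the password.
function createAccount(password) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const salt = crypto.randomBytes(16);
  const der = privateKey.export({ type: 'pkcs8', format: 'der' });
  return { publicKey, salt, wrappedPrivateKey: seal(...kek(password, salt), der) };
}

// Delivery needs only the public key, so mail can be stored while the user is offline.
function storeMail(account, message) {
  const mailKey = crypto.randomBytes(64); // fresh key material for every mail
  const wrappedKey = crypto.publicEncrypt({ key: account.publicKey, oaepHash: 'sha256' }, mailKey);
  return { wrappedKey, blob: seal(...split(mailKey), Buffer.from(message)) };
}

// Reading needs the password: it unwraps the private key, which unwraps the mail key.
function readMail(account, password, stored) {
  const der = open(...kek(password, account.salt), account.wrappedPrivateKey);
  const priv = crypto.createPrivateKey({ key: der, format: 'der', type: 'pkcs8' });
  const mailKey = crypto.privateDecrypt({ key: priv, oaepHash: 'sha256' }, stored.wrappedKey);
  return open(...split(mailKey), stored.blob).toString();
}

// A password change re-wraps only the private key; stored mail is untouched.
function changePassword(account, oldPw, newPw) {
  const der = open(...kek(oldPw, account.salt), account.wrappedPrivateKey);
  const salt = crypto.randomBytes(16);
  return { ...account, salt, wrappedPrivateKey: seal(...kek(newPw, salt), der) };
}
```

With the password gone, nothing stored on the server can open `wrappedPrivateKey`, which is why the announcement says support can no longer reset it.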

Old 10 Apr 2015, 06:52 AM   #2
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
This is a really good move in my opinion.

Posteo.de is becoming a really good e-mail provider. Sadly, they do not support own domains and do not plan to do it. That allied with the rather slow/weak webclient has not made me purchase an account, but that might change soon.
17pm is offline   Reply With Quote
Old 10 Apr 2015, 03:29 PM   #3
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
Thank you for this news
jl66 is offline   Reply With Quote
Old 10 Apr 2015, 08:05 PM   #4
caulfield87
Member
 
Join Date: Sep 2014
Posts: 41
Quote:
Originally Posted by 17pm View Post
This is a really good move in my opinion.

Posteo.de is becoming a really good e-mail provider. Sadly, they do not support own domains and do not plan to do it. That allied with the rather slow/weak webclient has not made me purchase an account, but that might change soon.
Don't know what you mean with slow/weak webmail (maybe you're not from Europe, so it's slower?) but on my side, it works really fast. What I like is that they're committed to using only open-source clients, that they branded them accordingly (it's by far the prettiest Roundcube iteration to date).

They've added another grey theme for it, and are adding more, so there'll be more to choose soon.

But functionality is fantastic.

And what I like most is that a business can be conscious, and still be sustainable, and well, business.

And the yearly transparency report is really a humongous + in my book.
caulfield87 is offline   Reply With Quote
Old 10 Apr 2015, 08:15 PM   #5
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
Quote:
Originally Posted by caulfield87 View Post
Don't know what you mean with slow/weak webmail (maybe you're not from Europe, so it's slower?) but on my side, it works really fast. What I like is that they're committed to using only open-source clients, that they branded them accordingly (it's by far the prettiest Roundcube iteration to date).

They've added another grey theme for it, and are adding more, so there'll be more to choose soon.

But functionality is fantastic.

And what I like most is that a business can be conscious, and still be sustainable, and well, business.

And the yearly transparency report is really a humongous + in my book.
I agree with everything you said but I need my own domain. It would be near perfect if we could use our own domain. Their explanation of why they don't support it doesn't make much sense to be honest, not to me at least.

About the webclient:

It's not that it's slow, but it's not as fluid as FastMail's. Nothing is as good as FM's webclient though. I might have made a bad move by buying an account with FM. I am now used to them and it's very very hard to find an alternative...

EDIT: They should also allow the use of more aliases for free.

Last edited by 17pm : 10 Apr 2015 at 08:24 PM.
17pm is offline   Reply With Quote
Old 11 Apr 2015, 02:32 AM   #6
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
I am moving to them, I like the new features.
I understand what 17pm is saying: FM is very fast and Posteo is slow with Roundcube, but not all is about being fast, and I prefer Posteo; FM has disappointed me.
Posteo offers great features if you love security, but yes: only 2 free aliases.
I love encryption in servers, DANE, plugin to use PGP, real 2FA and many other features
jl66 is offline   Reply With Quote
Old 11 Apr 2015, 06:05 AM   #7
Eireannach
Member
 
Join Date: Mar 2015
Location: Ireland
Posts: 40
Privacy v common good

Posteo is a very interesting provider. I looked at them a little while back and thought the interface was indeed a bit slow and clunky (I am in Europe). This latest addition though raises the bar again and I may take another look.

One thing that has been bothering me a bit recently as I read more and more of the contributions here at Email Discussions is the whole privacy thing. With more providers (not just Posteo) providing encryption, anonymous payment, setup etc., I wonder whether the "bad guys" are naturally going to be attracted to these providers. I do not really want to be rubbing shoulders with the bad guys. By supporting these "extreme" privacy providers, albeit for perfectly legitimate "normal" privacy concerns, are we in fact facilitating the bad guys by providing them with a tool for nefarious purposes?
Eireannach is offline   Reply With Quote
Old 11 Apr 2015, 02:30 PM   #8
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
No, because authorities can always get the future data if a judge considers there is enough proof against some person; this is normal and good. What is not: monitoring all people's emails even without a subpoena, as other email providers do or allow. These features are against attacks sniffing connections while you are online (man-in-the-middle attacks), against bad people reaching the server to get your data, etc., and this is always good.
jl66 is offline   Reply With Quote
Old 15 Apr 2015, 01:06 AM   #9
caulfield87
Member
 
Join Date: Sep 2014
Posts: 41
What jl66 said.

If you read through the transparency report, you'll see Posteo had to comply with some subpoenas.
caulfield87 is offline   Reply With Quote
Old 26 Apr 2015, 10:02 PM   #10
vazwaz
Senior Member
 
Join Date: Jul 2005
Location: Here
Posts: 130
This is good news. I have just activated it on my account. I moved to Posteo from Runbox because I have given up on Runbox ever implementing 2FA this century and their webmail is the worst.
For 1€ per month Posteo is unbeatable in my view.
vazwaz is offline   Reply With Quote
Old 27 Apr 2015, 12:41 AM   #11
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
Quote:
Originally Posted by vazwaz View Post
This is good news. I have just activated it on my account. I moved to Posteo from Runbox because I have given up on Runbox ever implementing 2FA this century and their webmail is the worst.
For 1€ per month Posteo is unbeatable in my view.
I did it too!, and waiting for Runbox until I finish my subscription at the end of this year to decide if I continue or not... I love posteo
jl66 is offline   Reply With Quote
Old 27 Apr 2015, 03:10 AM   #12
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
Quote:
Originally Posted by jl66 View Post
I did it too!, and waiting for Runbox until I finish my subscription at the end of this year to decide if I continue or not... I love posteo
I am doing the same in regards to Runbox. See if they give something worthwhile until September.

I am thinking about joining Posteo but without supporting the use of our own domains, I don't think I will.
17pm is offline   Reply With Quote
Old 27 Apr 2015, 03:48 AM   #13
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
Quote:
Originally Posted by 17pm View Post
I am doing the same in regards to Runbox. See if they give something worthwhile until September.

I am thinking about joining Posteo but without supporting the use of our own domains, I don't think I will.
They say they do it for privacy reasons:


Can I use Posteo with my own domains?

No, this is not possible. We certainly understand that having your own domain is very important in the commercial industries. But a domain needs to be registered to the name and address of an individual. If we offered this, we would need to save the registration details of everyone who uses their own domain with Posteo and to provide these to the Federal Network Agency to be provided on request to the authorities.
This would still be the case even if only the MX record pointed to us. We have therefore decided not to offer this possibility and instead to use data economy. It is, however, possible to add various other email addresses with external domains as senders in the webmail interface and thereby to send emails with Posteo using external domains. In order to be able to read replies to these messages, you need to set up forwarding to Posteo for the external address.
jl66 is offline   Reply With Quote
Old 27 Apr 2015, 04:30 AM   #14
17pm
Cornerstone of the Community
 
Join Date: Sep 2013
Posts: 536
Quote:
Originally Posted by jl66 View Post
They say they do it for privacy reasons:
I know that, but I find their stance a bit hypocritical. Privacy is not binary, it's a spectrum.

They accept payments made by PayPal/credit card. For the same reasoning they use to reject the use of own domains, shouldn't they allow only payments by bitcoin/money?

They're not forcing people to encrypt the emails, they're however forcing people not to use their domains.

Sure, using my own domain might not be perfect, privacy-wise. But I would still get to encrypt my e-mails and so on. I'd be better off using Posteo with my own domain than any other provider.

Also, domains for business is pretty much a must.

Last edited by 17pm : 27 Apr 2015 at 03:32 PM.
17pm is offline   Reply With Quote
Old 27 Apr 2015, 06:33 AM   #15
jl66
Essential Contributor
 
Join Date: Oct 2013
Posts: 413
Well, they don't link payments to particular accounts to ensure privacy, and with domains I understand that it's an obligation to provide the personal data. I don't know very much about it anyway.
jl66 is offline   Reply With Quote