91 comments

[ 2.6 ms ] story [ 160 ms ] thread
Full disclosure: I'm a new user of mailbox.org, but not otherwise affiliated.

I find its approach to useable security features interesting, especially considering the entry-level price points.

edit: typo

I really hate the kind of “Privacy made in Germany” way of marketing, especially since I am german.

Mailbox.org seems decent from what I've heard but products advertised like this are mostly sheer bullshit. I don't know why transferring a “quality” label from (oldschool) engineering products to IT even works.

Also German and I agree, too. When all other arguments fail, slap a stupid country-based label onto your product.
I think they're referencing the fact that it's outside of the US, for privacy reasons. Not the quality of the software engineering.
Right, but at this point, German privacy laws are pretty horrible, too, and getting worse as we speak. The BND (German intelligence agency) also works closely with the NSA, and considering what's publicly known, it wouldn't surprise me, if the two exchange essentially all data behind closed doors.
What's more Interior Minister de Maizière is pushing an anti-encryption agenda.
Last Interior Minister who tried something like that did not got away with it unharmed [0]. De Maizère is one of the (or the, nobody likes von der Leyen) last remaining big shots of the CDU, Merkel has not killed yet. She is a funny silent killer and does it by stating that "X has her fullest [sic] trust" ("hat mein vollstes Vertrauen") after which they resign [1]. The German government consists entirely of people who are no thread to her: her own team (consisting of uncharismatic men), old men, younger woman, experts nobody knows, people from the smaller CSU and politicians from the SPD, who destroyed itself so badly that Merkel can even reap the rewards for the liberal policies they introduce. Underwood could learn so much from her, she killed two political parties and a generation of politicians in her own, while herself surviving one (world-scale) crisis after another.

[0] https://en.wikipedia.org/wiki/Stasi_2.0

[1] http://hatmerkelschonihrvertrauenausgesprochen.de/

The biggest risk to your privacy is your provider getting hacked, not the NSA.
There's a German law forcing telcos and email providers with more than 10.000 customers to provide access for law enforcements.

German wikipedia article about it: https://de.wikipedia.org/wiki/E-Mail-%C3%9Cberwachung

Makes sense for their point of view. Pro tip: if you don't want your government spy on you in the democracy you live in. Store your data in another less interested in you.
Just a reminder that if you choose a friendly/allied country - they will spy on you (a foreigner without privacy rights) and share data with "your" intelligence services (those to whom you might be more interesting). If you choose a hostile country they might spy on you and "your" intelligence services will try to hack your provider because spying on hostile countries is one of the things they do...
It resonates with me. I don't think it's just a reference to engineering quality, Germany is more privacy conscious than some other countries. Whether it's the cypherpunk & privacy-tech scene of Berlin, or the awareness of the consequences of surveillance resulting from the GDR days.

Even in little things: like Germans using cash because they don't want to create an electronic credit card trail of where they were, or walking through Munich train station and seeing Snowden in all the news headlines (in 2013), while back home he was getting nowhere near as much news coverage (and certainly not the front page headline).

I don't know if any of this applies to Mailbox.org, but as a marketing phrase it works for me.

[I'm Australian, but an 'aspiring German'.]

> like Germans using cash because they don't want to create an electronic credit card trail of where they were

... and then using their Payback loyalty cards at every opportunity.

Don't get me wrong: many Germans hold out on loyalty cards and some people may indeed use cash to avoid a paper trail, but you make us Germans sound like mythical privacy-minded creatures which the vast majority of us is decidedly not.

Oh you not know the 'vast majority' of Germans but how they live. Awesome, tell my cousin Sven he... never mind, I'll mail him with this new service.

Serious kid, stop talking out of your ass. Germans use cash to avoid a paper trail? Nothing to do with spending and saving? Because that's the first thing anyone would say. But a dishonest person who wants people to think of privacy as your having something to hid would say paper trail.

Some other retard said something about nothing to worry about? Ok, you're 15 and don't remember the STASI but you should heard have heard something.

Look at all the shills... You don't like the branding... and after that, let's talk about another service. This place is becoming Reddit.

It's a relative thing - I know most Germans don't see themselves as privacy-minded, but the bar is so low everywhere else that the little things in Germany add up & make it stand out.

One example is browsing Google Street View and seeing how many buildings & houses are blurred out in Germany due to people sending privacy requests. I don't think I've ever seen that in Australia, but I keep encountering it when planning my trips to Germany. 3% of Germans opted-out of their house being included in Street View - a low percentage of Germans, but still crazy high compared to the rest of the world:

https://googlepolicyeurope.blogspot.com/2010/10/how-many-ger...

Just in case the moderators aren't catching it, the name of the throwaway that posted the dead comment is literally "pluma is a cunt" (in German).

I would respond to their arguments but I'm not sure they're making any and I don't think they're actually disagreeing with me (or even understanding what I'm saying).

If you actually listen to the guy's talks (Heinlein) on youtube, you will see that he cares deeply about privacy. That's all it means, it doesn't mean that the whole German society cares more than others about privacy.
Don't France and Germany want to put backdoors in encryption? > http://www.wsj.com/articles/france-germany-push-for-access-t...
And Germany looked the other way for NSA surveillance for years...
A month or two ago I sent them an encrypted (gpg) mail to their support address but they replied in plaintext and even citing my original request in full.
(comment deleted)
How is it any better than ProtonMail? [0]

[0]: https://protonmail.com

I've been using Protonmail for a year now, and I'm very happy with it. I have several domains on it. The mobile apps are decent (I have iOS and Android), and the web app is fine. It's not perfect, but given their limited resources compared to Google I'm quite impressed.
Does ProtonMail have a feature similar to the "full inbox encryption" [1] mailbox has? Also, there are some nice features in mailbox, like only allowing to send email to other servers which support encryption [2].

I'm genuinely curious if ProtonMail has similar functionality on offer, especially since it appears to be free.

[1] https://support-en.mailbox.org/knowledge-base/article/the-en...

[2] https://mailbox.org/en/ensuring-emails-are-sent-securely/

edit: links

Mailbox.org runs http://open-xchange.com/, so besides email you also get a calendar and (rudimentary but functional) online word processor and spreadsheet, with team collaboration. You can try a demo of the software on the Open-Xchange site.

I've also been a happy customer for about a year now.

Funny they call themselves open exchange with the tag line 'stay open' and they are not actually open source.

edit: maybe they are? http://oxpedia.org/wiki/index.php?title=SourceCodeAccess Why is there no link on main website?

Definitely open source, although no public code development process (~GitHub) from what I gathered. Java backend, BackboneJS frontend.
You can't use their product commercially (Ie. As a company), because their UI is not open source - only their API is.

Also, the document editing is commercial license with 30-day trial license only.

Their commercial license start at 5000€

Better usability since you can have imap. Additionally card-dav, cal-dav.
I think we need more of these types of companies, or at least more competitors in this realm. I've also heard so many good things about FastMail too. We need more mail providers who are: * trustworthy * secure * reasonably priced * etc.

If running my own mail server was not so laborious and headache-inducing, i'd love to move away from google for apps/domain. I have no functional complaints of google; i am happy with their performance without a doubt. Its just that, as every day passes, I keep getting creeped out; its the "ick" factor. And for me it started well before the Snowden disclosures.

If you want to stop using Google for email, but want to keep the domain in Google Apps for whatever reason, you can set up a FastMail account and then configure Gmail to forward all of your email to FastMail. Yeah your email still goes through Google's servers so it's not completely ick-free, but at least you don't have to deal with using Google for email on a day-to-day basis anymore.
I have been using them for about a year and have been quite satisfied. They also support using your own domain at no extra cost.
2 years here, nothing to complain. While the service is relatively new, the people behind it have been in the business way longer. Years ago I set up my first own mail server using their books ;)
Some weeks ago, I was looking (again) for a privacy-oriented alternative email provider. I stumbled upon mailbox.org and some others (like protonmail, and startmail).

I decided to go for mailbox because 1) I know that Germany at the moment has still one of the best regulations about data protection (although I fear this is going to change in the next few years), 2) it provides some features others don't (like protonmail, and startmail). It was worth a try at least, so I decided to use the 30 days trial account.

It looked really good and promising: nice UI, clear documentation, cool domain name if you don't want to use your own. It provides also Office-like, calendar, and storage features. Therefore, I made up my mind, and I was determined to become one of their paying customers. So, I put 12 EUR(1 EUR/month) on the account. A few hours later I found out[0] that mailbox.org is offered by a politically motivated provider called JPBerlin [1]. I sent the cancellation request, and so far my account is still on hold - I could revoke the cancellation, though. An email received after the cancellation request says "please allow us a couple of days". Sure. It's just they took 1 EUR from the account, although I had the cancellation request sent like 10 days before the end of the trial period.

In the end, I would like to say that as a service it looks promising. However, until they stop with their political involvement, I think, not many people will use it.

[0]: http://www.emaildiscussions.com/showthread.php?t=68527 [1]: https://www.jpberlin.de

Might be better to link to the "www" sub-domain [1] of your second URL; otherwise getting SSL cert issues.

[1] https://www.jpberlin.de/

(comment deleted)
I would have recommended Posteo [0]. They are known for their efforts of keeping your stuff private.

[0]: https://posteo.de/en

Thanks for linking. The flexible pricing for additional GB storage and aliases looks interesting.
Regarding your mention of the "politically motivated provider", this [1] is relevant:

Using Google-translate + some tweaks by myself:

"What does political Provider mean?

Even if JPBerlin is a political provider, that does not mean that we ourselves are politically active.

We give politically and socially active organizations the technical infrastructure they need to enable them to work with modern tools such as groupware systems or mailing lists. They should be able to focus on their content rather than vexed with the technology and its implementation.

The JPBerlin itself represents no own political content or opinions. We see ourselves only as a reservoir and implements of the assets from [politically] left, environmental and social areas. And so it is not surprising that we accommodate almost all well-known organizations, foundations, communities and other groups from those circles. Of course we also have non-politically-motivated individuals and organizations as customers.

Our customers have no relationships to each other. The same applies to our position in relation to our clients and their views and work.

Our only position is to be clearly distinct from the [politically] right edge!!"

[1] https://www.jpberlin.de/hilfe/allgemein/was-bedeutet-politis...

Thanks for clarification. I am just worried about the possible implications. My main concern is the message you send whenever you share this email account online, e.g., on a résumé, with a job application, or with a government agency.

If this company has this history, or even worse, it recognizes itself as "kind of left-wing" (and not funded by a left wing party), you never know how people see that. We should have freedom of speech, yet you can't say certain things publicly.

Ah, I don't understand the downvotes in my parent comment. It would be great if people could clarify that.

Are you sure you understand what they mean by saying they are a political provider?
"Privacy oriented" is something I strive for in my own dealings, but centralized service privacy is and always will be lip service. What does "privacy oriented" actually mean? It must be very clearly defined.

Let me give an example. A government entity sends a subpoena to receive all data on an email account. If the service provider is legally mandated to respond with data or face prosecution, what happens? In this case, Google might actually be better for "privacy" because they at least have the economic capability to push back against Doe subpoenas. A small provider won't have the resources to defend against a frivolous subpoena and will hand over everything.

Something to keep in mind when considering this stuff. I really think the only way to at least control the option to defend your privacy is to run your own servers.

> In this case, Google might actually be better for "privacy" because they at least have the economic capability to push back against Doe subpoenas.

I'm pretty sure Google complies with subpoenas for data all the time. Given their scale, they probably even have employees whose full-time job is dealing with government subpoenas for data.

If Turkey ask data from Gmail Google says that the USA has rights for free speach so we cannot give this guy's real IP (who sweared to Erdoğan). On the other hand Hotmail immediatly gives this kind of data to the Turkish prosecuters. Why? Because Government of Turkey is the customer of Microsoft but Google is not. So if you live in Turkey who you would trust? If you live in USA who you would trust? If you live in X who you would trust?
The country where the company and servers are located makes all the difference IMHO. Many things that government can push in US under Homeland Security and similar acts, they can't in Germany. Their privacy laws are much more protective against mass and/or unsubstantiated surveillance, legal services are not that ridiculously expensive as in US, etc.
for now
Currently there are no plans to to extend the jurisdiction of US law to Germany.

But if you ask nicely, the German intelligence service might give you the information you seek.

> Many things that government can push in US under Homeland Security and similar acts, they can't in Germany.

Many of the controversial things done by US intelligence/security services domestically in the "War on Terror" are just things they have long done (and are overtly charged with doing) overseas, but which are controversial (and in some cases outright illegal, either under statute law or the Constitution) when done domestically.

> Their privacy laws are much more protective against mass and/or unsubstantiated surveillance

The NSA is not exactly known for respecting privacy laws in its conduct of global mass surveillance, particularly foreign privacy laws.

You might have a point if you compare FastMail and Google on intrusions for example - FastMail (ie, any small service provider) may not have the same calibre security team Google does.

All providers respond to subpoenas, IIRC. Even if it's just to say "we don't log anything".

After the fastmail fiasco (they increased prices, and now old packages no longer have access to the newest features), I started looking for an alternative and came across mailbox.org... I've been trialing for a few days and they do seem interesting.

I just wish we could use an unlimited number of aliases in our own domain, it doesn't make sense to me otherwise..

They do have some interesting features, such as mailbox encryption as well as calendar/contacts encryption. It's client-side encryption, though it's in the browser.

An alternative to mailbox.org is mailfence.com.

I was about to move from Google to Fastmail (been looking to move away from Google for a while) and then I read your comment. Now rethinking the decision.
Make the move. FastMail is great. I didn't even know there was a fiasco (I knew they changed their pricing structure to make it much simpler, but it doesn't really affect me in the slightest as a normal user). I switched from Google to FastMail a while ago and I haven't had a single regret.
Seconded - the only hiccup I have seen with FastMail in the last 3 years was a recent DDoS attack [1] (and that was minimal). If you are willing to pay a small monthly fee, I think FastMail is an excellent alternative to Google.

[1] https://blog.fastmail.com/2015/11/11/ddos-attack-may-lead-to...

I remember reading about that, though I don't remember if I even noticed it happening at the time. I just want to highlight something from that page that I think is awesome:

> We do not respond to extortion attempts, and we will not pay these criminals under any circumstances.

> it doesn't really affect me in the slightest as a normal user

What is a "normal user"? Previously, FastMail customers could get a Family plan that supported custom domains for as low as $10/user/year. New customers who require custom domains must now pay at least $50/user/year. A 400% price increase is a fiasco.

I think they now offer one extra domain per user and same space, which I think was not the case earlier (I could be wrong here).
For reference, the $10/year plan came with a paltry 250MB of space and no CardDAV or CalDAV access to contacts/calendars. Nobody in my family would be able to use such a plan. The $20/year plan came with a fairly low 1GB of space, and still no CalDAV. It's possible that maaaybe one member of my family might get away with this plan, but I'm guessing that everyone in my family probably has over 1GB of email. The $40/year plan came with 15GB of email, which would probably be sufficient for my family, though I can't state that with 100% certainty. $10 extra per year is not that big of a deal, especially when you realize it comes with even higher limits (25GB, and 10GB for file storage as opposed to the 5GB that the old $40/year plan offered).
It's probably worth clarifying that you have a business account with multiple users, and FastMail have recently implemented a new setup that changes how their business accounts work.

I've used FastMail for my personal mail for about 10 years, and the changes have made no difference to me at all.

I also have a business account with multiple users. I have no idea what OP is talking about. Can you clarify?
What are the new features old packages don't have access to?
Do you have some citation for this "fiasco"? They did change the plans but I was unaware of any significant unhappiness. (And existing users can keep their old plans anyway.)
I think they abandoned a lot of their "freemail" style services but grandfathered existing users in some cases and those grandfathered plans now aren't updated for obvious reasons?

I really can't recall a major negative fallout from that and I'm fairly certain I joined right around the time that happened (the docs were still a mess because a lot of it hadn't been updated yet and referred to the now non-existent plans).

I think they abandoned a lot of their "freemail" style services but grandfathered existing users in some cases and those grandfathered plans now aren't updated for obvious reasons?

I really can't recall a major negative fallout from that and I'm fairly certain I joined right around the time that happened (the docs were still a mess because a lot of it hadn't been updated yet and referred to the now non-existent plans).

There was a fiasco? And I'm not aware of any features that old plans don't have access to. AFAIK the only difference that would be made by me moving to the new plan structure would be paying $50/year for 25GB instead of paying $45/year for 15GB.
It gets a lot more complicated for "Family" and "Business" accounts.

Previously, it was possible to mix users with different plans in the same family or business, so heavy users would get the $40 plan while light users would get the $10 plan. Now it seems that everyone in the family or business needs to have the same plan (usually the $50 plan because of the custom domain requirement). This can increase the cost by up to 400% for some users.

Individual users aren't affected much, especially since they will continue to be billed at the previous price until and unless they decide to change plans.

> An alternative to mailbox.org is mailfence.com.

Do they also use on Open-Xchange?

> your data kept safe by systems compliant with German data protection law.

If everyone you communicate to via email is using either Gmail or Yahoo Mail, then US has your data too right?

I'm a mailbox.org user since a few months.

I like the product it supports open standards, imap, caldav, carddav. If you want you can lock down pretty much everything with pgp. Data is in Germany/EU and the pricing is really fair stars with 1€/month with 3 mail aliases and 2 GB.

The guys behind it seem to be IT people with Linux/open source mindset and good ethics as far as I can judge.

I feel very comfortable with mailbox.org

I use them as well, they have custom domain and two factor authentification support. The only complain is that sharing in their online Office can be buggy, i hope Open-Xchange will fix that, but that's more of a side feature for me. At least their business model seems more honest than Proton Mail.
I am not sure if having my data in mailbox.org is any more private that Microsoft or Google. My gmail doesn't even show any ads.
If you use gmail and don't pay google for Apps account, you are not their customer, that's the difference. How much does Microsoft charge for its email service?
I've been using mailbox for about two years and am now switching to fastmail. The UI is vastly better and works great on mobile. It's also the base for the mobile app which mailbox doesn't have (well, the OX one). And that's the other thing. Having a dedicated app with search integrated and push notifications on iOS is awesome.
If so, and german data protection laws apply, why isn't the TLD .de?
What kind of argument is that? The TLD has nothing to do with privacy laws.
Because TLDs mean nothing? You don't see every US service use .us either. Plus .org has certain connotations (at least in Germany): non-commercial, activism, open source, etc. It's a bit ingenious considering this is a paid service, but they were probably proud they were able to get such a premium domain name.

Also, at least to Germans .de generally implies it's primarily German language and/or limited to a German (speaking) audience.

Actually, your choice of TLD has a huge impact on jurisdiction.

The USoA asserts super-jurisdiction [1] over .com/.net/.org and will seize such domains at will [2], and therefore personally I will never use those TLD's as a non-US citizen. What legal recourse do non-Americans have in such a situation? They would probably have to fight it through US courts which significantly raises the bar for non-American entities.

Another thing to consider is DNSSEC when it comes to TLD's. Domain records are signed top-down.

The ccTLD's fall under the jurisdiction of their respective countries.

I don't even know under what jurisdiction the other/new TLD's fall under, it's probably based on where the owning company is headquartered?

[1] https://yro.slashdot.org/story/12/03/06/1720230/us-asserts-s...

[2] https://en.wikipedia.org/wiki/Domain_name#Seizures

You can use your own domain with mailbox.org and not be affected by any .org issues you may think exist.
People in this discussion are mentioning subpoenas and compliance with same. Are we talking civil as well or just criminal? If I'm sued in Nevada civil court for defamation or something does a German company give a shit?
E-Mail privacy in a 14 eyes country ?
Oh, it's bullshit made in Germany again.

>> When e-mails go unnoticed because of being redirected to a spam folder that you never check, you are in fact still legally liable for such e-mails – as you cannot disprove having knowledge of them. This is a danger that our users can safely ignore: We check for spam and viruses before the e-mails are accepted and reject anything that looks suspicious. This way, you always know exactly what e-mails you have received and read.

How does that even work when they GPG encrypt content. Are they escrowing the private keys?

what a timing of this post. Just as I was ranting about this old 30C3 talk[0] and pointing out what a scam "DE-Mail", "e-brief" and "Trusted-Cloud", etc. is, ... then this is trending on HN. Hilarious.

[0] https://www.linkedin.com/hp/update/6175253192402563072 - or:

[1] http://www.amara.org/en/videos/y1Gk3maFbvNQ/info/bullshit-ma... (select English subs)

Please show me an e-mail SPAM / Virus that is sent GPG-encrypted to you. I do not think that this will ever happen.
I've been customer of mailbox.org for just over a year now. I can't assess the quality of their security, or the lengths they'd go to protect customer privacy, though they seem to know what they're doing. We had a Linux consultant from Heinlein Support at the last place I worked for, and he did his job very well.

I'm also pretty happy with the Card+CalDav-offerings from mailbox.org.

With their customer support, however, im rather disappointed:

mailbox.org offers what they call "Familienaccounts" (non-commercial accounts, meant to share, among other things, calendars and contacts with one another [0]).

Grouping existing accounts into "Familenaccounts" by means of contacting their support team used to be a feature that was offered (and advertised) by mailbox.org, and a feature that I've used for two of my family members in the past.

For some technical reason or other, mailbox.org is unable to convert existing accounts into Familienaccounts any more. This wouldn't be that much of a problem (workaround was to backup data, cancel one account, get that account's credit refunded, ask them to remove that account from their list of blocked accounts, recreate that account as a "Familienaccount", pay for the new account and restore the backed up data).

What rubbed me the wrong way was that it took a month of to and fro emailing with mailbox.org support just to get that information (while they still advertised being able to convert accounts on their website).

When we decided to implement the workaround, it took another month from cancelling the old account to getting the new one working, with my wife unable to receive emails for some time inbetween.

I will continue to use mailbox.org, but in my opinion they really need to improve their support.

[0] https://support.mailbox.org/knowledge-base/article/familien-...