Mailbox.org: German email provider offering full inbox encryption
Mailbox.org is a new email service by the German company Heinlein Support GmbH. It offers several interesting security and privacy features and is based on Open-Xchange version 7.4.2.
The homepage of the service is entirely in German, but the actual web mail interface is not. It is available in several languages including English, Spanish, Dutch, French and Italian. The only part of the web interface that is not available in other languages yet is the Settings > Mailbox.org page.
This is the page where you change your account type, your password, or force the encrypted sending of emails to recipients who do not use PGP.
The first thing that you need to know is that the service is not free. It starts at €1 per month for three email aliases, 2 Gigabytes of mail storage and 100 Megabytes for Office documents.
The company notes that you do not have to worry about advertisement -- there is none -- and that emails won't be scanned, analyzed or transmitted to third-parties.
When you create an account -- you do not have to pay directly, as you can use it as a limited account for 30 days -- you are only asked to provide the company with your username and password, and with your first and last name. All other fields are optional and do not need to be filled out if you do not want to.
The privacy protection page lists all data that is stored by the company and for how long it is stored. The page is only in German right now. Here is a short summary:
- Web server: IP access, but no linking between IP addresses and accounts. Stored for 4 days.
- Mail Server SMTP: Sender and recipient, Message ID and size. Stored for 7 days.
- Mail Server POP3/IMAP: IP address and account login. If mails are deleted, the message ID and size. If mail is moved, message ID and size, and the originating and destination folder. Stored for 4 days.
- Administration: First and last name, optionally other data if entered during account registration. If administrative changes are being made, the IP address of the user who made those changes is logged for 7 days.
Data is stored mostly for verifiability purposes, to find out if an email has been delivered to a user if the user claims that it was never received.
One of the interesting features of Mailbox.org is the option to encrypt the mail inbox. This is done using PGP which account owners need to install on their computer systems first.
It is then a matter of opening Settings > Inbox encryption on the Mailbox.org website to activate the feature.
Emails are encrypted using PGP. The subject, sender and recipient are not encrypted because of the way email works.
Technically speaking, all plain incoming emails will be encrypted using your PGP public key once they hit your inbox.
Those mails can only be read with your private key afterwards. Even mailbox.org cannot access them anymore.
It is theoretically still possible to gain access to those emails, but only before they hit the inbox. Emails that are not encrypted by the sender can be read by anyone listening in on any of the servers they pass through.
If you enable the encryption, only emails will be encrypted. The address book, calendar and tasks that are also available on the mail portal are not. The company plans, however, to introduce encryption to these areas as well.
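One way to check that inbox encryption is actually applied to stored mail, and to see what remains readable, is to audit messages exported from the mailbox. The following is an added example, not code from Mailbox.org or from the original article. It assumes messages are available as raw RFC 822 text and are stored either as PGP/MIME (RFC 3156) or with inline PGP armor; the function names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.message import Message

# Headers the article says stay readable even with inbox encryption on.
CLEARTEXT_HEADERS = ("From", "To", "Subject")

def pgp_state(msg: Message) -> str:
    """Classify a stored message as 'pgp-mime', 'pgp-inline' or 'plaintext'."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"  # RFC 3156 container
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if b"-----BEGIN PGP MESSAGE-----" in body:
                return "pgp-inline"
    return "plaintext"

def audit(raw: str) -> dict:
    """Report the encryption state and the metadata still visible to the server."""
    msg = message_from_string(raw)
    exposed = {h: msg[h] for h in CLEARTEXT_HEADERS if msg[h] is not None}
    return {"state": pgp_state(msg), "exposed_headers": exposed}

# Constructed sample messages (placeholder body, not real ciphertext).
ENCRYPTED = """\
From: alice@example.org
To: bob@example.net
Subject: Q3 invoice
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
(constructed placeholder)
-----END PGP MESSAGE-----
--b1--
"""
PLAIN = "From: alice@example.org\nTo: bob@example.net\nSubject: Lunch?\n\nSee you at noon.\n"

if __name__ == "__main__":
    for name, raw in (("encrypted", ENCRYPTED), ("plain", PLAIN)):
        print(name, audit(raw))
```

Any message reported as `plaintext` after the feature is enabled was stored without encryption, and `exposed_headers` shows the metadata that PGP does not protect in either case.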
Mailbox.org offers another feature in this regard. You can force the use of SSL/TLS encryption. The consequence is that emails will only be delivered if the receiving provider accepts SSL/TLS encrypted connections. If not, no emails will be transferred.
Drive and Office access
Another interesting feature is the built-in Drive module. You can save attachments to Drive to view or edit them directly on the webmail interface.
This works similarly to how Google Drive or Microsoft OneDrive work.
All saved documents are displayed when you open Drive. You can click on any to display a preview -- if available -- or select additional options that include editing right on the page.
You can then print those documents, save them to the local system, or send them to email recipients.
Here is a list of all account types that Mailbox offers currently:
- Mail for €1, 3 Email aliases, max 10,000 emails per day, 2 GB email storage, 100 MB Office document storage.
- Mail XL for €2.50, 25 Email aliases, max 10,000 emails per day, 5 GB email storage, 100 MB Office document storage.
- Mail XXL for €3.50, 25 Email aliases, 50,000 emails per day, 25 GB email storage, 100 MB Office document storage.
- Office for €4.50, 25 Email aliases, 50,000 emails per day, 25 GB email storage, 25 GB Office document storage.
- Office XL for €10, 25 Email aliases, 50,000 emails per day, 50 GB email storage, 100 GB Office storage.
- Office XXL for €25, 25 Email aliases, 50,000 emails per day, 50 GB email storage, 500 GB Office storage.
You can make payments using PayPal, Bitcoin, bank transfers, by sending money directly to the company, or by bank draft.
Mailbox.org improves email security in several ways without reinventing the wheel. To make use of the encrypted inbox feature, it is necessary to install PGP and create a key pair. If you already have one, you simply add your public key in the settings and are good to go.
The privacy protection of the service seems to be excellent, with data only being stored for as long as it is needed before it is automatically deleted again.
The Drive component with its document editing option adds even more value to the service.
The one thing that is problematic right now is the front page, which is only available in German, and the mailbox.org settings page, which is also only available in German at the time of writing.
It is however likely that this will change over time.