Mailbox.org: German email provider offering full inbox encryption
Mailbox.org is a new email service by the German company Heinlein Support GMBH which features several interesting security and privacy related features, and based on Open-Xchange version 7.4.2.
The homepage of the service is entirely in German, but the actual web mail interface is not. It is available in several languages including English, Spanish, Dutch, French and Italian. The only part of the web interface that is not available in other languages yet is the Settings > Mailbox.org page.
This is the page were you change your account type, your password, or force the encrypted sending of emails to recipients who do not use PGP.
The first thing that you need to know is that the service is not free. It starts at €1 per month for three email aliases, 2 Gigabytes of mail storage and 100 Megabytes for Office documents.
The company notes that you do not have to worry about advertisement -- there is none -- and that emails won't be scanned, analyzed or transmitted to third-parties.
When you create an account -- you do not have to pay directly, as you can use it as a limited account for 30-days -- you are only asked to provide the company with your username and password, and with your first and last name. All other fields are optional and do not need to be filled out if you do not want to.
The privacy protection page lists all data that is stored by the company and for how long it is stored. The page is only in German right now. Here is a short summary:
- Web server: IP access, but no linking between IP addresses and accounts. Stored for 4 days.
- Mail Server SMTP: Sender and recipient, Message ID and size. Stored for 7 days.
- Mail Server Pop3/IMAP: IP address and account log in. If mails are deleted, the message ID and size. If mail is moved, message ID and size, and the originating and destination folder. Stored for 4 days.
- Administration: First and last name, optionally other data if entered during account registration. If administrative changes are being made, the IP address of the user who made those changes is logged for 7 days.
Data is stored mostly for verifiability purposes, to find out if an email has been delivered to a user if the user claims that it was never received.
Inbox encryption
One of the interesting features of Mailbox.org is the option to encrypt the mail inbox. This is done using PGP which account owners need to install on their computer systems first.
It is then a matter of opening Settings > Inbox encryption on the Mailbox.org website, to activate the feature.
Emails are encrypted using PGP. Subject, sender and recipient emails won't be encrypted due to limitations of how emails work.
Technically speaking, all plain incoming emails will be encrypted using your PGP public key once they hit your inbox.
Those mails can only be read with your private key afterwards. Even mailbox.org cannot access them anymore.
It is theoretically still possible to gain access to those emails, but only before they hit the inbox. Emails that are not encrypted by the sender can be read by anyone listening in on any of the servers it is passing through.
If you enable the encryption, only emails will be encrypted. The address book, calendar and tasks that are also available on the mail portal are not. It is planned however by the company to introduce encryption to these areas as well.
Mailbox.org offers another feature in this regard. You can force the use of SSL/TLS encryption. The consequence is that emails will only be delivered if the receiving provider accepts SSL/TLS encrypted connections. If not, no emails will be transferred.
Drive and Office access
Another interesting feature is the built-in Drive module. You can save attachments to Drive to view or edit them directly on the webmail interface.
This works similar to how Google Drive or Microsoft OneDrive works.
All saved documents are displayed when you open drive. You can click on any to display a preview -- if available -- or select additional options that include editing right on the page.
You can then print those documents, save them to the local system, or send them to email recipients.
Here is a list of all account types that Mailbox offers currently:
- Mail for €1 - 3 Email aliases, max 10,000 emails per day, 2 GB email storage, 100 MB Office document storage.
- Mail XL for €2.50, 25 Email aliases, max 10,000 emails per day, 5 GB email storage, 100 MB Office document storage.
- Mail XXL for €3,50, 25 Email aliases, 50,000 emails per day, 25 GB email storage, 100 MB Office document storage.
- Office for €4,50, 25 Email aliases, 50,000 emails per day, 25 GB email storage, 25 GB Office document storage.
- Office XL for €10, 25 Email aliases, 50,000 emails per day, 50 GB email storage, 100 GB Office storage.
- Office XXL for €25, 25 Email aliases, 50,000 emails per day, 50 GB email storage, 500 GB Office storage.
You can make payments using PayPal, Bitcoin, bank transfers, by sending money directly to the company, or bank draft.
Verdict
Mailbox.org improves email security in several ways without reinventing the wheel. To make use of the encrypted inbox feature, it is necessary to install PGP and create a key pair. If you already have one, you simply add your public key in the settings and are good to go.
The privacy protection of the service seems to be excellent, with data only being stored for as long as it is needed before it is automatically deleted again.
The Drive component with its document editing option adds even more value to the service.
The one thing that is problematic right now is the frontpage which is only available in German, and the mailbox.org settings page which is also only available in German at the time of writing.
It is however likely that this will change over time.
Advertisement
The service will be multilingual in due time. The mailbox.org Office software Open-Xchange already offers a selection of over 20 languages.
Robert that is great, thanks for letting us know about it.
My solution to the whole NSA mass collection issue is not to keep my email in the cloud, encrypted or otherwise. Thanks to near-ubiquitous POP3 access (IMAP is crap), I can download and delete my messages from Yahoo, Hotmail, GMail, AOL, etc. It also allows me to keep my GPG keys in my TBird client and not in a third-party server. Lastly, my TBird is portable and is installed in a Truecrypt volume.
But doesn’t those services carry backups and records of every email sent or received?
Only encrypted if you add your key.
1) They keep backups but from what I’ve read they keep it for at best six months, more if given a court order.
2) They keep records (metadata) much longer, maybe even indefinitely. That’s the trade-off in using a third party email provider, and it’s one I’m willing to accept rather than running my own email server.
Given the above, my solution is still preferable than the alternatives (other than staying offline). My exposure to NSA bulk collection is limited. The NSA is all-seeing but they cannot keep my data forever (given that I’m not a person of interest). If I keep my data in GMail/Yahoo/Hotmail, then the NSA can potentially data-mine and analyse it forever. Six months vs forever is not even close.
The key point that the Snowden leaks makes is that the NSA can get the info it wants legally or illegally, but it is still limited by the laws of physics and information theory. If we move as much of our data offline while still functioning normally online, then we can at least mitigate our exposure to a large extent.
Please keep in mind, that mailbox.org is a political motivated emailprovider (leftwing supporting). I would
never ever give my data to any political motivated (left- or rightwing driven) company!
The service is now fully available in english: https://mailbox.org/en/
Hi Martin,
maybe time for another look at mailbox.org. I am trialling it at the moment and so far (just started) it seems like a very nice option