Ask HN: Secure email provider
3 points by drKarl on Aug 27, 2017 | 9 comments
I was looking for a secure email address. After some research, Protonmail, although it looks good and has an A+ SSL rating, can't be used with POP3/IMAP, only with their proprietary API via their web client or mobile client, and that is a deal breaker for me.

Countermail allows you to upload your public key so that any non-encrypted incoming email is encrypted in the inbox. A few others also looked good for one reason or another, including some in offshore locations for extra privacy/anonymity. Then I tested them on the Qualys SSL tool and some other tools and the rating of most was terrible. Countermail had a C rating, what a disappointment.

PFS = Perfect Forward Secrecy
DANE = DNS-based Authentication of Named Entities

My findings were:

- Germany based posteo.de has an A+ SSL rating, including PFS and DANE, and can encrypt incoming email with your public PGP key. The problem is you can't use your own domain, although they do have many domains you can choose from.
- Germany based mailbox.org has an A+ SSL rating, including PFS and DANE, can encrypt incoming email with your public PGP key, and you can use your own domain.
- Belgium based mailfence.com has an A+ SSL rating including PFS, but no DANE. It can encrypt incoming email with your public PGP key and you can use your own domain.

Please note both Germany and Belgium are 14 eyes countries. They have good privacy legislation but if a court warrant was served to give information about a user they would have to comply.

Posteo.de claims that they don't provide the possibility of using your own domain so that they don't know anything about you, so they have privacy in mind. In my case it was for a business email, so I wanted security and being able to use my domain.

Mailfence donates to Electronic Frontier Foundation and Digital Rights Foundation but doesn't support DANE for now. Is DANE that important?

Any other service on par with these that you know? What are your thoughts?
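Since the post asks whether DANE matters, here is an added example (not from this thread, nor from any provider named in it) of what a DANE TLSA record for an MX host actually contains and how a sending server checks it. The record pins a hash of the receiving server's certificate or public key in DNS; a sender that has validated the record via DNSSEC compares it against the certificate presented during STARTTLS. Everything below runs offline: mx.example.com and the byte strings are constructed placeholders standing in for real DER, and no DNS lookup or DNSSEC validation is performed (that validation is the precondition the whole scheme rests on).

```python
"""DANE/TLSA matching as specified in RFC 6698 (record semantics) and
RFC 7672 (DANE for SMTP).  Added example; the certificate and SPKI bytes
are constructed placeholders, only the hashing and matching logic is real."""
import hashlib
import hmac
from dataclasses import dataclass

# RFC 6698 field values (names follow the RFC's terminology)
USAGE_DANE_TA = 2        # data identifies a trust-anchor (issuer) certificate
USAGE_DANE_EE = 3        # data identifies the MX host's own end-entity certificate
SELECTOR_FULL_CERT = 0   # match the entire DER certificate
SELECTOR_SPKI = 1        # match only the SubjectPublicKeyInfo
MATCH_EXACT = 0          # data holds the raw selected bytes
MATCH_SHA256 = 1         # data holds a SHA-256 digest
MATCH_SHA512 = 2         # data holds a SHA-512 digest


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    def to_rr(self) -> str:
        """Presentation format as published in the zone, e.g. '3 1 1 <hex>'."""
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"


def tlsa_owner_name(mx_host: str, port: int = 25) -> str:
    """Owner name an SMTP client queries for the MX host's TLSA record."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def parse_tlsa(rr: str) -> TLSA:
    """Parse presentation format back into a record."""
    usage, selector, mtype, data = rr.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(data))


def usable_for_smtp(rec: TLSA) -> bool:
    """RFC 7672, section 3.1.1: usages 0 and 1 (PKIX-TA, PKIX-EE) are not used
    with SMTP; a client treats such records as unusable and ignores them."""
    return rec.usage in (USAGE_DANE_TA, USAGE_DANE_EE)


def association_data(cert_der: bytes, spki_der: bytes, rec: TLSA) -> bytes:
    """Apply the record's selector and matching type to a presented certificate."""
    selected = cert_der if rec.selector == SELECTOR_FULL_CERT else spki_der
    if rec.matching_type == MATCH_EXACT:
        return selected
    if rec.matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if rec.matching_type == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unknown matching type {rec.matching_type}")


def make_tlsa(cert_der, spki_der, usage=USAGE_DANE_EE,
              selector=SELECTOR_SPKI, matching_type=MATCH_SHA256) -> TLSA:
    """What a mail operator publishes for its MX host (default '3 1 1')."""
    template = TLSA(usage, selector, matching_type, b"")
    return TLSA(usage, selector, matching_type,
                association_data(cert_der, spki_der, template))


def tlsa_matches(rec: TLSA, chain) -> bool:
    """Does the presented chain (list of (cert_der, spki_der), leaf first)
    satisfy rec?  DANE-EE pins the leaf itself; DANE-TA names an issuer
    somewhere above the leaf, so the leaf is never a candidate for it."""
    if not usable_for_smtp(rec):
        return False
    candidates = chain[:1] if rec.usage == USAGE_DANE_EE else chain[1:]
    return any(hmac.compare_digest(association_data(c, s, rec), rec.data)
               for c, s in candidates)


# Constructed placeholder bytes standing in for DER certificates and SPKIs.
LEAF = (b"\x30\x82leaf-cert", b"\x30\x59leaf-spki")
ISSUER = (b"\x30\x82issuer-cert", b"\x30\x59issuer-spki")
ROGUE = (b"\x30\x82rogue-cert", b"\x30\x59rogue-spki")


def demo():
    """Publish a '3 1 1' record for LEAF, then check a genuine and a
    substituted certificate chain against it."""
    published = make_tlsa(*LEAF)
    return {
        "owner": tlsa_owner_name("mx.example.com"),
        "rr": published.to_rr(),
        "genuine": tlsa_matches(published, [LEAF, ISSUER]),
        "substituted": tlsa_matches(published, [ROGUE, ISSUER]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "3 1 1" form is what most operators publish because it survives certificate renewals as long as the key pair is kept; a "2 0 1" record instead names the issuing CA and lets the leaf change freely. In a real client the chain would come from the TLS handshake and the record from a DNSSEC-validating resolver; a record that did not validate must be treated as absent, since an unsigned TLSA answer pins nothing.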



If you care about security in the sense that the EFF does, you should not be seeking out providers that rely on DANE for security. DANE is a tree-structured PKI, like the SSL/TLS web PKI, where world governments have de facto control over the tops of the tree. The overwhelming majority of email domains we see on HN every day are in DNS zones controlled by Five Eyes governments.

There is a reason most secure providers don't use DANE.

https://sockpuppet.org/blog/2015/01/15/against-dnssec/


Very good read, thank you!!


https://runbox.com/ from Norway has been around for quite some time. Don't know if they meet your requirements.


Have you looked into building your own mail server?

It's certainly a bit of work but it may be worth your effort.

Check out https://mailinabox.email


I know about self hosted solutions like mailinabox and mailpile, and sure, it would be fun to set them up to try them out, and they're much easier than going low level with dovecot or postfix and putting all the pieces together yourself, but it still requires maintenance: updating the OS and the software, keeping your server secure from intrusions and so on. I could do it, and I understand the reasons why someone would do it, but I think it's time consuming, and I'd probably not do as good a job of keeping the server secure as a dedicated team would.


MIAB installs OS updates automatically, and the Admin tools alert you when updates have been installed and prompt you to restart the server. You can configure it to auto install updates to the MIAB install, or not. I've set mine up to not install them. This allows me to make a snapshot before installing them in case they break something.

The biggest downside I've run into with MIAB running on DigitalOcean is being blacklisted by AOL. Other services like Gmail and Outlook might send emails to a user's spam folder until they mark them as "Not spam". It took me a bit of fine tuning on my end to get my "Spam Score" down to less than a point or two, but that was really a good exercise to go through.

There were other benefits I hadn't considered though, like the built-in DNS server that comes with MIAB. I ended up moving the DNS records for most of my sites over to it. And it manages SSL certs automatically for domains running on it, or that use its DNS server.

It was time consuming to get it set up right though. I went through the process 3 times before I began to understand what was needed.


fastmail blog post on dane from last december:

https://blog.fastmail.com/2016/12/20/dnssec-dane/


I heard good things about fastmail too but it's hosted in a five eyes country...


wasn't suggesting it, just pointing you at an article about dane.



