Mailbox users, consider this your canary in the coal mine

From the post:

Let’s cut the bull and be clear about what’s going on and why:

  1. Before the new Open-Xchange app suite rolled out, mailbox users were immediately signed out of Guard when they signed out of their account. This was an intentional programming decision to promote security and was communicated as such.

  2. After the new Open-Xchange app suite rolled out, mailbox users were no longer signed out of Guard when they signed out of their account. No one was notified. This left customers with the illusion of security, believing they had signed out of Guard when in fact they hadn’t.

  3. No one at mailbox or Open-Xchange noticed, fixed, or publicly addressed this security vulnerability. Instead, a customer did their job for them. That customer (me) framed this as a serious security problem, NOT a minor bug meriting yet another feature request to the crippled OX App Suite.

  4. When this vulnerability was brought to mailbox’s attention, the team refused to publicly acknowledge that both they and Open-XChange had dropped the ball. Admitting fault from either party is considered bad optics. At the time of this post, it’s been 17 days since my initial report was filed, and not a single mailbox customer has been officially warned about this security risk (via blog post, in-app notification, sign-in notice, or email). Excuses forthcoming.

  5. According to this mailbox knowledge base article (see attached screenshot) the mailbox Guard signing out the same time a user signs out is a SECURITY PROMISE, not a FEATURE REQUEST. In this case, it’s a broken promise.

  6. Meanwhile, mailbox boasts of its latest audit awards from BSI. “These certificates confirm our high security standards, especially for cloud services, through independent testing agencies and demonstrate our consistent commitment to protecting your data.”

  7. This latest embarrassment is just one of many examples over the past year of mailbox over-promising and under-delivering. The forums are full of unhappy customers. My support inbox is overflowing with unanswered requests for Open-Xchange to fix problems they created.

  8. All of this would be bearable if the tenor of mailbox moved FROM blame shifting, rudeness to their most loyal customer base, and public relations management TO one of accepting responsibility, taking accountability, and acknowledging the elephant in the room: Open-Xchange is beginning to do more harm than good.

As I’ve said before, I’d like to migrate from Mailbox elsewhere but I don’t know of any other privacy-friendly provider out there that:

  • Is reputable / not brand new

  • Supports IMAP in some form

  • Supports CardDAV (or otherwise syncs with phone contacts)

  • Supports custom domains

IMAP is the one I could be flexible on, especially if there’s a bridge situation, but Proton and Tuta don’t support CardDAV either.

If we remove Mailbox (which I’d be okay with) we need to figure out what the next best option is. Proton, Tuta, and Posteo are great but are not ‘plug and play’ for many general use cases due to missing at least one of the common, widely used, often necessary features listed above.
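The sign-out coupling described in points 1 and 2 of the quoted post, modelled as an added example (this is not mailbox.org or Open-Xchange code; the session store, the session kinds and the user name are hypothetical): an account sign-out that leaves a linked Guard session alive, the cascading sign-out that closes it, and a check that lists Guard sessions whose account session no longer exists.

```python
# Added example, not code from mailbox.org or Open-Xchange.
# Models a session store where an encrypted-mailbox ("guard") session is
# tied to the account session that unlocked it. Names are hypothetical.


class SessionStore:
    def __init__(self):
        self.sessions = {}  # sid -> {"user", "kind", "parent"}
        self._counter = 0

    def _new(self, user, kind, parent=None):
        self._counter += 1
        sid = f"{kind}-{self._counter}"
        self.sessions[sid] = {"user": user, "kind": kind, "parent": parent}
        return sid

    def login(self, user):
        return self._new(user, "account")

    def unlock_guard(self, account_sid):
        # The guard session records which account session it belongs to.
        user = self.sessions[account_sid]["user"]
        return self._new(user, "guard", parent=account_sid)

    def logout_account_only(self, account_sid):
        # Behaviour the post describes after the rollout: only the account
        # session is removed; the guard session survives the sign-out.
        self.sessions.pop(account_sid, None)

    def logout(self, account_sid):
        # Cascading sign-out: the account session and every session that
        # names it as parent are removed together.
        self.sessions.pop(account_sid, None)
        for sid, sess in list(self.sessions.items()):
            if sess["parent"] == account_sid:
                del self.sessions[sid]

    def orphaned_guard_sessions(self):
        # Detection: guard sessions whose parent account session is gone.
        return sorted(sid for sid, sess in self.sessions.items()
                      if sess["kind"] == "guard"
                      and sess["parent"] not in self.sessions)


def demo(cascade):
    """Sign in, unlock guard, sign out; return the orphaned guard sessions."""
    store = SessionStore()
    acct = store.login("alice")  # constructed sample user
    store.unlock_guard(acct)
    (store.logout if cascade else store.logout_account_only)(acct)
    return store.orphaned_guard_sessions()
```

Running `demo(False)` reports the surviving Guard session, `demo(True)` reports none; the orphan check is the kind of test that would have caught the regression before users did.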

Very interesting, thanks. But sadly also very typical. A user wrote a detailed post in the mailbox user forum about Open-Xchange with valid critique, but it was deleted by mailbox.

Tuta does offer its own contact sync. That works with phone contacts. I use it on Android, but it is offered for iOS too.

Oh interesting, I did not know that.

Can any Tuta users speak to whether it’s totally reliable across Android/iOS/Desktop? I already got burned by EteSync and don’t want to risk messing everything up again.

And while that may work for me I still feel that PG should put some standards compliant email option up if Mailbox.org is removed, even if it’s recommended with a caveat.

Pretty sure Disroot is all of these things.

1 Like

My Spidey sense tells me there’s a possible merger or acquisition in the works. If mailbox is being acquired, it would explain so much. The massive push to sign up new customers. The play it safe public image. The rebranding and fresh coat of paint. The suppression of negative customer experiences and opinions. Ignoring and downplaying and delaying resolving the litany of problems introduced by the latest Open-Xchange release. A lack of motivation to work on long-term solutions. If mailbox is getting acquired, the name of the game is numbers, image, and above all, zero negative press. Avoid admissions of failure about anything whenever possible. It’s about driving the valuation up as high as you can.

It’s like someone getting ready to put their home on the market. They update the kitchen, make a few minor cosmetic changes, and increase the curbside appeal while hoping no one notices the plumbing, foundation, HVAC, mold, or termite issues. I’m fine if I’m wrong, but so far it tracks.

Sometimes when a company stops caring about existing customers, it’s because they no longer need to. The founder sees the paycheck and the exit and is already mentally on vacation. You don’t usually bring in a new CEO when you plan on sticking around. That’s a transitional move.

I suppose it’s also possible that their business and government contracts are large and lucrative enough that they have no incentive to give a rip about the private side of things. But this seems less likely.

Time will tell.

1 Like

I’m unsure of any but I’m hopeful Thunderbird Pro will be good eventually.

Hope it’s OK to post this here; I’ve just lurked till now. I wanted to ask about email because I was under the impression that mailbox was a better alternative than Gmail, so I’ve been using it for a few months now for anything non-banking/gov.

From the recent threads about it I’m having second thoughts, especially about moving to it fully. But I’m new to learning about this stuff and not very technical, so a lot of the discussion goes right over my head. I’m not sure which stuff applies to my use case and what I should be worried about.

I guess what I’m asking is: do I stick with it or switch? My use case is very minimal, just something secure and non-invasive that I can easily access on my phone.

If you are not very good at technical details and want sane defaults for secure email, you shouldn’t be using mailbox. Guard, mailbox’s encrypted inbox implementation, requires you to at least know what PGP is (or S/MIME if your company uses it), and to set it up manually on the phone.

If you only care about having a mailbox that the provider won’t snoop around, you can stay. If you also want more security but do not want to figure out the details, I would recommend ProtonMail or Tuta instead.

The caveat with using them, though, is that the way they encrypt your mails, contacts and calendars means you have to use their clients/apps; you cannot use other apps to manage those accounts because that requires CalDAV and IMAP/SMTP integration (but Proton offers an IMAP/SMTP bridge for paying customers). If you are also looking to manage other accounts under one app (say company emails, alternate mailboxes), you are out of luck.

1 Like

Ty for the response. It’s just for personal use for now and not managing other accounts, but I would like to “future-proof” if possible.
My main worry is losing access to important emails but I don’t know what the chances are of something like the service going down.

If I were to use it with a custom domain, for ex. a small business, am I better off learning how PGP works and using Thunderbird?

I admit I’m overwhelmed looking at the guides they’ve set up, especially with aliases, but does the benefit of using it outweigh the time it would take to set up in my use case?

For a “low threat model”, meaning things like business tied to my name but still needing security, I’m unsure what I do risk by sticking with defaults. That, and whether people have had trouble with how the service/customer support is.

1 Like

My main worry is losing access to important emails but I don’t know what the chances are of something like the service going down.

It’s all the same. Regardless of their security and privacy implications, your e-mails are on all three’s servers. You do not ultimately control where your data resides. So if they go down suddenly, they are all gone, save for the mails already downloaded onto your device.

If I were to use it with a custom domain, for ex. a small business, am I better off learning how PGP works and using Thunderbird?

You misunderstood PGP here. Using a custom domain is unrelated to encryption. Almost all mailbox providers allow you to bring your own domain, even Gmail or iCloud Mail.

I admit I’m overwhelmed looking at the guides they’ve set up, especially with aliases, but does the benefit of using it outweigh the time it would take to set up in my use case?

Using aliases does take a bit of work, but it’s one of the first few things you can change to detach your online identities. Do not use an alias for operating a business (unless your businesses are not so legal); it will make you look less credible. You may have confused using an alias with using a custom domain.

An alias is supposed to be an alternative to your mail address; it’s like giving a callsign to a soldier, it is there to protect your main identity. Using a custom domain for an e-mail alias instantly stands out because it is unique, even if you decide to share the domain with your relatives and friends. It’s horrible for privacy in my opinion. Using a custom domain for personalization and business identity is great, though.

I’m unsure what I do risk by sticking with defaults. That, and whether people have had trouble with how the service/customer support is.

I don’t know which default you’re referring to. But using any of the three providers you mentioned already is better than staying with Google.