Yes except they recycle their domain.
A further reason to remove Mailbox.org is its weird implementation of 2FA. It requires you to change your password to a four-character PIN, and then add the 2FA code to the end of the password when logging in.
A couple of months ago they released a BETA version with normal 2FA. But this came after 5+ years of demands for change, during which the CEO responded to users in a most dismissive, arrogant, and unprofessional way, saying:
I'm sorry, but it's not equal secure. It's much much much more INsecure. It is. It is. It is insecure. It is. Totally. Really. Yes. It is.
It seems Posteo is more trusted and respected in German forums. Their communications are far more transparent and clear.
There is no justification for the inclusion of Mailbox.org but not Posteo. The only significant thing separating them is the custom domain feature. If Mailbox.org isn't implementing it in a secure way, it needs to be removed. Posteo may be right in refusing to implement it to maintain their high privacy/security standards.
Anyway, custom domains only provide agency to the user if they purchase a domain themselves, rather than hire it from a proxy. This necessarily involves sacrificing anonymity. Privacy and anonymity are not the same, but much of the site is catered toward anonymous use of the internet/services, and therefore readers of the guide should be aware of this limitation of custom domains, and providers which do not provide this feature should not, by default, be excluded.
All things considered, I think all anti-spoofing measures of all the privacyguides email recommendations need to be tested, for both generic and custom domains.
If Mailbox.org fails, then it must be removed. If all fail, the recommendation to use custom domains must be adjusted, and the requirement must be waived (and equally private/secure providers included in recommendation).
I just want to point out that, according to the reddit link you shared, it was (at least until 2018, don't know if they fixed it) possible to gain access to the debug log because of some broken SQL query. This is a claim that I can't verify, so make your own opinion about it.
For me this one is unlikely to make too much of a difference as I'm the only user of the domain.
So basically anyone who uses your custom domain can impersonate other users of the custom domain? This is far less significant than the claim made in the Mailbox forum, that users of a Mailbox can impersonate other users of Mailbox.
But I don't understand how this email spoofing test is testing for this. It seems more like a test for detecting how a provider detects spoofed mail, rather than a provider's capability in preventing its users from spoofing the identity of other users.
I wonder how other providers we recommend compare.
I set up a separate thread to compare this (as comparisons in this thread were removed by a moderator).
I have a custom domain with them. I have SPF, DKIM, and DMARC records set with DMARC p=quarantine. I also have DNSSEC enabled for my domain. Mail-tester gives me 10/10, so sending e-mails with my custom domain is highly unlikely to be considered spam. However, emailspooftest.com gives me an F in 2 vectors. It seems like mailbox.org doesn't respect SPF and DKIM failure and, consequently, DMARC misalignments. It's very easy for someone to impersonate my e-mail domain because of this. DMARC p=quarantine should flag the e-mails that have failed SPF or DKIM, and should put them in the junk folder. I also agree that mailbox.org should immediately address this issue.
These are the results of emailspooftest:
|Test|Result|Grade|
|---|---|---|
|Deliverability test|Validated|A|
|Fake subdomain protection|Enforced|A|
|BEC fake insider protection|Vulnerable|F|
|Look-a-like protection|Enforced|A|
|Domain attack protection|Vulnerable|F|
|Subdomain attack protection|Enforced|A|
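As an added worked example (not from this thread or from mailbox.org), this is how a receiving mail server is supposed to evaluate an incoming message against a sender domain's DMARC record such as the p=quarantine one described above, including the SPF/DKIM identifier alignment rules from RFC 7489. All domains and authentication results in it are constructed.

```python
# Added example (not from this thread or from mailbox.org): how a receiving
# mail server should evaluate a message against the sender domain's DMARC
# record per RFC 7489. All domains/results below are constructed.

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; adkim=s'.
    Missing alignment tags default to relaxed ('r'), as the RFC specifies."""
    tags = {"p": "none", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Real receivers use the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain (mail.example.com ~ example.com)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, record, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return (passes, disposition). spf_domain is the MAIL FROM domain SPF was
    checked against, dkim_domain the d= of a verified signature. DMARC passes
    only if a mechanism passed AND its domain aligns with the From: domain, so
    an SPF pass for an unrelated relay does not rescue a spoofed From: header."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    # Subdomain senders fall under sp= when published, otherwise under p=.
    policy = tags["p"]
    if "sp" in tags and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]
    return False, policy

if __name__ == "__main__":
    # Forged From: example.com relayed elsewhere: SPF passed only for the relay's
    # own domain, no DKIM -> a p=quarantine receiver should junk it.
    print(dmarc_disposition("example.com", "v=DMARC1; p=quarantine",
                            "pass", "relay.example.net", "none", ""))
```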
Thank you for this. So, to be exact but non-technical, which of the following does this mean:
- Those with an account with mailbox can send mail from your (@example) domain, without permission?
- Anyone can send mail from your (@example) domain, without your permission?
- Those with an account with mailbox can send mail from your full email address (mymail@example) without your permission?
- Anyone can send mail from your full email address (mymail@example) without your permission?
- Those with an account with mailbox can send mail from your full email address (mymail@example), and those without an account can send mail from your (@example) domain, without your permission?
I hope this is exact enough LOL. The various tests and technologies are a bit confusing so I want to spell things out to make things easier to understand.
Additionally, do Mailbox generic domains suffer from any of the same problems?
And finally, if somebody does any of 1-5, will the receiving email provider be more likely to mark it as spam than if you legitimately use your own account/domain?
No Mailbox.org user can send an email with a sender address of another Mailbox.org user (no matter if own domain or not). The mail server says: Sender address rejected: not owned by user ...@example.com
In this case I don't know what the problem is, if any.
Whatever the specifics, Mailbox is not transparent about its DMARC policy:
Additionally, SPF settings are being honored and DMARC settings are a huge factor in our spam recognition. While we don't honor DMARC at a 100% right now, we do take it into account
It also seems their open PGP support is limited to the main account, not aliases and custom domains:
Note: The mailbox.org Guard is designed to work with your main email address. It is not intended to be used in combination with aliases.
And
Users need to hand over their private PGP keys to be stored on our servers.
…
However, one might argue that encryption keys, which remain password-protected as they sit on our infrastructure, are probably stored more safely and securely with us than on a private PC or smartphone.
Security experts like M. Cardwell have explicitly warned users to not store or use their private OpenPGP keys on devices that are not secure (like smartphones).
Who the f*ck is M. Cardwell? It could be Edward Snowden for all I care, it is still an appeal to authority rather than actual reasoning.
Their guide/FAQ is ridiculously long-winded and complicated, packed with pointless sentences like the above.
According to their user forums, their support often does not answer emails, or is very slow.
As mentioned already, their CEO sometimes answers users in the forums, and in a way which absolutely does not give me a sense of trust and professionalism. This was his response to the unanimous call from his clientele to use standardized 2FA instead of his confusing alternative:
I'm sorry, but it's not equal secure. It's much much much more INsecure. It is. It is. It is insecure. It is. Totally. Really. Yes. It is.
"New users can only put 2 links in a post" - would've been great to know before I wrote all this. I'll just post the source then. Ban me or whatever if this is against the rules. After all this work I really don't care.
<mod edit: restored original post below>
@d2d and others already said most of what I'm going to write, but just to try to summarize and clarify the situation in relation to the initial post of this thread:
Outgoing mail of mailbox.org users (the not existing problem)
Sending via mailbox.org mail server
- It is not possible for a mailbox.org user to send mails as another existing user via mailbox.org's mail servers.
  ("As another user" meaning FROM address being mail address of the other user)
- It is not possible for a mailbox.org user to send mails from another user's custom domain via mailbox.org's mail servers.
  ("from another user's custom domain" meaning FROM address being xyz@another-users-custom-domain.com)
Source: I have a mailbox.org account with custom domains set up and created a second mailbox.org account to test the two scenarios. (Also other people in this thread stated this already)
My SMTP logs (censored)
Sending mail via mailbox.orgâs mail server with FROM-address being another existing userâs mail address
```
$ openssl s_client -starttls smtp -connect smtp.mailbox.org:587 -crlf -quiet
Connecting to 185.97.174.196
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify return:1
depth=1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1
verify return:1
depth=0 CN=*.mailbox.org
verify return:1
250 CHUNKING
EHLO mailbox.org
250-smtp202.mailbox.org
250-PIPELINING
250-SIZE 143699726
250-ETRN
250-AUTH PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-AUTH=PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
AUTH LOGIN
334 VXNlcm5hbWU6 (== "Username:" in base64)
[account2-user] (base64-encoded)
334 UGFzc3dvcmQ6 (== "Password:" in base64)
[account2-password] (base64-encoded)
235 2.7.0 Authentication successful
MAIL FROM:account1@mailbox.org
250 2.1.0 Ok
RCPT TO:my-gmail-account@gmail.com
553 5.7.1 account1@mailbox.org: Sender address rejected: not owned by user account2-user@mailbox.org
```
Sending mail via mailbox.orgâs mail server with domain in FROM-address being another existing userâs custom domain
```
$ openssl s_client -starttls smtp -connect smtp.mailbox.org:587 -crlf -quiet
Connecting to 185.97.174.196
depth=2 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root G2
verify return:1
depth=1 C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte TLS RSA CA G1
verify return:1
depth=0 CN=*.mailbox.org
verify return:1
250 CHUNKING
EHLO my-custom-domain-of-account1.com
250-smtp102.mailbox.org
250-PIPELINING
250-SIZE 143699726
250-ETRN
250-AUTH PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-AUTH=PLAIN LOGIN XOAUTH2 OAUTHBEARER
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 CHUNKING
AUTH LOGIN
334 VXNlcm5hbWU6 (== "Username:" in base64)
[account2-user] (base64-encoded)
334 UGFzc3dvcmQ6 (== "Password:" in base64)
[account2-password] (base64-encoded)
235 2.7.0 Authentication successful
MAIL FROM:mail@my-custom-domain-of-account1.com
250 2.1.0 Ok
RCPT TO:my-gmail-account@gmail.com
553 5.7.1 mail@my-custom-domain-of-account1.com: Sender address rejected: not owned by user account2-user@mailbox.org
```
Mailbox.org's support of SPF, DMARC and DKIM
- SPF, DMARC and DKIM for outgoing mail of mailbox.org users are working as intended.
- Whether other people will receive emails spoofing/faking your email address depends on the mail server of the recipient.
Source: I verified SPF and DMARC/DKIM for outgoing mail a lot when setting it up maybe 1 or 2 years ago, I have also verified a few times since then, and it's been working as expected ever since.
Incoming mail to mailbox.org users (the actual problem)
- It seems like mailbox.org often does not respect DMARC policies like quarantine (set by the sender or sender's mail provider) and still delivers to mailbox.org users' inbox - like multiple other users here, I can also confirm this. They say they do take it into account though:
Additionally, SPF settings are being honored and DMARC settings are a huge factor in our spam recognition. While we don't honor DMARC at a 100% right now, we do take it into account. [mailbox.org Support, 2023-06-28]
- It seems to me they decided to not fully honor DMARC policies, but still take it into account when "calculating" if incoming mail is spam or not.
- It seems like they err a bit too much on the "not spam" side when SPF, DMARC/DKIM come into play. As far as I know that is not unique to mailbox.org though? But I don't have proof for that.
- I wonder why they say SPF settings are being honored (in comparison to DMARC being "not honored 100%"). The emailspooftest.com results seem to indicate SPF fails also don't lead to mails being delivered to the junk folder. I dunno, the linked post is not very clear on that.
I think they should honor DMARC "more" (maybe even 100%, but let's not get crazy here). While it obviously doesn't affect outgoing mail, it makes mailbox.org users a lot more susceptible to phishing and similar attacks.
I hope this post helps people that are not that deep into this topic. To the other ones: feel free to correct me if I got something wrong
@d2d and @Finerdly make clear that the initial problem I highlighted is not a problem. Do people think it's safe to say that it is resolved? My only doubt is that both accounts seem to have been set up specifically to respond to this post. I think a reproduction of Finerdly's tests by somebody equally knowledgeable and who is already a contributor to PG would put this issue to bed. (I mean no disrespect @Finerdly, thanks for the contribution.)
In which case the anti-spoofing problem is merely the following:
- Mailbox.org does not send some mail to spam which should be sent to spam.
- Mailbox.org are poor at communicating. As stated in the OP, I didn't make up this problem - somebody claimed it in their forum, mailbox.org confirmed it, and never said it was fixed.
This issue was confirmed by Mailbox.org four years ago, with unfulfilled promises to fix it since.
It's not just a DMARC problem, mailbox.org servers don't verify either SPF or DKIM.
Just try a tool like emkei.cz.
On my address @mailbox.org and on my address @mycustomdomain.com (hosted on mailbox.org) I can receive mail from any domain.
mailbox.org does not only offer a webinterface (like other services!) where we can restrict access and we can forbid any login with password-only. We also offer different/many different services and protocols like SMTP, XMPP and much more (and much more will be added in the future) that must still be open for password-logins. For that, a stolen/sniffed password CAN be used to gain access to different services and accounts.
then use fucking oauth oh my god
They are rolling that out now.
Good point. So far I've had no reason to create an account here. In another forum (where I've been active for a while) this topic was linked. And because information is missing here that is available in the other forum, I registered here. The message I mentioned from the outgoing mail server can be checked by anyone with an account, so it's not a secret.
Yes, the communication is not good. To be fair, it's a forum by users for users (users helping other users) and not a classic support forum.
I use Mailbox.org, Posteo and tuta and haven't had a bad experience with any of them. Good support (not much contact) and no problems with spam (none or very few), and my emails have always arrived, including from my own domain. I think all three are good enough to recommend. Of course there is always something to improve here and there, but where is that not the case?
I suggest Mailbox is an example of a poorly structured (and therefore less trustworthy) team.
Also, the size of a team may not matter if the leader doesn't involve others in the decision-making processes. I know I've been quite critical of Mailbox, but I think they may be an example. Their guide seems written by one very knowledgeable guy (Sir Mr expert Heinlein) but not proofread by the people who need the guide (causing A LOT of confusion). Their news lists his media appearances, but no sign of other staff. And he responds to people in the forums, often in quite a dismissive manner to reasonable criticism of the service. Unlike its competitors, their website does not reveal the identity of any employees besides the leader. Proton lists many many directors and managers. Posteo has three people (two of which are a couple). Tutanota has a paragraph on the whole team, but the hierarchy is unclear.
I mean no harm to Mailbox or to Peer Heinlein, who I feel like I'm criticizing when I criticize Mailbox, which in itself I consider to be criticism of Mailbox (but I hope not Heinlein). But trust is too important in the case of email for me to ignore my doubts about Mailbox.
To be fair, it is good that Peer Heinlein is willing to respond to users, both in their community forums and on Reddit (maybe he can join us here too one day). I said he "often" responds in "quite a dismissive manner", which I'm not sure is true. He did in relation to the 2FA issue - an issue on which he eventually changed his mind, though it took about 5 years.
I'm very curious about how Mailbox is perceived in the German tech/privacy world. Can any non-Heinlein sources attest to Heinlein's prestige? I mean, did he really invent "the fully encrypted inbox"?