

Ask HN: Fair and decent email providers? - ics

Fair and decent– well priced, solid data policies, easy to use or configure...

I've self-hosted in the past and would _consider_ doing it again for privacy reasons, however a solid email provider would certainly save a lot of work on the spam/delivery side of things and could potentially make up for it in the general case. One of the things I'm concerned about though is finding a solution that would allow me to create/destroy aliases on the fly and add addresses across multiple domains (one user/mailbox) without paying exorbitant amounts, but other features like full IMAP support, two-factor authentication, and a fast interface are also desirable.

So far I've looked at: Rackspace, Fastmail, and Namecheap but I'm curious to see what people here (especially DevOps) are using and would recommend. Even though price is a controlling factor for me, I thought the discussion might be valuable since I'm sure the recent news is just one more reason why some people might feel uncomfortable relying on their Gmail accounts.
======
tptacek
It's funny that people would flee from Gmail to other third-party mail
providers out of privacy concerns, because it suggests they think their
biggest privacy concerns are the NSA. But that's not true; in practice, you
have much more to fear from criminals than the government; you can use simple
means/motive/opportunity reasoning to arrive at this conclusion.

Meanwhile: no mail provider in the world has invested more resources in
security than Google Mail. Google spends millions of dollars to ensure the
security of the Google Mail platform. It also runs a public-facing bounty
program --- one of the oldest and most reputable --- to solicit more
vulnerabilities. It staffs a large and extremely well-regarded software
security team to keep up with vulnerability classes and to research new ones.

Can you say the same thing about Fastmail.fm?

~~~
ics
Admittedly I was asking this here primarily for small business suggestions– I
certainly wouldn't expect a simple provider switch to pull the wool over the
NSA's eyes. It's a silly thought for a business anyway, where the only people
you might be trying to hide from are your competitors. As you said, for
practical security Google's offerings are likely top notch and it gives me no
qualms having some accounts with them. That being said, I think there's still
room for someone to bring almost as much to the table security wise through
focus and perhaps a tighter codebase, but beat them out for clear ("fair and
decent") terms in regards to privacy and data handling.

Regarding Fastmail, as far as I can tell the new interface is one of the
better ones around and it's a big help that they provide Yubikey
authorization. I've been using Google Authenticator for a while now but in
recommending it to others I've found people taking advantage of just about
every opportunity to undermine its usefulness (i.e. backup codes not protected
or used regularly when their phone is dead, disabling two-factor auth for a
few days because they forgot their charger, or sharing app-specific keys...).

~~~
tptacek
How do you know that you aren't some trivial but obscure SQL injectable HTTP
POST away from losing all your mail on that provider? Because I gave you a
reason to believe you don't have to worry about that on Google Mail.

~~~
ics
First off, I can't really fathom why anyone (businesses!) wouldn't keep good
offline backups of their email of all things. But it's a fair point– data loss
isn't the only threat and Google is not lacking in engineering talent or
money. Still, wouldn't their threats scale with their services and number of
users? I don't care for any of the features that come with a Google account
(really, just mail) but if an attacker found an exploit in any of the services
attached to an account things wouldn't be so swell. To some degree the only
reason I asked this question in the first place is because admittedly I cannot
provide any specific counterargument to what you just stated. I was hoping
others might, but I certainly appreciate your weighing in either way. If you
really think that Google is the best way to go for practical security (do you
use them for Matasano/Cryptopals/...?) then I'll keep them on the top of my
list, but it's still out of my price range without significant restructuring.
Perhaps I was too hopeful about finding the tarsnap of email or something.
Ahh, well.

~~~
tptacek
_Still, wouldn't their threats scale with their services and number of
users?_

No! This is almost never true!

~~~
ics
No? I didn't mean that they're just a bigger target. Are you saying there is
no additional threat (whether XSS, HTTP, SQL or whatever) to the system when
YouTube, Google+, Gmail, etc. are all being developed by different teams with
different timelines etc? Of course they must have pretty sound security
practices in addition to frequent coordinated reviews, but I can't imagine
that makes things any _easier_.

~~~
tptacek
Yes, I am saying that you are at vastly less risk of losing your data to an
SQLI flaw on Google Mail than you are on some small competitor to Google Mail.
I am saying exactly the thing you seem to be surprised I'm saying, and if you
ask any 5 other software security practitioners the same question, at least 4
of them will say the same thing (I'd actually be surprised if 5 didn't).

~~~
ics
Very well then. Practically speaking I'm much more concerned with spear-
phishing on Google services than what we're discussing, but I'm glad you took
the time to make your points. I won't hold my breath for them to introduce
more flexible plans any time soon though... (As a sidebar, MS Office365 looks
to be about the same thing, but not much different than Google on
price/plans.)

------
skram
This has been asked several times... but I'll go ahead and say I've been using
Fastmail.fm for my personal email for several years now and have not had a
problem with it.

For work, I've used self-hosted Exchange (I didn't manage it), Rackspace, and
most recently Microsoft Office 365 for my current startup. We're liking MS
O365 but I wouldn't pay that much for my personal email hosting at this point.

------
workhere-io
I don't understand why people often suggest FastMail when it comes to privacy.
FastMail's "servers are located in New York City with a backup in Norway"
according to
[http://en.wikipedia.org/wiki/Fastmail](http://en.wikipedia.org/wiki/Fastmail).

------
rdouble
fastmail.fm is great. I've used them for a decade.

The downside to me is their spam filter is not as good as gmail.

I read my email in a local client so I can't comment on the web interface.

That said, far less of my communication is done via email these days. Like,
almost nil. It's almost gotten to the point where I don't need email at all.
It's mainly a repository for online receipts. I'm toying with the idea of
killing my fastmail account and just using my gmail account for receipts.

------
nodata
Fastmail has earned its name recently - it's freaking fast now. Much faster
than gmail.

------
lifeguard
Doesn't gmail do everything you ask for? $50 a year? It is the best if you
don't care about control/privacy.

~~~
ics
But I _do_ care about control and privacy. I have a few clients who I likely
will be moving to Google Apps but it's not really what I'm looking for. That's
$50/year _per user_, which is a fine price for the amount of space you get
but far too much for me when I would much rather divide that 30GB into 30x1GB
mailboxes. That being said, it looks like their alias features are very
agreeable (30 addresses, 20 domains).

~~~
lifeguard
Ahh, I did not understand you wanted service for multiple users. It sounds
like price is your main requirement.

>>Rackspace, Fastmail, and Namecheap

These are slightly lower quality than gmail IMO.

