
Mailbox.org – Privacy made in Germany - galaktor
https://mailbox.org/en/
======
kyledrake
"Privacy oriented" is something I strive for in my own dealings, but
centralized service privacy is and always will be lip service. What does
"privacy oriented" actually mean? It must be very clearly defined.

Let me give an example. A government entity sends a subpoena to receive all
data on an email account. If the service provider is legally mandated to
respond with data or face prosecution, what happens? In this case, Google
might actually be better for "privacy" because they at least have the economic
capability to push back against Doe subpoenas. A small provider won't have the
resources to defend against a frivolous subpoena and will hand over
everything.

Something to keep in mind when considering this stuff. I really think the only
way to at least control the option to defend your privacy is to run your own
servers.

~~~
ivanhoe
The country where the company and servers are located makes all the difference
IMHO. Many things that the government can push in the US under Homeland Security and
similar acts, they can't in Germany. Their privacy laws are much more
protective against mass and/or unsubstantiated surveillance, legal services
are not as ridiculously expensive as in the US, etc.

~~~
plg
for now

~~~
okket
Currently there are no plans to extend the jurisdiction of US law to
Germany.

But if you ask nicely, the German intelligence service might give you the
information you seek.

------
sternenseemann
I really hate the kind of “Privacy made in Germany” way of marketing,
especially since I am German.

Mailbox.org seems decent from what I've heard but products advertised like
this are mostly sheer bullshit. I don't know why transferring a “quality”
label from (oldschool) engineering products to IT even works.

~~~
SyneRyder
It resonates with me. I don't think it's just a reference to engineering
quality, Germany is more privacy conscious than some other countries. Whether
it's the cypherpunk & privacy-tech scene of Berlin, or the awareness of the
consequences of surveillance resulting from the GDR days.

Even in little things: like Germans using cash because they don't want to
create an electronic credit card trail of where they were, or walking through
Munich train station and seeing Snowden in all the news headlines (in 2013),
while back home he was getting nowhere near as much news coverage (and
certainly not the front page headline).

I don't know if any of this applies to Mailbox.org, but as a marketing phrase
it works for me.

[I'm Australian, but an 'aspiring German'.]

~~~
pluma
> like Germans using cash because they don't want to create an electronic
> credit card trail of where they were

... and then using their Payback loyalty cards at every opportunity.

Don't get me wrong: many Germans hold out on loyalty cards and some people may
indeed use cash to avoid a paper trail, but you make us Germans sound like
mythical privacy-minded creatures which the vast majority of us is decidedly
not.

~~~
SyneRyder
It's a relative thing - I know most Germans don't see themselves as privacy-
minded, but the bar is so low everywhere else that the little things in
Germany add up & make it stand out.

One example is browsing Google Street View and seeing how many buildings &
houses are blurred out in Germany due to people sending privacy requests. I
don't think I've ever seen that in Australia, but I keep encountering it when
planning my trips to Germany. 3% of Germans opted-out of their house being
included in Street View - a low percentage of Germans, but still crazy high
compared to the rest of the world:

[https://googlepolicyeurope.blogspot.com/2010/10/how-many-german-households-have-opted.html](https://googlepolicyeurope.blogspot.com/2010/10/how-many-german-households-have-opted.html)

------
0XAFFE
A month or two ago I sent them an encrypted (gpg) mail to their support
address but they replied in plaintext and even citing my original request in
full.

~~~
mottosso
Thanks for sharing that.

------
paste0x78
Don't France and Germany want to put backdoors in encryption?
[http://www.wsj.com/articles/france-germany-push-for-access-to-private-internet-messages-in-terror-probes-1471976815](http://www.wsj.com/articles/france-germany-push-for-access-to-private-internet-messages-in-terror-probes-1471976815)

~~~
secfirstmd
And Germany looked the other way for NSA surveillance for years...

~~~
madez
For decades.

------
terraforming
After the fastmail fiasco (they increased prices, and now old packages no
longer have access to the newest features), I started looking for an
alternative and came across mailbox.org... I've been trialing for a few days
and they do seem interesting.

I just wish we could use an unlimited number of aliases in our own domain, it
doesn't make sense to me otherwise..

They do have some interesting features, such as mailbox encryption as well as
calendar/contacts encryption. It's client-side encryption, though it's in the
browser.

An alternative to mailbox.org is mailfence.com.

~~~
LeoPanthera
Do you have some citation for this "fiasco"? They did change the plans but I
was unaware of any significant unhappiness. (And existing users can keep their
old plans anyway.)

~~~
subsection1h
There's a 17-page discussion here:
[http://www.emaildiscussions.com/showthread.php?t=72032](http://www.emaildiscussions.com/showthread.php?t=72032)

------
binaryanomaly
I've been a mailbox.org user for a few months.

I like the product; it supports open standards: IMAP, CalDAV, CardDAV. If you
want you can lock down pretty much everything with PGP. Data is in Germany/EU
and the pricing is really fair: it starts at 1€/month with 3 mail aliases and 2
GB.

The guys behind it seem to be IT people with Linux/open source mindset and
good ethics as far as I can judge.

I feel very comfortable with mailbox.org

~~~
type0
I use them as well, they have custom domain and two-factor authentication
support. The only complaint is that sharing in their online Office can be
buggy, I hope Open-Xchange will fix that, but that's more of a side feature
for me. At least their business model seems more honest than Proton Mail.

------
hiq
How is it any better than ProtonMail? [0]

[0]: [https://protonmail.com](https://protonmail.com)

~~~
tga
Mailbox.org runs [http://open-xchange.com/](http://open-xchange.com/), so
besides email you also get a calendar and (rudimentary but functional) online
word processor and spreadsheet, with team collaboration. You can try a demo of
the software on the Open-Xchange site.

I've also been a happy customer for about a year now.

~~~
newsat13
Funny they call themselves open exchange with the tag line 'stay open' and
they are not actually open source.

edit: maybe they are?
[http://oxpedia.org/wiki/index.php?title=SourceCodeAccess](http://oxpedia.org/wiki/index.php?title=SourceCodeAccess)
Why is there no link on main website?

~~~
tga
Definitely open source, although no public code development process (~GitHub)
from what I gathered. Java backend, BackboneJS frontend.

------
mxuribe
I think we need more of these types of companies, or at least more competitors
in this realm. I've also heard so many good things about FastMail too. We need
more mail providers who are:

* trustworthy
* secure
* reasonably priced
* etc.

If running my own mail server was not so laborious and headache-inducing, I'd
love to move away from Google for apps/domain. I have no functional complaints
about Google; I am happy with their performance without a doubt. It's just that,
as every day passes, I keep getting creeped out; it's the "ick" factor. And for
me it started well before the Snowden disclosures.

~~~
eridius
If you want to stop using Google for email, but want to keep the domain in
Google Apps for whatever reason, you can set up a FastMail account and then
configure Gmail to forward all of your email to FastMail. Yeah your email
still goes through Google's servers so it's not completely ick-free, but at
least you don't have to deal with using Google for email on a day-to-day basis
anymore.

------
DyslexicAtheist
Oh, it's bullshit made in Germany again.

>> _When e-mails go unnoticed because of being redirected to a spam folder
that you never check, you are in fact still legally liable for such e-mails –
as you cannot disprove having knowledge of them. This is a danger that our
users can safely ignore: We check for spam and viruses before the e-mails are
accepted and reject anything that looks suspicious. This way, you always know
exactly what e-mails you have received and read._

How does that even work when they GPG encrypt content? Are they escrowing the
private keys?

What timing for this post. Just as I was ranting about this old 30C3 talk[0]
and pointing out what a scam "DE-Mail", "e-brief" and "Trusted-Cloud", etc.
is, ... then this is trending on HN. Hilarious.

[0]
[https://www.linkedin.com/hp/update/6175253192402563072](https://www.linkedin.com/hp/update/6175253192402563072)
- or:

[1] [http://www.amara.org/en/videos/y1Gk3maFbvNQ/info/bullshit-made-in-germany/](http://www.amara.org/en/videos/y1Gk3maFbvNQ/info/bullshit-made-in-germany/) (select English subs)

~~~
gurubert
Please show me an e-mail SPAM / Virus that is sent GPG-encrypted to you. I do
not think that this will ever happen.

------
hypercluster
I've been using mailbox for about two years and am now switching to fastmail.
The UI is vastly better and works great on mobile. It's also the base for the
mobile app which mailbox doesn't have (well, the OX one). And that's the other
thing. Having a dedicated app with search integrated and push notifications on
iOS is awesome.

------
galaktor
Full disclosure: I'm a new user of mailbox.org, but not otherwise affiliated.

I find its approach to useable security features interesting, especially
considering the entry-level price points.

edit: typo

------
mk89
Some weeks ago, I was looking (again) for a privacy-oriented alternative email
provider. I stumbled upon mailbox.org and some others (like protonmail, and
startmail).

I decided to go for mailbox because 1) I know that Germany at the moment has
still one of the best regulations about data protection (although I fear this
is going to change in the next few years), 2) it provides some features others
don't (like protonmail, and startmail). It was worth a try at least, so I
decided to use the 30 days trial account.

It looked really good and promising: nice UI, clear documentation, cool domain
name if you don't want to use your own. It provides also Office-like,
calendar, and storage features. Therefore, I made up my mind, and I was
determined to become one of their paying customers. So, I put 12 EUR (1
EUR/month) on the account. A few hours later I found out[0] that mailbox.org
is offered by a politically motivated provider called JPBerlin [1]. I sent the
cancellation request, and so far my account is still on hold - I could revoke
the cancellation, though. An email received after the cancellation request
says "please allow us a couple of days". Sure. It's just they took 1 EUR from
the account, although I had the cancellation request sent like 10 days before
the end of the trial period.

In the end, I would like to say that as a service it looks promising. However,
until they stop with their political involvement, I think, not many people
will use it.

[0]:
[http://www.emaildiscussions.com/showthread.php?t=68527](http://www.emaildiscussions.com/showthread.php?t=68527)
[1]: [https://www.jpberlin.de](https://www.jpberlin.de)

~~~
galaktor
Regarding your mention of the "politically motivated provider", this [1] is
relevant:

Using Google-translate + some tweaks by myself:

"What does political Provider mean?

Even if JPBerlin is a political provider, that does not mean that we ourselves
are politically active.

We give politically and socially active organizations the technical
infrastructure they need to enable them to work with modern tools such as
groupware systems or mailing lists. They should be able to focus on their
content rather than vexed with the technology and its implementation.

The JPBerlin itself represents no own political content or opinions. We see
ourselves only as a reservoir and implements of the assets from [politically]
left, environmental and social areas. And so it is not surprising that we
accommodate almost all well-known organizations, foundations, communities and
other groups from those circles. Of course we also have non-politically-
motivated individuals and organizations as customers.

Our customers have no relationships to each other. The same applies to our
position in relation to our clients and their views and work.

Our only position is to be clearly distinct from the [politically] right
edge!!"

[1] [https://www.jpberlin.de/hilfe/allgemein/was-bedeutet-politischer-provider/](https://www.jpberlin.de/hilfe/allgemein/was-bedeutet-politischer-provider/)

~~~
mk89
Thanks for the clarification. I am just worried about the possible implications.
My main concern is the message you send whenever you share this email account
online, e.g., on a résumé, with a job application, or with a government
agency.

If this company has this history, or even worse, it recognizes itself as "kind
of left-wing" (and not funded by a left wing party), you never know how people
see that. We should have freedom of speech, yet you can't say certain things
publicly.

Ah, I don't understand the downvotes in my parent comment. It would be great
if people could clarify that.

------
msh
I have been using them for about a year and have been quite satisfied. They
also support using your own domain at no extra cost.

~~~
detaro
2 years here, nothing to complain about. While the service is relatively new, the
people behind it have been in the business way longer. Years ago I set up my
first own mail server using their books ;)

------
caspianplover
I've been a customer of mailbox.org for just over a year now. I can't assess the
quality of their security, or the lengths they'd go to protect customer
privacy, though they seem to know what they're doing. We had a Linux
consultant from Heinlein Support at the last place I worked for, and he did
his job very well.

I'm also pretty happy with the Card+CalDav-offerings from mailbox.org.

With their customer support, however, I'm rather disappointed:

mailbox.org offers what they call "Familienaccounts" (non-commercial accounts,
meant to share, among other things, calendars and contacts with one another
[0]).

Grouping existing accounts into "Familienaccounts" by means of contacting their
support team used to be a feature that was offered (and advertised) by
mailbox.org, and a feature that I've used for two of my family members in the
past.

For some technical reason or other, mailbox.org is unable to convert existing
accounts into Familienaccounts any more. This wouldn't be that much of a
problem (workaround was to backup data, cancel one account, get that account's
credit refunded, ask them to remove that account from their list of blocked
accounts, recreate that account as a "Familienaccount", pay for the new
account and restore the backed up data).

What rubbed me the wrong way was that it took a month of to and fro emailing
with mailbox.org support just to get that information (while they still
advertised being able to convert accounts on their website).

When we decided to implement the workaround, it took another month from
cancelling the old account to getting the new one working, with my wife unable
to receive emails for some time in between.

I will continue to use mailbox.org, but in my opinion they really need to
improve their support.

[0] [https://support.mailbox.org/knowledge-base/article/familien-accounts-alle-fragen-antworten](https://support.mailbox.org/knowledge-base/article/familien-accounts-alle-fragen-antworten)

------
Bino
If so, and German data protection laws apply, why isn't the TLD .de?

~~~
pluma
Because TLDs mean nothing? You don't see every US service use .us either. Plus
.org has certain connotations (at least in Germany): non-commercial, activism,
open source, etc. It's a bit ingenious considering this is a paid service, but
they were probably proud they were able to get such a premium domain name.

Also, at least to Germans .de generally implies it's primarily German language
and/or limited to a German (speaking) audience.

~~~
noinsight
Actually, your choice of TLD has a huge impact on jurisdiction.

The USoA asserts super-jurisdiction [1] over .com/.net/.org and will seize
such domains at will [2], and therefore personally I will never use those
TLD's as a non-US citizen. What legal recourse do non-Americans have in such a
situation? They would probably have to fight it through US courts which
significantly raises the bar for non-American entities.

Another thing to consider is DNSSEC when it comes to TLD's. Domain records are
signed top-down.

The ccTLD's fall under the jurisdiction of their respective countries.

I don't even know under what jurisdiction the other/new TLD's fall under, it's
probably based on where the owning company is headquartered?

[1] [https://yro.slashdot.org/story/12/03/06/1720230/us-asserts-super-jurisdiction-over-dot-com-dot-net-and-dot-org-domains](https://yro.slashdot.org/story/12/03/06/1720230/us-asserts-super-jurisdiction-over-dot-com-dot-net-and-dot-org-domains)

[2]
[https://en.wikipedia.org/wiki/Domain_name#Seizures](https://en.wikipedia.org/wiki/Domain_name#Seizures)

~~~
gurubert
You can use your own domain with mailbox.org and not be affected by any .org
issues you may think exist.

------
HugoDaniel
E-Mail privacy in a 14 Eyes country?

------
civil534
People in this discussion are mentioning subpoenas and compliance with same.
Are we talking civil as well or just criminal? If I'm sued in Nevada civil
court for defamation or something does a German company give a shit?

------
nullcipher
I am not sure if having my data in mailbox.org is any more private than
Microsoft or Google. My Gmail doesn't even show any ads.

~~~
type0
If you use gmail and don't pay google for Apps account, you are not their
customer, that's the difference. How much does Microsoft charge for its email
service?

