
Mailfence: Secure and Private Email Service - jtanderson
https://mailfence.com/
======
Sytten
I made the switch a couple of days ago. Here is my experience so far:

* interface looks better than a few years ago. It is still GWT based though, which is notably insecure (I got an NPE in a warning the other day).
* they do support multiple domains but with a limit on aliases which is quite low (10 for the base plan)
* plus addressing is nice but managing where each goes (folder) is a pain.
* no subdomain addressing
* privacy feels better with servers not in the US
* my threat model doesn't include the NSA so I am fine having unencrypted emails if I can have IMAP instead of browser based.
* calendar is very well done and simple to use
* combined with Nine on Android I replaced Google calendar, contacts and Gmail.

Overall I am happy with the switch.

~~~
stilisstuk
Gwt? Npe?

I am happy with Mailfence. I miss YubiKey and real two-factor (two-factor is only
required in the browser; IMAP etc. just rely on the normal password).

I have catch-all enabled and can use both my Mailfence and my own domain
interchangeably.

I think I signed up with a 10 minute free mail. Paid with Bitcoin. Didn't
provide any personal info (as principle, didn't use VPN etc).

Set up DMARC etc. Helpful support.

Really happy overall.

I use FairEmail for email and Simple Contacts + DAVx5. Works really well.

~~~
chrisweekly
Not OP but IIUC: GWT = Google Web Toolkit, NPE = null pointer exception.

~~~
stilisstuk
Thanks. How can I detect if GWT is used?

~~~
Sytten
You will see GWT transfers in the browser's network inspector.
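An added example (not from this thread, and not Mailfence's or GWT's own code) of the check Sytten describes, done over a captured request log instead of by eye: a GWT client bootstraps from a `<module>.nocache.js` file, then loads a compiled permutation named by a 32-hex-digit strong name (`<hash>.cache.js` or `.cache.html`), and its GWT-RPC calls carry the `text/x-gwt-rpc` content type plus `X-GWT-Permutation` / `X-GWT-Module-Base` headers. The request entries, host and paths below are constructed sample data.

```python
import re

# Constructed sample of network-log entries (host and paths are made up,
# not real Mailfence traffic). Each entry mirrors what a browser's network
# inspector or a HAR export would give you: URL and request headers.
SAMPLE_REQUESTS = [
    {"url": "https://example.test/webmail/webmail.nocache.js?v=1", "headers": {}},
    {"url": "https://example.test/webmail/0123456789ABCDEF0123456789ABCDEF.cache.js",
     "headers": {}},
    {"url": "https://example.test/webmail/rpc/mailbox",
     "headers": {"Content-Type": "text/x-gwt-rpc; charset=utf-8",
                 "X-GWT-Permutation": "0123456789ABCDEF0123456789ABCDEF",
                 "X-GWT-Module-Base": "https://example.test/webmail/"}},
    {"url": "https://example.test/static/vendor.js", "headers": {}},
]

# Bootstrap loader: /<module>.nocache.js
NOCACHE_RE = re.compile(r"/(?P<module>[^/]+)\.nocache\.js$")
# Compiled permutation: /<32 hex chars>.cache.js or .cache.html
PERMUTATION_RE = re.compile(
    r"/(?P<strong_name>[0-9a-f]{32})\.cache\.(?:js|html)$", re.IGNORECASE)


def detect_gwt(requests):
    """Summarise GWT fingerprints found in a list of request records."""
    modules, permutations, rpc_headers = set(), set(), set()
    rpc_calls = 0
    for req in requests:
        path = req["url"].split("?", 1)[0]  # strip cache-busting query
        m = NOCACHE_RE.search(path)
        if m:
            modules.add(m.group("module"))
        m = PERMUTATION_RE.search(path)
        if m:
            permutations.add(m.group("strong_name").upper())
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        if headers.get("content-type", "").startswith("text/x-gwt-rpc"):
            rpc_calls += 1
        for name in ("x-gwt-permutation", "x-gwt-module-base"):
            if name in headers:
                rpc_headers.add(name)
    return {
        "is_gwt": bool(modules or permutations or rpc_calls),
        "modules": sorted(modules),
        "permutations": sorted(permutations),
        "rpc_calls": rpc_calls,
        "rpc_headers": sorted(rpc_headers),
    }
```

Feeding it a HAR export of your own session works the same way: map each entry's request URL and headers into the dict shape above.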

------
cik
I've been all in on secure email, and friends the last week or so since buying
yet another domain. It's really a painful world. The tradeoff continues to be
that Google and Microsoft both provide a tonne of value (and security) for
$5/month/user. At the same time the obvious tradeoff on privacy and anonymity
is made :(.

The secure email services provide far less product-based value, though clearly
the security and lack of ad tracking is there.

Ultimately the market will declare - but currently people overwhelmingly
choose brand (Google) and feature-based value, whilst giving up their privacy.
It's quite frustrating.

~~~
cartoonworld
>The secure email services provide far less product-based value, though
clearly the security and lack of ad tracking is there.

I have thought about this as well. What do you think could be added to secure
email services to make the value more appealing?

In the dark distant past, ISPs of old would include email as a side effect of
their data services including shell accounts, user file hosting, and maybe
even CGI-BIN, if you paid.

The only thoughts I have had were to bundle some kind of VOIP/SMS package
along with the secure email offer. Perhaps some startup MVNO could also
include secure email and other advanced features along with their mobile data
services.

All of this seems pretty far fetched, as email looks to be as niche of a
product category as Premium IRC.

~~~
cik
I think you're bang on, except that VOIP is even more niche than secure email.
Ultimately I think the problem is that email is effectively a commodity -
domain providers, hosting providers... well they pretty much give it to you
for free.

Google and MSFT seem to be competing on a value proposition like the full
suite of office needs, even if it's for your person. I may be wrong, but I
don't think that the average facebook using, instagram reading person even
cares about email.

------
rndbit
I recently switched to Mailfence after briefly using Mailbox.org. My issue
with Mailbox.org was getting IMAP mail, calendar, and contacts synchronized
across Mac and iOS. Mailfence worked perfectly with Exchange ActiveSync for
iOS and IMAP/CardDAV/CalDAV for macOS.

My requirements were:

1. Support my own domain

2. Support IMAP, CardDAV, and CalDAV

3. Privacy friendly country

Some alternatives I looked at and rejected were:

* _Posteo_ - Doesn't allow domains

* _Fastmail_ - The Assistance and Access Bill of 2018 makes Australia a privacy unfriendly country (also part of the Five Eyes)

* _Protonmail_ - Doesn't support standard protocols and IMAP bridge was flaky

------
dbtx
They want a minimum 7-character login, and first & last name, then it seems
you can't just type your desired actual address's _name@mailfence.com_;
instead you have to select from a short list of varied combinations of login,
first, last. I just changed my first name to the short name I wanted and went
back to that list, and as expected, it appeared as an option. I picked it, I
restored my real name, everything is OK AFAICT. Still, I wish vivaldi.net and
mail.com would get on the 2FA train... especially the former.

------
tptacek
This seems like yet another "secure email" provider where the cryptographic
security is cosmetic, because it's delivered over HTTP requests that can with
every individual backend fetch silently override the encryption or exfiltrate
keys.

Also, their "we take software security" blurb is weak:

 _We use operating systems and open source software that take security
seriously. However, software have bugs. In most cases, an update for a
security problem will be available within minutes/hours of the original
report. We perform the update as soon as it is available and validated._

Applying patches is table stakes. What portions of their stack, including
their own code, have they actually had audited? Do they have software security
engineers on staff? Is there a /security page somewhere on this site that
explains where to report vulnerabilities?

~~~
stilisstuk
If browser based, is there anything better than HTTPS? IMAP + PGP?

My own take: you can't trust any web-based solution. But you can choose a
provider which plays nice with open standards, supports eff and openpgp etc.

I don't let Mailfence handle my keys, but I liked that they, on every level,
let me do what I want.

And I like that they let other people trust them to handle their PGP keys,
thus helping that ecosystem.

~~~
lucb1e
> If browser based, is there anything better than HTTPS? IMAP + PGP?

I guess Electron might be a reasonable application to quickly move your crypto
code from the website to a local client so that a compromised server can't
simply backdoor it. But then you want it to auto-update for security issues
and you're back to square one. And if someone inspects the source code of each
update (they won't), they'll just be slower updating and either run the old
(vulnerable) code for longer, have forced and unscheduled downtime (while
looking at the diff), or run the new code before it has been vetted.

------
stevehawk
Security/privacy aside, it's a bummer that it doesn't mention multiple
domains per account. I have ~20 different domains tied to my sole Fastmail account.

~~~
jammygit
I didn't know you could do that with Fastmail.

~~~
stevehawk
You're probably not alone. I just noticed that they don't list it on their
pricing plans either. So either I'm grandfathered into it or they're messing
up their marketing.

------
jammygit
How do you evaluate the security or privacy of providers like this one? I
think years ago they or one of their fans went all over Quora and Reddit
saying good things about it, but I wasn't sure in the end how to evaluate
their claims or find independent reviews and ended up switching to ProtonMail.

While I used it, it was good at least. Setting up a custom domain at the time
required sending the company an email iirc?

~~~
stilisstuk
I think catch-all and DMARC required an email. Yes, a bit odd maybe. But hey, a
human responded within 15 minutes.

------
chrisweekly
Can anyone highlight differentiators vs [ProtonMail, Fastmail, ...]? What
advice for someone busy but technical, looking to get off Gmail?

------
cobbzilla
I read the title too quickly and saw "Mailfeasance".

It would be a great name for an email service catering to spammers and
scammers.

------
RiOuseR
Wants an email... to sign up for email? Lolwut?

------
paulryanrogers
Claims to be "browser-based" so I'm going to guess Electron. Also mentions
OpenPGP and Belgium HQ for legal protections. Though I'd guess they'll also
need to only hire Belgium developers to maintain the claim that they're
outside the reach of other governments.

~~~
tecleandor
Are Belgian developers immune to _insert-evil-country-of-choice_ bribing,
extortion or just being plain evil?

Are we still doing this "Oh, they are _nationality_ so they are spies!" thing?

~~~
paulryanrogers
> Are we still doing this "Oh, they are nationality so they are spies!" thing?

Stereotyping is counterproductive. Still, based on recent changes in
Australian law I can see why some organisations may pause before using
services based there, or which rely on Australian contractors who may be
compelled to compromise systems. So any companies boasting of their
jurisdiction should not be immune to skepticism about how robust that
distinction is in practice.

