Bitcoin Forum
Author Topic: Review: mailbox.org e-mail; pseudonymous friendly, antispam, €1/mo. (pay in BTC)  (Read 191 times)
This is a self-moderated topic. If you do not want to be moderated by the person who started this topic, create a new topic.
nullius (OP)
March 11, 2018, 10:37:03 PM
Last edit: February 27, 2020, 01:25:52 PM by nullius
Merited by slaman29 (1)
 #1

RETRACTION

In 2019, mailbox.org stopped accepting Bitcoin after Bitpay shut down its operations in Germany.  I hereby retract my review, which is left unedited below, for the record.

This was insightful:

Very interesting article nullius, thanks. I think the one Negative bit is just too much to overcome at the moment (BitPay). The issue with wanting a good service, especially one so important as a pseudonymous email, isn't with the price but with the ease of maintaining it. BitPay is impossible for me to use (and I want to avoid it anyway).

Bitpay is commonly known as “Shitpay”, for a reason—actually, for many reasons.  Do you want to rely on it for your business?

For business owners, including Heinlein Support GmbH (owners of mailbox.org), I suggest the following:

  • Best:  In-house Bitcoin competency.  However, I understand that not all businesses have this.
  • Better:  BTCPay Server, an open-source drop-in replacement that is API-compatible with Bitpay.  It is almost like having an in-house Bitcoin expert set up your payment processing, but without the in-house Bitcoin expert.
  • If you really cannot handle being your own bank:  Use some outsourced Bitcoin payment acceptance that is not Bitpay.

mailbox.org users who needed Bitcoin payments have been left in the lurch.  I should know.  Don’t do that to your customers—your paying customers, who want to pay you money!  In today’s Internet world, where freebies are demanded (and oft given under “you are the product” schemes à la Google), it is both common decency and business savvy to show your loyal paying customers the respect of not suddenly yanking Bitcoin payments out from under them.


Unedited original post follows:

This review is neither solicited, nor compensated.  I have no affiliation with mailbox.org, other than as a happy customer.



It is no secret that I use mailbox.org:  Their mailer hostnames are in the MX and related records for nym.zone, plus in the headers of all mail received from me (including by publicly archived mailing lists).

Although mailbox.org is popular on some other “crypto” forums, the only discussion I could find here is a German thread from 2015.  Thus, I wish to tell Bitcoin Forum users of my experience with this service.  Rather than writing a wall of prose, I will reduce the major points to three separate bulleted lists:  Positive, Neutral, and Negative.

Note:  mailbox.org offers a plethora of features, most of which are unused and untested by me.  I can only review their core service:  E-mail, sent from/downloaded to my own localhost.

TL;DR:  Overall, highly recommended for pseudonymous users who want reliable service and strong anti-spam for €1/month, payable in Bitcoin.



Positives:

  • Friendly to anonymous/pseudonymous customers.  They explicitly state that “anonymous registration at mailbox.org is absolutely possible”.  The only information they ask at signup is a name—which they explicitly hint that they cannot verify—plus a country for VAT reporting purposes (also unverifiable), and a language for the Web app user interface.
  • Excellent anti-spam protection.  The company which provides this service, Heinlein Support GmbH, does antispam as their bread and butter.  I have been freely spreading my address nullius@nym.zone around the Web and on mailing lists, with no attempt to obfuscate it.  I receive very little spam; and whatever spam I have recently received seems to be targeted to Bitcoin Forum users (ICO spam).
  • Anti-spam system properly rejects with SMTP 5xx.  No junk folder to silently eat false-positive messages!  (I think they may (?) have recently added a “junk folder” option; but if so, it is optional and opt-in.  Avoid.)
  • .onion site, kqiafglit242fygz.onion, for access to POP, IMAP, and XMPP services—albeit not for the Web interface, which is necessary to control account settings and payment.  They also run their own Tor exit, which can be pinned; I myself don’t do this.  Their Tor information page discusses both their exit and their .onion.
  • Reliable service.  In my time as a customer thus far, I have never seen the service go down, or show any other signs of unreliability.
  • Located in Berlin, Germany, without connection to the Land of the Free NSL.  Servers physically located in Berlin.  Subject to German data protection laws.  Clear Data Privacy Statement.
  • Well-established company.  mailbox.org was started in 2013; but the people running it have been providing some form of network services since 1989 (!).  The providing company has existed since 1992.  In an era fraught with flaky startups, I feel more comfortable knowing that my e-mail will not likely disappear due to dumb hipster “founder” kids either flaking out, or getting “acqui-hired” by Google.
  • TLS certificates verifiable through DANE.  (Untested by me, since DANE does not work through Tor; I’d need to make a special effort.)
  • Network-level communications privacy between servers can help lessen the exposure of metadata (not protected by PGP) to network observers.  To this end, mailbox.org attempts to use TLS for all incoming and outgoing SMTP sessions with other MXes.  They also provide an option through which you may refuse all mail not sent over TLS; however, this can cause you to be unable to communicate with people who use incompetently managed mailservers.

    All mailbox users also have a special alias which can only receive mail via SMTP over TLS; mine is <nullius@secure.mailbox.org>.  If you want to test whether your mailserver can do outgoing TLS properly, try sending me a “hello” at that address, and see if it gets rejected!
  • Use your own domain.  No extra charge.  If you set up a domain with a catch-all alias, you can download mail, filter on envelope-recording headers, and inject it into your own local mail system.
  • Reasonable prices.  For those who download and delete mail, unless you need lots of aliases for domains, it should never be necessary to buy more than the €1/month service level with a 2 GB mail quota.  Webmail users who need more space (or those who use the “Office” features I have not tested) have many other service options, all of which seem cost-effective for the resources provided.
  • Paid service.  Yes, that’s a positive.  So-called “free” e-mail never is:  If you’re not the (paying) customer, then you are the product.  I am a mailbox.org customer.
  • Payable in Bitcoin (but see negative below: Bitpay).
  • 30-day free trial.

Neutral characteristics:

  • Webmail “Guard” PGP features.  I myself do not use this, and have not tested it.  I think that overall, against real-world threats, it looks about as trustworthy as Protonmail; yet it has the significant advantage that unlike Protonmail, you can use it to communicate with all PGP users in the world, not only local users of the same service.  I think that this is a good “medium security” solution for people who need user-friendly webmail.  I would recommend that paid Protonmail users switch, and save some money:  For 5GB of quota, mailbox.org costs €2.50/month, whereas Protonmail costs €5/month (€4/month if paid annually).  Those who need or desire high security MUST always use private keys which never in any way leave their own hardware.  This German-language discussion seems savvy.

    Side note:  I myself would prefer to correspond with security experts who use their own keys on their own hardware.  However, knowing one’s correspondent is integral to opsec; and I know that I can only assess the expertise of a correspondent by evaluating the human element.  I would rather suggest that n00bs use mailbox.org Guard from their malware-infested PCs than try to tell them how to manage PGP private keys on the same computers from which their bitcoins get stolen.

Negatives:

  • Last-minute addition:  Bitpay is currently broken in a way which will effectually prohibit Tor users.
  • Bitpay.  #NO2X, “WE WILL NEVER FORGET.”  I don’t totally boycott all Bitpay services; but a service must be truly excellent for me to endure grinding my teeth whilst sending precious bitcoins to a Bitpay address.  @mailbox.org, please consider setting up your own node!
  • Even for POP/IMAP users, the Web interface must be used for account settings and payment purposes; and the Web interface requires Javascript, lots of Javascript.  Besides being unfriendly to people who disable Javascript for security reasons, the gobs of Javascript are slow to download over Tor.
  • Google CAPTCHA required (only) at signup.  (They actually apologize for this on the signup page.)
  • “Guard” PGP features (untested/unused by me) require some level of trust in mailbox.org.  As said above, I think overall their setup looks about as safe as Protonmail.  With Protonmail, the server could perform a targeted attack by providing Javascript which phones home the decrypted private key; with mailbox.org Guard, the server decrypts the private key, and could keep it that way if desired.  Really, what’s the substantive difference?



I will update this review if/as necessary from further experience with mailbox.org.

Version history:

2018-03-11:  Initial post.

This thread is self-moderated for reason that due to experience with spam and trolls, I self-moderate all threads started by me unless there be a good reason to do otherwise.

Blue Tyrant
March 12, 2018, 06:46:16 AM
 #2

Quote
Located in Berlin, Germany, without connection to the Land of the Free NSL.  Servers physically located in Berlin.  Subject to German data protection laws.  Clear Data Privacy Statement.

Regarding this point, isn't Germany a part of the infamous Fourteen Eyes (details well summarized by Privacy Tools)?

Quote
The UKUSA Agreement is an agreement between the United Kingdom, United States, Australia, Canada, and New Zealand to cooperatively collect, analyze, and share intelligence. Members of this group, known as the Five Eyes, focus on gathering and analyzing intelligence from different parts of the world. While Five Eyes countries have agreed to not spy on each other as adversaries, leaks by Snowden have revealed that some Five Eyes members monitor each other’s citizens and share intelligence to avoid breaking domestic laws that prohibit them from spying on their own citizens. The Five Eyes alliance also cooperates with groups of third party countries to share intelligence (forming the Nine Eyes and Fourteen Eyes), however Five Eyes and third party countries can and do spy on each other.

The part in bold being the German part. Not to mention there have been plans from the German side to align themselves with the five eyes, as per a suitably cited Wikipedia article:

Quote
Germany is reportedly interested in moving closer to the inner circle: an internal GCHQ document from 2009 said that the “Germans were a little grumpy at not being invited to join the 9-Eyes group." Germany may even wish to join Five Eyes

And to quote another article

Quote
According to summit participants, the German chancellor seemed far more interested in the "Five Eyes" alliance among the US, the UK, Australia, New Zealand and Canada. The top-level allies within this exclusive group, which began in 1946 as a pact between London and Washington, have agreed not to spy on one another, but instead to share information and resources. In Brussels, Cameron stressed to his fellow leaders how many terrorist attacks had been prevented by successful intelligence work.

Merkel, meanwhile, stated: "Unlike David, we are unfortunately not part of this group." According to the New York Times, Germany has sought membership in the "Five Eyes" alliance for years, but has been turned down due to opposition, including from the Obama administration. But this could now change, the paper speculates.


So there's a high chance that Germany may soon change their stance on the issue of privacy, especially now that the leadership of the US has changed from the Obama administration, which rejected their plea, to a new one.

slaman29
March 12, 2018, 09:26:20 AM
Merited by nullius (1)
 #3

Very interesting article nullius, thanks. I think the one Negative bit is just too much to overcome at the moment (BitPay). The issue with wanting a good service, especially one so important as a pseudonymous email, isn't with the price but with the ease of maintaining it. BitPay is impossible for me to use (and I want to avoid it anyway).

The secondary issue, but also important: how we can be secure in the knowledge that the email service won't just disappear? I got really upset when Sigaint went down and it was doing so well!
