Posteo

Email: green, secure, ad-free
Email provider
Languages: over 70
Operator: Posteo eK
Users: approx. 350,000 mailboxes (as of 2019)
Online: since 2009 (currently active)
https://posteo.de/

Posteo is a company founded in 2009 in the legal form of a registered merchant (eK), with its headquarters in Berlin-Kreuzberg. The company offers paid, ad-free e-mail services with a focus on security and encryption, as well as contact management and calendars.

The service was mentioned in the German media in 2013, after Edward Snowden's revelations about NSA surveillance fueled the debate about secure e-mail services and e-mail encryption and the US provider Lavabit was shut down. The Posteo website is available in German, English and French. The webmail interface can be operated in any of over 70 languages.

By March 2015, the company had reached around 100,000 mailboxes. In 2016, the number of mailboxes it hosted rose by around 40 percent. In 2019, Posteo operated around 350,000 mailboxes. At the end of 2016, Posteo had fewer than 20 employees.

Data economy and security

The company promotes itself on consistent data avoidance and data economy. Both registration and payment can be made anonymously; users' IP addresses are not stored.

Data transfers between customers and the company are encrypted with TLS throughout. Posteo has supported Perfect Forward Secrecy since August 2013, including on the transport route to other providers; at the time, it was one of the first German providers to do so for all e-mail protocols. Perfect Forward Secrecy means that a new, random key is generated for each connection and used to encrypt that connection. This prevents tapped data from being decrypted later. Posteo uses Extended Validation certificates to authenticate its servers. Posteo has supported DANE/TLSA (DNS-based Authentication of Named Entities) since May 2014, thereby eliminating various weaknesses in TLS encryption, especially when transporting mail between Posteo and other providers. To benefit from the additional security provided by DANE when accessing Posteo with a browser, a corresponding browser add-on is required. All Posteo servers are located in Germany and their hard drives are AES-encrypted. Since October 2015, Posteo has used HTTP Public Key Pinning, a technology rarely used by websites, to secure the HTTPS connection between the web interface and the user.
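The forward-secrecy property described above, as an added illustration that is not Posteo's code: a toy Diffie-Hellman exchange in Python compares a server that reuses its long-term key with one that draws a fresh key for every connection. The group parameters, the function names and the omission of server authentication are assumptions made for this example.

```python
import hashlib
import secrets

# Toy parameters (assumption, for illustration only): real TLS uses vetted
# groups or curves such as X25519. P = 2**255 - 19 is prime.
P = 2**255 - 19
G = 2

def keypair():
    """Return (private exponent, public value) for one Diffie-Hellman party."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub):
    """Derive a 32-byte session key from the Diffie-Hellman shared secret."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def connect(server_static_priv, forward_secret):
    """Simulate one connection; return (agreed key, what a wiretap recorded).

    With forward_secret=True the server draws a fresh key pair per connection
    and forgets the private half; otherwise it reuses its long-term key.
    """
    client_priv, client_pub = keypair()
    if forward_secret:
        server_priv, server_pub = keypair()  # ephemeral, discarded on return
    else:
        server_priv = server_static_priv
        server_pub = pow(G, server_priv, P)
    key = session_key(client_priv, server_pub)
    assert key == session_key(server_priv, client_pub)  # both ends agree
    return key, {"client_pub": client_pub, "server_pub": server_pub}

def recover_from_recording(recording, leaked_static_priv):
    """Key derivable from an old recording once the long-term key has leaked."""
    return session_key(leaked_static_priv, recording["client_pub"])

def demo():
    """Map each mode to whether recorded traffic becomes readable after a leak."""
    static_priv, _ = keypair()
    readable = {}
    for mode in (False, True):
        key, tap = connect(static_priv, forward_secret=mode)
        readable[mode] = recover_from_recording(tap, static_priv) == key
    return readable

if __name__ == "__main__":
    print(demo())
```

In a real TLS handshake the long-term key still signs the ephemeral public value to authenticate the server; that step is left out here because it does not affect which session keys can be recovered afterwards.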

Since November 2014, webmail access can also be secured using two-factor authentication based on the time-based TOTP standard. To prevent this from being undermined by access from e-mail programs via IMAP, POP3 or SMTP, customers can block this access on request. Since May 2015, customers have been able to optionally activate a crypto mail storage, so that all e-mails stored at Posteo are individually encrypted with the customer's (salted) password. Since July 2016, customers have been able to activate the TLS dispatch guarantee on request, so that outgoing e-mails are only sent to the servers of other providers if an encrypted connection is possible. Since August 2016, the webmail interface has shown, before e-mails are sent, whether the transport route is secured by DANE.

The company relies on open standards and free software, including for the JavaScript code used on the website and in the webmailer. The source code of software that Posteo helped develop is available under free licenses on GitHub. Against this background, Posteo criticized the E-Mail made in Germany initiative from the start as a closed, isolated solution.

In the 26th activity report published by the Federal Data Protection Commissioner Andrea Voßhoff at the end of May 2017, Posteo was praised without the company being named. Posteo has "implemented data protection [...] really impressively". At the same time, Posteo published the test report on which this statement was based, which was created at the end of 2016. Among the things praised in it are the in-house, independent data protection officer, who also works in support; the anonymous payment system through which Posteo “does not collect any inventory data”; the waiver of the storage of "IP addresses that can be obtained from customers"; and the multi-layer encryption. In general, Posteo takes into account "the principle of data economy very comprehensively".

At the end of January 2019, the Federal Constitutional Court dismissed a constitutional complaint from Posteo and decided against Posteo’s practice of not storing IP addresses. According to the decision, an e-mail provider such as Posteo must collect the IP address for the purpose of criminal prosecution when a judge requests it.

End-to-end encryption support

Since January 2015, the company has offered automatic encryption of incoming e-mails with either S/MIME or PGP. To do this, the user has to send their public S/MIME or PGP key to the company. Each e-mail is then encrypted with this key after it has arrived. This process is no substitute for real end-to-end encryption, as e-mails are only encrypted after they have arrived on the Posteo servers and not at the sender. Posteo can therefore still check e-mails, for example for spam, even when inbound encryption is activated.

At the end of December 2015, the company published an open-source plug-in for Roundcube, the webmailer it uses, which makes PGP encryption easier in conjunction with the Mailvelope browser add-on. Among other things, public keys are queried by the Posteo servers from various sources (key servers, in DNS as OPENPGPKEY) and offered for import. Private keys, plain-text messages and cryptographic operations always remain under the control of the user. Posteo strictly rejects encryption solutions for which e-mail providers offer server-side support, regarding them as insecure in principle.

Transparency report

In May 2014, the company was the first German e-mail service to present a transparency report on investigation and surveillance procedures. In it, the company writes that in 2013 it received seven inquiries from law enforcement authorities, two of which were formally correct. On the political side, the company was supported by Hans-Christian Ströbele and Christian Lange, among others.

In July 2013, state security officers searched the company's premises. According to the company, the officials had tried to “force the company into illegal cooperation and disclosure of data”. The company then filed a criminal complaint against the police officers involved. According to the company, the police said they had an order to search the premises and confiscate all business records, but actually only had an order for the handover of a single sheet of paper. The criminal police wanted the company to program a script that would have logged the IP addresses from which Posteo users access their e-mails when they log in. With this script it would have been possible to find out which e-mail addresses belong to the IP addresses known to the police.

In August 2015, the company published the transparency report for 2014, for the first time with redacted letters from the investigating authorities and with key topics on manual inventory data information in accordance with Section 113 TKG, on the public control of the information procedure in accordance with Section 113 and Section 112 TKG, and on the practice of judicial reservation.

The transparency report for 2016 (published in January 2017) states that the number of inquiries from the authorities decreased from 48 (2015) to 35 (2016), while around half of the inquiries were still not formally correct and were therefore answered negatively and with complaints to the responsible data protection officer.

According to the transparency report for 2017, the number of inquiries from authorities rose again to 48 (the 2015 level). However, since the number of mailboxes has doubled since then, the request rate per mailbox has fallen sharply, Posteo argues.

Other

Sustainability

The company uses "real green electricity from Greenpeace Energy" for its energy supply and, according to its own statements, only invests money with the GLS Community Bank and the Environment Bank. In addition, Posteo says it regularly donates to non-governmental organizations (NGOs) that are “active in environmental protection”. Posteo users have the option of having their remaining credit donated to an NGO if the mailbox is canceled. Posteo states on its website whom it supports and the total amount donated per year.

Spam folder

Posteo uses a spam filter that cannot be configured or deactivated by the user. Only the creation of additional white and black lists is possible. If an e-mail is classified as spam by the global filter, Posteo refuses to accept it. The owner of the mailbox is not informed about this and may therefore never learn who is unable to reach them. However, the sender is informed, so the responsibility for ensuring that the mail is delivered without errors lies more with the sender. In the webmail settings it is possible to define a folder as a “special folder” for spam. However, this has no effect on the functionality of the spam filter.

Test results and discussion with the Stiftung Warentest

In the tests carried out by Stiftung Warentest in the test editions of February 2015 and October 2016, Posteo emerged as the test winner, in each case tied with its competitor Mailbox.org. After the test was published in February 2015, Posteo nevertheless complained to Stiftung Warentest, both about the test criteria and about errors in the accompanying article. Stiftung Warentest acknowledged the errors, temporarily stopped direct sales of the magazine and added a correction page. Corrections also appeared online and in the following issue.

For the 2016 test, the company published a blog entry before the test appeared, in which it criticized errors in the pre-release version it had received. The reason given for the early publication was that Stiftung Warentest had not responded to inquiries from Posteo. Posteo also criticized the fact that many of the security features used at Posteo were not considered in the test. After the test results were published, Posteo withdrew most of its criticism, as the deficiencies in the preliminary information about the provider had not been included in the final version. However, Posteo also emphasized that some of the security functions it offers were not taken into account in the test.
