Re: [tor-talk] Tor-friendly, Bitcoin-friendly paid e-mail

On 8/8/2018 6:22 PM, Need Secure Mail wrote:
Grizzled long-time Tor user here. I seek basic, reliable POP/IMAP/SMTP
service with an option to use my own domain (to avoid lock-in with a
provider), from a well-established provider who will not likely disappear
*and* will never block my account for Tor logins, demand selfies with
gov-id, etc. I am willing to pay a reasonable amount, because TANSTAAFL. I
will NOT use credit cards, Paypal, or any such horrible monstrosity.

Here is what I found so far. The following list is not in any way
intended to be comprehensive. I've spent many hours searching the web,
winnowing things down. I invite discussion.

Observed TLSA (DANE) implementation status is listed, due to this being
(unfortunately) the only standardized means to prevent STARTTLS downgrade

When multiple currency-of-account options are offered, I list prices
in the currency most favorable to the user at current exchange rates.
Much as I can, I try to list the effective *actual* cost to the user,
per month, if paid on an annual basis. This may differ from the
advertised price.

I am not affiliated with any of the below-listed companies; I receive
no compensation if you sign up for any of them.

Without further ado, here is my current shortlist:

# https://mailbox.org/en/

- Effective price: €1.01/month (€1 + 1% Bitpay fee; prepay annually)
- By: Heinlein Support GmbH
- Jurisdiction: Germany (EU; Fourteen Eyes)
- .onion site (POP3/IMAP/SMTP/XMPP; no web): kqiafglit242fygz.onion
- Working DNSSEC/TLSA: https://dane.sys4.de/smtp/mailbox.org

I found this through the Tor trac,[0] which is probably the very best
advertising for them. Everything looks pretty good from a technical
perspective. Price is reasonable.

I like how the signup form asks for a name, but explicitly says it does
not need to be your "real name".

Though I have not yet tested this, it looks like you can attach one domain
to the account for each alias; and the €1/month account provides three
aliases. This could make a cost-effective home/work identity solution
for an individual with a limited budget.

A 30-day trial account limits features, but allows POP/IMAP/SMTP access.
I will give this a spin, and pay them money if it works out.

I do wish that they were not in a Fourteen Eyes country.

[0] https://trac.torproject.org/projects/tor/wiki/org/projects/WeSupportTor

# https://mailfence.com/

- Effective price: About $3.25/month (prepay annually)
- By: ContactOffice Group sa
- Jurisdiction: Belgium (EU; Fourteen Eyes)
- .onion site: Promised, but not actually existing.[1]
- No DNSSEC, thus no TLSA: https://dane.sys4.de/smtp/mailfence.com

Before I found mailbox.org, I signed up for this and almost paid for an
account. For the most inexpensive account, I was offered payment options
of €2.50/month or $2.77/month, both paid annually. That exchange rate
is moderately favorable to USD; so I selected $2.77/month.

*Then*, I saw the amount of Bitcoin they demanded: 0.005142968 BTC,
allegedly for $33.30. That works out to a Bitcoin exchange rate of
$6474.86/BTC. At that exact moment, my desktop ticker was showing an
average exchange rate of $7591.24/BTC. Thus, they offered me a HORRIBLE
exchange rate, almost 15% under market! This makes the effective account
price $39.04/year, or $3.25/month.

How many people use a desktop calculator to check the exchange rate? Well,
you need to wake up pretty early to fool me.

Mailfence's free accounts do not offer POP/IMAP/SMTP access; so I am
unable to fully test their services without paying. I prefer Mailbox's
arrangement with a time-limited trial account. I am totally uninterested
in webmail; how am I supposed to test a service without POP/IMAP/SMTP

[1] https://blog.mailfence.com/send-email-anonymously-mailfence-tor/
Text: "Note: we also plan to release an onion domain for Mailfence
in the future."  Comments: "Yes, we do plan to provide a Tor
hidden service. However, this currently is not in our priority
list." (2017-02-27)

# https://protonmail.com/

- Effective price: $4.00/month (prepaid annually)
- By: Proton Technologies, SA
- Jurisdiction: Switzerland
- Standard PGP, standard algorithms: No homebrew crypto!
- Can communicate with GPG users.
- POP/IMAP/SMTP access requires "Bridge" proxy software.
- .onion site (mail login only): https://protonirockerxow.onion/login
- DNSSEC, but no DANE/TLSA: https://dane.sys4.de/smtp/protonmail.ch

Ok, everybody knows Protonmail. As a longtime PGP/GPG user, I love
Protonmail 3.14 because I can direct n00bs to it as a user-friendly
PGP mail solution[2] which Just Works. However, it does not meet *my*
needs. I need my local GPG. I need a dropbox which can be accessed
through POP/IMAP and polled from my crontab, with sending via SMTP. No
web browsers, no "Bridge".

Also: The price is reasonable for the full-featured service they offer;
however, it is way too high for the services I myself need.

If Protonmail offered a no-frills POP box on their Swiss servers for
$2/month, or even $3/month for a Swiss price premium, I would jump for
that in a heartbeat.

**PSA: Non-technical people, PLEASE sign up for Protonmail and STOP
fans I unsuccessfully badgered about this for years have fallen in love
with Protonmail. It is that easy.

[2] "Introducing Address Verification and Full PGP Support" (2018-07-25)

# Hushmail (beneath linking)

If you compromise your allegedly encrypted mail service even once, *ever*,
even for the account of an alleged heinous criminal, then I will not even
look at you. That just shows all your fancy software is so much security
theater -- a waste of CPU cycles. AVOID.

Mentioned only because a disturbing number of sites are still linking to
this as "private e-mail". No, thanks. I would rather use Gmail and have my
privacy raped openly, without illusions.

[3] Many sites/articles, example: "Encrypted E-Mail Company Hushmail
Spills to Feds" (2007-11-07)

# https://runbox.com/

- Effective price: About $3/month (prepaid annually), including a stamp
- By: Runbox Solutions AS
- Jurisdiction: Norway (EU; Nine Eyes)
- No Bitcoin payments (they do accept cash in the mail)
- No .onion site
- No DNSSEC, thus no TLSA: https://dane.sys4.de/smtp/runbox.com

Mentioned because I have experience with them. Some good, some bad.

According to their support@, "Using Tor is no problem at all"
(2017-03-01). User report: I never had any problems with Torified logins.

They do have very good support.

# https://unseen.is/

- Price: High
- Jurisdiction: Iceland
- Apparently custom crypto protocol (?)
- Apparently no POP/IMAP/SMTP
- No DNSSEC, thus no TLSA: https://dane.sys4.de/smtp/unseen.is

Mentioned because Iceland. Does anybody know a reliable, well-established
Icelandic company offering no-frills POP boxes for €1/month? I have

# (lots of results for search query "swiss e-mail")

- Price: High
- Jurisdiction: Switzerland (allegedly)
- Other characteristics: ???

I stopped looking when I saw the price. I am willing to pay for e-mail;
but my needs are very basic, and I do not want to be ripped off for a
simple POP box. I listed this just to demonstrate a point: I searched
for Swiss e-mail (to get outside E.U./Fourteen Eyes territories), and
found a bunch of sites offering basic e-mail for $10-20/month. WTF? I
know Switzerland is expensive; but it is not 10x as expensive as Germany!


Any good ones I missed? Please tell me, before I commit to something!

I might be missing the point, but why not do it yourself?
You already have a domain name, you would need to configure your own e-mail server, tor, AV, spam filtering and so on... If you use imap/smtp ... you also need to take into consideration the security of the client being used.

Why do you need imap and pop3?

John Doe
