Alternative, privacy focused email providers similar to Gmail and 'promotional' mail

Max Roscoe

Pelican
Orthodox Inquirer
Setting up a raspberry pi mail server is a one time cost of around $35. You will also need to pay yearly for domain registration (the @.com address where you will receive mail).



However, there are 2 changes that make this much more difficult:

1) Many ISPs block port 25 (the mechanism used to send email) in order to cut down on proliferation of spam. If anyone with an internet connection and $25 raspberry pi can send spam right out of their house, you can imagine how much worse the situation would be.

2) Also, due to the proliferation of spam, you may need a static IP address or to run something called DDNS (Dynamic Domain Name System), which is a workaround to assign a permanent name to a rotating IP address, in order to send OUTGOING mail. Otherwise, your messages could be tagged as spam by the recipient. With the proliferation of spam, spam filters now view non-static IP addresses (the vast majority of internet connections) as potential spam and therefore your messages may never arrive. A static IP, which allows port 25, will be an ongoing monthly cost for you (it looks like AT&T charges $35 monthly).

It may be better to use a virtual shared computer, like mentioned in the post above (note this is also a monthly ongoing fee, but probably cheaper than a static IP address will cost you). This is just having login credentials to a computer elsewhere that will run as your individual mail server. It looks like this can cost as little as $5 monthly (plus the annual domain name fee).

The other alternative is just paying for a private email company you trust like protonmail, tutanota, etc.
I think PGP is the best alternative, but it requires the people you are communicating with to also use PGP.
 

Stadtaffe

Kingfisher
Orthodox
Gold Member
A good setup imho is Ubuntu Server (or whatever Linux distro you prefer) with Postfix, PostfixAdmin, DCC, Razor, Pyzor, PostGrey, SPF, DKIM, SpamAssassin, DNSRBL, Amavis, ClamAV, Dovecot, Apache (or Nginx), sqlite, PHP, RoundCube, UFW (iptables), and Fail2Ban. There are some good tutorials out there that show how to set everything up. Most guides suggest MySQL but I prefer sqlite because it's simpler and uses less resources. My server with all the stuff listed above runs nicely on a single core with only 1GB memory and about 10GB disk space.
Have you set it to strip metadata such as sender IP out? That might just be a setting in a config file somewhere, but not sure if all of those can do it. I think RoundCube can. Have set up dynamic websites and a matrix server before but never an email server. Actually, those experiences have almost scared me off something like setting up my own email server, just the myriad of config files, firewall settings and things which in the end work but have some peculiar bugs lingering. My matrix server experience was also a stress.

Setting up a raspberry pi mail server is a one time cost of around $35. You will also need to pay yearly for domain registration (the @.com address where you will receive mail).
It is tempting to try, but I fear one day I will be somewhere and someone will need to push a button on the raspberry pi, but I'm miles away. So would rent an instance on a suitable free speech server somewhere probably if I were to do this.

Yes, as needed will swap public keys and use pgp.
 

ZmbHntr

Chicken
I've been using Yandex for 3 years and found it to have great usability. Not sure how private it is, but it's based in Russia. The only downside I've found is that a few government departments have put all emails from Yandex on their spam list, so on the odd occasion I've had to use an alternate email address to send from.
 

joost

Kingfisher
Biggest name in “email privacy” is ProtonMail. They probably don’t scan your emails but if they get a subpoena, expect Them to cooperate with law enforcement. If you want privacy, Signal is the way to go. If you want anonymity, use a burner phone to receive the SMS code for registration.

I moved all my email needs to ProtonMail (family, banks, gov, work, etc). I don’t expect anonymity but I’m certain it gives me more privacy than other big names (including Apple).

ProtonMail works with Android and iOS so you don’t have to be concerned about getting locked. What I like is the domain they have @pm.me. It’s short and you can receive emails to your free account. I decided to pay $80 for 2 years of service so I can SEND from that domain. So your email shows as [email protected]

Another benefit is getting Proton Calendar. It’s available only for Android for now.
 

soli.deo.gloria

Woodpecker
Orthodox Inquirer
Gold Member
Have you set it to strip metadata such as sender IP out? That might just be a setting in a config file somewhere, but not sure if all of those can do it. I think RoundCube can. Have set up dynamic websites and a matrix server before but never an email server. Actually, those experiences have almost scared me off something like setting up my own email server, just the myriad of config files, firewall settings and things which in the end work but have some peculiar bugs lingering. My matrix server experience was also a stress.


It is tempting to try, but I fear one day I will be somewhere and someone will need to push a button on the raspberry pi, but I'm miles away. So would rent an instance on a suitable free speech server somewhere probably if I were to do this.

Yes, as needed will swap public keys and use pgp.

When I use RoundCube the email session is coming from the same server aka "localhost" so there is nothing to strip and I don't have to worry about encryption/security between the client and MTA. Of course your setup may differ and if you use an IMAP/POP client like Thunderbird or an app on your phone or whatever that's a different story. I do employ various security measures such as stripping HTML and not displaying remote images by default, etc. If you ever need help setting up a system feel free to ask.

Biggest name in “email privacy” is ProtonMail. They probably don’t scan your emails but if they get a subpoena, expect Them to cooperate with law enforcement. If you want privacy, Signal is the way to go. If you want anonymity, use a burner phone to receive the SMS code for registration.

I've used Proton and it's good for what it is but just don't kid yourself that you have any kind of real privacy or security. If they want to find out what you are up to they have lots of ways of doing that. Of course the easiest way is to just tie you to a chair and beat you with a $5 wrench until you tell them the password. :)
 

joost

Kingfisher
^^
I don’t rely on their encryption much since nobody I communicate with thru email uses PGP or another ProtonMail account. Nor any of the services I receive email from (companies). I’m just counting they’re not going to share my information to advertisers. Like I said previously, Signal is my private communication method. And I used a burner phone to register since those bastards promised usernames years ago.
 

Max Roscoe

Pelican
Orthodox Inquirer
I've posted before, possibly in this thread, why I do not trust Signal.
I installed Signal on a tablet using an anonymous burner phone in a foreign country. I used the same phone # to register a different device for facebook messenger. Somehow the accounts were linked, which means Signal is sharing or selling your registered number.

Of course, if you care about privacy you should already be confused that Signal would want or need a phone #. Totally unnecessary step that does nothing but open you up to exploits.

I understand Ed Snowden trusts signal, but I believe this trust is misplaced. His rationale is "I use it and I'm not dead yet." I don't believe Signal was around when Snowden worked for the feds, but based on my experience with them, I do not trust Signal. Perhaps it is a honeypot where even the employees do not realize it is a honeypot. But anyone can see the phone registration is a huge exploitable weakness. If they mislead you about phone registration, are the messages really secure?

 

EndlessGravity

Pelican
Protestant
Protonmail seems to be lying about their logging.


End-to-end encrypted email service provider ProtonMail has drawn criticism after it ceded to a legal request and shared the IP address of anti-gentrification activists with law enforcement authorities, leading to their arrests in France.
On its website, ProtonMail advertises that: "No personal information is required to create your secure email account. By default, we do not keep any IP logs which can be linked to your anonymous email account. Your privacy comes first."
 

Stadtaffe

Kingfisher
Orthodox
Gold Member
Protonmail seems to be lying about their logging.

This is their own article on it - https://protonmail.com/blog/climate-activist-arrest/

Maybe these email sites don't log it or delete it every few days, but when the police come along with a warrant and say "log this person", they start logging it. Actually, there is a lesson to take from this, as they recommend in that article. They are basically saying how that guy could have avoided getting caught. Does anyone know exactly what he did that triggered such a reaction?

I previously worried only about the headers in emails containing too much personal information which is a point and for most use probably enough. That is, the recipient of an email can't link it back to you. But of course every time you log into webmail or thunderbird connects through imap / smtp, the email host is seeing your IP. So the host can link it back to you if there is a court order or police warrant. It is possible to mitigate this with software and measures described elsewhere in these technical threads. All that most of us on this forum are doing anyway is connecting with likeminded people and enjoying freedom of speech but there is more and more abuse of constitutional rights, such as free speech, searches without a warrant so it may be worth starting to use these extra measures.
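
Added example, not part of any poster's message: a short audit of which IP addresses a recipient can read from a message's headers, the exposure discussed above (webmail on the server itself versus a client such as Thunderbird submitting over SMTP). The message, host names and addresses are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed message as a recipient would see it (all names/addresses made up).
RAW = (
    "Received: from mx.example.net (mx.example.net [198.51.100.25])\r\n"
    "\tby inbox.example.com with ESMTPS; Tue, 2 Jan 2024 10:00:05 +0000\r\n"
    "Received: from [192.168.1.23] (home.isp.example [203.0.113.77])\r\n"
    "\tby mx.example.net with ESMTPSA; Tue, 2 Jan 2024 10:00:03 +0000\r\n"
    "X-Originating-IP: [203.0.113.77]\r\n"
    "From: alice@example.org\r\n"
    "To: bob@example.com\r\n"
    "Subject: hello\r\n"
    "\r\n"
    "body\r\n"
)
HEADERS = ("Received", "X-Originating-IP")   # headers that commonly carry hop addresses
BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def addresses_in(value):
    """Return every syntactically valid IP literal written as [addr] in a header value."""
    found = []
    for candidate in BRACKETED.findall(value):
        try:
            found.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            pass  # bracketed text that is not an address
    return found

def exposed_addresses(raw):
    """Map each address visible to the recipient to the headers that carry it."""
    msg = email.message_from_string(raw)
    exposed = {}
    for name in HEADERS:
        for value in msg.get_all(name, []):
            for ip in addresses_in(value):
                exposed.setdefault(ip, []).append(name)
    return exposed

def submission_hop(raw):
    """Addresses in the oldest Received header, written when the mail client
    handed the message to its own server; this is where a home IP shows up."""
    received = email.message_from_string(raw).get_all("Received", [])
    return addresses_in(received[-1]) if received else []
```

Run it against a message you sent to yourself at another provider: if `submission_hop` returns only a loopback address, the server composed the mail locally; anything else is what the recipient sees of the sending client.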
 

joost

Kingfisher
^^

Protonmail posted something in their blog explaining they will work with authorities since it’s required by law. They say technically they can’t read your email but don’t expect them to not work with authorities if they get a subpoena (in Switzerland).

They say the activist should’ve used the TOR version of the website to mask its location. Even then I wouldn’t trust an email service for certain tasks.

Nothing unexpected.
 

Max Roscoe

Pelican
Orthodox Inquirer
Well it was surprising enough that Protonmail has changed their privacy policy to no longer claim what it used to about logging your activity.


The main point is only trust what is possible, not what is promised. IE use a protocol or technique that protects you. Don't rely on the word of a corporation, particularly one that is not independently audited.
 

Valentine

Kingfisher
Catholic
Gold Member
Hosting your own email isn't that hard. Buy a domain name, then use some off-the-shelf solution like Mailcow, Maddy or Mail-in-a-Box on your own server. Or use a GUI-based web app like Nextcloud or cPanel that also allows deploying an email inbox.

The real difficulty comes in when you want to send emails, not in receiving them. For that you either need to spend a long time building up the reputation of your server's static IP address, or you have to use a 3rd-party to deliver emails for you. Mailgun, SendGrid, Amazon SES, etc have great delivery rates, but it does mean your email content is now exposed to an additional party. I don't know of another good workaround for this, it's just a result of how broken email is as a protocol.
 

Stadtaffe

Kingfisher
Orthodox
Gold Member
For that you either need to spend a long time building up the reputation of your server's static IP address
Can you elaborate on this, specifically the concept of "reputation" for a static IP address which sends email.

I think if you use a standard hosting company to put a webpage on a domain then use their in-built email service, you get an automatic "reputation" from them. If you however create your own email server with nuts and bolts so to speak, that concept of reputation would apply.

Have not really heard of it though and am rather curious what it exactly is.

My regular email address once rejected an email from someone based on a "sender policy framework violation" but not sure if that is because their static IP was lacking in "reputation"..
 

Valentine

Kingfisher
Catholic
Gold Member
Can you elaborate on this, specifically the concept of "reputation" for a static IP address which sends email.

I think if you use a standard hosting company to put a webpage on a domain then use their in-built email service, you get an automatic "reputation" from them. If you however create your own email server with nuts and bolts so to speak, that concept of reputation would apply.

Have not really heard of it though and am rather curious what it exactly is.

My regular email address once rejected an email from someone based on a "sender policy framework violation" but not sure if that is because their static IP was lacking in "reputation"..

If you search "email reputation static IP" or similar you can find articles like this one which explain the various factors, but it basically boils down to "how has the IP address been used?" e.g. was it ever used for spam, what's its email reputation like now, etc.

There are a number of tools which can be used to check your email reputation. From what I understand though an IP needs to send hundreds of thousands of emails per month to build reputation significantly, and during this time all these emails may have unreliable deliverability rates. Using a hosting company's in-built email would not necessarily have a good reputation, it all depends on what the thousands of users which share the IP do with email. If a large amount of emails isn't being sent per month, it also means email providers are less likely to remember that IP as a high reputation sender.

SPF is something configured in DNS records to give domain authenticity and isn't the same thing as IP reputation but it is a signal that improves deliverability and it should be configured also.
 

Stadtaffe

Kingfisher
Orthodox
Gold Member
Thanks @Valentine curiosity satisfied, I had a look at the links but think for my use case reputation of a static IP would not be an issue. They talk about "warming up an IP" and not exceeding 50 emails per hour.. I don't think I even exceed 50 emails per fortnight. It's more for receiving of emails than sending them and it sounds like this reputation factor has no meaning for receiving them.

It makes sense, I was reading about some email providers having to tighten their rules for joining after someone created an account and started sending a lot of spam. Sounds like these email providers need to take care of who joins, as one bad apple can do a lot of harm for the whole user base.
 

Max Roscoe

Pelican
Orthodox Inquirer
The bigger issue with sending emails is that you must typically pay for a fixed, or static, IP address, because due to the pervasiveness of spam, if your email is SENT from an ip address that changes every day, as the typical internet service gives you, it will be marked as spam and blocked, as this is the method easily used by spammers to send unsolicited junk.

The cost of a static IP account can be something like $80 a month. There are ways to rent computer time, or virtual machines, that can make this more affordable. But sending email using your home internet account is usually not practical or cost effective for a single individual. As someone said earlier, the email protocol really is broken and desperately in need of a rewrite.
 