About the Email category

Discussion of email providers, service reviews, and self-hosting email

While it’s not E2EE, https://cock.li is currently accepting public registration. The email addresses are hilarious and their homepage trust blurb is pretty human. I’ll post a snippet.

How can I trust you?

You can’t. Cock.li doesn’t parse your E-mail to provide you with targeted ads, nor does cock.li read E-mail contents unless it’s for a legal court order. However, it is 100% possible for me to read E-mail, and IMAP/SMTP doesn’t provide user-side/client-side encryption, so you’re just going to have to take my word for it. Any encryption implementation would still technically allow me to read E-mail, too. This was true for Lavabit as well – while your E-mail was stored encrypted (only if you were a paid member, which most people forget), E-mail could still technically be intercepted while being received / sent (SMTP), or while being read by your mail client (IMAP). For privacy, we recommend encrypting your E-mails using PGP using a mail client add-on like Enigmail, or downloading your mail locally with POP and regularly deleting your mail from our server.

Also, there’s this quote from /g/:

Administering a mail host is sort of like being a nurse; there’s a brief period at the start when the thought of seeing people’s privates might be vaguely titillating in a theoretical sense, but that sort of thing doesn’t last long when it’s up against the daily reality of shit, piss, blood, and vomit.

Now that I think about it, administering a mail host is exactly like being a nurse, only people die slightly less often.

The Privacy & Security

From their site:

Data cock.li collects

As a cock.li user, at any point, cock.li may be retaining the following information about your account:

A Registration information (E-mail address, hashed password, IP address, user agent, timestamps)
C Cookies used to keep you logged in to cock.li and the webmail interface
C Session information saved by webmail in order to provide webmail access
B Mail storage (Anything saved in your inbox, sent, or any other mail folders)
B Mail filters (Configurable through the webmail interface)
B XMPP buddy rosters and data saved as part of your client interacting with XMPP extensions
C 48-72 hours of IMAP and SMTP log information (detailed below)

Cock.li may also be retaining the following information not related to your account:

HTTP access logs containing your IP address, user agent, and type/location of your requests

Cock.li does not guarantee that the above information is stored, only that it does not knowingly collect information in addition to this.

IMAP and SMTP logs include:

When an E-mail is sent, the username, destination e-mail address, and information about the connection (like IP address, quota information)
When you connect to IMAP, what IP address and username (if any) you are logging in with, and if that login was successful

Mitigations

  1. Use the Tor site (but that’s hard sometimes)
    a. Thunderbird accepts SOCKS proxy configurations, enabling access to their hidden service
  2. Use a VPN
  3. Use PGP encryption
    a. Thunderbird Enigmail plugin
    b. GPG bash command
    c. K-9 Mail for Android
  4. Do not provide any identifying information when creating the account
    a. Don’t make your email address similar to something else you’ve used before
    b. Same goes for usernames, etc.
  5. Do not utilize your email with any accounts / email addresses associated with your real identity.
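
What mitigation 3 does and does not hide from the mail host, as an added example (not part of the original post or cock.li's text): it parses a message the way a server storing or relaying it could, and reports which headers stay readable and whether the body is PGP-encrypted. The sample messages and addresses are constructed, and the cleartext-header behaviour is that of standard PGP/MIME (RFC 3156), which the post itself does not discuss.

```python
from email import message_from_string, policy

ARMOR = "-----BEGIN PGP MESSAGE-----"
# Constructed sample messages; addresses and bodies are made up.
PLAIN = """\
From: alice@example.org
To: bob@example.net
Subject: meeting notes
Content-Type: text/plain

See you at noon.
"""

PGP_MIME = """\
From: alice@example.org
To: bob@example.net
Subject: meeting notes
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
--b1--
"""

def body_is_encrypted(msg):
    """True for PGP/MIME (RFC 3156) or an inline ASCII-armored text body."""
    if msg.get_content_type() == "multipart/encrypted":
        return msg.get_param("protocol") == "application/pgp-encrypted"
    if msg.get_content_maintype() != "text":
        return False  # other multipart or binary content: treat as not encrypted
    return msg.get_content().lstrip().startswith(ARMOR)

def server_view(raw):
    """What a mail host can read from a stored or relayed message."""
    msg = message_from_string(raw, policy=policy.default)
    exposed = {h: str(msg[h]) for h in ("From", "To", "Subject") if msg[h]}
    return {"headers": exposed, "body_readable": not body_is_encrypted(msg)}

if __name__ == "__main__":
    print(server_view(PLAIN), server_view(PGP_MIME), sep="\n")
```

Both messages expose the same From, To and Subject; only the body changes, which is why mitigations 4 and 5 still matter when PGP is in use.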