 |
Title: I moved my emails to Proton Mail |
|
Author: Solène |
|
Date: 12 September 2024 |
|
Tags: privacy security emails selfhosting |
|
Description: In this blog post, I explain why I migrated my emails from |
|
self hosting to Proton Mail |
|
|
|
# Introduction |
|
|
|
I recently took a very hard decision: I moved my emails to Proton Mail. |
|
|
|
This is certainly a shock for people following this blog for a long |
|
time, this was a shock for me as well! This was actually pretty |
|
difficult to think this topic objectively, I would like to explain how |
|
I came up to this decision. |
|
|
|
I have been self-hosting my own email server since I bought my first |
|
domain name, back in 2009. The server have been migrated multiple |
|
times, from hosting companies to another and regularly changing the |
|
underlying operating system for fun. It has been running on: |
|
Slackware, NetBSD, FreeBSD, NixOS and Guix. |
|
|
|
# My needs |
|
|
|
First, I need to explain my previous self-hosted setup, and what I do |
|
with my emails. |
|
|
|
I have two accounts: |
|
|
|
* one for my regular emails, mailing lists, friends, family |
|
* one for my company to reach client, send quotes and invoices |
|
|
|
Ideally, having all the emails retrieved locally and not stored on my |
|
server would be ideal. But I am using a lot of devices (most are |
|
disposable), and having everything on a single computer will not work |
|
for me. |
|
|
|
Due to my emails being stored remotely and containing a lot of private |
|
information, I have never been really happy with how emails work at |
|
all. My dovecot server has access to all my emails, unencrypted and a |
|
single password is enough to connect to the server. Adding a VPN helps |
|
to protect dovecot if it is not exposed publicly, but the server could |
|
still be compromised by other means. OpenBSD smtpd server got critical |
|
vulnerabilities patched a few years ago, basically allowing to get root |
|
access, since then I have never been really comfortable with my email |
|
setup. |
|
|
|
I have been looking for ways to secure my emails, this is how I came to |
|
the setup encrypting incoming emails with GPG. This is far from being |
|
ideal, and I stopped using it quickly. This breaks searches, the |
|
server requires a lot of CPU and does not even encrypt all information. |
|
|
 |
Emails encryption at rest on OpenBSD using dovecot and GPG |
|
|
|
Someone shown me a dovecot plugin to encrypt emails completely, however |
|
my understanding of the encryption of this plugin is that the IMAP |
|
client must authenticate the user using a plain text password that is |
|
used by dovecot to unlock an asymmetric encryption key. The security |
|
model is questionable: if the dovecot server is compromised, users |
|
passwords are available to the attacker and they can decrypt all the |
|
emails. It would still be better than nothing though, except if the |
|
attacker has root access. |
|
|
|
Dovecot encryption plugin: TREES |
|
|
|
One thing I need from my emails is to arrive to the recipients. My |
|
emails were almost always considered as spam by big email providers |
|
(GMail, Microsoft), this has been an issue for me for years, but |
|
recently it became a real issue for my business. My email servers were |
|
always perfectly configured with everything required to be considered |
|
as legit as possible, but it never fully worked. |
|
|
|
# Proton Mail |
|
|
|
Why did I choose Proton Mail over another email provider? There are a |
|
few reasons for it, I evaluated a few providers before deciding. |
|
|
|
Proton Mail is a paid service, actually this is an argument in itself, |
|
I would not trust a good service to work for free, this would be too |
|
good to be true, so it would be a scam (or making money on my data, who |
|
knows). |
|
|
|
They offer zero-knowledge encryption and MFA, which is exactly what I |
|
wanted. Only me should be able to read my email, even if the provider |
|
is compromised, adding MFA on top is just perfect because it requires |
|
two secrets to access the data. Their zero-knowledge security could be |
|
criticized for a few things, ultimately there is no guarantee they do |
|
it as advertised. |
|
|
|
Long story short, when making your account, Proton Mail generates an |
|
encryption key on their server that is password protected with your |
|
account password. When you use the service and log-in, the encrypted |
|
key is sent to you so all crypto operations happens locally, but there |
|
is no way to verify if they kept your private key unencrypted at the |
|
beginning, or if they modified their web apps to key log the password |
|
typed. Applications are less vulnerable to the second problem as it |
|
would impact many users and this would leave evidences. I do trust |
|
them for doing the things right, although I have no proof. |
|
|
|
I did not choose Proton Mail for end-to-end encryption, I only use GPG |
|
occasionally and I could use it before. |
|
|
|
IMAP is possible with Proton Mail when you have a paid account, but you |
|
need to use a "connect bridge", it is a client that connects to Proton |
|
with your credentials and download all encrypted emails locally, then |
|
it exposes an IMAP and SMTP server on localhost with dedicated |
|
credentials. All emails are saved locally and it syncs continuously, |
|
it works great, but it is not lightweight. There is a custom |
|
implementation named hydroxide, but it did not work for me. The bridge |
|
does not support caldav and cardav, which is not great but not really |
|
an issue for me anyway. |
|
|
|
GitHub project page: hydroxide |
|
|
|
Before migrating, I verified that reversibility was possible, aka being |
|
able to migrate my emails away from Proton Mail. In case they stop |
|
providing their export tool, I would still have a local copy of all my |
|
IMAP emails, which is exactly what I would need to move it somewhere |
|
else. |
|
|
|
There are certainly better alternatives than Proton with regard to |
|
privacy, but Proton is not _that_ bad on this topic, it is acceptable |
|
enough for me. |
|
|
|
## Benefits |
|
|
|
Since I moved my emails, I do not have deliverability issues. Even |
|
people on Microsoft received my emails at first try! Great success for |
|
me here. |
|
|
|
The anti-spam is more efficient that my spamd trained with years of |
|
spam. |
|
|
|
Multiple factor authentication is required to access my account. |
|
|
|
## Interesting features |
|
|
|
I did not know I would appreciate scheduling emails sending, but it's a |
|
thing and I do not need to keep the computer on. |
|
|
|
It is possible to generate aliases (10 or unlimited depending on the |
|
subscription), what's great with it is that it takes a couple seconds |
|
to generate a unique alias, and replying to an email received on an |
|
alias automatically uses this alias as the From address (webmail |
|
feature). On my server, I have been using a lot of different addresses |
|
using a "+" local prefix, it was rarely recognized, so I switched to a |
|
dot, but these are not real aliases. So I started managing smtpd |
|
aliases through ansible, and it was really painful to add a new alias |
|
every time I needed one. Did I mention I like this alias feature? :D |
|
|
|
If I want to send an end-to-end encrypted email without GPG, there is |
|
an option to use a password to protect the content, the email would |
|
actually send a link to the recipient, leading to a Proton Mail |
|
interface asking for the password to decrypt the content, and allow |
|
that person to reply. I have no idea if I will ever use it, but at |
|
least it is a more user-friendly end-to-end encryption method. Tuta is |
|
offering the same feature, but it is there only e2e method. |
|
|
|
Proton offer logs of login attempts on my account, this was surprising. |
|
|
|
There is an onion access to their web services in case you prefer to |
|
connect using tor. |
|
|
|
The web interface is open source, one should be able to build it |
|
locally to connect to Proton servers, I guess it should work? |
|
|
|
GitHub project page: ProtonMail webclients |
|
|
|
## Shortcomings |
|
|
|
Proton Mail cannot be used as an SMTP relay by my servers, except |
|
through the open source bridge hydroxide. |
|
|
|
The calendar only works on the website and the smartphone app. The |
|
calendar it does not integrate with the phone calendar, although in |
|
practice I did not find it to be an issue, everything works fine. |
|
Contact support is less good on Android, they are restrained in the |
|
Mail app and I still have my cardav server. |
|
|
|
The web app is first class citizen, but at least it is good. |
|
|
|
Nothing prevents Proton Mail from catching your incoming and outgoing |
|
emails, you need to use end-to-end encryption if you REALLY need to |
|
protect your emails from that. |
|
|
|
I was using two accounts, this would require a "duo" subscription on |
|
Proton Mail which is more expensive. I solved this by creating two |
|
identities, label and filter rules to separate my two "accounts" |
|
(personal and professional) emails. I actually do not really like |
|
that, although it is not really an issue at the moment as one of them |
|
is relatively low traffic. |
|
|
|
The price is certainly high, the "Mail plus" plan is 4€ / month |
|
(48€ / year) if you subscribe for 12 months, but is limited to 1 |
|
domain, 10 aliases and 15 GB of storage. The "Proton Unlimited" plan |
|
is 10€ / month (120€ / year) but comes with the kitchen sink: |
|
infinite aliases, 3 domains, 500 GB storage, and access to all Proton |
|
services (that you may not need...) like VPN, Drive and Pass. In |
|
comparison, hosting your email service on a cheap server should not |
|
cost you more than 70€ / year, and you can self-host a nextcloud / |
|
seafile (equivalent to Drive, although it is stored encrypted there), a |
|
VPN and a vaultwarden instance (equivalent to Pass) in addition to the |
|
emails. |
|
|
|
Emails are limited to 25MB, which is low given I always configured my |
|
own server to allow 100 MB attachments, but it created delivery issues |
|
on most recipient servers, so it is not a _real_ issue, but I prefer |
|
when I can decide of this kind of limitation. |
|
|
|
## Alternatives |
|
|
|
I evaluated Tuta too, but for the following reasons I dropped the idea |
|
quickly: |
|
|
|
* they don't support email import (it's "coming soon" since years on |
|
their website) |
|
* you can only use their app or website |
|
* there is no way to use IMAP |
|
* there is no way to use GPG because their client does not support it, |
|
and you cannot connect using SMTP with your own client |
|
|
|
Their service is cool though, but not for me. |
|
|
|
# My ideal email setup |
|
|
|
If I was to self-host again (which may be soon! Who knows), I would do |
|
it differently to improve the security: |
|
|
|
* one front server with the SMTP server, cheap and disposable |
|
* one server for IMAP |
|
* one server to receive and analyze the logs |
|
|
|
Only the SMTP server would be publicly available, all ports would be |
|
closed on all servers, servers would communicate between each other |
|
through a VPN, and exports their logs to a server that would only be |
|
used for forensics and detecting security breaches. |
|
|
|
Such setup would be an improvement if I was self-hosting again my |
|
emails, but the cost and time to operate is non-negligible. It is also |
|
an ecological nonsense to need 3 servers for a single person emails. |
|
|
|
# Conclusion |
|
|
|
I started this blog post with the fact that the decision was hard, so |
|
hard that I was not able to decide up to a day before renewing my email |
|
server for one year. I wanted to give Proton a chance for a month to |
|
evaluate it completely, and I have to admit I like the service much |
|
more than I expected... |
|
|
|
My Unix hacker heart hurts terribly on this one. I would like to go |
|
back to self-hosting, but I know I cannot reach the level of security I |
|
was looking for, simply because email sucks in the first place. A |
|
solution would be to get rid of this huge archive burden I am carrying, |
|
but I regularly search information into this archive and I have not |
|
found any usable "mail archive system" that could digest everything and |
|
serve it locally. |
|
|
|
## Update 2024-09-14 |
|
|
|
I wrote this blog post two days ago, and I cannot stop thinking about |
|
this topic since the migration. |
|
|
|
The real problem certainly lies in my use case, not having my emails on |
|
the remote server would solve my problems. I need to figure how to |
|
handle it. Stay tuned :-) |
