Security adjustment and deactivation of certain mail functions

Dear users of mailbox.org,

We will make some security adjustments to mailbox.org in the next few weeks, which may affect you personally. Please take note of the following information:

 

As of September 16, 2020

Discontinuation of TLS 1.0 and 1.1 support

All connections to mailbox.org are always encrypted with SSL/TLS, whether for web pages (HTTPS) or for receiving and sending mail (POP3, IMAP, SMTP). On September 16th we will discontinue support for the obsolete and no longer sufficiently secure protocol versions TLS 1.0 and TLS 1.1 and will support only the current TLS 1.2 and TLS 1.3. Fewer than 100 users still use old e-mail programs that rely on the outdated TLS versions. We have contacted these users over the last few weeks; they must obtain more recent software versions, otherwise a connection to mailbox.org will no longer be possible.

 

As of September 29, 2020

Sending e-mails only possible with registered e-mail addresses/aliases

With effect from September 29, 2020, our mail servers will only accept sender addresses from an account that are also assigned to that account as a mail address or alias. This helps us to prevent sender forgery.

In individual cases, however, private and some business customers use mailbox.org accounts to send e-mails with sender addresses they have registered with other providers. This will then no longer be possible: the respective addresses must be explicitly created or at least assigned as "catch-all". Our FAQ describes the details.

 

As of September 30, 2020

DKIM signatures for all outgoing e-mails

We have been signing all e-mails sent through us with DKIM signatures for a long time. This prevents sender forgery and phishing attacks and significantly reduces the risk of e-mails being filtered into the suspected-spam folder by other providers. Some of our users also send e-mails with mailbox.org sender addresses via other ISPs, so these e-mails do not carry a DKIM signature from mailbox.org. For this reason, we have so far not been able to tell other providers via the so-called "DMARC" rules that 100% of our mailbox.org e-mails must carry DKIM signatures and that a message without this signature must be a phishing e-mail or otherwise use a forged sender address.

However, an increasing number of providers, including the industry giants, are demanding restrictive DMARC rules and require that 100% of e-mails are signed. With effect from September 30, 2020, we will therefore also make our SPF/DMARC/DKIM rules more restrictive. E-mails with mailbox.org sender addresses that were not sent via our servers but via other providers could be rejected completely or filtered into spam folders. Our users must ensure that e-mails with our sender addresses are always actually sent via our SMTP servers.
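
How a receiving server applies a restrictive DMARC rule to the cases described above, as an added example that is not mailbox.org's own code. The policy record, the authentication results and the domain `other-isp.example` are constructed for illustration, and the organizational-domain lookup is simplified to the last two labels.

```python
# Added example: simplified DMARC evaluation (RFC 7489); not mailbox.org code.
# Constructed policy record; the provider's real record is not on this page.
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"

def parse_dmarc(record):
    """Split a DMARC TXT record into a lower-cased tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        raise ValueError("not a DMARC record")
    return tags

def org_domain(domain):
    # Simplification: last two labels. Real validators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed mode ('r') compares organizational domains, strict ('s') exact names."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, record, spf=None, dkim=()):
    """spf is (result, envelope_domain); dkim is a list of (result, d= domain).
    Returns 'pass' or the policy's p= value. The pct= tag is ignored here."""
    tags = parse_dmarc(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(spf[1], from_domain, tags.get("aspf", "r")))
    dkim_ok = any(result == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for result, d in dkim)
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")

if __name__ == "__main__":
    cases = {  # constructed authentication results for From: ...@mailbox.org
        "sent via the provider's SMTP": (("pass", "mailbox.org"), [("pass", "mailbox.org")]),
        "sent via another ISP": (("pass", "other-isp.example"), [("pass", "other-isp.example")]),
        "forwarded, DKIM intact": (("fail", "mailbox.org"), [("pass", "mailbox.org")]),
    }
    for name, (spf, dkim) in cases.items():
        print(f"{name}: {dmarc_disposition('mailbox.org', RECORD, spf, dkim)}")
```

The second case is the one the announcement warns about: the other ISP's SPF and DKIM results are valid but belong to a different domain, so neither aligns with the visible sender and the policy applies.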

Best wishes,
Your mailbox.org team