"Current notices about Posteo: News, developments, background information and media appearances."

Blog and Media


Important: Possible disturbances due to DDoS

Created on 22. October 2021, 18:15 | Category: Info

Dear Posteo customers,

We would like to inform you that yesterday and today we had to fend off DDoS attacks on a larger scale. For this reason, there have been network disruptions and delays and the availability was partly restricted yesterday morning and evening.

The attacks continued this afternoon. Although they are currently being warded off effectively, we would like to inform you, purely as a precaution, that restrictions could occur again. We have already intensified our existing safeguards and continue to further diversify them.

During DDoS attacks internet services are overloaded with connection requests by criminals. Customers are then temporarily unable to access the service in question – or only in a very limited manner. Data is not attacked during DDoS attacks. With the help of technical measures these attacks can be contained and fended off. However, how fast this can be accomplished depends on the extent and type of the attack and also on the defensive measures that are taken.

We have received a threatening letter and a demand for money. We will not pay the amount of money demanded. Companies must not allow themselves to be blackmailed by criminals under any circumstances: Otherwise they will become even more attractive to them. And DDoS attacks often are not stopped even if money has been paid.

According to our security guidelines we have also informed the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).

As an email provider, we take our responsibility towards you very seriously. We therefore would like to give you a few tips.
In case Posteo should suddenly become slower or be temporarily unavailable within the next days, please proceed as follows:

- Do not be concerned. There are no technical disturbances on our part.
- Should you have problems accessing Posteo, please wait and then try again to open our website or retrieve your emails. You soon will be able to log in to your account as usual.
- Visit our Twitter profile @Posteo_en or our status page to keep up to date. Should our services indeed become unavailable, we will inform you about the situation there.
- Please do not send emails to our customer support if our service is unavailable for a short time. One of the attackers’ goals is to push the companies that are being blackmailed to their capacity limits by generating masses of customer requests.
- Emails that are sent to you are not lost. When a disruption occurs emails are delivered as soon as our servers are available again.

Best regards
The Posteo team

New: TLS-receiving guarantee

Created on 25. June 2021, 18:00 | Category: Info

Dear Posteo customers,

We have released a new feature: Our TLS-receiving guarantee.
The new security feature protects you from receiving emails from servers that send them insecurely and rounds off our TLS guarantees: We have been offering a similar guarantee for sending emails for some time now. You can now activate your TLS-receiving guarantee in the settings.


Protection against insecure senders

If you activate the new security feature, we will refuse to receive an email to your mailbox if a server tries to deliver it without up-to-date transport route encryption. An insecure transmission from such servers through the internet is guaranteed to be prevented and you will immediately receive a notification from us. Even as a layman, you can thus immediately recognise who is not making sufficient efforts to ensure email security.

TLS protects your emails on their way through the internet

Nowadays, emails are transmitted via encrypted connections: The transport route encryption (TLS) protects your communication on its way through the internet. Without TLS, emails could simply be intercepted and read in transit. Therefore, almost all email servers now establish encrypted connections with each other as a standard.
The rate of insecure servers without up-to-date TLS encryption is already below 5% (Posteo survey May 2021).

We have tested the new feature both internally and with users over the course of several months. The conclusion: as a rule, the receiving guarantee is not noticed in everyday life, since the vast majority of senders nowadays support up-to-date encryption.
The largest share (>90%) of unencrypted contact attempts is now accounted for by spammers and a few newsletter distributors.

In the rare case that the transmission of a desired email is stopped due to a lack of TLS encryption, you and the sender will immediately receive a notification from us.

Then you have two options:

1. You decide for yourself whether unencrypted transmission is also an option for you in this instance. If so, deactivate the feature for a short time and ask the sender to send it again.
2. You point out the lack of security to the sender; we offer a template for this in our help section. During our field tests, the senders usually reacted within 1-2 working days and activated the missing transport route encryption. Every newly secured server is a contribution to IT security for everyone.

If an operator does not respond or is evasive, you can ask us for assistance at We will then also contact the sender for you.

New security check before each email is received

For security reasons, a new TLS check is carried out every time an email is received. This ensures that your emails are not transmitted insecurely even if a server is temporarily not TLS-capable – for example, due to technical problems or an attack.
Transmission is also stopped if unauthorised third parties attack a secure connection and want to force the switch back to an unencrypted connection.

How to activate the TLS-receiving guarantee

You can now activate your TLS-receiving guarantee in the settings of your Posteo account under “Settings → My account → Transport encryption”. Our tip: You can also activate your TLS-sending guarantee there, which we have already been offering for some time.

In our help section, we have provided an article for you on the new TLS-receiving guarantee. With it you will learn how to activate and deactivate the feature – and how to proceed if the transmission of an email from an insecure email server has been stopped.

The TLS-receiving guarantee at a glance:

  • Emails are always guaranteed to be received via an encrypted transport route.
  • You and the sender will immediately receive a notification if we have stopped the transmission of an email from an insecure server.
  • Even as a layman, you can immediately recognise who is not making enough effort to ensure email security.
  • Downgrade attacks, in which an attacker can switch off modern, secure encryption, are prevented.
  • Outdated encryption protocols such as SSLv3, TLS 1.0 or 1.1 are not tolerated.
  • Man-in-the-middle attacks are made more difficult. If, like Posteo, the receiving server uses DANE, they are impossible.
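
The receiving rule summarised above, sketched as an added example (not Posteo's code): the check uses the TLS state of the current connection each time a recipient is named, so a sender that never completes STARTTLS, or negotiates an outdated protocol, is refused for mailboxes with the guarantee enabled. The mailbox names, reply texts, treating TLS 1.2/1.3 as "up-to-date" and deciding at RCPT TO are assumptions.

```python
# Added illustration, not Posteo's code. Mailbox names, reply texts and the
# choice to decide at RCPT TO are assumptions of this sketch.
from typing import List, Optional, Set, Tuple

# Version strings follow the naming of Python's ssl.SSLSocket.version().
UP_TO_DATE = {"TLSv1.2", "TLSv1.3"}   # assumption: what counts as up to date
OK = (250, "2.1.5 Ok")

def rcpt_decision(tls_version: Optional[str], rcpt: str,
                  guaranteed: Set[str]) -> Tuple[int, str]:
    """Reply to RCPT TO given the TLS state of *this* connection."""
    if rcpt not in guaranteed:
        return OK                      # mailbox has not enabled the guarantee
    if tls_version is None:            # plaintext: STARTTLS never completed,
        # whether unsupported by the sender or stripped by someone in the path
        return (550, "5.7.1 Recipient requires TLS; message refused")
    if tls_version not in UP_TO_DATE:  # SSLv3, TLSv1, TLSv1.1
        return (550, f"5.7.1 {tls_version} is outdated; message refused")
    return OK

def run_session(commands: List[Tuple[str, str]],
                guaranteed: Set[str]) -> List[Tuple[str, int]]:
    """Replay one connection's client commands; return (verb, reply code)."""
    tls_version = None   # fresh per connection: nothing cached per sender
    out = []
    for verb, arg in commands:
        if verb == "STARTTLS":
            tls_version, code = arg, 220   # arg = negotiated version (constructed)
        elif verb == "RCPT":
            code = rcpt_decision(tls_version, arg, guaranteed)[0]
        else:
            code = 250                     # EHLO / MAIL accepted in this model
        out.append((verb, code))
    return out

# Constructed sample sessions.
GUARANTEED = {"alice@example.org"}
MODERN = [("EHLO", "mx.sender.example"), ("STARTTLS", "TLSv1.3"),
          ("EHLO", "mx.sender.example"), ("MAIL", "a@sender.example"),
          ("RCPT", "alice@example.org")]
PLAINTEXT = [("EHLO", "mx.sender.example"), ("MAIL", "a@sender.example"),
             ("RCPT", "alice@example.org"), ("RCPT", "bob@example.org")]
LEGACY = [("EHLO", "old.sender.example"), ("STARTTLS", "TLSv1"),
          ("EHLO", "old.sender.example"), ("MAIL", "a@old.sender.example"),
          ("RCPT", "alice@example.org")]

if __name__ == "__main__":
    for name, s in (("modern", MODERN), ("plaintext", PLAINTEXT), ("legacy", LEGACY)):
        print(name, run_session(s, GUARANTEED))
```

In the plaintext session the same connection is refused for the mailbox with the guarantee and accepted for the one without it, which is why the model decides per recipient rather than per connection.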

Best regards,
The Posteo Team

New security certificate

Created on 29. December 2020, 18:00 | Category: Info

Dear Posteo customers,

Over the next few days we will update our main security certificate. Security certificates are only valid for a specified time period and need to be renewed from time to time. Because of this, we will be changing this certificate before January 21, 2021.

In most cases, you will not notice any change.
All clients like Thunderbird or Outlook will automatically find the new certificate. You do not need to do anything. However, should your client display a certificate error during this changeover process, please restart your client. This should fix the error.
If you manage the trustworthiness of certificates manually, you can find the fingerprint for the new main certificate that we will shortly begin using below. You can also find complete fingerprints for all certificates in our legal notice.

New fingerprint for the TLS security certificate for

SHA256: CA:AD:66:0A:5A:7F:0E:CD:85:31:77:89:0F:2B:41:82:D9:C7:37:A4:99:35:9F:C8:6D:83:A4:2C:94:5D:97:40
SHA1: A0:E0:98:21:9B:AE:81:56:21:50:7C:B4:76:AD:1F:76:24:2A:8B:32

Best regards,
The Posteo Team

New at Posteo: Attachment browser with photo stream

Created on 03. September 2020, 12:30 | Category: Info

Dear Posteo customers,

We are releasing a new feature for you: the Posteo attachment browser with integrated photo stream.
The new feature makes your account noticeably more modern and easier to use.
As of this morning, the attachment browser has already been made available to some of you.

In the coming weeks we will gradually make it available for all accounts.
You can then find it in the menu under “Attachments”.

All attachments in a convenient overview

Email attachments neatly arranged in a list.

This feature allows you to manage your emails in new ways: attachments are displayed in a separate overview, independent of the corresponding emails. From there you can view, download and delete attachments with ease. Finding attachments has also been made easier. In the attachment browser you can search for files sent from various contacts, at specific times, with specific file names or file types, and combine the search filters. Photos you have received can be found exactly as quickly as contracts or invoices.

The attachment browser makes it easier to work in your own account — while providing you with more convenience and organisation. There is a photo stream available for viewing images.

Viewing photos in privacy with the photo stream

The new photo stream provides a modern appearance for your account. Photo attachments are visually displayed in a way that might be familiar to you from social media platforms, but remain within the privacy of your email account. The stream can be filtered at your convenience — the photos from your recent vacation can be found as quickly as the photos from the family reunion. Additionally, you can quickly identify which photos you no longer need: a photo can be downloaded or deleted with two clicks.

Images from emails displayed in the photo stream
Photos can be viewed in the photo stream.

Delete attachments, save storage space and protect the climate

Many of you requested a separate feature for deleting attachments.
This is now conveniently made possible with the attachment browser at the touch of a button. Attachments that are no longer needed can be deleted while keeping the corresponding email. This frees up storage space and saves resources, because data saved online continually uses energy. So that you can remember that the deletion occurred, a note summarising which file was deleted as well as the time of deletion is added to the email. This will also be reflected in local email clients and apps.

With the filter option “size” you can quickly obtain an overview of which files and images are taking up a considerable amount of storage space.
You can load the photo stream in the attachment browser via “Images”. In our help section you can find information as well as step-by-step guides for the new feature.

Comprehensive tests and external security check

Deleting an attachment
Attachments can be deleted from emails.

The attachment browser with photo stream is a Posteo in-house development. We develop ourselves because we have specific requirements for privacy, security and sustainability. For example, as a matter of principle we do not collect any personally related inventory data or traffic data like IP addresses. As a service without advertisements we also refrain from tracking and incorporating social media plug-ins. Because of this, new features are conceptualised so that they effectively continue to not accumulate any personal data in the background. This strengthens your right to informational self-determination and saves energy resources, because unnecessary processes, logs and data heaps use a lot of energy.

Your attachments are a sensitive commodity worth protecting: they are subject to telecommunications secrecy and are protected by basic rights. Because of this, your access to your data and its display occur in real time within your account. It is not temporarily saved in databases, which is frequently the case with such features. Your data always remains within your account. The preview images of the photo stream are likewise not held in databases, but rather generated in real time from your emails as soon as you access the stream. The new feature has been comprehensively tested and additionally checked by independent security researchers (Cure53).

Encryption at the touch of a button

The attachment browser and photo stream are also compatible with our crypto mail storage. If it has been activated, all data saved within the account is encrypted with your password. The new feature is then accessed within the privacy of your own encrypted account. Even we, as the provider, do not have access to your data. This principle can be compared with device encryption on smartphones.

Email attachments that have been sent with end-to-end encryption (PGP/S/MIME) cannot be displayed in the attachment browser.

More updates coming soon

Already in the near future we will be making additional improvements available to you — an optimised version of Posteo webmail for smartphones will also be made available soon. The attachment browser and photo stream have already been customised for mobile use.

Best Regards
The Posteo Team

Enigmail users: do not update to Thunderbird 78

Created on 01. July 2020, 14:45 | Category: Blog

Dear Posteo customers and interested parties,

Today we address all users of the encryption add-on Enigmail in Thunderbird. If you regularly encrypt your emails with OpenPGP and depend on this feature, please avoid updating to the forthcoming Thunderbird release (version 78.0). Enigmail will no longer be supported in Thunderbird 78. The program’s new and own implementation of OpenPGP encryption is still in an experimental phase and is deactivated by default.

Should you use automatic updates, no further action is required. An installation of the Thunderbird 78 update will not occur automatically.

Background information:
This summer, Mozilla is planning on releasing a new version of Thunderbird (78.0) that will change how add-ons are supported. Among other reasons, this became necessary due to security issues.
This was also made clear from a security audit commissioned by Posteo at the end of 2017. Various security issues in Thunderbird were identified, particularly with its add-on interface.

Third-party add-ons like Enigmail, that need to access internal components of Thunderbird, will no longer be supported.

Because of this, Mozilla is implementing their own OpenPGP feature in Thunderbird 78. This built-in encryption is planned to replace the Enigmail add-on.
Currently OpenPGP support in Thunderbird 78 is categorised as experimental and is disabled by default: Enigmail is no longer supported in Thunderbird 78.

Waiting for Thunderbird 78.2

From Thunderbird 78.2 onwards, OpenPGP is planned to be made available by default in Thunderbird. We will inform you as soon as this version is made available and an update for OpenPGP users is possible.

Best regards
The Posteo Team