New security certificate

Created on 15. January 2019, 14:30 | Category: Info

Dear Posteo customers,

Over the next few days we will update our main security certificate. Security certificates are only valid for a specified time period and need to be renewed from time to time. Because of this, we will be changing this certificate before January 21, 2019.

In most cases, you will not notice any change.
All clients like Thunderbird or Outlook will automatically find the new certificate. You do not need to do anything. However, should your client display a certificate error during this changeover process, please restart your client. This should fix the error.
If you manage the trustworthiness of certificates manually, you can find the fingerprint for the new main certificate that we will shortly begin using below. You can also find complete fingerprints for all certificates in our legal notice.

New fingerprint for the TLS security certificate for

SHA256: 4D:BE:FA:8D:28:6A:D3:73:85:A1:B9:3F:77:D0:5F:E9:70:DD:BF:91:B6:0B:66:3A:1E:4B:C0:3D:4F:71:90:D0
SHA1: 73:4A:26:46:D0:A3:95:1D:52:88:83:F4:12:E9:CA:35:67:8A:6A:07
MD5: BD:6F:47:5C:8E:A9:82:87:E1:DC:A1:7C:07:85:95:A7

Best regards,
The Posteo Team

Cartography for Relief Organisations: Missing Maps host an evening at Posteo Lab

Created on 27. August 2018, 17:01 | Category: Blog

Improving maps in Nigeria — all the way from Kreuzberg. This was made possible on August 14th in our Berlin-located Posteo Lab, where a new Missing Maps Group hosted their first German mapathon. With guidance from Missing Maps, volunteers improve online maps at mapathons by plotting villages and streets on satellite imagery. At the events organised by Missing Maps, OpenStreetMaps of crisis regions are improved upon. This can, for example, aide relief organisations in planning their operations more effectively.

Missing Maps is a humanitarian project that was founded in November 2014 by the American and British Red Cross, the Humanitarian OpenStreetMap Team and Doctors Without Borders. Since then, Missing Maps has regularly organised mapathons in various European countries. About 17 interested parties participated in the first German event at Posteo Lab. #more#
The focus of the event in Berlin was satellite imagery of Niger State in western Nigeria. Currently there are active teams from medical relief organisations that need more precise maps of the region for their work.

The mapathon began with a detailed introduction by Marcel Werdier from the organisation Missing Maps. He clearly explained in a presentation how mapping works. He also demonstrated the required programs and outlined the most important rules for plotting maps to the volunteers.

After the presentation, the volunteers could immediately apply their newly gained knowledge and began plotting maps on the laptops they had brought with them. They analysed satellite imagery and plotted streets and villages with just a few clicks. The team from Missing Maps helped the participants and answered all questions that came up.

At the end, there was a final presentation where the volunteers could see the progress of their collective efforts made on the maps. The knowledge they gained from this experience can continue to be applied when mapping in private.

The team from Missing Maps was very satisfied with their premiere mapathon in Germany. There are plans to organise more evenings like this one in Berlin.

Background Information
Because we want to strengthen social engagement, we regularly make Posteo Lab available to charitable associations and organisations free of charge. It’s important to us that the events hosted at Posteo match our values in sustainability, technology, democracy, open source, internet politics, IT security and privacy. If you’re interested in hosting an event here, send us an inquiry at

Posteo is financed 100 percent by user fees. We’d like to take this opportunity to thank our user for making our social engagement possible.

Transparency notice: Our donations for 2017

Created on 12. July 2018, 15:05 | Category: Blog

Dear Posteo customers and interested parties,

In the name of transparency we have updated our donations page, where we document the organisations that we financially supported during the previous year (2017).

During last year, Posteo donated a total of 34,600.00 EUR. Of this, 33,022.05 EUR constituted voluntary donations by Posteo. The remaining 1,577.95 EUR came from users that donated remaining credit when terminating their account.
In comparison with the previous year, we were able to increase our donations in 2017 by 5,000 EUR.

It is important to us that we encourage social engagement and take responsibility as a company.
Because of this, we donate to selected charitable organisations in the areas of environment and climate protection, internet politics and freedom of opinion, as well as refugee aid. #more#

Posteo donated to the following organisations in 2017:

Bund für Umwelt und Naturschutz Deutschland (BUND) is one of the largest German environmental organisations. Throughout Germany there are more than 2,000 voluntary BUND groups engaged with regional environmental topics. BUND is also engaged with climate protection, ecological agriculture and protection of threatened species, forests and water. BUND is the German member of the international environmental network, “Friends of the Earth”.

German Red Cross (DRK):
The German Red Cross (DRK) is one of the largest German help organisations. The DRK is active worldwide and can be present anywhere in the world in co-operation with partner organisations. In the face of the threat of climate change, the DRK has realised multiple projects along with the Ministry of Foreign Affairs to support people internationally who suffer from the effects of climate change. Our donations go towards a project in the Amazon in Peru, where 1.3 million people are acutely threatened by the increase in extreme weather events due to climate change. The donations are used to set up houses with secure architecture on raised platforms. In addition, blankets and hygiene kits are distributed and a health service set up.

The European Centre for Constitutional and Human Rights (ECCHR) is engaged with legal measure for human rights. The ECCHR lawyers’ aim is to hold state and non-state actors legally accountable for grave human rights abuses. Among others, the ECCHR was founded in 2007 by human rights lawyer Wolfgang Kaleck, who represents whistleblower Edward Snowden in Germany. is a journalistic platform for digital freedom rights and presents the most important debates and developments on the topic of the internet. The platform documents how politics is changing the internet and society through regulation and the continued expansion of surveillance laws. With its work, wants to encourage people to become engaged for their digital freedom rights and an open society.

Reporters Without Borders:
Reporters Without Borders engages itself worldwide for freedom of the press and freedom of information. The organisation documents violations against freedom of the press and supports journalists that are in danger. Reporters Without Borders combats censorship and restrictive media laws.

UNO-Flüchtlingshilfe is the German offshoot of the Office of the United Nations High Commissioner for Refugees (UNHCR). It ensures the survival of refugees in acute crisis situations with life-saving emergency measures. UNO-Flüchtlingshilfe thus provides for sufficient supplies of water, food and medicines in refugee camps or regions that are hard to access, for example.

In addition to these donations, Posteo also sponsored taz.panterstiftung.

Posteo does business sustainably and is independent. Our service is financed entirely by our customers’ account fees. There are no investors or advertising partners at Posteo.
You are what makes our involvement in these projects possible. We thank you very much for helping to make a difference.

Best regards,
The Posteo team

Update: Information about "Efail" reports

Created on 14. May 2018, 18:40 | Category: Blog

Update on May 15, 15:30:

We have an update for all users of Mailvelope:
The open source encryption plug-in Mailvelope is not affected by the critical Efail vulnerabilities and can continue to be used. Mailvelope communicated this information earlier this afternoon. With Mailvelope, PGP can be used in Posteo’s webmailer. We are in contact with the Mailvelope developer, Thomas Oberndörfer.
Nevertheless, he announced that they will improve the plug-in’s handling of HTML emails in regards to privacy for example by making the loading of external content such as images optional.
He recommends that users update to today’s release (Version 2.2.2) as minor problems have been fixed.

May 14, 18:40:

Dear Posteo users,

Today, the media has reported vulnerabilities within the end-to-end encryption standards, PGP and S/MIME.

We only became aware of the investigation today. Because of this, we cannot make any final assessments about the publication yet. We’re currently examining the document for you and are getting assessments from security experts. Furthermore, we have made contact with developers from current encryption software.

We’d like to respond to some questions we’ve received and also provide some initial tips for users of PGP and S/MIME. We will update this blog entry with any news.

1.) If you do not use end-to-end encryption with PGP or S/MIME then you are not affected by this issue.
2.) If you use PGP or S/MIME, disable HTML rendering and external content from being loaded. (We’ve provided instructions on how to do this at the end of this blog entry)
3.) All participants of an encrypted communication must take the measures described in point 2.) of this summary.

Is email encryption unsafe now?

No, as a generalisation this is not correct as there is no “singular” form of email encryption. In general, emails nowadays are simultaneously secured through various security and encryption technologies. For example, end-to-end encryption does not protect the entire email communication even if many people believe it does. It only protects the content data.
The email’s metadata and subject are protected by the providers’ transport route encryption.

In reality, the security of an email correspondence depends on the combination of various technologies. When one encryption technology is viewed separately, it doesn’t say much about the actual security of a specific email communication in practice.

Attacks are only possible under strict conditions

The creators of this investigation presume in their scenario that an attacker already has access to an encrypted communication. However, nowadays email providers utilise security technologies that effectively prevent man-in-the-middle attacks and unauthorised access to encrypted communication.

The German Federal Office for Information Security (BSI) also describes the conditions for an attack (German text):
“An attacker has to have access to the transport route, the mail server or the email account of the recipient to exploit the vulnerabilities.”

The fact is that providers today are constantly improving secure transport routes, mail servers and accounts. We always utilise state of the art technology. Users should also secure their end devices as well.
Here’s an example of how we secure transport routes. In 2014, we were the first provider to implement the innovative technology DANE that eliminates the current vulnerabilities in transport route encryption (TLS). A combination of end-to-end encryption with a DANE-based transport route encryption results in a very high level of protection.
Tip: In Posteo’s webmailer you are notified before sending an encrypted email whether it will be protected with DANE or not .

We protect email servers with numerous technologies and an infrastructure that particularly protects our internal network and customers’ mailboxes consistently from external access. You can protect your account with a strong password. We encrypt every access to your account with the latest technologies. You can achieve an even higher level of protection if you activate two-factor authentication with additional email account protection. By activating the TLS-sending guarantee, you prevent your emails from being transferred to another email server without transport route encryption.

The German Federal Office for Information Security (BSI) describes another condition for an attack:
“Additionally the recipient would have to allow active content, or in other words, the rendering of HTML code and in particular the loading of external content.”

Because of this, users of end-to-end encryption should immediately review and adjust their settings for loading HTML code and external content accordingly. This should avert any acute dangers.

Guide for disabling external content from being loaded or HTML rendering

Disable HTML rendering:
1. Click on the sandwich-button in the top right corner of Thunderbird.
2. Click on “View”.
3. Under “Message Body As” select the menu item “Plain Text”.
Disable external content:
1. Click on the sandwich-button in the top right corner of Thunder and open “Options” / “Preferences”.
2. Open the menu item “Privacy”.
3. Under the category “Mail Content”, remove the tickmark “Allow remote content in messages”.

Apple Mail:
1. From the menu bar click on “Mail” and open “Preferences”.
2. Open the menu item “Viewing”.
3. Remove the tickmark from “Load remote content in messages”.

1. Open “Settings”.
2. Touch “Mail”.
3. In the category “Messages”, deactivate the switch next to “Load Remote Images”.

1. Click on “File” and on the side menu on “Options”.
2. Open the menu item “Trust Center” and click on “Trust Center Settings”.
3. Click on “Email Security”.
4. In the section “Read as Plain Text” place a tickmark next to “Read all standard mail in plain text” and also by “Read all digitally signed mail in plain text”.
5. Confirm the changes with a click on “Ok”.

Best Regards,
The Posteo Team

New security certificates

Created on 09. January 2018, 13:00 | Category: Info

Dear Posteo users,

In the coming days we will be updating our security certificates. Security certificates are only valid for a specified time period and need to be renewed from time to time. We will therefore be changing them by 22.01.2018. We continue to use certificates from Geotrust (Digicert) and the Bundesdruckerei (D-Trust).

In most cases you will not notice anything when the certificates are changed over. All programs such as Thunderbird or Outlook will find the new certificate automatically. You do not need to do anything. If your program displays a certificate error during the changeover process, please simply restart the program, which should overcome the error.

If you check the trustworthiness of certificates manually, you can find the fingerprints for the new certificates that we will shortly begin using, below. You can also find the fingerprints in our legal notice.

New fingerprints for TLS security certificates

SHA256: FB:28:42:1E:23:AD:8A:23:8B:AB:C1:ED:FD:86:FD:F5:30:C6:D9:35:E0:E6:D8:91:CD:F3:77:66:05:C5:75:33
SHA1: AC:9D:4C:F6:36:78:FE:D6:EB:5C:CE:F9:DA:CB:69:CE:0A:93:F4:58
MD5: E9:B3:0A:C5:76:86:0C:FC:15:3D:43:D9:6E:CD:FC:CE

SHA256: 09:63:1B:8C:35:CD:67:0E:AB:60:B3:63:1E:F3:42:DB:9F:43:5E:09:AD:09:A5:90:49:33:26:F2:FD:B4:D7:AA
SHA1: B6:B8:3C:59:23:22:33:07:88:9E:DD:B9:8D:2D:ED:6C:FA:32:E9:04
MD5: 5D:3F:4C:A3:72:7F:8B:3A:54:92:B4:C8:BC:D5:D9:B7

Best regards,

The Posteo team