New two-factor authentication available

Created on 12. November 2014, 14:45 | Category: Info

Dear Posteo users,

We have news: You can now enable two-factor authentication for additional security when accessing your Posteo account (in the browser).

The technology is comparable with multilevel security processes in the banking industry. At an ATM, you can only withdraw cash if you know something (your PIN) and possess something (your ATM card). With two-factor authentication, the situation is similar. In order to log in, you need something that you know (your Posteo password) as well as something that you possess (e.g. your mobile phone). The additional security changes the Posteo login process only slightly: After entering your username and password, you will additionally be asked for a current one-time password. The current one-time password will be shown to you on a device (e.g. a mobile phone, tablet or desktop) on which you have activated two-factor authentication.

If criminals or intelligence agencies obtain your access information (username and password), they will have no way to access your account via the webmail interface and, for example, to manipulate your account and security settings. The conventional access details are no longer sufficient for the login process.

We have set up two-factor authentication to be as simple and secure as possible. With Posteo, two-factor authentication technology can be used not only with free apps for all current platforms, but also with special hardware (such as a Yubikey). All users who only access Posteo in the browser (i.e. webmail) can distinctly increase the overall security of their emails and account by enabling two-factor authentication. If you specify in the settings that you use webmail only, access will be blocked for local email programs. This eliminates the possibility of attacks that happen not via the browser but via external programs (over IMAP and POP3).

Setting up two-factor authentication is simple. It is also recommended for users without technical knowledge. The technology is based on the open TOTP standard. There are no additional costs – the new function is provided at no extra charge. You can find out how to activate two-factor authentication in our help section.
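The one-time password check behind such a login can be shown in a few lines. This is an added example, not Posteo's code: it computes a TOTP value as defined in RFC 6238 and verifies a submitted code with a tolerance of one time step and a replay check. The 30-second step, 6 digits, the `drift` window and the `last_used_step` bookkeeping are assumptions of the example; the secret is the RFC's published test key.

```python
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30    # seconds per time step (assumed; the RFC 6238 default)
DIGITS = 6   # code length (assumed)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_step: Optional[int] = None, drift: int = 1) -> Optional[int]:
    """Return the matching time step, or None if the code is rejected.

    The caller stores the returned step per account, so that a code which
    was observed once cannot be used for a second login.
    """
    current = unix_time // STEP
    for step in range(current - drift, current + drift + 1):
        if last_used_step is not None and step <= last_used_step:
            continue  # this step (or a later one) was already consumed
        expected = totp(secret, step * STEP)
        # Constant-time comparison on bytes; also safe for non-ASCII input.
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return step
    return None


# Test key published in RFC 6238, Appendix B (not a real account secret).
RFC_SECRET = b"12345678901234567890"
```

A server that records the accepted step rejects the same code if it is submitted again, which matters when a password and a single code were captured together.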

Two-factor authentication significantly increases the security of webmail access. Our development team is currently working on a solution that will also increase the security of access via local email programs using a multilevel security process. We hope we can make this solution available to you soon as well.

Best regards,

The Posteo team

Posteo supports DANE/TLSA

Created on 12. May 2014, 08:45 | Category: Info

Dear Posteo users,

From today onwards, we support the innovative technology DANE/TLSA (DNS-based Authentication of Named Entities). DANE eliminates various weaknesses in the widely-used transport encryption SSL/TLS – and increases security both for the encrypted transport of emails and for access to websites.
With DANE, the so-called “digital fingerprints” of an encryption certificate are stored in the internet’s “telephone book” (DNS). There they can be automatically checked by email servers, email programs and browsers before an encrypted connection to a website is established or an email is delivered. The authenticity of a server can thereby be verified before each connection. Until now, most servers sent data over an encrypted connection without first verifying the authenticity of the other server. DANE effectively prevents third parties (such as criminals or intelligence agencies) from pretending to be a particular web or email server in order to obtain login data or content (using a falsified certificate).

Entries in the internet’s so-called “telephone book” are additionally secured with DNSSEC technology, such that DANE can be trusted. DNSSEC prevents third parties from altering entries and switching the “digital fingerprints” of the encryption certificates. Unfortunately, DNSSEC is not yet supported by most domain providers. Posteo had to change its domain provider in order to introduce DANE.

DANE also opens possibilities on another level: Email servers can now force a connection to be encrypted with the help of a DANE entry. Previously, email servers would negotiate whether they could support encryption before establishing the connection. Posteo has already configured its server for this: If other email providers also have a DANE entry, then Posteo sends to their servers with encrypted connections. If no encrypted connection can be achieved, then email sending will be cancelled for security reasons. This not only prevents man-in-the-middle attacks, but is also important for the following reason: With DANE, email servers can clearly authenticate themselves worldwide – and mutually guarantee that emails are always exchanged over an encrypted connection. This is not the case, for example, with “Email Made in Germany”, a group of a few German providers that leaves out all other email servers and only promises its users encrypted connections between each other. Posteo rejects such “partitioning” of some German providers: A global network requires global improvements to the security of communication via consistent, open standards.
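The fingerprint check and the sending rule described above can be put together as follows. This is an added example, not Posteo's server configuration: it parses a TLSA record, compares it with the certificate a server presents, and returns a delivery decision. Only records that pin the server's own certificate (usage 3) are evaluated; the decision labels, the `dnssec_validated` flag and the sample bytes are assumptions of the example, and extracting the public key from the certificate is left to the TLS library.

```python
import hashlib
import hmac
from typing import List, NamedTuple


class TLSA(NamedTuple):
    usage: int      # 3 = DANE-EE: the record pins the server's own certificate
    selector: int   # 0 = whole certificate, 1 = public key (SubjectPublicKeyInfo)
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes     # the stored "digital fingerprint"


def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex("".join(hexdata.split())))


def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    if rec.usage != 3:          # only DANE-EE records are evaluated here
        return False
    selected = {0: cert_der, 1: spki_der}.get(rec.selector)
    hasher = {0: lambda b: b,
              1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}.get(rec.mtype)
    if selected is None or hasher is None:
        return False
    return hmac.compare_digest(hasher(selected), rec.data)


def delivery_decision(records: List[TLSA], dnssec_validated: bool,
                      starttls_offered: bool, cert_der: bytes, spki_der: bytes) -> str:
    if not records or not dnssec_validated:
        return "opportunistic"  # no trustworthy DANE entry: negotiate as before
    if not starttls_offered:
        return "cancel"         # DANE entry exists but no encryption is possible
    if any(tlsa_matches(r, cert_der, spki_der) for r in records):
        return "deliver-encrypted"
    return "cancel"             # certificate does not match the published fingerprint


# Constructed sample bytes standing in for a server certificate and its public key.
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-public-key-der"
SAMPLE_RECORD = parse_tlsa("3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest())
```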

Because the technology is not yet widespread, there are currently hardly any other programs or providers who support DANE. Despite this, we want to lead by example, and promote the spread of this important process – DANE will, in the future, make an essential contribution to making the internet safer.

There are already DANE add-ons for all current browsers, with which internet users can secure their access to Posteo using DANE. Via this link, you can find a list of all currently available extensions. We cannot provide any support for add-ons or tools. We appreciate your understanding.

The technology is, however, not yet directly implemented in any browser. We hope that the developers of DANE and DNSSEC will achieve this as soon as possible. We also encourage other email providers to implement DANE, so that communication between email servers over encrypted connections becomes more secure worldwide.

Best regards,

The Posteo team