Transparency notice: Our donations for 2016

Created on 14. September 2017, 18:15 | Category: Blog

Dear Posteo users and interested parties,

In the name of transparency we have now updated our donation page, where we document the organisations that we financially supported during the previous year (2016).

It is important to us to encourage social engagement and to take responsibility as a company. We therefore support selected charitable organisations in the areas of environment and climate protection, internet politics and freedom of opinion, as well as refugee aid.

Last year, Posteo donated a total of 29,600.00 EUR. Of this, 28,002.00 EUR constituted voluntary donations by Posteo. The remaining 1,598.00 EUR came from users’ remaining credit.

Compared to the year before we were able to increase our donations by 5,250.00 EUR for 2016.

As per the previous year, recipients of Posteo donations included Reporters Without Borders, UNO-Flüchtlingshilfe, Friends of the Earth Germany (BUND) and

A new addition is a German Red Cross project in the Amazon, where 1.3 million people are acutely threatened by the increase in extreme weather events due to climate change. The project sees houses set up on raised platforms with secure architecture. In addition, blankets and hygiene kits are distributed and a health service set up. The project sustainably contributes to ensuring the existence of people affected by climate change.

In addition, we have supported the European Centre for Constitutional and Human Rights (ECCHR) since 2016. The ECCHR lawyers’ aim is to hold state and non-state actors legally accountable for grave human rights abuses. The ECCHR was founded in 2007 by, among others, human rights lawyer Wolfgang Kaleck, who represented whistleblower Edward Snowden in Germany.

Posteo does business sustainably and is independent. Our service is financed by our customers’ account fees alone. There are no investors or advertising partners at Posteo.

You are therefore what makes our engagement possible – you make a difference, for which we thank you very much.

All recipients of Posteo donations can be found on our donations page.

Best regards,

The Posteo team

Help video: How to additionally secure your account with two-factor authentication

Created on 23. August 2017, 16:30 | Category: Blog

Dear Posteo users,

We are often asked whether Posteo accounts can be additionally secured without requiring specific knowledge of computers. One possibility is to use two-factor authentication, which we have offered for some time now.

Two-factor authentication is a simple but effective additional protection against unauthorised access. When logging in to the webmail interface, a one-time password is required in addition to the personal password. Two-factor authentication prevents account theft: if criminals or intelligence services capture your access information (username and password), they are still unable to access your account settings, change your password and lock you out of your account. Third-party access to your account and security settings is effectively prevented.

In our experience, people without special IT knowledge often do not feel confident enough to activate two-factor authentication. Optimal online security is important for everyone, however. For this reason we have today published a video in which our help section editor Tim Vüllers shows you step by step how to set up the additional protection. He also explains how the process fundamentally works and demonstrates how he uses it on an everyday basis. In addition, he reveals another security trick: if you do not use Posteo with external email programs (such as Outlook and Thunderbird), you can block access for such programs. In this way, two-factor authentication additionally protects your emails against unauthorised access.

In future, we will be making additional help videos available. Our videos can be accessibly viewed with subtitles. There are also versions of the video available in English and French.

With two-factor authentication, no additional costs are incurred and you can use it on many different devices (computer, smartphone, tablet, YubiKey).
By the way: Our customer support is happy to provide further personalised help if you have any questions or problems with two-factor authentication. Detailed step-by-step instructions for setup can alternatively also be found in the Posteo help section.

Best regards,

The Posteo team

Update: Petya aimed at destroying data

Created on 27. June 2017, 18:15 | Category: Blog

Update: July 3, 2017, 12:45:

Leading security firms now consider that Petya (also known as “PetrWrap” and “NotPetya”) was aimed at destroying data. Petya apparently disguised itself as ransomware but its aim was not to extort money. Analyses by IT security companies Kaspersky and Comae Technologies show that the malware did not encrypt data on the affected systems but instead deleted it. It appears that Petya overwrites data irreversibly, rendering restoration impossible. For the parties concerned, paying the ransom or contacting the attackers would have been useless.

The Posteo address specified in connection with the attack was immediately blocked by Posteo on Tuesday at midday, before the attack spread. The attackers did not replace the blocked address with another one.

June 27, 2017, 18:15:

Info on the PetrWrap/Petya ransomware: Email account in question already blocked since midday

Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact. Our anti-abuse team checked this immediately – and blocked the account straight away. There was no press coverage at that time. We do not tolerate the misuse of our platform: The immediate blocking of misused email accounts is the necessary approach by providers in such cases.

During the afternoon it emerged that the “PetrWrap/Petya” malware is currently spreading quickly in many places, including Ukraine.

Here are the facts that we can contribute to “PetrWrap/Petya”:
– Since midday it is no longer possible for the blackmailers to access the email account or send emails.
– Sending emails to the account is no longer possible either.

We are in contact with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik).

What is ransomware?
“Ransomware” denotes malicious software that is installed on a device, for example, by clicking a bad link or attachment. This primarily occurs when the device is poorly protected – when software installed there has not been updated for an extended time, for example. The malicious software prevents access to data and systems – and the affected user is requested to pay a ransom for the release of their data. Payment often does not lead to the data being released, however.

Best regards,

The Posteo team

New: Posteo migration service now for calendars too

Created on 12. June 2017, 18:00 | Category: Info

Dear Posteo users,

We have extended the Posteo migration service. From now on, you can transfer not only your existing email accounts and address books to Posteo, but also your calendars.

The extended migration service allows calendar transfer from providers such as gmx, Gmail, Aol or iCloud.

Here’s how it works: You can find the new, extended migration service in the settings of your Posteo account under “My account”. When you start a new migration there, you will now be shown not only the email folders and address book, but also the calendars from your previous account. With a click of the mouse you can conveniently select which items you wish to transfer to Posteo. You can decide yourself whether to delete the data from your previous provider after the transfer.

Special characteristics of the Posteo migration service:
It is free of charge, you do not require any special technical knowledge for the transfer – and you retain control of your data. We do not use transfer service providers. For this reason, your sensitive emails, address book and calendar data are never transferred over a third-party service at any point. We developed our migration service ourselves, so that it conforms to our high requirements in terms of security and data economy: Your data is collected by us directly from your previous provider and transferred to your Posteo account over encrypted connections.

For reasons of data economy, we also do not save the email addresses from which you have transferred data to your Posteo account, for example.

If you have any questions on transferring your calendar data or the Posteo migration service in general, please feel free to contact Posteo support.

Best regards,

The Posteo team

Security warning for users of Mailvelope in Firefox

Created on 04. May 2017, 12:00 | Category: Blog

Dear Mailvelope users,

We have a security notice for anyone who uses the encryption add-on Mailvelope with Firefox.

We recently commissioned a security audit of Mailvelope, in which a critical vulnerability was found in the interaction between Mailvelope and Firefox. Under certain circumstances, Firefox’s security architecture allows attackers to access users’ private keys via compromised add-ons. We therefore ask all users of Mailvelope in Firefox to carefully read our security recommendations below in this article.

This also affects Mailvelope users with all other providers such as Gmail, Yahoo!Mail, etc.

Firefox’s architecture does not sufficiently compartmentalise add-ons from each other – this has been known for years. Until now, however, it had not been proven that a Mailvelope user’s private keys could be compromised via targeted attacks in Firefox. The security engineers that we engaged from Cure53 have now proved this. In the past, Cure53 had already audited Mailvelope for Chrome – at our request, the engineers have now also investigated the plug-in’s interaction with Firefox. In their investigative report, they conclude that Firefox does not currently constitute a suitable environment for Mailvelope. They write,

“At the end of the day, the Cure53 testing team cannot in good conscience recommend the use of Mailvelope on Firefox.”

Weakness expected to last until November 2017

We informed Thomas Oberndörfer, the developer of Mailvelope, after the security audit. He is unable to fix the weakness, however, as it has to do with Firefox’s architecture. New architecture is already being developed at Firefox. Mozilla is planning to conclude this work with the release of Firefox 57 in November 2017. Oberndörfer is also working on a version of Mailvelope for the new and improved Firefox architecture. We would like to thank him for his development work.

Until Mozilla has updated the architecture, the following security recommendations apply:

Option 1.) In the interim, switch to different software. Either use Mailvelope in a different browser, or use PGP with a local email program. You can find various instructions for these options in the Posteo help section.

Option 2.) Alternatively, using an independent Firefox profile for Mailvelope minimises the risk in the interim. In the Posteo help section, we have published step-by-step instructions for the creation of Firefox profiles on Mac and on Windows. Mailvelope users with other providers can also follow these instructions. Please be sure to note the following security recommendations in order to effectively minimise the risk of a successful attack:

  • Do not install any further add-ons in the newly-created browser profile
  • Use the Firefox profile exclusively for your encrypted Mailvelope communication. Only access your provider’s webmail interface and never visit other websites using this profile.
  • In addition, use a password for your PGP key that is as secure as possible
  • Be careful not to accidentally install any add-ons via phishing, through which you could be attacked
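
One way to check that a dedicated profile really contains no further add-ons is to read the profile's `extensions.json`. The following is an added example, not part of the original post or of Posteo's or Mailvelope's instructions; the file layout (`addons`, `id`, `type`, `location`, `active`, `defaultLocale.name`), the built-in location names and the add-on IDs are assumptions, and the sample profile is constructed.

```python
import json
from pathlib import Path

# Assumption: placeholder ID for the single add-on allowed in the profile.
# Replace it with the ID your own extensions.json lists for Mailvelope.
ALLOWED_IDS = {"mailvelope@example.invalid"}

# Assumption: install locations Firefox uses for add-ons it ships itself.
BUILTIN_LOCATIONS = {"app-system-defaults", "app-builtin"}


def unexpected_addons(profile_dir, allowed_ids=ALLOWED_IDS):
    """Return (id, name, active) for every extension that is neither
    shipped with the browser nor on the allow-list."""
    path = Path(profile_dir) / "extensions.json"
    data = json.loads(path.read_text(encoding="utf-8"))
    findings = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue  # themes, dictionaries and language packs are skipped
        if addon.get("location") in BUILTIN_LOCATIONS:
            continue  # shipped with the browser, not installed by the user
        if addon.get("id") in allowed_ids:
            continue
        name = (addon.get("defaultLocale") or {}).get("name", "<unnamed>")
        # Disabled add-ons are reported too: they can be re-enabled later.
        findings.append((addon.get("id"), name, bool(addon.get("active"))))
    return sorted(findings)


def write_sample_profile(profile_dir):
    """Write a constructed extensions.json for demonstration purposes."""
    def entry(addon_id, name, kind="extension", location="app-profile"):
        return {"id": addon_id, "type": kind, "location": location,
                "active": True, "defaultLocale": {"name": name}}
    sample = {"addons": [
        entry("mailvelope@example.invalid", "Mailvelope"),
        entry("builtin@example.invalid", "Built-in", location="app-system-defaults"),
        entry("theme@example.invalid", "Some Theme", kind="theme"),
        entry("extra-toolbar@example.invalid", "Extra Toolbar"),
    ]}
    Path(profile_dir, "extensions.json").write_text(json.dumps(sample), encoding="utf-8")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_profile(tmp)
        for addon_id, name, active in unexpected_addons(tmp):
            print(f"unexpected add-on: {name} ({addon_id}), active={active}")
```

An empty result means the profile contains only the allow-listed add-on; any entry returned should be removed before the profile is used for encrypted mail.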

Due to the problems with the Firefox architecture, we additionally recommend:

  • Restrict the use of add-ons in the Firefox browser to a minimum, until Mozilla has updated the architecture
  • You can further protect yourself from potential attackers by setting up an additional user on your operating system for end-to-end encrypted communication

Here are the recommendations from the Cure53 report once again, for transparency reasons:

“Two paths can be recommended for the users who rely on Mailvelope for encryption and decryption of highly sensitive data. First, they could use Mailvelope on a browser profile that hosts only and exclusively Mailvelope with no other extensions. Secondly, they would need to rely on a different software solution, for instance Thunderbird with Enigmail.”

“At present, any users working with Mailvelope on Firefox are encouraged to export their settings, delete the extension and migrate their setup to a Mailvelope installation running on Google Chrome. Alternatively, a separate browser profile running Mailvelope only could be used, with the caveat that one must not have any other extensions installed in order to minimize the risk of key material leakage.”

Security engineers engaged by Posteo found the weakness

In their daily activities, our customers use various devices, browsers and add-ons in their local environments. Our users’ communication security is very important to us – we therefore also continually have external standard components checked for weaknesses. Among others, we work together to this end with independent IT security experts at Cure53. They have now made a find with Mailvelope in Firefox.

Dr Mario Heiderich from Cure53 explains,

“the problem is currently located in the architecture. There is therefore no easy fix. Mozilla knows this, but also has to keep a difficult balance between radical changes and ones that are prudent but are often decisions that are slow to take effect. Things are going in the right direction, however, which is definitely something positive for more complex software.”

Thomas Oberndörfer of Mailvelope states,

“Mailvelope is naturally dependent on the security of the underlying browser. Weaknesses in Firefox’s add-on system have been known of for some time, so Mozilla’s improvement should be welcomed. Security audits such as the one undertaken by Posteo are important indicators for us to see how we can further improve Mailvelope.”

Report to be published after weakness is overcome

The weakness outlined above is expected to be overcome by Mozilla in November 2017. Out of consideration for security, we will therefore only publish the report at a later date. In it, the method of attack will be described in detail. The report is already available to Mailvelope and the BSI (German Federal Office for Information Security).

The security audit has also yielded some positive results for Mailvelope, which we would like to outline here: There was a check made as to whether email providers for which Mailvelope is used could access a Mailvelope user’s private keys saved in the browser – this was not possible. All other attempts made by the security engineers to access private keys saved in Mailvelope, such as operating third party websites or man-in-the-middle attacks, were also unsuccessful.

Weakness shows that open source increases security

For security reasons, we exclusively support open source components with transparent code – such as the encryption plug-in Mailvelope. In our view, transparent code is essential for the security and democratic control of the internet: Independent experts can at any time identify weaknesses or backdoors via code analysis, as happened here. A provider or developer’s security claims do not need to be trusted. With the security audits that we commission, we want to contribute to further increasing the security of established open source components and genuine end-to-end encryption.

Best regards,

The Posteo team