Alternative email server [SOLVED]

[Silver Surfer]

Hi Guys,
M$ is intending to tighten the screw on my "Outlook.com" email service, and informing me they will be able to "virtually" do what they like with my data from 1st May 2018.
My OS is Linuxmint Serena. I use Thunderbird as my email client.
Anyone got any suggestions? for an alternative email account, within Linux.

Silver Surfer (Novice Linux user)

[Cosmo.]

The mail provider you use has nothing to do with the OS you are using. So choose the one, which you think, that it is the best for you. A free one (possibly your Internet provider) or a paid one (which will be most likely the better option regarding your privacy).

[Moem]

Adding on to this: any and all email providers that say they offer POP3 or IMAP can be used with Thunderbird as a client. So you have a lot of options.
I've heard that a lot of people seem to like Fastmail.

What you're looking for is an email provider, not an email server; an email server is a computer that handles email, an email provider is a company that has an email server and manages it for you.

[Pierre]

does your ISP offer any email service ?
- mine does, and I'm using that as my main eMail account . .

[Silver Surfer]

Hi Pierre,
Hadn't thought of that! As I am with SKY broadband, they have SKY Yahoo mail.
Perhaps I'll try that..
Further to the original problem, if staying with M$ and having to give Microsoft permissions to access data...
Due to the fact that my Linux OS is supposedly encrypted, does anyone know if M$ or any other email service provider, would they have had access to anything outside the outlook.com email program.

Silver Surfer

[Cosmo.]

As soon as you are logged in into your computer, the system is unlocked. If the computer is encrypted or not does not make the least difference for any access via network.

[Silver Surfer]

Hi Cosmo,
Thanks for your response!
So does this mean that once I'm logged in, anyone could hack my files and system via the network?

Silver Surfer

[Cosmo.]

No, as long as there is not an open security leak.

But I know, that many users have the misunderstanding, that encrypting the system or the home would help to protect against online attacks. This is not the case.
So coming back to your question at the end of this post: What MS (or anybody with bad intentions) can do is not in any way limited by the fact, that you use an encrypted system or home. It is indeed limited by the security of your system, if you keep it current. (That an e-mail provider can read your mails, should be known. This can only prevented by encrypting mails, but this is quite a different story.)

Or in other words: If you use encryption, because you fear a local attack, than it makes sense. Otherwise it does not do, what you possibly believe. But be aware, that encryption can also produce heavy headaches. So you should use it only for a good reason.

[Silver Surfer]

OK Cosmo,

Thanks for that, nevertheless forgive my Novice Linux lack of knowledge, and the fact that I’m 81 years old, but what is the purpose of having a Linux encrypted OS. What is it actually preventing/protecting??

Silver Surfer

[Cosmo.]

Nothing to forgive. You are welcome.
Further more, this misunderstanding about encryption is a very common one.

What is the purpose? Good question.

Encryption is the method to protect anybody from local access to the computer. With a not encrypted system a local attacker could boot your computer with a live system and from there he can access the hard drive and its content. With an encrypted system he can still boot the computer with the live system, but than the game has reached its end. So the question is: How likely is such a problem? Nobody except yourself can answer this question.

One point is also important to note: Backups. I wrote here very often, that not backed up user data are superfluous data. If a user thinks, that his data are needed for more than for the current day, he has to make regular backups. Too many people miss this. - For en encrypted system or home this is especially important. Assumed there arises a heavy problem with your system and you cannot get back into it (I consider the statistical likelihood for this far greater than a local attack), than you risk that all your data are just history. So a regularly backup is especially important in case of an encrypted system. In my opinion an encrypted system without a qualified backup strategy is a contradiction in itself: On the one hand the user thinks, that he has something to protect (otherwise encryption does not make the least sense), on the other hand he does nothing to prevent data loss.

Or - coming back to your question: Most likely for most users encrypting the system or home does nothing good than providing some possible headaches; and who wants them?

What is of more practical use is to encrypt single folders, where you store especially sensible data. Those folders do not get automatically unlocked by using the computer, you can keep them locked until the moment, where you actually need the data and can afterwards lock the folder again without closing the user session of the computer. This can be done with encfs, where also graphical frontends exist.

[Moem]

what is the purpose of having a Linux encrypted OS. What is it actually preventing/protecting??

If someone gets their hands on your computer while it's off, they cannot get to your data that's stored in the computer. This is mainly interesting for people who travel with their laptops, but it can also be beneficial if your desktop computer gets stolen.

[Silver Surfer]

Thanks Cosmo,
You’ve answered many questions, but alas destroyed many beliefs that my encrypted Linux computer is impregnable!!
Ah well, just have to be more vigilant in what I do with it.
Had a look for this “encfs” you mentioned. Found it in Synaptic Package Manager and started to download it. However, during download got the following message:-

“According to a security audit by Taylor Hornby (Defuse Security), the current implementation of Encfs is vulnerable or potentially vulnerable to multiple types of attacks. For example, an attacker with read/write access to encrypted data might lower the decryption complexity for subsequently encrypted data without this being noticed by a legitimate user, or might use timing analysis to deduce information.

Until these issues are resolved, “encfs” should not be considered a safe home for sensitive data in scenarios where such attacks are possible.”

Oh Dear! Guess I’ll have to only use my computer on “Sundays and check all door locks” before I switch it on, and under the bedclothes!!

Thx for your help Cosmo.

Silver Surfer

[AndyMH]

To respond to a couple of your queries:

• Email servers - I pay for my email server, it gives me a personalised email address (or a range of them), e.g. andy@xxx.net or more recently andy@xxx.org.uk. .net isn't cheap to host but .org.uk was. I've been using these people for years and think it is worth every penny:
  https://www.easy-internet.co.uk/

• Encryption - I've got encfs installed and the gnome gui front end, it is easy to use. Because of the security concerns I haven't used it in anger, but instead have installed Veracrypt. I use this for any sensitive stuff. Again straightforward to use (it mounts an encrypted file, e.g. /home/me/.private as a separate volume, e.g. /media/veracrypt1. Depending on what you want, encfs will deter the casual villain, veracrypt is more hardcore.

[Cosmo.]

Regarding the encfs audit:

I cannot judge about details and I think that the audit has to be taken serious. But there is a - let's say - workaround. Create the hidden folder on a thumb drive or store sensible data unencrypted on a thumb drive and attach it only as long as you need it. As long as nobody has physical access to it this method will reduce the risk. There are also other workarounds thinkable. At the end it is a question, how sensible you consider your data and if you keep your system (inclusive programs) up to date, as far as it goes about security fixes. With all security leaks fixed I think, that the risk goes near to zero. (Absolute security does never exist; this is a shame, but a cruel fact.)

[AndyMH]

While this is now drifting somewhat off topic, of the two (encfs, veracrypt), I prefer encfs - it encrypts individual files, while veracrypt is an encrypted volume. So, under encfs if I change a file, when I do a backup (backintime) only the changed file gets backed up. With veracrypt it has to back up the whole volume (4GB in my case). But, given the security issues flagged up, I'm using veracrypt.

Don't like the idea of putting sensitive stuff on a USB stick - that places it outside my backup regime, which is automated. And of course, they are easily lost/misplaced.

[Silver Surfer]

Hi AndyMH, & Cosmo

Thx for your contribution AndyMH, to the topic, but even if we’ve drifted off the original post, it’s still dealing with the prevention of data being purloined by undesirable outsiders.

I found your comments about “Veracrypt” interesting, as in my much younger “Microsoft Windows” days (before migrating to Linux) I did use “Truecrypt", and didn’t realize it was still around, albeit in a different guise, let-alone available in Linux.

Might well go down the “Veracrypt” root again, as well as changing my email service provider.

Thanks both to AndyMH and to Cosmo for your help.

Silver Surfer

[phd21]

Hi "Silver Surfer",

I just read your post and the good replies to it. Here are my thoughts on this as well.

That does not sound good about "outloook.com" wanting to share your data, so I do not blame you for looking at other email providers.

Although most ISP (Internet Service Providers) do offer an email account, I would not recommend that because if you ever switch ISP providers, then you loose that email address.

I would recommend going with an email provider that you know will be around and can be used with any ISP, like Google Mail (Gmail), "ProtonMail", etc... If you want encrypted email, then use Thunderbird with Enigmail add-on, or another email client with encryption options. As far as I know the wonderful "ProtonMail" is only web based for Linux users and cannot be used with a 3rd party email client - yet.

As most people already know, Yahoo has had numerous hacks and serious information leaks, so I would stay away from them too.

+1 for VeraCrypt

Hope this helps ...

[Silver Surfer]

Hi phd21,

Good to hear from you again.
Gmail has always been a no go area for me, I always feel Google makes it’s money from utilising everyone’s data and location, who use it.
I realize all these “Free Apps” have to have a “Payload” but my feelings are, despite the fact all these providers gloat about “Respecting your Privacy”, it’s strange how many marketing emails you get from companies and people, you’ve never contacted.

Back to the subject… Because of the above, I wonder where the payload is, for “Enigmail & Protonmail.” I know many developers have a commercial paid for version of their software which makes money, but also provide a scaled down “Free version” for non commercial users.

Perhaps I’m getting too cynical in my old age, but us Senior Citizens are always being warned about scams and protecting ourselves on the Internet. (I always keep a cover over my webcam, but still get “Funeral Plans” amongst my emails.)

Thanks phd21 for your thoughts on “Enigmail & Protonmail”. I’ll pursue the possibilities on these.

Silver Surfer

[phd21]

Hi "Silver Surfer",

You are welcome. Nice to hear from you as well.

I do not particularly care for Google's or ISP's (or anyone else's) covert information gathering tactics either and they are not the only ones doing this. But Google's Gmail is excellent and all the wonderful related services and options become available once you have an account, and they are just too good not to use (Calendar and tasks - can integrate with your desktop, Google Talk/Hangouts/Voice, including free 15gb Google Drive cloud storage). And you know they will always be around, so you will always have a free and permanent email address. Tip1: Always use a good password (17-20+ mixed characters, symbols, and numbers). Using a good Password Manager helps, like KeePassXC, etc...

Google products - scroll down towards the bottom to see all their services ...
https://www.google.com/intl/en/about/products/

There are simple ways to reduce and or eliminate Google's or anyone else's information gathering tactics:
- Check your browser for security and privacy settings as well.

1. Install some browser add-ons

• "uBlock origin" some browsers already have good ad-blockers built-in now
  Disconnect
  Privacy Badger or Privacy Protector Plus, etc...
  There are also some specific browser extensions and add-ons for blocking Google's information gathering, but I found the ones listed work very well.

2. Use a search page like StartPage or DuckDuckGo, etc...
3. Use Private "incognito" browser windows
4. Change your local ISP's default DNS server IP addresses to safe, secure, and anonymous ones from a DNS provider (use at least 2 DNS provider IP addresses)
- "dns.watch", "OpenDNS", "Opennic", "Freenom world", etc...

5. Use a VPN provider

• a. System-wide VPN provider like the superb low-cost PIA (Private Internet Access) or ProtonVPN, etc...
  b. Browser VPN add-on Hoxx, DotVPN, etc.. These do not protect other applications accessing the Internet, only within the browser.
  c. Paid for VPN providers are better, faster, provide service, have more server locations, etc.... but in my humble opinion if you cannot afford a VPN provider, then using a free VPN provider, like "vpnbook" or "vpngate" is better than not using a VPN. Tip: "vpngate-with-proxy" is an excellent application for using "vpngate" VPN servers.

6. The only way to have truly secure email communications with anyone else using any email provider is to use encrypted email and you can use your Google Gmail account(s) for that as well. I have been using my Gmail accounts for encrypted email for years using Thunderbird with Enigmail add-on or Kmail. There are other email applications that can use GPG/PGP encryption too.

Tip: You can make and receive free phone calls using Google Voice to anyone in the USA, Canada, Mexico?, and some other places, or to anyone anywhere in the world that has a Google Voice phone number. Anyone can have more than one Google Mail Account. Although anyone almost anywhere in the world can create a Google Mail account in whatever country you are in, you have to be in the USA to create a Google Voice account and get a Google Voice phone number. If you are outside of the USA, you can use a system-wide VPN or browser VPN to connect to a VPN server in the USA to create a USA Google Mail account (or create another account) and then signup for a Google Voice account and get a free phone number. Afterward, no matter where you are in the world, regardless of whether you are connected to a VPN server in the USA or not, you can use that Google Voice Phone number to make and receive free phone calls. There are Google Voice smartphone and tablet applications available as well, or you can use your computer with a headset or webcam with a microphone; install the Google Hangouts/talk plugin when using a computer.

Hangouts / talk plugin
https://tools.google.com/dlpage/hangoutplugin

Hope this helps ...

[Moem]

If you want free POPmail *and* you value your privacy too much to use Google products (I can relate, I avoid Google like the plague myself), then maybe mail.com or GMX is a good solution. There aren't all that many providers that offer free POPmaill, which makes sense, because what's in it for them? It's the payload issue, like you said. So you'll either have to hunt around a bit, or pay a few dollars for a reliable provider.

Enigmail is free software, like there is lots of free software. That one doesn't make me wonder about the payload.