Mailbox.org security

Hello, I’m using Tutanota as my mail provider. It’s quite ok for me, but I miss some features, like the possibility to remove aliases, “+” aliases, or tasks/notes integrated with mail. I’ve started looking for alternatives and I found mailbox.org. The webmail design is not the best, but the functionality is great. It has everything I really need. But I found 3 issues that stop me from switching to mailbox.org.

  1. Weird 2FA system. It replaces the master password with a 4-digit (or letter) PIN + 6-digit OTP. After all, it’s nothing more than a normal password + 2FA, but why is my password limited to 4 characters? Is it possible or planned to change this?

  2. No App Passwords. IMAP doesn’t support 2FA, I know that, but why don’t we have app passwords for it with limited permissions? Instead we have to use our master password.

  3. (connected with the 2nd) Account Recovery system. It allows you to recover your account if you are logged in on any device (you will receive an email with a reset link in your mailbox). But! Account recovery removes 2FA too. So, if someone gets your master password and uses it to log in via IMAP, then he/she will be able to remove 2FA easily, access our account and change the account recovery options, password, etc. We will just lose our account. 2FA is useless in that case.

What do you think about it? Can Mailbox really be called secure? As far as I remember, on Tutanota, even if someone gets your recovery key, he/she will only be able to change the password, but 2FA has different recovery keys and it’s real two-step verification.

  1. Because it’s a PIN. Also, I feel the same; I always wonder why PayPal has a 30-character password limit.
  2. Hmm, this is weird, are you sure no apps support it? In general 2FA sends you this secret key that generates the OTP.
  3. That’s weird, they might do it like Keybase does: DELETE EVERYTHING, then let you access.

I think it sucks, but again you have to talk with support and give them a chance to talk. I would suggest something like Tutanota or PM. About aliases, you can use something like SimpleLogin.

I’ve been a mailbox.org user for some time, and it’s more or less like you said:

  1. It is as it is. But I still think it’s safer to have PIN + OTP than a long/strong password. I don’t know what the chances are for someone to crack your PIN if they get the OTP token.
  2. No. There is only the option to disable IMAP clients completely.
  3. This is bad. But I hope they have some verification process in this case (maybe to provide additional identification documents). Or you can disable access from IMAP clients, as mentioned above.

All of these concerns have already been raised on their user forum. So maybe they will change this in the future.


I would use SimpleLogin, but they are quite new and I’m scared that they might disappear anytime soon, along with the aliases that I would use for my accounts.

You can use your own domain/AnonAddy then.

It’s a feature on the server side, not on the client side. It forces the user to assign a different password to each IMAP/SMTP app the user wants to use to connect to the server. This way the main account’s password is not exposed. I confirm mailbox.org doesn’t support this feature.