Privacy Policy

We try to comply with the Providers' Commitment to Privacy Policy. Our current level of compliance is as follows:

 

  • Mail: Level 1
    This means the connections between the user and the server are always encrypted, StartTLS is used to exchange mails with other servers whenever available and we use a cacert-signed certificate. The server doesn't add the IP address of a user sending a mail through its service anywhere in the email (level 2), but we have not yet implemented certificate pinning for other level 2 compliant servers. IMAPS is available as an enclaved hidden Tor service on 4xxjkcq535yjalls.onion

  • Webmail: Level 3
    This means the connections between the user and the server are always encrypted, Session IDs cannot be in the URL, the user's IP address does not appear in any email headers, webmail is functional without javascript, the session ID algorithm and cookies do not use or store the user's IP address, sessions are not restricted to IP addresses and webmail is available as an enclaved hidden Tor service on https://4xxjkcq535yjalls.onion/

  • Certificates: Level 2
    This means we don't allow weak ciphers and private keys are only stored encrypted. PFS (forward-secrecy) is partially implemented, but needs more work.

  • Filesystem: Level 3
    This means the operating systems its configurations and all user date is stored encrypted with a strong passphrase. Swap is encrypted with a random key on boot.

  • Logging: Level 3
    This means no logs of any kind are stored. We do sometimes temporarily switch on logging for debugging purposes.

  • Users: Level 2
    This means users are forced to use strong passwords and there is a seperate VM for shell accounts. Shell accounts are not isolated from eachother (level 3), we're a community server.

  • Evaluation of policy compliance: Level 1
    This means we have no fixed periodic checks for compliance, the last update was 2014/25/5, the one before was on 2013/06/02.