ProtonMail vs Self Hosted Email in Switzerland

ProtonMail is the most well known encrypted email service in Switzerland, and perhaps the world. It began as a crowdfunded project initiated by a team of researchers at CERN, growing into the full-fledged email service it is today. Like we mentioned earlier, we love ProtonMail and their contribution to the browser-based encryption library, OpenPGP.js. What fewer people know though is that it’s possible to host your own email server in Switzerland – and use OpenPGP and/or S/MIME to exchange encrypted email.

This article provides an overview of the advantages and drawbacks of hosting your own email server in Switzerland (or any privacy-respecting country) versus purchasing a ProtonMail for Business plan.

ProtonMail is not a typical email hosting service, because their focus is on a webmail and mobile app experience that minimizes their knowledge of the contents of their users’ email messages. As soon as a non-PGP encrypted email is received from another email service (e.g. Gmail), ProtonMail encrypts it with the recipient’s public key before storing it in the user’s inbox. Any email exchanged between two ProtonMail users (whether the addresses are @protonmail.com/@protonmail.ch/@pm.me or the users’ custom domains) is encrypted from end-to-end. The plain text never leaves the users’ browsers whether on the sender or recipient’s side. The message is encrypted in PGP format before its transmitted to ProtonMail servers, and decrypted locally on the recipients’ browser with OpenPGP.js.

Where ProtonMail falls a bit short is conventional IMAP access to inboxes with their service. Users on the free plan have no IMAP access; only Plus, Professional, and Visionary users do through the ProtonMail Bridge. The Bridge has yet to be made open-source, and is only supported on Windows and Mac, not Linux. It runs a local IMAP server that decrypts your emails as they arrive using your ProtonMail account password, which also serves as your PGP passphrase. To read and compose emails using Thunderbird, Outlook, or any IMAP mail client, you would set up an account that connects to the local IMAP and SMTP servers on ports 1143 and 1025, respectively.

ProtonMail’s regular paid plans are only intended for use by a single user – providing one  consolidated inbox for multiple addresses. ProtonMail for Business was added as a bit of an afterthought, providing functionality similar to GSuite or Office 365 where an administrator can create multiple users and inboxes at a custom domain. It can quickly get pricey at $8/user/month (monthly) or $6.25/user/month (annually) especially if most users have small inboxes that could be inexpensively hosted on ordinary cloud infrastructure.

This is a huge additional hoop to jump through for many organizations that need plain IMAP access to their mailboxes. A self hosted email server using Mailcow or iRedMail may be a more appropriate choice, in conjunction with a public key infrastructure (PKI) to issue S/MIME certificates, or a private keyserver where users can look up the public keys of others in the company. If you wanted to avoid the hassle of running your own certificate authority and making the root/intermediate keys trusted on every device (especially in an organization with a Bring Your Own Device policy), you could go with a commercial CA that’s trusted by default in all major operating systems.

Running a self hosted email server has become more practical than ever. Mailcow bundles almost everything an email admin would ever need into a single Docker Compose file – Postfix MTA, Dovecot POP3/IMAP server, Rspamd spam filter, and SOGo groupware with CardDAV and CalDAV support. One of the biggest concerns about hosting an email server is the IP reputation which can impact whether outbound emails are delivered to the inbox, or get flagged as spam. Secondary to that is whether incoming emails could be lost if the mail server experiences downtime. Fortunately, both of these concerns can be allayed by the user of an email relay and a backup MX server.

iRedMail is another great choice, with support for OpenLDAP for provisioning and authenticating users. Existing inboxes can be imported into both Mailcow and iRedMail using the open source imapsync tool, so long as the existing email server has IMAP access.

With a self hosted email server, your organization can encrypt its internal communications from end-to-end using the S/MIME functionality of email clients such as Outlook or Thunderbird, or using PGP with Afterlogic Webmail PHP or a desktop tool such as GnuPG. With Mailcow, any emails arriving (in plain text) from outside the organization are stored in an encrypted Docker data volume. Granted, this is not zero access encryption like ProtonMail because the private key is stored on the server to allow for unattended reboots, but for professional rather than personal use, zero knowledge can actually be a liability rather than an asset. The problem with ProtonMail for Business and ProtonMail in general is that the administrators don’t control the passphrase for users’ inboxes. In the workplace, the employer can have a legitimate reason where they need to decrypt a user’s inbox without their involvement, for example after they depart the company or for compliance reasons. Because ProtonMail encrypts the user’s entire inbox with their account password (that only the user knows), it isn’t possible to reset the password from a centralized dashboard to retrieve the emails.

With Mailcow or iRedMail, you have the flexibility to additionally encrypt the disk of the mail server with LUKS encryption at-rest. The LUKS passphrase can be stored offline as long as an administrator is present to enter it over SSH whenever the mail server is rebooted.

Contact the Autoize team about deploying your own secure mail server on Swiss cloud infrastructure that is ISO 9001 and ISO 27001 certified, in addition to being PCI-DSS 3.2, SOC-1 Type II, and SOC-2 Type II compliant.