I was a very happy FastMail customer until a hacker asked them to reset my password. After _incorrectly_ answering a handful of questions asked by the FastMail support, the recovery email address was changed and a password reset link sent. From there, the hacker attempted password resets on other services.<p>Initially, FastMail was dismissive that this was a simple "mix-up" and didn't disable access to the hacker for 7.5 hours after my report.<p>To their credit, FastMail gave me a list of the email accessed and the message headers of the messages the hacker sent from my account (and then deleted -- unrecoverable).<p>Until and unless FastMail addresses the human factor of security, their technical security mindset is of secondary importance.
I see the usual comments about Fastmail (comparison to Gmail, ProtonMail, web interface, spam filtering performance, servers in the US, ...) but still nothing about the TOS, which seems more important to me.<p>So here it is again:<p>- Fastmail can immediately cancel your account for any reason: "The Service Provider may terminate your access to any part or all of the Service and any related service(s) at any time, with or without cause, with or without notice, effective immediately, for any reason whatsoever, with or without providing any refund of any payments."<p>- Fastmail can disclose your info/data if it thinks it's in the interest of the company: "The Service Provider will not monitor, edit, or disclose any personal information about you [...] unless required or allowed by law, or where the Service Provider has a good faith belief that such action is necessary to: [...] (2) protect and defend the rights or property of the Service Provider; [...] (4) act to protect the interests of its members or others [...]"<p>By comparison, mailbox.org's TOS are much better.<p>Also, mailbox.org offers GPG encryption, which Fastmail doesn't (AFAIK).
Wow what a coincidence — I switched from Gmail to Fastmail exactly 1 year ago today.<p>I couldn't be happier. I mostly use native clients, but the Web client is a joy to use, and everything I've observed about Fastmail gives me confidence in their service.<p>I never used the Gmail-exclusive features like labels, so switching was pretty easy. I highly recommend it to anyone considering it.<p>Keep up the good work, guys.
> Just as important as what we do do is what we don’t. For example, we don’t do full message encryption (e.g. PGP) in the browser. In theory it means you “don’t have to trust us”. However in reality, every time you open your email you would be trusting the code delivered to your browser. If the server were compromised, it could easily be made to return code that intercepted and sent back your password next time you logged in; it could even just do this for specific users. It is very unlikely that a user would notice.<p>I don't agree.<p>I don't want full message encryption because I'm afraid that my email provider is reading my messages, but because I'm storing years worth of emails in my mailbox. With a provider such as ProtonMail that encrypts incoming messages with my personal key I know that if someone manages to get unauthorized access to my mailbox that person would only be able to read new emails, but none of my already archived mails. Of course it's possible that the intruder also manages to change the JS code returned to the client, but that's not the case for all of the possible scenarios where someone gets access to my mailbox. Full message encryption does not provide perfect security, but is able to significantly raise the provided level of security.
Any lawyers care to comment on this claim of theirs?<p><i>It has been pointed out to us that since we have our servers in the US, we are under US jurisdiction. We do not believe this to be the case.</i><p><a href="https://blog.fastmail.com/2013/10/07/fastmails-servers-are-in-the-us-what-this-means-for-you/" rel="nofollow">https://blog.fastmail.com/2013/10/07/fastmails-servers-are-i...</a><p>As a non-lawyer I would expect the US to be able to serve their host with a warrant to get whatever data the judge said they could have.
This is an entry in FastMail's series of Advent Calendar blog posts that they do every year. I'm glad to see them continue the tradition this year, and it's valuable to get this level of insight into a company that I trust with my mail. If you're interested in seeing more, check this year's first Advent Calendar post which has links to their calendars from 2014, 2015, and 2016, which are all worth reading if you're a FastMail customer or just interested in how running a mail hosting company works: <a href="https://blog.fastmail.com/2017/12/01/fastmail-advent-2017/" rel="nofollow">https://blog.fastmail.com/2017/12/01/fastmail-advent-2017/</a>
I've had to dump Fastmail. I was getting 10-15 very (sexually) explicit spam emails daily slipping through the filter, even after hundreds of training emails had been identified. Cue weird looks at work if I left my mail client visible.<p>Moving back to G Suite was painful. I had to do it manually after the G Suite 'Migration' tool missed thousands of messages. But so happy to have decent search back!
I use FastMail and love it, but I've noticed that if I use SMTP, it leaks my IP address in the email headers, whereas using the web client does not.
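The leak described in the comment above shows up in the Received: headers that each mail server prepends as a message travels. Submitting through an SMTP client makes the first hop "from <your client's address>", while a webmail submission's first hop is the provider's own server. The following is an added example, not code from the thread or from FastMail, that parses a message's Received: chain earliest-hop-first and reports the first address that is neither internal nor in the provider's networks. Everything in it is constructed: the hostnames, the provider network 198.51.100.0/24, and the two sample messages (TEST-NET addresses throughout).

```python
"""Spot a sender IP exposed in Received: headers (added example, constructed data)."""
import email
import ipaddress
import re
from email import policy
from typing import List, Optional

# Constructed for this example: the mail provider's own submission/outbound servers.
PROVIDER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
# RFC 1918 and loopback addresses: relay-internal, never a leak on their own.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]
# The IP literal an MTA writes in the "from host (name [ip])" clause; IPv6 is "[IPv6:...]".
_IP_LITERAL = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")

# Constructed sample: submitted from an SMTP client. Postfix writes ESMTPSA for an
# authenticated TLS submission, and the client's address becomes the first hop.
SUBMITTED_VIA_SMTP = """\
Received: from mx-out.example.net (mx-out.example.net [198.51.100.50])
    by mx.example.org (Postfix) with ESMTPS id 3F2A1; Sun, 3 Dec 2017 10:00:03 +0000
Received: from smtp.example.net (smtp.example.net [198.51.100.10])
    by mx-out.example.net (Postfix) with ESMTP id 3F2A0; Sun, 3 Dec 2017 10:00:02 +0000
Received: from [203.0.113.7] (unknown [203.0.113.7])
    by smtp.example.net (Postfix) with ESMTPSA id 3F29F; Sun, 3 Dec 2017 10:00:01 +0000
From: alice@example.net
To: bob@example.org
Subject: sent with an SMTP client

hello
"""

# Constructed sample: submitted through webmail, so the first hop is the provider's host.
SENT_VIA_WEBMAIL = """\
Received: from mx-out.example.net (mx-out.example.net [198.51.100.50])
    by mx.example.org (Postfix) with ESMTPS id 3F2B1; Sun, 3 Dec 2017 10:05:02 +0000
Received: from webmail.example.net (webmail.example.net [198.51.100.20])
    by mx-out.example.net (Postfix) with ESMTP id 3F2B0; Sun, 3 Dec 2017 10:05:01 +0000
From: alice@example.net
To: bob@example.org
Subject: sent from the web client

hello
"""


def received_hops(raw_message: str) -> List[str]:
    """Return the IP literal of each Received: header, earliest hop first.

    Servers prepend Received: headers, so the header order is latest-first and
    is reversed here to follow the message's actual path.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        match = _IP_LITERAL.search(str(header))
        if match:
            hops.append(match.group(1))
    return hops


def exposed_client_ip(raw_message: str, provider_nets=PROVIDER_NETS) -> Optional[str]:
    """Return the earliest hop address that belongs to neither the provider nor an
    internal range, i.e. the sender's own client address as a recipient sees it,
    or None when the chain starts inside the provider (the webmail case)."""
    known = INTERNAL_NETS + list(provider_nets)
    for ip in received_hops(raw_message):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # malformed literal in a forged header: skip it
            continue
        if any(addr in net for net in known):
            continue
        return ip
    return None


if __name__ == "__main__":
    for label, sample in (("smtp", SUBMITTED_VIA_SMTP), ("webmail", SENT_VIA_WEBMAIL)):
        print(label, received_hops(sample), "exposed:", exposed_client_ip(sample))
```

To check your own provider, send yourself one message from an SMTP client and one from the web client, save both with full headers, and feed them in; the provider's networks have to be supplied as the `provider_nets` argument since the list here is made up. Received: headers are written by each relay and can be forged by a sender, so for anything other than checking your own outbound mail treat the earliest hops as claims, not facts.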
They should do PGP on the way in, for people who want it. It's trivial to set up. All they need to do is let people paste in a public PGP key and encrypt all incoming email with that key. Here's how I've been doing it for the last 7 years:<p><a href="https://www.grepular.com/Automatically_Encrypting_all_Incoming_Email" rel="nofollow">https://www.grepular.com/Automatically_Encrypting_all_Incomi...</a>
Another data point: I have had a FastMail account before Gmail, before Opera and Kaggle. Why pay for email when everything was free (Yahoo, Hotmail, etc.)? Word of mouth. Reputation. Though times were less sophisticated back then, along with security, FastMail kept up. I used my YubiKey with them way before Gmail's U2F/FIDO support, and they fostered my trust over the years by keeping it clean and simple. Nothing is foolproof, but at least I know their track record and commitments to their users, despite dropping the ball in some cases. That said, I'm glad to read about the horror stories, provider alternatives and FastMail's responses; hopefully we are all the better for it.
I don't know if any Fastmail employees read over this, but thanks for finally adding TOTP to the list of 2FA methods! I had been (uneasily) using SMS and wishing you guys would up your game, and I'm glad to see that you did.
I only see FastMail and ProtonMail mentioned on Hacker News, never in real life.<p>To those who made the switch away from free, conventional mail services like Gmail and Outlook, what was the appeal? What's your case for making the switch?
FastMail is tempting. I'm currently moving over to hosting my own E-mail, since Gmail is failing to deliver a significant number of important inbound E-mails to my account, rejecting them as spam (and fails to deliver almost all of my wife's E-mail). I could be convinced to pay for E-mail, but I'm concerned with customer support and the "black box" nature of online services. For something as important as E-mail, I grudgingly feel I finally need to bite the bullet and do it myself.
The simple reason I haven't switched email providers: all my online accounts, as well as many offline ones, are tied to my gmail account.<p>Yes, I can set up forwarding, but that defeats the purpose of switching providers IMO (for me, the purpose would be to move away from Google <i>completely</i>). I don't want Google to read any of my emails period, so forwarding is not a sufficient solution.