Switching from Gmail to Tutanota = getting burned instantly
from BeerEnjoyer@lemmy.zip to privacy@lemmy.ml on 11 Nov 09:38
https://lemmy.zip/post/52838538

This might come out as a bit of a rant, but I just wanted to post it here anyway since it’s the only social media I use.

Recently, I’ve been making some steps to improve my privacy. GrapheneOS, Linux on my PC, open source software, moving away from Google stuff. So, next logical step was for me to switch away from Gmail. I went with Tutanota, since they’re based in the EU, their mobile app is on F-Droid and doesn’t require Google Play Services. So I made an account, switched a bunch of my private account e-mails from Gmail to Tuta, and was basically done. Two days later, I wake up to an “invalid credentials” message. I checked the option to remember my password on my PC, so I thought it was weird. I checked my phone, and it turns out I was logged out of the app too. I tried changing my password with recovery code, thinking something went wrong (though unlikely since I used a password manager), but I got an error on that one too. So I contacted Tutanota, almost a week ago. No response.

I tried looking on various sites to check if people had a similar issue. I found a few reports on Reddit. The moderator of Tuta says to contact the e-mail address that I sent a message to already, but people complained that they haven’t gotten a response either. I found out that similar reports were happening for a while now, accounts being flagged for seemingly no reason. I found one post from October 2024, from a frustrated user. He said he was in the same situation, and when he finally got the reply, Tutanota said they can’t do anything. When I found that post, I was really disheartened. I’ve already gone back on a bunch of accounts to @gmail.com account, for safety, but there are still a few that I’m not even able to access because they use e-mail 2FA. Some of them being accounts for various government public services.

So this one gave me pause on my privacy journey. I never encountered problems like this one before. A service blocking my account without any message or warning. No contact from support. Being locked out of my accounts. I’ve lost a lot of enthusiasm to replace a few proprietary services that I have left.

#privacy

oeuf@slrpnk.net on 11 Nov 09:44

Does this happen when you log in via your browser as well as when using a client app?

BeerEnjoyer@lemmy.zip on 11 Nov 10:33

Browser and Android app. Just tried the AppImage too, same problem.

cardfire@sh.itjust.works on 11 Nov 09:54

I’m really sad to hear that you had this experience. I started using Tuta back in April or May and it’s been full featured for me. I also use it for my Bitwarden since both can host in EU, and Tuta has been rock solid for me across the last half year.

I hope that you get to resolution sooner than later, with their support.

not_me@piefed.social on 11 Nov 10:05

I am following the same path for more privacy, ultimately choosing Posteo, where I am now slowly transferring all my addresses. After 6 months, I have not encountered any problems yet.

asudox@lemmy.asudox.dev on 11 Nov 10:06

Try Posteo. They at least allow third-party clients and they have some cool features.

sem@piefed.blahaj.zone on 11 Nov 13:57

I tried Tuta and Proton’s free tier, and I couldn’t deal with how they can’t use a normal email client.

On the other hand, I’ve been trying to use Thunderbird with my Nextcloud calendar and it keeps hanging for me on Ubuntu. So maybe trying to use Thunderbird is a recipe for disaster as well. I don’t know what to do.

JustEnoughDucks@feddit.nl on 12 Nov 09:25

I wish Posteo allowed custom domains… They would be perfect then!

asudox@lemmy.asudox.dev on 12 Nov 10:00

Their reasoning seems to be because of potential privacy issues: posteo.de/en/site/faq

CodenameDarlen@lemmy.world on 11 Nov 10:10

I had the exact same issue when I created a Tuta email, thankfully they solved my problem in less than 24h after I emailed them about this.

Just send an e-mail. Your account was flagged as a bot.

sem@piefed.blahaj.zone on 11 Nov 13:59

Why would they flag a human as a bot?

I have been disappointed in Tuta myself as well. They seem to be too privacy and security focused at the cost of being hard to use.

OminousOrange@lemmy.ca on 11 Nov 15:06

It seems OP was attempting to move several addresses. Several sign-ups from one source is probably an uncommon practice for typical users.

ook@discuss.tchncs.de on 11 Nov 10:13

To be fair though, the exact same thing can happen to you on Gmail too. They are not unknown to immediately block your account if something flags it to them and getting a quick response there is not a given either.

BeerEnjoyer@lemmy.zip on 11 Nov 10:35

I guess that’s true. This might make me question using some online services and providers altogether if I can avoid it. For example, I don’t think I’ll ever use an online password manager and just stick with a local one. Having a situation like this with Bitwarden/Proton Pass would be a nightmare.

SlurpingPus@lemmy.world on 12 Nov 03:30

Regarding email, consider buying a personal domain for your email address. You specify the IP addresses of the email provider in the domain’s DNS, and on the provider’s side specify that the domain is for your email box. This way, if the email provider doesn’t work out, you only need to change the DNS records to another provider, instead of changing the email address on accounts (which is often impossible).

However, not all email providers support custom domains, and some only do that on paid tiers.

notfromhere@lemmy.ml on 12 Nov 08:26

If you do this, make sure to have a backup email on a different provider for all of your domain and DNS services in case something goes wrong you can still fix it. I’ve heard horror stories…

AtariDump@lemmy.world on 12 Nov 03:35

Or use an online password manager and take scheduled exports of the data as a backup.

Corridor8031@lemmy.ml on 11 Nov 10:16

Is it possible that you are using the wrong mail address?
Since there are a few different domains on Tuta, you might have saved the wrong domain as address.

(When I emailed them last time I received help in 24 hours as well js, not sure why they don’t answer you)

BeerEnjoyer@lemmy.zip on 11 Nov 10:31

No chance, I chose @tuta.io and that’s the one I had set up for many of my accounts, including Lemmy. Plus, the 2FA app also points to @tuta.io.

Corridor8031@lemmy.ml on 11 Nov 12:15

Never mind, sry, forgot you mentioned 2FA in your post 😅

Gnomie@lemmy.world on 11 Nov 11:17

I also had a problem a few years ago with Tutanota and when I emailed for help, no response. I just gave up and accepted that those emails were lost forever. I now have Protonmail and I’ve been happy with them.

piyuv@lemmy.world on 11 Nov 11:47

This is horrible, did you try reaching out to them on Mastodon? Their account is pretty active there.

fushuan@lemmy.blahaj.zone on 11 Nov 11:53

I choose mailbox as my email service, it’s mature, based in Germany, privacy focused and has given me zero issues in terms of my emails going into people’s spam folders.

couch1potato@lemmy.dbzer0.com on 11 Nov 14:43

Mailbox.org has been great for me too.

7tis@lemmy.world on 11 Nov 12:41

Why don’t you just set up your own email server? Get a domain if you don’t already have one, it’s like $30/year? Then a small cloud server? Like 4 core / 6GB mem, 100GB SSD for $5/month? Or use a home server? Then use Modoboa (FOSS) to set up a full email server for your domain, including trusted TLS encryption and all the current email security stuff (DKIM, SPF, DMARC). Yes, your email server will very likely be blocked from sending emails for some time, however, it works perfectly for receiving emails. I use it for wildcard emails so that I can just use a different email address for each service/website (i.e. unlimited email addresses). Then I let Google get my emails from my mailserver. If there is ever any problem with Google then I can either directly get my mail via webmail or I just use another (free etc) mail provider or even a local Thunderbird client to get mails.

rozodru@pie.andmc.ca on 11 Nov 12:53

This is what I did but I would suggest you shop around. In many cases for first-time sign-ups you can get the domain for free and you pay a discounted price for the first year. For example I went with a local webhosting service where I got the domain for free, unlimited email account creations, and a decent shared web hosting server for $50 a year. I use the web hosting to host my personal site regardless of the fact I have a dedicated server with OVH. But I mean the free domain and emails + web hosting for $50 a year was a deal I couldn’t turn down.

7tis@lemmy.world on 11 Nov 14:41

Yea, sounds like a good deal, just be careful that the “domain for free” isn’t tied to your web hosting service provider subscription! Will you lose the domain when you cancel the service? If so, then a “free domain” is much worse than one you paid for but that you directly own (via registrar). The whole point of “your own” domain is that you can keep it and the related email addresses regardless of email or web service provider.

7tis@lemmy.world on 11 Nov 14:45

Btw, backstory to setting up my email server is that I used to use the “free” email box provided with my domain registrar gandi.net. Then they suddenly wanted $5/month per mailbox and I said no and instead set up my own email server. That can happen to your service too, hence be careful that you fully own (including transfer rights etc) your domain.

rozodru@pie.andmc.ca on 11 Nov 15:39

Yes, I should have clarified I completely own the domain. The deal I got was essentially a “coupon” thus free for registering the domain that the web hosting service was partnered with. Naturally once my first year is up I have to pay for the domain on a regular basis.

MolochHorridus@lemmy.ml on 11 Nov 14:58

Is there a good noob-friendly tutorial for all this? Or do people just try, make mistakes, lose all their data, get hacked and finally learn?

gi1242@lemmy.world on 11 Nov 13:02

They are active on Mastodon. Message them publicly there and tag them.

m33@lemmy.zip on 11 Nov 13:06

Probably a silly question but how do you know the app on F-Droid is legit and safe to use?

BeerEnjoyer@lemmy.zip on 11 Nov 13:19

Tutanota points to the F-Droid app on their own website so I assume they vouch for it.

hylaea@reddthat.com on 11 Nov 14:41

My new Tuta account got “frozen” for 48h after creating it. Tuta said to prevent mass-sign-ups of bots and prevent spam…

theoneandonlyeggboi@lemmings.world on 11 Nov 14:59

Yeah, fuck those bait and switch tactics.

[deleted] on 11 Nov 15:04

.

asudox@lemmy.asudox.dev on 11 Nov 17:02

Tutanota is from Germany, though?

kami@lemmy.dbzer0.com on 11 Nov 18:21

You should search for the latest news about Proton then, it’s way worse than what you have read here.

[deleted] on 12 Nov 00:28

.

kami@lemmy.dbzer0.com on 12 Nov 10:23

You know exactly what I mean 😉

FosterMolasses@leminal.space on 11 Nov 15:30

Thank you first of all OP for actually sharing your experience. I’ve known Tuta was sketchy for a while, yet in every single post anyone talks about switching emails, every other reply is always “Tuta! :)”

And I feel because everyone is so unanimously vouching for Tuta, people who may use other niche services don’t feel as encouraged to share what they may have “Oh, guess everyone likes Tuta.”

Stfu about Tuta. Seriously.

And ftr, no OP you’re not alone. I’ve seen countless other domains engage in the same draconian 2FA shit where they do a better job of locking you out of your own accounts than actually protecting your privacy. It’s unfortunately becoming an industry standard model from the looks of it.

jnod4@lemmy.ca on 12 Nov 01:48

Tuta deleted my account after six months of inactivity.

Lord forbid I don’t care to check my email gasp full of spam

Konstant@lemmy.world on 13 Nov 02:44

They informed users they were getting rid of inactive accounts. But you can still use the account if you pay.

Not saying it was the best decision by them though.

jnod4@lemmy.ca on 13 Nov 12:05

Blackmail.

chaoticnumber@lemmy.dbzer0.com on 12 Nov 09:14

Yeah, my first step was Tuta as well, I ditched them after a month for mailbox.org. Never looked back.

balance8873@lemmy.myserv.one on 12 Nov 15:08

Tuta is very suspect

No clue what you’re talking about at the end with 2FA, though. It sounds very yelling at clouds.

grue@lemmy.world on 11 Nov 15:37

Instead of having your online accounts registered directly to your @tuta.io address (or your gmail address, or any webmail address), buy a domain name and have the accounts registered to that and then set the DNS to forward all mail from that domain to your webmail account of choice. That way, if the webmail service fucks up, the worst-case scenario is that you change the forwarding again and you’ve only lost the contents of the previous emails sent, not access to receive future ones.

(Caveat: when you send an email it’ll by default be coming from your webmail provider address, not your custom domain address, and I’m not sure how to fix that – I’ve only recently started switching to the scheme myself – but if your main issue is receiving 2FA emails and such that’s not a big deal.)

brygphilomena@lemmy.dbzer0.com on 11 Nov 17:07

That’s mostly just a setting in the provider to verify your domain. Most put it behind a paywall though.

You’ll need to set a few DNS entries so that places know that server is allowed to send email from those servers.
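An added example, not written by anyone in this thread: several comments here describe moving a custom domain between mail providers by editing DNS, including the SPF and DMARC entries that say who may send for the domain. The check below audits such a zone after a switch. The domain, provider hostnames and records are constructed placeholders, and DKIM is left out because selector names are provider-specific.

```python
# Constructed placeholders throughout: example.org is the custom domain,
# newmail.example / oldmail.example stand in for two mail providers.

def parse_tags(txt):
    """Split a 'k=v; k=v' TXT record (DMARC style) into a lowercased dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def audit_mail_dns(zone, domain, mx_suffix, spf_include):
    """Return a list of problems for mail hosted at a single provider.

    zone: {"MX": {name: [(priority, host), ...]}, "TXT": {name: [str, ...]}}
    """
    problems = []

    # Receiving: every MX host must belong to the current provider.
    mx = zone.get("MX", {}).get(domain, [])
    if not mx:
        problems.append("no MX record: mail cannot be delivered")
    for _priority, host in mx:
        if not host.rstrip(".").lower().endswith(mx_suffix):
            problems.append(f"MX {host} does not belong to the current provider")

    # Sending: exactly one SPF record, naming the provider, ending in an 'all'.
    txt = zone.get("TXT", {})
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        problems.append(f"expected exactly one SPF record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()[1:]
        if f"include:{spf_include}" not in terms:
            problems.append("SPF does not authorise the current provider")
        if not terms or terms[-1] not in ("-all", "~all"):
            problems.append("SPF does not end in -all or ~all")

    # DMARC is published at _dmarc.<domain> and needs a p= policy.
    dmarc = [r for r in txt.get(f"_dmarc.{domain}", [])
             if parse_tags(r).get("v") == "dmarc1"]
    if len(dmarc) != 1:
        problems.append(f"expected exactly one DMARC record, found {len(dmarc)}")
    elif parse_tags(dmarc[0]).get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC record has no valid p= policy")
    return problems


# Constructed zone: MX already moved, SPF still names the old provider.
ZONE_HALF_MIGRATED = {
    "MX": {"example.org": [(10, "mx1.newmail.example.")]},
    "TXT": {
        "example.org": ["v=spf1 include:spf.oldmail.example -all"],
        "_dmarc.example.org": ["v=DMARC1; p=quarantine"],
    },
}
# Constructed zone: the same domain once the SPF record has been updated.
ZONE_MIGRATED = {
    "MX": {"example.org": [(10, "mx1.newmail.example.")]},
    "TXT": {
        "example.org": ["v=spf1 include:spf.newmail.example -all"],
        "_dmarc.example.org": ["v=DMARC1; p=quarantine"],
    },
}

if __name__ == "__main__":
    for name, zone in (("half", ZONE_HALF_MIGRATED), ("done", ZONE_MIGRATED)):
        print(name, audit_mail_dns(zone, "example.org",
                                   ".newmail.example", "spf.newmail.example"))
```

The half-migrated zone is the common failure after a provider change: incoming mail works, but outgoing mail from the new provider fails SPF at the receiver.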

Scrollone@feddit.it on 12 Nov 13:24

I agree with your solution but please note that if you go down that road, you’ll need to renew your domain from now to forever.

obinice@lemmy.world on 11 Nov 15:50

If they “can’t do anything” on their own service then how can they be trusted at all?

They’re either lying outright, or are so deeply incompetent that they don’t know how their own software works and can’t touch it to try to resolve a problem for fear of breaking something.

niartenyaw@midwest.social on 11 Nov 17:03

I’m really sorry this happened to you OP.

I would really recommend that you consider getting a custom domain for your email. Many are not that expensive and if you do, then you can just point that domain at whatever email provider you want without changing your email on the services.

In this scenario, it would let you set up that domain on another provider and at least get access to any emails going forward.

Scrollone@feddit.it on 12 Nov 13:23

A good and super cheap hosting provider for emails is PurelyMail, albeit it’s based in the US

brickfrog@lemmy.dbzer0.com on 11 Nov 17:19

Just curious, was this a Tuta paid account, or a free one?

Tuta is very strict with the free accounts and flag them for all sorts of reasons. They take their time to “approve” free accounts just to be able to use them. And on top of that they might nuke your account anyway if they think it is being used for spam/illegal activity/whatever or they think it’s not being used.

But I thought those are just issues with their free accounts, presumably their paid accounts don’t get flagged for those things… or so I thought.

Also to echo the other comments - best to buy and own your own domain for your email, that way it doesn’t matter where the email is being hosted in case you need to switch email providers.

sgibson5150@lemmy.dbzer0.com on 11 Nov 19:38

I went through a similar situation with openmailbox dot org, though of course in their case the entire service suddenly shut down. Terrible position to be in. I eventually recovered most, but not all, accounts using that email address. Huge PITA.

Core_of_Arden@lemmy.ml on 11 Nov 20:02

Annoying experience you’ve had there.

I have never had any problem. I have my own domain names, I host them privately and on a webhotel. And then I use Thunderbird - and it just works.

manuallybreathing@lemmy.ml on 12 Nov 02:20

I’ve lost several Tuta accounts, mostly for being inactive in them for 6 months, I find their service pretty annoying, but I think it’s a good idea to write down a password for these kinds of things, and keep it hidden somewhere physically

I don’t like the password manager random character you’ll never recall it nonsense

also setting up a recovery email for a new secure email is important but I understand that doesn’t help you now

having to use an email for govt accounts is really annoying, I’ve just had to recreate everything after using the same account for 10 plus years

best of luck OP

balance8873@lemmy.myserv.one on 12 Nov 14:55

I don’t like the password manager random character you’ll never recall it nonsense

Wat?

mistermodal@lemmy.ml on 12 Nov 07:31

Lol ya here’s how I use Tuta. It’s 90% of the time just a recovery option for other emails that require another email so nothing gets linked. You don’t want to use their app, even if it’s on F-Droid it’s going to make it easy for them to keep track of what you’re up to. Use rethink or foxyproxy to rotate proxies on a mobile browser or tab and open it there, don’t stay logged in. Set reminders on your organization system to periodically log in to free blob datacenter emails and clouds. Euros can suck my eggs, I’m not giving them money bc they used the bourgeois state to present a facade of respecting privacy.

hornedfiend@sopuli.xyz on 12 Nov 07:41

I’ve been using Tuta for more than 3 years now, paid, and even though it has its drawbacks, it’s a good secure alternative to most providers nowadays.

I’ve had to deal with support a while back and even though they were not the fastest, they replied in a fairly timely manner.

I’m sorry to hear you’ve had a bad experience with them.

sifar@lemmy.ml on 12 Nov 09:33

A lot of these “privacy sensitive” service providers are actually quite user-hostile.

Find a middle ground - get your own domain (pick a good registrar) and find a respectable mail host that has a support team with accountability who don’t treat you like a burden on this planet when you attempt to contact them (i.e not Tuta, not Mailbox-org - nope!!!, not Proton etc.). Do not go overboard with DMARC/etc in the beginning. Go about it slowly.

Also - make sure you use a service that lets you connect via an IMAP/POP client. It pains me to say that, but if you start avoiding services based on “five eyes” and “14 eyes” and “195 eyes”, I’m pretty sure we will be looking at pigeons and corked bottles in the sea. So, if you need E2EE over email - please use E2EE in the email using GPG on your own. I’d highly recommend not falling for the privacy theatre of the likes of Proton.

Brunette6256@sh.itjust.works on 12 Nov 12:58

Fastmail is what I use for this. $50/year. Not Gmail. Catch-all email boxes. So I use a new address for everything. It’s not Proton. So not sure if it’s even encrypted at rest. But they are not selling my email to advertisers like Gmail. And if I want to move I own my domain so it’s easy.

Scrollone@feddit.it on 12 Nov 13:21

+1 for Proton as a security theatre.

Proton is not safe, the Swiss government can (and did, in fact) ask Proton for users’ IP addresses and metadata.

Plus, Proton forces you to use their client instead of standard IMAP.

balance8873@lemmy.myserv.one on 12 Nov 15:10

What metadata?

Scrollone@feddit.it on 13 Nov 00:49

Proton stores senders and subjects in clear text. Only the content of the email is encrypted.

That means that the Swiss government can easily force them to hand out that data.

balance8873@lemmy.myserv.one on 12 Nov 15:10

Did we read the same post?

tisktisk@piefed.social on 12 Nov 21:15

I understand the Tuta and Proton hate, but what’s wrong with the mailbox dot org?

sudoer777@lemmy.ml on 12 Nov 22:44

I think they have some sort of critical security flaw regarding spoofing that hasn’t been resolved in years and they had a forum thread about it

tisktisk@piefed.social on 12 Nov 23:06

I found some really old leddit and HN threads with similar warnings but nothing conclusive
–Please send links if anyone finds anything convincing

balance8873@lemmy.myserv.one on 12 Nov 15:06

I think it’s safe to say you went too fast (I’d always start with email forwarding and slowly moving services over in ascending order of importance, and make sure you avoid email 2FA if at all possible), but that does suck.

Tuta is definitely the least reputable of the privacy email services, I still don’t know why they get recommended. I’ve made and lost several accounts with them and treat them like a burner.

Proton’s a bit risky to me because they’re very aggressive about immediately locking you out if you don’t pay right away (in this case a trial expired, they charged me with no credit card on the account and threatened to block me from accessing my account if I didn’t pay up even though I immediately contacted them and tried to cancel as soon as I saw the trial expired). To me that level of inflexibility is, while maybe acceptable in Europe, not for me. I keep a few email addresses and as soon as the above happened immediately moved everything out of Proton.

But really what I’d recommend is the more traditional services that you pay a small amount for. Posteo has been good for me for several years. I’ve read similar things about similar services which aren’t marketed as “privacy” services but instead they just aren’t Google.

dandelion@lemmy.blahaj.zone on 13 Nov 02:30

+1 for Posteo

sudoer777@lemmy.ml on 12 Nov 22:47

Buying a domain and using that is a good idea, and you can also do a catch-all so you can give each service their own address and see which ones leak your data
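An added example, not part of the comment above or of any poster's setup: one way to run the per-service addresses on a catch-all domain that this comment and the earlier "wildcard emails" comment describe. Each address carries a short HMAC tag so that an address someone merely guessed on the catch-all is not blamed on a service. The secret, domain, service names and inbox entries are constructed.

```python
import hashlib
import hmac

TAG_LEN = 8  # hex characters of the HMAC kept in the address


def _tag(secret, label):
    """Short keyed tag binding a service label to this mailbox owner."""
    digest = hmac.new(secret, label.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:TAG_LEN]


def make_alias(secret, service, domain):
    """Address to hand to one service, e.g. shop.<tag>@example.org."""
    label = service.strip().lower()
    return f"{label}.{_tag(secret, label)}@{domain.lower()}"


def attribute(secret, recipient, domain):
    """Return the service an address was issued to, or None if not ours."""
    local, _, rcpt_domain = recipient.strip().lower().rpartition("@")
    if rcpt_domain != domain.lower():
        return None
    label, sep, tag = local.rpartition(".")
    if not sep or not label:
        return None  # no tag at all: a guessed catch-all address
    expected = _tag(secret, label)
    # Constant-time comparison on bytes; a wrong tag means a forged address.
    if hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
        return label
    return None


def find_leaks(secret, domain, expected_senders, inbox):
    """Flag services whose alias received mail from an unexpected sender.

    expected_senders: {service: set of sender domains that service uses}
    inbox: iterable of (recipient_address, sender_domain)
    """
    leaked, unverified = set(), set()
    for recipient, sender_domain in inbox:
        service = attribute(secret, recipient, domain)
        if service is None:
            unverified.add(recipient.lower())
        elif sender_domain.lower() not in expected_senders.get(service, set()):
            leaked.add(service)
    return {"leaked": sorted(leaked), "unverified": sorted(unverified)}


# Constructed sample data.
SECRET = b"constructed-demo-secret"
DOMAIN = "example.org"
EXPECTED = {"shop": {"shop.example"}, "forum": {"forum.example"}}
INBOX = [
    (make_alias(SECRET, "shop", DOMAIN), "shop.example"),       # normal mail
    (make_alias(SECRET, "forum", DOMAIN), "bulkmail.example"),  # alias reused by a third party
    ("newsletter@example.org", "bulkmail.example"),             # never issued
]

if __name__ == "__main__":
    print(find_leaks(SECRET, DOMAIN, EXPECTED, INBOX))
```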

ATS1312@lemmy.dbzer0.com on 13 Nov 00:44

Use duck dot com email proxies, ya noob.

HubertManne@piefed.social on 13 Nov 03:17

This is what I hate about all email and why I say every so often I would like citizens public email. I mean this could happen with Google. We need to have a right to an email address.

helpImTrappedOnline@lemmy.world on 13 Nov 11:47

I bet the US will be your full name + the last 4 digits of your social.

HubertManne@piefed.social on 13 Nov 15:05

fulllegalnameyearemailactivated@street.city.state.us

MrSulu@lemmy.ml on 13 Nov 08:43

Sorry to hear this, what a nightmare.
If your old Gmail account lives, my thought is to carry on using that with auto forwarding to a fresh Tuta account and see how that goes, using the fresh Tuta and copying to old Gmail for redundancy / fallback. That’s what I did.

Samsy@lemmy.ml on 13 Nov 10:24

That’s why I switched to my own mailserver. Sure this isn’t something for everyone. But getting a VPS with a reputable and static IP to set up Stalwart and use their manual for building up all the DNS queries wasn’t that hard.

ArcaneSlime@lemmy.dbzer0.com on 13 Nov 14:01

Yeah same here, they deleted my old addr for inactivity, fine, so I made a new one. “Flagged for review, cannot send/receive emails at this addr yet” 2d go by, “flagged harder, reach out, using the email that can’t send email, to tuta support and explain why you need this acct.” Tried to send the email, perhaps unsurprisingly, to no success.

So I created a Disroot acct instead. They also flagged me for review (but then approved me, and I did it twice so I have two disroot accts which I need for different reasons), and their sign up site is pretty bad (it says “weak password” until you get enough chars in the prompt, coulda just told me that instead of making me insane rolling 30 different passwords in keepass…) but still, much better now, I have IMAP and disroot doesn’t delete for inactivity, so, woohoo!