I’ve just been through the exact same thing. Look at the documentation for teams. The €3 per user standard account has this feature too.
https://kb.mailbox.org/en/private/account-article/how-to-set-up-team-accounts
And it seems since today you can use light too! https://mailbox.org/en/post/teams-and-families-custom-domains-available-in-the-light-plan
This is also one of the reasons I've moved on from mailbox.org.
Seems like they won't fix this and they also wouldn't bother about complaints, especially in this subreddit. It's unfortunate but well, there're always other choices.
Using an alias for my [email protected] instead of the [email protected] or [anything]@domain.com address.
For burner addresses mailbox.org has disposable addresses: https://mailbox.org/en/post/more-privacy-with-anonymous-disposable-e-mail-addresses
Sweet, it also looks like it's 25 aliases for mailbox.org but 50 custom aliases (or 250 on the more expensive plan)
Under the plan & details https://mailbox.org/en/services#tariffs
Thank you for looking into that for me, much appreciated!
I looked into what MS does. I believe they use their authentication module on a mobile phone or desktop in a fashion similar to a smart card. The device must be registered with the server, during which process public keys are exchanged and paired with a specific device and user. Then for authentication, there is a challenge-response protocol that proves the identity of the client.
Mailbox.org is fairly vague about how they do it, but I think if you buy the Yubikey from them, they register it so that hopefully they can perform the full security authentication flow when the user logs in. This is in contrast to the TOTP method, which does not include a cryptographic challenge-response protocol. So in the case of mailbox.org, I find their TOTP implementation lacking. But perhaps if they are using FIDO/UTF correctly that could be a valid authentication path.
I wish someone at mailbox.org could explain more deeply what they are doing.
Thank you for helping me understand.
- Barry
RicGonMar - Yes, I also looked at the way they handle Yubikey and it looks similarly bad. You basically use your 4-digit PIN plus the token, whether it's from TOTP or Yubikey. After having used other services who do it the "right" way, I cannot imagine using mailbox.org for anything important. Too bad because they do a lot of other things well.
- banjo
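
The contrast drawn in the two posts above, shown side by side: a TOTP code depends only on a shared secret and the clock, while a registered device key signs a fresh server nonce. This is an added example, not part of the thread and not mailbox.org's or Microsoft's code; Ed25519, the function names, and the in-memory registry are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// --- TOTP (RFC 6238): both sides hold the same secret; there is no server challenge ---
function totp(secret, unixSeconds, step = 30, digits = 6) {
  const counter = Buffer.alloc(8);
  counter.writeBigUInt64BE(BigInt(Math.floor(unixSeconds / step)));
  const mac = crypto.createHmac('sha1', secret).update(counter).digest();
  const offset = mac[mac.length - 1] & 0x0f;          // dynamic truncation
  const bin = mac.readUInt32BE(offset) & 0x7fffffff;
  return String(bin % 10 ** digits).padStart(digits, '0');
}

// --- Challenge-response with a registered device key (hypothetical server state) ---
const registry = new Map(); // deviceId -> { user, publicKey }
const pending = new Map();  // deviceId -> nonce awaiting a response

// Registration: the device creates a key pair; only the public key reaches the server.
function registerDevice(deviceId, user) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  registry.set(deviceId, { user, publicKey });
  return privateKey; // stays on the device
}

// Login step 1: the server sends a fresh random nonce.
function issueChallenge(deviceId) {
  const nonce = crypto.randomBytes(32);
  pending.set(deviceId, nonce);
  return nonce;
}

// Login step 2: the device signs the nonce with its private key.
function deviceRespond(privateKey, nonce) {
  return crypto.sign(null, nonce, privateKey);
}

// Login step 3: the server verifies against the registered public key.
// The nonce is single-use, so a captured signature cannot be replayed.
function verifyResponse(deviceId, signature) {
  const entry = registry.get(deviceId);
  const nonce = pending.get(deviceId);
  pending.delete(deviceId);
  if (!entry || !nonce) return null;
  return crypto.verify(null, nonce, entry.publicKey, signature) ? entry.user : null;
}
```

The server in the second half stores nothing that would let it, or anyone who copies its database, produce a valid login response.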