Helm Email Server: secure and stylish, but has issues

I had an opportunity to test drive the Helm personal email server over the past couple of months. I give them an A for effort, and a C+ for execution. It is a smallish pyramid that can be used to self-host your own email domain.

It has some great ideas and tries hard to be a secure email server that is easy to setup. And its packaging and reviewer’s guide is a design delight, as you can see from the photo below. But it has a few major drawbacks, especially for users that want to do more than protect their email correspondence.

If you want to read a more thorough test, check out Lee Hutchinson’s Ars review here. While I didn’t test it as thoroughly or write about it as much as he did, I did try it out in two different modes: first, as a server on a test account that Helm reserved for me. Then I reset the unit and tried it to serve up email on one of my existing domains. I will get to an issue with that latter configuration in a moment.

My biggest issue is its lack of support for webmail clients. I understand why this was done, but I still don’t like it. I have been using webmail exclusively for my desktop and laptop email usage for more than 10 years, and only use the iPhone Mail app when I am on the phone. Certainly, that leaves me open for exposure, man-in-the-middle, etc. But I am not sure I am willing to give up that flexibility for better security, which is really at the center of the debate.

Brian Krebs blogged that users can pick two of security, privacy and convenience, but only two. That is the rub.

If you are concerned about privacy first and foremost, you are likely to want to use encryption on all of your emails. That is probably for very few folks. Even with zero-trust encryption, this isn’t easy. Helm doesn’t support any encryption such as PGP, so this audience is off the table.

If you are concerned with convenience, you are probably going to stick with webmailers for the time being. So this audience is off the table too.

If you are concerned with security first, maybe you will consider Helm. But it is a big maybe. If you already use a corporate email server and your company has hundreds of mailboxes, I don’t think any IT manager is going to want to have a tiny box like Helm at the center of their email infrastructure. And if you are a SMB that has < 100 mailboxes, perhaps you might move from GSuite or O365, but it will take some work. Certainly, the pricing tipping point is around a dozen mailboxes, depending on the various options that you choose for these SaaS emailers.

Hutchinson’s piece in Ars says, “Helm aims to give you the best of both worlds—the assurance of having a device filled with sensitive information physically under your control, but with almost all of the heavy sysadmin lifting done for you. If you’re looking to kick Google or Microsoft to the curb and claw back control of your email, this is in my opinion the best and easiest way to do it.” I would agree with him.

However, the issue for this last group isn’t the email, but the other things that depend on email that they already use seamlessly: calendars, contacts, and email notifications. Setting up calendars and contacts will take some careful study before you actually configure them. This is because you have to read and understand the web-based support portal pages so that you know what the steps are before you do the configuration. I ended up creating several device profiles before I got all this together, because I couldn’t access the existing details to set up the servers etc. (I understand why you are doing this, but still calling them “device profiles” is confusing.) And then I still had issues with getting things setup for my calendar and contacts. The pretty reviewer’s guide really falls down in this area.

One plus for the security audience is that it supports DMARC/SPF/DKIM with no extra effort. (See the screenshot below.) They don’t make a big deal of this, other than a brief nod to it in the support pages here. My report from mail-tester can be found here, showing that this was implemented correctly.

Another sticking point for me is the use of the smartphone app for configuration and reporting. I have had problems with other consumer-grade products that do this – such as most smart home devices, the Bitdefender Box (I did an early review of this for Tom’s Hardware but haven’t looked at it for a while since then), and some SMB router/firewalls. The problem is that your screen real estate is very limited, forcing you to make some bad UI tradeoffs. For example, a notification alert comes up on my phone during certain times.

One issue that Hutchinson also had is that if you use Helm to serve up your own domain, it needs to take control over your domain’s DNS settings. You can use its smartphone app to add your own custom DNS records, but it isn’t as flexible as say the average ISP DNS web-based management screens. Speaking of DNS, Helm doesn’t support DNSSEC because of the way it moves your email traffic through its AWS infrastructure.

Finally, the backup process didn’t work for my pre-configured unit and I never got a successful backup, even after initiating several of them. It worked fine for my hosted domain. There is no phone message notification of either success or failure: you have to check the app, which also seems like a major omission.

If you aren’t happy with the security implications of Microsoft/Googleplex owning your messages and are a small business that doesn’t use much webmail, then Helm should be a great solution. It costs $500 initially, with $100 annually for a support contract.


One thought on “Helm Email Server: secure and stylish, but has issues

  1. Thanks for taking the time to look at Helm David. I wanted to post some responses to what you wrote.

    Helm does not support webmail clients due to the security risks webmail presents. Nadim Kobeissi captured the general challenges well when reviewing Protonmail recently: https://eprint.iacr.org/2018/1121.pdf. Helm supports native clients which can be used on mobile and desktop devices. Unlike webmail, native client make your email accessible while offline which is great when traveling.

    Helm was built to address privacy by offering full disk encryption with keys managed by a Secure Enclave, client to server encryption over TLS, and server to server encryption over TLS. Helm utilizes certificates from Let’s Encrypt. Helm supports content-level encryption using PGP or SMIME at the MUA not MTA level.

    Corporate / Enterprise
    Helm was designed for individual users and small businesses. Helm is not designed as an enterprise solution today. Helm has built-in support for importing from 3rd party services.

    Calendar/Contact Setup
    We are continuing to improve our user experience to make it as seamless as possible. Some native clients have challenging calendar and contact user experiences that we are working to resolve.

    We included DMARC/SPF/DKIM email authentication to ensure the authenticity of our customers emails. Learn more here: How Helm Works – Part 1 (https://medium.com/gethelm/how-helm-works-part-1-4cf68956dd26). Helm’s mobile app also offers an additional level of security with a proximity-based token for two-factor authentication.

    Smartphone App
    We are continuing to improve our user experience to make it as seamless as possible. Future updates include: Push-notifications with configuration settings, improved setup, multi-user account management, and more. Helm’s mobile app also offers an additional level of security with a proximity-based token for two-factor authentication that is not available in other solutions.

    Helm demo units were tested before being shipped out and it appears that the backup from that testing was not cleared out for your unit which is why you experienced that issue. This has not been seen with retail units.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.