mjl- / mox

modern full-featured open source secure mail server for low-maintenance self-hosted email
https://www.xmox.nl
MIT License

Resurfacing Mails as Privacy Concern #162

Open RobSlgm opened 5 months ago

RobSlgm commented 5 months ago

Steps to reproduce

  1. Create a new account:
     ./mox config account add test1 test1@redacted.com
     ./mox setaccountpassword test1 somesecretpassword
  2. Add content to the mailbox (through webmail or other means).
  3. Remove the account:
     ./mox config account rm test1
  4. Verify that the account is inaccessible and emails are not received using the original address.
  5. Re-create the account with the same email address:
     ./mox config account add test1 test1@redacted.com
     ./mox setaccountpassword test1 sameordifferent

Observation:

Despite account removal, emails from the original mailbox resurface with the recreated account using the same email address.

Concern:

This behavior can lead to privacy issues. Users who intend to permanently delete their accounts and emails might be surprised by the ability to recover emails simply by recreating the account. This could potentially contradict user expectations regarding the "right to be forgotten" and data deletion.

mjl- commented 5 months ago

Thanks for raising this issue. This isn't the right behaviour. I think we should just really remove the account data. Admins should have backups. In the admin web interface we can ask for confirmation. We could also force an admin to specify a flag to "mox config account rm", to indicate they really mean to remove the account, but that's probably a step too far.

The other option is moving the account data to some directory, out of the way. But the risk is that it is never cleaned up and lingers (like it does now!).

x8x commented 5 months ago

I did run into this as well, agree with @RobSlgm.

./mox config account rm test1 should remove account config and data

If you think there is a good use for keeping account's data, that data should still be linked to the account config.

Maybe a better way would be to have: ./mox config account disable test1, keeping both the account's data and config. This would also be more clear than adding a flag to rm.

To be more clear, both: ./mox config account rm --keep-data test1 or ./mox config account rm --delete-data test1 would be less clear.

mjl- commented 4 months ago

thanks for the feedback. "mox config account rm" now indeed simply removes all files (first moving the directory from data/accounts/ to data/tmp/). there is no disable yet. to achieve a disabled account, an admin can either set a new password and not tell the user and/or remove all email addresses configured for the account.
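As an added example (not mox's own code), a small POSIX shell audit that finds account directories in a mox data directory that no longer belong to a configured account, i.e. the lingering mailbox data this issue is about, and retires them the way the fix above describes (move out of accounts/ into tmp/, then delete). It assumes account data lives in DATADIR/accounts/<name>, as the thread states, and reads the configured account names from a plain text file, one per line, because it does not parse mox's configuration.

```sh
#!/bin/sh
# Added example, not part of mox. Assumptions: account data is stored under
# DATADIR/accounts/<name>; configured account names come from ACCOUNTS_FILE,
# one name per line (constructed here, not read from mox's config).

# find_orphaned_account_dirs DATADIR ACCOUNTS_FILE
# Print the names of account directories with no entry in ACCOUNTS_FILE.
# Returns 1 if any orphan was found, 0 otherwise.
find_orphaned_account_dirs() {
  datadir=$1
  accounts_file=$2
  found=0
  for dir in "$datadir"/accounts/*/; do
    [ -d "$dir" ] || continue        # unexpanded glob: no accounts at all
    name=$(basename "$dir")
    # -x whole-line, -F literal: "test1" must not match "test10"
    if ! grep -qxF -- "$name" "$accounts_file"; then
      printf '%s\n' "$name"
      found=1
    fi
  done
  return $found
}

# retire_account_dir DATADIR NAME
# Remove one orphaned account directory: first move it out of accounts/
# into tmp/, then delete it, so an account re-created under the same name
# starts from an empty directory instead of the old mailbox contents.
retire_account_dir() {
  datadir=$1
  name=$2
  src="$datadir/accounts/$name"
  [ -d "$src" ] || return 1
  mkdir -p "$datadir/tmp"
  mv "$src" "$datadir/tmp/$name.$$" && rm -rf "$datadir/tmp/$name.$$"
}

# Constructed demo layout: two account directories, only test2 configured.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/data/accounts/test1" "$demo_root/data/accounts/test2"
printf 'test2\n' > "$demo_root/configured-accounts.txt"
# The audit only reports; retiring an orphan is a separate, explicit step.
find_orphaned_account_dirs "$demo_root/data" "$demo_root/configured-accounts.txt" || true
rm -rf "$demo_root"
```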