neilalexander / yggmail

End-to-end encrypted email for the mesh networking age
https://matrix.to/#/#yggmail:matrix.org
Mozilla Public License 2.0

Add DNS-based aliases #6

Open cofob opened 3 years ago

cofob commented 3 years ago

Is your feature request related to a problem? Please describe.

In the current version of yggmail, it is quite difficult to remember or share addresses like e8a6d1decc5c53b657bf57c546b894c7f07bcebf9a1bcc09de00d7a03d7e5366@yggmail.

Describe the solution you'd like

It is possible to use ALFIS (or any other DNS) to solve this problem. You can add a TXT record to _yggmail.domain.tld containing the yggmail public key. When sending a message to domain@tld, yggmail will extract the public key from the DNS, and send the message to the {public key}@yggmail.

neilalexander commented 3 years ago

This is a pretty good idea and I had been thinking of something similar. Just not sure if it will fracture the experience if people use different DNS (e.g. some people use ALFIS, others use internet DNS, or have no DNS connectivity at all).

zander commented 3 years ago

Now, I'm no expert in ygg, so correct me if I'm wrong here.

If on my example.com I add an ygg AAAA record (starting with 0200), isn't that enough for yggmail to already be able to do the task?

After all, ygg manages to encrypt and route packages based purely on IP, yggmail should be able to extract the public key from a running node too.

cofob commented 3 years ago

> This is a pretty good idea and I had been thinking of something similar. Just not sure if it will fracture the experience if people use different DNS (e.g. some people use ALFIS, others use internet DNS, or have no DNS connectivity at all).

You need yggdrasil to use it, I don't think that the people who use it do not distinguish between different DNS.

cofob commented 3 years ago

> Now, I'm no expert in ygg, so correct me if I'm wrong here.
>
> If on my example.com I add an ygg AAAA record (starting with 0200), isn't that enough for yggmail to already be able to do the task?
>
> After all, ygg manages to encrypt and route packages based purely on IP, yggmail should be able to extract the public key from a running node too.

This will allow you to more flexibly customize your mailbox (and not all domains have a yggdrasil address, or there may be several of them). You can make yggmail look at the TXT record first, only then at AAAA.

Revertron commented 3 years ago

There are some security concerns though. If someone sends mail, for example to neil@yggmail, and uses a faulty DNS server, it can get an attacker's address and send mail to an attacker instead of Neil.

The better way is to use addresses like neil.ygg@yggmail, using full domains from ALFIS' zones. Then if yggmail sees that the address is not a public key and ends in one of ALFIS's zones, it tries to resolve that domain's TXT record. I think the record should be for a subdomain like yggmail.neil.ygg.
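The resolution rule proposed in the comment above, sketched in Go as an added example (it is not yggmail's code and not written by anyone in this thread). `TXTLookup`, `allowedZones` and `ResolveRecipient` are hypothetical names, the zone allow-list is an assumption that contains only the `ygg` zone seen in the thread, and the resolver data in `main` is constructed.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// TXTLookup is the resolver hook (assumption: wired to the ALFIS resolver by the caller).
type TXTLookup func(name string) ([]string, error)

// allowedZones is an assumed allow-list; only "ygg" appears in the thread.
var allowedZones = map[string]bool{"ygg": true}

// isKey reports whether s is 64 hex characters, i.e. a 32-byte public key.
func isKey(s string) bool {
	b, err := hex.DecodeString(s)
	return err == nil && len(b) == 32
}

// ResolveRecipient maps "<key>@yggmail" or "<name.zone>@yggmail" to a public key.
func ResolveRecipient(addr string, lookup TXTLookup) (string, error) {
	local, domain, ok := strings.Cut(strings.ToLower(addr), "@")
	if !ok || domain != "yggmail" {
		return "", errors.New("not a yggmail address")
	}
	if isKey(local) {
		return local, nil // already a public key: no DNS involved
	}
	i := strings.LastIndex(local, ".")
	if i <= 0 || !allowedZones[local[i+1:]] {
		return "", errors.New("alias is not in an allowed zone")
	}
	txts, err := lookup("yggmail." + local)
	if err != nil {
		return "", fmt.Errorf("TXT lookup failed: %w", err)
	}
	// Fail closed: exactly one record, and it must be a well-formed key.
	if len(txts) != 1 || !isKey(strings.TrimSpace(txts[0])) {
		return "", errors.New("alias must publish exactly one valid key")
	}
	return strings.ToLower(strings.TrimSpace(txts[0])), nil
}

func main() {
	// Constructed resolver data; the key is the example address from the issue.
	zone := map[string][]string{"yggmail.neil.ygg": {"e8a6d1decc5c53b657bf57c546b894c7f07bcebf9a1bcc09de00d7a03d7e5366"}}
	lookup := func(n string) ([]string, error) { return zone[n], nil }
	fmt.Println(ResolveRecipient("neil.ygg@yggmail", lookup))
}
```

The checks only constrain which names are looked up and what shape the answer must have; the key is still only as trustworthy as the resolver that returned it, which is the concern raised above.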

cofob commented 3 years ago

> There are some security concerns though. If someone sends mail, for example to neil@yggmail, and uses a faulty DNS server, it can get an attacker's address and send mail to an attacker instead of Neil.
>
> The better way is to use addresses like neil.ygg@yggmail, using full domains from ALFIS' zones. Then if yggmail sees that the address is not a public key and ends in one of ALFIS's zones, it tries to resolve that domain's TXT record. I think the record should be for a subdomain like yggmail.neil.ygg.

I suggested addresses like neil@ygg (neil.ygg), neil@com (neil.com).

Revertron commented 3 years ago

> I suggested addresses like neil@ygg (neil.ygg), neil@com (neil.com).

How will the DNS server resolve such addresses?

cofob commented 3 years ago

> > I suggested addresses like neil@ygg (neil.ygg), neil@com (neil.com).
>
> How will the DNS server resolve such addresses?

Before resolving, the back-end will parse such an address into domain.tld, and request a public key from the DNS, then send an email to public_key@yggmail.

ghost commented 3 years ago

most apps don't work with tld

cofob commented 3 years ago

> most apps don't work with tld

Perhaps we misunderstood each other. .tld is a placeholder for first level domain like .ru, .us, .com (Top-level domain)

ghost commented 3 years ago

My point is that most apps don't work with a domain like hash@yggmail

tionis commented 3 years ago

Yes, I was unable to use my usual mail clients, because they didn't accept the mail address. The only one that worked for me was Thunderbird.

neilalexander commented 3 years ago

> My point is that most apps don't work with a domain like hash@yggmail

Can you please qualify which apps don’t? Everything I have tested has so far been fine (including Apple Mail, iOS Mail.app, Thunderbird, mutt and Evolution).

tionis commented 3 years ago

Mailspring and KMail didn't accept the email.
Mutt didn't like the non-existent encryption (this may have been a configuration issue on my side).

ghost commented 3 years ago

> > My point is that most apps don't work with a domain like hash@yggmail
>
> Can you please qualify which apps don’t? Everything I have tested has so far been fine (including Apple Mail, iOS Mail.app, Thunderbird, mutt and Evolution).

DeltaChat and KMail (screenshot Screenshot_20210711_231932: "Wrong mail address")

neilalexander commented 3 years ago

Mutt definitely worked when I set it up. If KMail and Mailspring have issues with the address format then we should probably raise issues on their respective bug trackers, since the email addresses are valid as per RFC 5322.

tionis commented 3 years ago

I opened an issue in the bug report forum of Mailspring (link).

tionis commented 3 years ago

> Mutt definitely worked when I set it up. If KMail and Mailspring have issues with the address format then we should probably raise issues on their respective bug trackers, since the email addresses are valid as per RFC 5322.

How did you prevent Mutt from trying to use TLS for the SMTP server?
I already used the smtp:// format instead of the ssmtp:// one.

neilalexander commented 3 years ago

> How did you prevent Mutt from trying to use TLS for the SMTP server?

Something like this in .muttrc:

set folder = "imap://localhost:1143"

set imap_user = "<username>"
set imap_pass = "<password>"

set smtp_url = "smtp://localhost:1025"
set smtp_pass = "<username>"

set ssl_starttls = no
set ssl_force_tls = no

set from = "<mailaddr>"
set realname = "<name>"

tionis commented 3 years ago

I tried it with this config and either get a SASL authentication failed if I use something like smtp://HASH@yggmail@localhost:1025 or SMTP session failed: 502 5.7.0 Not expecting anonymous connection on internal backend when configuring it via the example above. But this seems to be getting off topic.

tbxv commented 3 years ago

Maybe it would be better to allow multiple inboxes on one node and use more conventional addresses like inbox@public_key.yggmail and inbox@domain.tld. This would be more compatible, more flexible, and could make it possible to have one address for both yggmail and standard email.

Or maybe support only one inbox per node but accept any name before '@'. This way emails sent to both name1@key.yggmail and name2@key.yggmail will go to the same inbox, but different names could be used to help filtering and categorization of mails.

tbxv commented 3 years ago

> Or maybe support only one inbox per node but accept any name before '@'. This way emails sent to both name1@key.yggmail and name2@key.yggmail will go to the same inbox, but different names could be used to help filtering and categorization of mails.

Also, in this case an option to restrict allowed names will be useful for basic spam protection: to send mail, the complete address must be known, not just the public key, so it won't work for spammers to try to send mails to every node discovered on the network.