pazz / alot

Terminal-based Mail User Agent
GNU General Public License v3.0

Local hostname in Message-ID #1599

Closed sthesing closed 2 years ago

sthesing commented 2 years ago

Alot appends the local hostname to the Message-ID.

If a user called their machine "bobsnewcomputer", the message IDs of email messages sent by alot consist of some random hash followed by @bobsnewcomputer.

Not only does this not help to achieve the purpose of message IDs, uniqueness (cf. RFC822), it also exposes potentially private information.

Software Versions

To Reproduce

Steps to reproduce the behaviour:

  1. send yourself an email
  2. look at the message id

Proposal

W3C considers it best practice to format message ids as: <something unique within the machine, like a timestamp>@<internet domain name of the host>.

That's what Thunderbird does, for example: 8BF8CF7C-5FA3-4480-9968-DCDBC7788724@example.net

In times of mail providers with millions of users, the domain name alone is probably very unique. But since the sender address is known to anyone having access to the message, a message ID like <some random number>.<sender address>, e.g. 8BF8CF7C-5FA3-4480-9968-DCDBC7788724.bob@example.net, shouldn't cause any privacy concerns.

lucc commented 2 years ago

I understand the general idea and I think you can open a PR to change the message ID to include the sending email address after the random string. I do not see a reason why the change you describe should be problematic. In the best case it can conceal your hostname (some additional information that might otherwise not be present in the mail).

technical sidenotes:

I can however not observe the format of the message ID you describe: my IDs end in @localhost even though hostname tells me my computer is called differently. But in my /etc/hosts I have

127.0.0.1 localhost
::1 localhost

No idea why your computer generates this message ID. I did not yet check the code.


I also read the RFC differently. I think you refer to this sentence:

> The uniqueness of the message identifier is guaranteed by the host which generates it.

But how can one host guarantee uniqueness across all messages that are generated globally? That is theoretically impossible, so I understand this as "the uniqueness (among all messages generated by this host) of the message identifier ...".

You are of course right that appending the host name only helps to generate uniqueness if every computer has a unique hostname. And this is not true for personal computers today.

I would however argue that the uniqueness is only needed in a practical sense and the current scheme is as effective as the proposed.

sthesing commented 2 years ago

> I understand the general idea and I think you can open a PR

I fear my Python skills aren't sufficient to do just that. I did have a look at the code, though, and found the following:

There is also the file defaults/alot.rc.spec. I have no idea what *.spec files do. As I said, my Python is limited.

The message_id_domain attribute made me aware of something that I had overlooked in the user guide and that's a perfect workaround.

Workaround

In your alot config file add

message_id_domain = example.com 

to your settings for each account. Replace example.com as needed.

Sorry I overlooked that. As far as I'm concerned as a user, this issue can be closed.

kbingham commented 2 years ago

Aha, the message_id_domain is something I'd missed too and wanted to stop my hostname being included in my outgoing mails.

Couldn't this be generated from the domain name of the outgoing FROM: header though?

lucc commented 2 years ago

@kbingham you can follow the above arguments and make a PR to change the default if the setting is not present in the config file. I will close this as @sthesing said but you can still pursue this if you want.

@sthesing the spec file is not specific to Python, it is specific to the config parsing library we are using. It is used to validate the config file. The file extension is arbitrary, the syntax is the same as for the config file (similar to how you can write JSON specs in JSON).
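
The fallback discussed in this thread, as an added example that is not alot's code: use message_id_domain when it is set, otherwise take the domain from the From header, and flag IDs whose right-hand side is a local machine name. It relies on Python's standard email.utils.make_msgid, whose default domain is the local hostname from socket.getfqdn(); the function names and sample addresses are constructed for illustration.

```python
import socket
from email.message import EmailMessage
from email.utils import make_msgid, parseaddr


def msgid_domain(from_header, configured=None):
    """Explicit setting wins; otherwise use the domain of the From address."""
    if configured:
        return configured
    _, addr = parseaddr(from_header)
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"no domain in From header: {from_header!r}")
    return domain.lower()


def build_message(from_header, to_header, configured=None):
    """Build a message whose Message-ID never falls back to the local hostname."""
    msg = EmailMessage()
    msg["From"] = from_header
    msg["To"] = to_header
    # Passing domain= stops make_msgid() from calling socket.getfqdn().
    msg["Message-ID"] = make_msgid(domain=msgid_domain(from_header, configured))
    return msg


def leaks_local_host(message_id, from_header, local_names=None):
    """Heuristic audit: the ID's right-hand side differs from the sender domain
    and is either a known local name or an unqualified name (no dot)."""
    if local_names is None:
        local_names = {socket.gethostname(), socket.getfqdn()}
    rhs = message_id.strip().strip("<>").rpartition("@")[2].lower()
    sender = parseaddr(from_header)[1].rpartition("@")[2].lower()
    names = {n.lower() for n in local_names}
    return rhs != sender and (rhs in names or "." not in rhs)


if __name__ == "__main__":
    # Constructed sample values, not taken from real mail.
    msg = build_message("Bob <bob@example.net>", "alice@example.org")
    print(msg["Message-ID"])
    print(leaks_local_host("<1234.abcd@bobsnewcomputer>", "bob@example.net"))
```

Running the audit over the Message-ID headers of a sent-mail folder shows which messages were sent before the setting was in place.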