🆕 Software Suggestion | NixNet Mail

[Amolith]

Basic Information

Name: NixNet Mail Category: email URL: nixnet.email

Description

My vision is for NixNet Mail to be a more professional version of cock.li with additional privacy features. I'm not creating this issue saying it should be added to the list right away, I just want to get it out there and maybe have a few people review it to see what I need to improve.

Current state

The only way to get an account is to contact me somewhere. That can be done through some method at nixnet.services/contact or by sending an email to the postmaster inbox. GPG keys are available for both my address and the Postmaster. I don't care where I'm contacted from, I just need to know the desired username and domain and I need to be able to send a temporary password back. Users are instructed to change it from within Roundcube and given a link to documentation for connecting desktop/mobile clients as well as encouraged to read useplaintext.email. Emails are sent in plaintext by default in Roundcube.

• Everything is fully open source and I'm in the process of documenting all of the components used.
• SPF, DMARC, DKIM, STARTTLS, and DNSSEC are all implemented and I'm looking into DANE as well.
• When a user asks me to delete their account, I run the SQL query to delete them from the database then I delete their mail directory from the filesystem.
• Client IP addresses are redacted before sending the email anywhere else
• Emails are stored in plaintext but I don't bother reading them and I do have a document saying that with information on how to use encryption.
• Users can choose from any of the domains I currently have set up. I don't allow for adding custom domains yet.

Future state

It will be a fully self-service platform for users and domain administrators. There will be a place for domains owners to bring their own, DNS records (DKIM, SPF, the works) will be automatically generated, and there will be a dashboard for creating inboxes and aliases. When bringing their own domain, the addresses listed in RFC 2142 will be mandatory but users can choose to create them as individual inboxes or as aliases. Default behaviour will be that the postmaster has an inbox and everything else is aliased to that.

In being able to create additional inboxes, domain owners could actually be an admin at a company and create accounts for employees (though that would require an API that hasn't been made yet).

Local inbox encryption will be implemented using an official Dovecot plugin so that I'm unable to read any emails.

Once I've added some minimal CSS, koushin will be the recommended webmail client but Roundcube will still be supported and desktop clients will still be heavily recommended.

TODO list

• [x] Correct MTA-STS issue
• [x] Add HSTS to other domains
• [ ] Revise cipher suite
• [ ] Set .onion domain up
• [x] Add koushin
• [ ] Add DANE
• [ ] Set up Cal/CardDAV server for koushin integration
• [ ] Improve documentation
• [ ] Implement maildir encryption
• [ ] Add proper privacy policy
• [ ] Add terms of service
• [ ] Fund the creation of the dashboard

Last item will be a massive undertaking that I will likely pay for myself. It will be open source and licensed under MIT.

Why I am making the suggestion

I think it will be a valuable addition to the list of recommended email providers once it's further along.

My connection with the software

I am the creator!

---

• [x] I will keep the issue up-to-date if something I have said changes and if progress on any of the planned features is made

[ian-tedesco]

Hello.

Your service looks really nice and simple, I like it. I think the criteria is still under development and I think the staff (I am only a contributor) prefers to first finish the editing with the current providers and the correct criteria and then add some more. If you look through the issues you will be able to find the new e-mail section with the deploy, and within it there's the criteria.

You can test your website here to see what you are missing: https://www.hardenize.com/report/webmail.nixnet.email/1582052965

---

I would like to request a feature added to the todo list, an .onion URL would be awesome.

[Amolith]

I would like to request a feature added to the todo list, an .onion URL would be awesome.

That's already on my mind and in the Planned features list at the bottom of nixnet.email, I simply forgot to add it here :wink: I actually have five vanity onion URLs generated starting with nnmail. If I have time this evening, I'm going to set that up along with some others I've spent a few days generating for other sites.

You can test your website here to see what you are missing: https://www.hardenize.com/report/webmail.nixnet.email/1582052965

I ran the test against an active mail domain, nixnet.email, and this is the current report. It looks like I need to modify my cipher suite and correct an issue with MTA-STS; I recently migrated servers (it took about 8 hours in total) but that aspect escaped my attention.

Thanks!

[ian-tedesco]

Great! I'll check it out this night to see if the .onion URLs are live.

Great, I see it looks better now. Also you have to be registered under the EEF as a STARTTLS supporter, I don't know it that's implemented.

[Amolith]

Also you have to be registered under the EEF as a STARTTLS supporter, I don't know it that's implemented.

I've been in the STARTTLS Everywhere queue for a while now but there's still the MTA-STS issue I urgently need to fix; that's at the top of my todo list this evening. Once I correct it, I'll add the other domains to the queue as well.

[Amolith]

The MTA-STS issue has been resolved and results can be seen below. I've also added each domain to the queue for STARTTLS Everywhere. https://www.starttls-everywhere.org/results/?nixnet.email https://www.starttls-everywhere.org/results/?pwned.life https://www.starttls-everywhere.org/results/?nixnetmail.com https://www.starttls-everywhere.org/results/?647630.xyz https://www.starttls-everywhere.org/results/?3733366.xyz https://www.starttls-everywhere.org/results/?7748229.xyz

There's an updated analysis of the mail server's security as well. I'll be taking a look at the rest of the issues tonight.

[blacklight447]

Nice progress so far!

[Amolith]

I just finished with koushin and it's running at simple.nixnet.email. Though a little experimental at the moment, I have high hopes for it.

[ian-tedesco]

I just finished with koushin and it's running at simple.nixnet.email. Though a little experimental at the moment, I have high hopes for it.

That's great, I'll send you an e-mail in a couple of hours to create an account if it's possible. Does koushin work without JavaScript or you are going to use Squirrelmail for Tor?

[Amolith]

Does koushin work without JavaScript or you are going to use Squirrelmail for Tor?

Koushin has no JavaScript components at all; by default, it's pure HTML. The theme it's using now doesn't even have CSS if I remember correctly; I'm going to work on improving it a bit when I have some time 😉 JavaScript could be added but, in my opinion, it's completely unnecessary and would detract from the experience.

[dngray]

I'm a bit unsure as to why you opened this prior to meeting our criteria. Surely this tracking issue would have been better suited on your own bug tracker.

Closing as it won't be added until it is ready. Feel free to re-open when you want to be re-evaluated.