Re: [MlMt] Security

2018-01-22 Thread Jan Erik Moström

On 22 Jan 2018, at 15:30, Benny Kjær Nielsen wrote:

At least not for the Inbox. I guess push notifications could also be 
used for read receipts, but again, MailMate doesn't support that.


Which is good :)
___
mailmate mailing list
mailmate@lists.freron.com
https://lists.freron.com/listinfo/mailmate


Re: [MlMt] Security

2018-01-22 Thread Benny Kjær Nielsen

On 22 Jan 2018, at 15:19, Jan Erik Moström wrote:


On 22 Jan 2018, at 15:04, Benny Kjær Nielsen wrote:

I guess that feature might be “read receipts” implemented using 
server-side images. This is not supported by MailMate and it'll most 
definitely not be implemented if it involves the MailMate server.


Probably push notification ... at least that is how I read Airmail 
user agreements, that if you don't enable push notifications then they 
store nothing.


Ah, ok. Push notifications are not supported by MailMate. It's not a 
problem to be notified of new emails on a Desktop machine (using IMAP 
IDLE). At least not for the Inbox. I guess push notifications could also 
be used for read receipts, but again, MailMate doesn't support that.


--
Benny


Re: [MlMt] Security

2018-01-22 Thread Jan Erik Moström

On 22 Jan 2018, at 15:04, Benny Kjær Nielsen wrote:

Thank you. I've been looking around at email clients and I saw that 
Airmail and Spark both had some sort of additional functionality which 
required them to store email addresses and associated passwords on 
their servers. That makes me uncomfortable.



I guess that feature might be “read receipts” implemented using 
server-side images. This is not supported by MailMate and it'll most 
definitely not be implemented if it involves the MailMate server.


Probably push notification ... at least that is how I read Airmail user 
agreements, that if you don't enable push notifications then they store 
nothing.


(Yep, I've deleted both Airmail and Spark from my iOS devices because 
of their user agreements)


= jem


Re: [MlMt] Security

2018-01-22 Thread Benny Kjær Nielsen

On 18 Jan 2018, at 23:53, Daniel Torrecillas wrote:

Thank you. I've been looking around at email clients and I saw that 
Airmail and Spark both had some sort of additional functionality which 
required them to store email addresses and associated passwords on 
their servers. That makes me uncomfortable.


I guess that feature might be “read receipts” implemented using 
server-side images. This is not supported by MailMate and it'll most 
definitely not be implemented if it involves the MailMate server.


--
Benny


Re: [MlMt] Security

2018-01-18 Thread Charlie Garrison

On 19 Jan 2018, at 9:53, Daniel Torrecillas wrote:

Thank you. I've been looking around at email clients and I saw that 
Airmail and Spark both had some sort of additional functionality which 
required them to store email addresses and associated passwords on 
their servers. That makes me uncomfortable.


I couldn’t get Spark off my phone quick enough when I found out how 
they were abusing my details. :-O


You can be heaps more comfortable and relaxed with MailMate; it’s a 
proper email client that doesn’t strive to move personal details into 
the cloud. (I’m starting to RANT; it’s the fault of Spark though; I 
was shocked when I learned how much of my data, including passwords, 
they had copied off my phone.)


-cng

--

Charlie Garrison   
Garrison Computer Services  
PO Box 380
Tumbarumba NSW 2653  Australia

[Conundrum](http://www.ietf.org/rfc/rfc1855.txt)


Re: [MlMt] Security

2018-01-18 Thread Daniel Torrecillas

MailMate is a Desktop application and most of its network activity is
between you and your IMAP/SMTP providers. MailMate only talks to my
server when doing application update checks, when updating bundles (a
plugin-system for MailMate) and when sending crash reports (if enabled
in the General preferences pane).


Thank you. I've been looking around at email clients and I saw that 
Airmail and Spark both had some sort of additional functionality which 
required them to store email addresses and associated passwords on their 
servers. That makes me uncomfortable.


--
Daniel

On Jan 18 2018, at 6:09 AM, mailmate-requ...@lists.freron.com wrote:



Message: 1
Date: Thu, 18 Jan 2018 10:39:29 +0100
From: "Benny Kjær Nielsen" <mailingl...@freron.com>
To: bl...@torrecillas.com, "MailMate Users"
<mailmate@lists.freron.com>
Subject: Re: [MlMt] Security (Benny Kjær Nielsen)
Message-ID: <34f73193-2e21-4997-bf3f-29691775e...@freron.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

On 17 Jan 2018, at 17:47, uncat wrote:


I back you up. Only thing to add is that one should make sure that SSL
is always enabled such that a password is never sent to the IMAP/SMTP
server in plain text. Note that most proper email servers wouldn't even
allow non-SSL connections.


Is there a Privacy Policy shown during the installation by chance?


No. Installation is just dragging MailMate to, e.g., the Applications
folder.

MailMate is a Desktop application and most of its network activity is
between you and your IMAP/SMTP providers. MailMate only talks to my
server when doing application update checks, when updating bundles (a
plugin-system for MailMate) and when sending crash reports (if enabled
in the General preferences pane).

If you get a license key then I also have access to some personal
information via FastSpring (my reseller). Earlier on I got an email with
this information for every purchase, but this is no longer the case.
This means that I only store the name and email address of each license
key owner (everything else is handled by FastSpring). I do *not* have
(and never had) access to credit card information.

That's all the relevant information I can think of for now. Let me know
if you have any concerns or you can point to an example of a privacy
policy which you would prefer instead of the above.

MailMate is developed by Freron Software which is a small one-man (me)
business located in Copenhagen, Denmark (in the EU).

--
Benny
MailMate developer


--

Message: 2
Date: Thu, 18 Jan 2018 10:43:35 +0100
From: "Compass Luca Cignacco" <i...@compass.udine.it>
To: bl...@torrecillas.com, "MailMate Users"
<mailmate@lists.freron.com>
Subject: Re: [MlMt] Edit Notification format?
Message-ID: <885b982b-09aa-4b89-8a9b-97badeadc...@compass.udine.it>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Go to Preferences -> Counters -> Edit “Format” field

That’s it

On 18 Jan 2018, at 4:04, Daniel Torrecillas wrote:


Hi,

I've just started a trial to see if MailMate will work for me. Is
there a way to edit the format of the Notification banner to mirror
Apple Mail's implementation?

I see the **Format** field in the **Counters** tab of Preferences, but
I don't know where to go from there.

Please see attached screenshots to see the message banner for Apple
Mail and MailMate, for the same message.

--
Daniel


*Compass di Luca Cignacco* - I

Re: [MlMt] Security (Benny Kjær Nielsen)

2018-01-18 Thread Benny Kjær Nielsen

On 17 Jan 2018, at 17:47, uncat wrote:

I back you up. Only thing to add is that one should make sure that SSL 
is always enabled such that a password is never sent to the IMAP/SMTP 
server in plain text. Note that most proper email servers wouldn't even 
allow non-SSL connections.


Is there a Privacy Policy shown during the installation by chance?


No. Installation is just dragging MailMate to, e.g., the Applications 
folder.


MailMate is a Desktop application and most of its network activity is 
between you and your IMAP/SMTP providers. MailMate only talks to my 
server when doing application update checks, when updating bundles (a 
plugin-system for MailMate) and when sending crash reports (if enabled 
in the General preferences pane).


If you get a license key then I also have access to some personal 
information via FastSpring (my reseller). Earlier on I got an email with 
this information for every purchase, but this is no longer the case. 
This means that I only store the name and email address of each license 
key owner (everything else is handled by FastSpring). I do *not* have 
(and never had) access to credit card information.


That's all the relevant information I can think of for now. Let me know 
if you have any concerns or you can point to an example of a privacy 
policy which you would prefer instead of the above.


MailMate is developed by Freron Software which is a small one-man (me) 
business located in Copenhagen, Denmark (in the EU).


--
Benny
MailMate developer


Re: [MlMt] Security

2018-01-17 Thread Steven M. Bellovin

On 17 Jan 2018, at 10:49, Bill Cole wrote:


On 17 Jan 2018, at 8:06, Steven M. Bellovin wrote:


On 17 Jan 2018, at 5:51, Benny Kjær Nielsen wrote:

[...]
I back you up. Only thing to add is that one should make sure that 
SSL is always enabled such that a password is never sent to the 
IMAP/SMTP server in plain text. Note that most proper email servers 
wouldn't even allow non-SSL connections.


What authentication options that don't involve sending passwords does 
MailMate support? Is there a way to configure MM to use only one of 
these safer options if available?


I can't answer that, but I do take issue with the implied assertion 
that it is inherently safer to use CRAM-MD5, DIGEST-MD5, or other 
password-based mechanisms that avoid sending the password to the server 
in decodable form rather than using a plaintext mechanism via an 
encrypted (i.e. TLS) transport. To support those mechanisms, the 
server needs to *store* a recoverable form of the password, which in 
most circumstances creates a less protectable attack surface than 
putting a password on the wire inside an encrypted channel to a server 
that only stores strong one-way hashes.


It varies, depending on the design. Client-side certificates require 
only a public key on the far end. Both sides could store hashed 
passwords (see https://tools.ietf.org/html/draft-bellovin-hpw-01 -- 
alas, it went nowhere) for one design.


But there's a more subtle issue: when you make your trust decisions.  
*If* you trust the site to store passwords safely -- and I agree; that's 
a big assumption -- you make the trust decision once. When you send 
passwords in the clear, you're making that trust decision every time you 
log in, and you're trusting the certificate issuance (think Diginotar 
and Comodo), corporate firewalls that terminate every TLS session and 
create a new one, users who click "OK" to certificate warnings, and 
more.



--Steve Bellovin, https://www.cs.columbia.edu/~smb




Re: [MlMt] Security

2018-01-17 Thread Bill Cole

On 17 Jan 2018, at 8:06, Steven M. Bellovin wrote:


On 17 Jan 2018, at 5:51, Benny Kjær Nielsen wrote:

[...]
I back you up. Only thing to add is that one should make sure that 
SSL is always enabled such that a password is never sent to the 
IMAP/SMTP server in plain text. Note that most proper email servers 
wouldn't even allow non-SSL connections.


What authentication options that don't involve sending passwords does 
MailMate support? Is there a way to configure MM to use only one of 
these safer options if available?


I can't answer that, but I do take issue with the implied assertion that 
it is inherently safer to use CRAM-MD5, DIGEST-MD5, or other 
password-based mechanisms that avoid sending the password to the server in 
decodable form rather than using a plaintext mechanism via an encrypted 
(i.e. TLS) transport. To support those mechanisms, the server needs to 
*store* a recoverable form of the password, which in most circumstances 
creates a less protectable attack surface than putting a password on the 
wire inside an encrypted channel to a server that only stores strong 
one-way hashes.


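An added illustration of the storage trade-off argued in the message above (not part of the original thread, and not MailMate's or any mail server's code): a CRAM-MD5 (RFC 2195) verifier must keep a secret that can key the HMAC, so a copy of its credential store is by itself enough to authenticate, while a server that receives the password inside TLS can keep only a salted one-way hash. The class names, the PBKDF2 parameters and the sample values are assumptions made for this example.

```python
import hashlib
import hmac
import os

def cram_md5_response(secret: bytes, challenge: bytes) -> str:
    """CRAM-MD5 client response: hex HMAC-MD5 of the challenge, keyed by the password."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()

class CramMd5Server:
    """Challenge-response server: it has to keep a secret it can key HMAC with."""
    def __init__(self):
        self.store = {}  # user -> password-equivalent secret

    def enroll(self, user: str, password: bytes) -> None:
        self.store[user] = password

    def verify(self, user: str, challenge: bytes, response: str) -> bool:
        expected = cram_md5_response(self.store[user], challenge)
        return hmac.compare_digest(expected, response)

class HashedPlainServer:
    """PLAIN-over-TLS server: sees the password at each login, keeps only salt + slow hash."""
    ITERATIONS = 200_000  # assumed work factor for this example

    def __init__(self):
        self.store = {}  # user -> (salt, PBKDF2-HMAC-SHA256 digest)

    def _digest(self, password: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password, salt, self.ITERATIONS)

    def enroll(self, user: str, password: bytes) -> None:
        salt = os.urandom(16)
        self.store[user] = (salt, self._digest(password, salt))

    def verify(self, user: str, password: bytes) -> bool:
        salt, digest = self.store[user]
        return hmac.compare_digest(digest, self._digest(password, salt))

def leaked_store_is_login_credential() -> dict:
    """For each design, check whether a copy of the server's store alone passes verification."""
    password = b"correct horse battery staple"   # constructed sample value
    challenge = b"<1234.5678@mail.example.org>"  # constructed; a server sends a fresh one per login
    cram, plain = CramMd5Server(), HashedPlainServer()
    cram.enroll("alice", password)
    plain.enroll("alice", password)
    # CRAM-MD5: the stored value keys a valid response to any challenge.
    cram_ok = cram.verify("alice", challenge, cram_md5_response(cram.store["alice"], challenge))
    # PLAIN: presenting the stored digest in place of the password fails.
    plain_ok = plain.verify("alice", plain.store["alice"][1])
    return {"cram_md5": cram_ok, "hashed_plain": plain_ok}

if __name__ == "__main__":
    print(leaked_store_is_login_credential())
```

The example models only what each server has to store; it does not model the per-login trust in the TLS channel that the reply to this message raises.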


Re: [MlMt] Security

2018-01-17 Thread Benny Kjær Nielsen

On 17 Jan 2018, at 14:06, Steven M. Bellovin wrote:

What authentication options that don't involve sending passwords does 
MailMate support? Is there a way to configure MM to use only one of 
these safer options if available? I know that I use it with an IMAP 
server that only supports CRAM-MD5 and DIGEST-MD5.


MailMate only supports `CRAM-MD5`. It can be forced to only use this by 
editing `Sources.plist` (and `Submission.plist`) to include this for 
each account:


authMechanism = 'CRAM-MD5';

(`XOAUTH` is also supported for Gmail/Outlook.)

The only real reason for the lack of support of other mechanisms is that 
I implemented it myself instead of using a library which probably 
supports more methods (I haven't checked recently).


Also, most of the servers I have access to only support very few 
authentication methods. They don't even support `CRAM-MD5`.


--
Benny
https://freron.com/become_a_mailmate_patron/


Re: [MlMt] Security

2018-01-17 Thread Steven M. Bellovin

On 17 Jan 2018, at 5:51, Benny Kjær Nielsen wrote:


On 17 Jan 2018, at 8:33, Fabian Blechschmidt wrote:

Is my password to my email account or my email address stored  
anywhere?


The password can (not must) be stored in the Mac OS X keychain.


Or sent anywhere?


MailMate is not "cloud" - so except the mail server itself I assume 
it stays on your machine.



Is there any assurance of that?


I hope Benny will answer your mail too and back me up :-)


I back you up. Only thing to add is that one should make sure that SSL 
is always enabled such that a password is never sent to the IMAP/SMTP 
server in plain text. Note that most proper email servers wouldn't 
even allow non-SSL connections.


What authentication options that don't involve sending passwords does 
MailMate support? Is there a way to configure MM to use only one of 
these safer options if available? I know that I use it with an IMAP 
server that only supports CRAM-MD5 and DIGEST-MD5. There are others 
possible, such as client-side certificates.  (To the original querier: 
if you control your IMAP server, disable plaintext password logins.)



--Steve Bellovin, https://www.cs.columbia.edu/~smb




Re: [MlMt] Security

2018-01-17 Thread Benny Kjær Nielsen

On 17 Jan 2018, at 8:33, Fabian Blechschmidt wrote:

Is my password to my email account or my email address stored  
anywhere?


The password can (not must) be stored in the Mac OS X keychain.


Or sent anywhere?


MailMate is not "cloud" - so except the mail server itself I assume it 
stays on your machine.



Is there any assurance of that?


I hope Benny will answer your mail too and back me up :-)


I back you up. Only thing to add is that one should make sure that SSL 
is always enabled such that a password is never sent to the IMAP/SMTP 
server in plain text. Note that most proper email servers wouldn't even 
allow non-SSL connections.


--
Benny
https://freron.com/become_a_mailmate_patron/


Re: [MlMt] Security

2018-01-17 Thread Jan Erik Moström

On 17 Jan 2018, at 8:33, Fabian Blechschmidt wrote:


Or sent anywhere?


MailMate is not "cloud" - so except the mail server itself I assume it 
stays on your machine.


Except for the obvious thing of logging in to the mail server to 
validate that you is you.


= jem


Re: [MlMt] Security

2018-01-16 Thread Fabian Blechschmidt

On 17 Jan 2018, at 8:27, uncat wrote:


Hi,

I'm interested in trying out MailMate. Questions: Is my password to my 
email account or my email address stored anywhere? Or sent anywhere? 
Is there any assurance of that?


--
Daniel


Hi Daniel,

I'm only a user, so this answer is only observation - I have no access 
to the code.


Is my password to my email account or my email address stored  
anywhere?


The password can (not must) be stored in the Mac OS X keychain.


Or sent anywhere?


MailMate is not "cloud" - so except the mail server itself I assume it 
stays on your machine.



Is there any assurance of that?


I hope Benny will answer your mail too and back me up :-)


[MlMt] Security

2018-01-16 Thread uncat
Hi,

I'm interested in trying out MailMate. Questions: Is my password to my email 
account or my email address stored anywhere? Or sent anywhere? Is there any 
assurance of that?

-- 
Daniel