Currently trying to gain some understanding of the backend, if I am understanding both the drawings at Quantum Resistant Email Service in 2024 and the code correctly, inbound emails are sent into a temporary mailbox with an encryption key the server controls if there is no active session (and it is a single key for the entire server as seen here forwardemail.net/helpers/get-temporary-database.js at d23f4fda6639d05d87d6fbfab976e4e93b131996 · forwardemail/forwardemail.net · GitHub).
As I am not yet familiar with the codebase, please correct me if I’m wrong because to me this seems like bad design.
The other big issue is one that has been brought up multiple times, and that’s how emails are stored into the persistent database for the recipient mailbox. The IMAP password is encrypted in memory and not stored, but it is decrypted several times (using the exact same key from above it seems) meaning an admin is able to access the full mailbox as long as a session is active (+ the temporary mailbox as mentioned in the previous part.)
Both of these issues can be resolved by manually setting up a public key, but by default a mailbox cannot be considered secure.