Forward Email (new features)

Hi there @123 – thanks for joining this thread.

All SQLite databases (mailboxes) are encrypted using ChaCha20-Poly1305 using your IMAP password. We do not store your IMAP password; only you have it. When you connect over IMAP, your password is encrypted in-memory (currently using AES-256-CBC but we plan to switch entirely to use ChaCha20-Poly1305 everywhere) and used to open your database. For long-lived IMAP connections, we keep your database open in-memory using a JavaScript Map instance so that IMAP commands can quickly operate (e.g. if we close and re-open on every IMAP command, it adds 100-300ms overhead, which quickly adds up). See forwardemail.net/sqlite-server.js at ab4edcbc39578382f9f0d5379e2ddab31586ab49 · forwardemail/forwardemail.net · GitHub, https://github.com/forwardemail/forwardemail.net/blob/ab4edcbc39578382f9f0d5379e2ddab31586ab49/helpers/get-database.js#L478-L493, and https://github.com/forwardemail/forwardemail.net/blob/ab4edcbc39578382f9f0d5379e2ddab31586ab49/helpers/on-auth.js#L576-L577.

Yes, this is mentioned earlier in this thread at https://discuss.privacyguides.net/t/forward-email-email-provider/13370/36 (screenshots included), but there is a FAQ section regarding this at https://forwardemail.net/en/faq#do-you-support-openpgpmime-end-to-end-encryption-e2ee-and-web-key-directory-wkd.

While you’re offline (no IMAP connection established) we use ChaCha20-Poly1305 using a secret key of ours. Note that if you configure an OpenPGP key (as discussed in previous question) then your inbound email will be encrypted using your key in this temporary database. See https://github.com/forwardemail/forwardemail.net/blob/ab4edcbc39578382f9f0d5379e2ddab31586ab49/helpers/parse-payload.js#L1000-L1013.

We do not think that JMAP will ever be widely adopted nor will it replace IMAP/SMTP. See the thread at https://github.com/nodemailer/wildduck/issues/2#issuecomment-1765190790. We have no plans to support JMAP.

See the discussion at https://discuss.privacyguides.net/t/forward-email-email-provider/13370/57 and https://forwardemail.net/en/report-abuse#for-law-enforcement.

See https://discuss.privacyguides.net/t/forward-email-email-provider/13370/50 – perhaps later this year we will start accepting crypto with https://github.com/alexk111/One-Time-Address or something similar.

7 Likes
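
The post above mentions holding the IMAP password in memory under AES-256-CBC with a planned move to ChaCha20-Poly1305. The following is an added example, not taken from the post or from Forward Email's code base, showing what that change means for a corrupted in-memory blob: CBC decrypts it to a different password without complaint, while the AEAD rejects it. `KEY`, `sessionId`, the blob layout and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Assumption: one random key per process, held only in memory.
const KEY = crypto.randomBytes(32);

// AES-256-CBC: confidentiality only; decrypt performs no integrity check.
function cbcSeal(password) {
  const iv = crypto.randomBytes(16);
  const c = crypto.createCipheriv('aes-256-cbc', KEY, iv);
  return Buffer.concat([iv, c.update(password, 'utf8'), c.final()]);
}
function cbcOpen(blob) {
  const d = crypto.createDecipheriv('aes-256-cbc', KEY, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]).toString('utf8');
}

// ChaCha20-Poly1305 (AEAD). Assumed layout: nonce(12) | tag(16) | ciphertext.
// sessionId is bound as associated data, so a blob only opens for its own session.
function aeadSeal(password, sessionId) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('chacha20-poly1305', KEY, nonce, { authTagLength: 16 });
  c.setAAD(Buffer.from(sessionId));
  const ct = Buffer.concat([c.update(password, 'utf8'), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}
function aeadOpen(blob, sessionId) {
  const d = crypto.createDecipheriv('chacha20-poly1305', KEY, blob.subarray(0, 12), { authTagLength: 16 });
  d.setAAD(Buffer.from(sessionId));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the tag, nonce, ciphertext or associated data do not match.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Copy a sealed blob and flip one bit, standing in for memory corruption.
function flipBit(blob, index) {
  const copy = Buffer.from(blob);
  copy[index] ^= 0x01;
  return copy;
}

// Report how each scheme handles a blob whose first byte was altered.
function compare(password, sessionId) {
  const cbc = cbcOpen(flipBit(cbcSeal(password), 0));
  let aead;
  try { aead = aeadOpen(flipBit(aeadSeal(password, sessionId), 0), sessionId); }
  catch (err) { aead = 'rejected'; }
  return { cbc, aead };
}

console.log(compare('correct horse battery', 'sess-1')); // constructed sample input
```

A silently altered password under CBC would surface later as a confusing database-open failure; the AEAD fails at the point of decryption instead.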