Forward Email (new features)

Hi @forwardemail :slight_smile:

The service you offer is very interesting and I appreciate your commitment to the open-source software.

I try to understand your encryption process, I read the article on your site:

I have a few questions:

  1. You use symmetric encryption (AES) to encrypt the mailbox inside a SQLite database (separate DB per user) and whenever I connect to the server my IMAP password is used to decrypt the mailbox. Is this correct? So while I’m connected to the server 24/7 my mailbox is in decrypted state for the whole time. That’s ok, I understand that there is no solution to this issue.

  2. But is there also an option to upload my public GPG key to the server so that all incoming emails that were not encrypted by the sender are encrypted on your server? If the server is later compromised this would protect my past emails (only content, not metadata of course) even if I am connected to the server and my mailbox is decrypted. I think this is what Mailbox.org and Posteo do.

  3. Also, how is the temporary database encrypted while I’m offline? Symmetric or asymmetric?

  4. What are your thoughts on the JMAP protocol? Will it replace IMAP/SMTP? I know it doesn’t support E2EE by default, but maybe it would simplify encrypting email metadata?

  5. How do you respond to the court/government requests/orders to handle user data or intercept communications? I fully understand that as a legally operating company you have to comply but there are companies/organisations (e.g. Posteo or RiseUp) that try to challenge the orders with the help of attorneys so if the requests are invalid or too broad they are legally rejected. This is of course a significant financial cost.

  6. Will you accept cryptocurrency payments already this year or it will take a bit longer?

Hi there @123 – thanks for joining this thread.

All SQLite databases (mailboxes) are encrypted using ChaCha20-Poly1305 using your IMAP password. We do not store your IMAP password, only you have it. When you connect over IMAP, your password is encrypted in-memory (currently using AES-256-CBC but we plan to switch entirely to use ChaCha20-Poly1305 everywhere) and used to open your database. For long-lived IMAP connections, we keep your database open in-memory using a JavaScript Map instance so that IMAP commands can quickly operate (e.g. if we close and re-open on every IMAP command, it adds 100-300ms overhead; which quickly adds up). See forwardemail.net/sqlite-server.js at ab4edcbc39578382f9f0d5379e2ddab31586ab49 · forwardemail/forwardemail.net · GitHub, https://github.com/forwardemail/forwardemail.net/blob/ab4edcbc39578382f9f0d5379e2ddab31586ab49/helpers/get-database.js#L478-L493, and https://github.com/forwardemail/forwardemail.net/blob/ab4edcbc39578382f9f0d5379e2ddab31586ab49/helpers/on-auth.js#L576-L577.

Yes, this is mentioned earlier in this thread at https://discuss.privacyguides.net/t/forward-email-email-provider/13370/36 (screenshots included), but there is a FAQ section regarding this at https://forwardemail.net/en/faq#do-you-support-openpgpmime-end-to-end-encryption-e2ee-and-web-key-directory-wkd.

While you’re offline (no IMAP connection established) we use ChaCha20-Poly1305 using a secret key of ours. Note that if you configure an OpenPGP key (as discussed in previous question) then your inbound email will be encrypted using your key in this temporary database. See https://github.com/forwardemail/forwardemail.net/blob/ab4edcbc39578382f9f0d5379e2ddab31586ab49/helpers/parse-payload.js#L1000-L1013.

We do not think that JMAP will ever be widely adopted nor will it replace IMAP/SMTP. See the thread at https://github.com/nodemailer/wildduck/issues/2#issuecomment-1765190790. We have no plans to support JMAP.

See the discussion at https://discuss.privacyguides.net/t/forward-email-email-provider/13370/57 and https://forwardemail.net/en/report-abuse#for-law-enforcement.

See https://discuss.privacyguides.net/t/forward-email-email-provider/13370/50 – perhaps later this year we will start accepting crypto with https://github.com/alexk111/One-Time-Address or something similar.

7 Likes

:tada: We’re rolling out a new feature today which makes it easy to provision existing aliases on macOS/iOS/Android – a new button “Get QR Code” which is similar to the “Generate Password” modal (as previously shown above), but allows you to get the QR code on the fly for provisioning your Apple or Android device.

Screenshots:

2 Likes

This doesn’t add to the discussion, but I’m eager to start using Forwardemail once your team rolls out crypto payments. I truly love the transparency and straightforwardness you’ve displayed here; it’s incredibly rare for email providers to be this open :heart:

3 Likes

:tada: You can now send mass email newsletters/announcements with Forward Email :rocket:

tldr; You can now send marketing email through our SMTP servers – which means you can send mass announcements and newsletters to a list of your opt-in contacts/subscribers. We previously only supported sending transactional emails.

What does this mean?

We’re now an open-source alternative to MailChimp, Brevo, and Klaviyo (albeit we require you to use something like ListMonk right now – see below) – but we also support IMAP, POP3, SMTP, CalDAV, API, webhooks, and much more – so we’re also an alternative to Gmail/Proton Mail/Sendgrid too!

Our vision is to be the all-in-one, enterprise-grade, open-source + privacy-focused email & security infrastructure platform — and always in alignment with our principles.

How do I send marketing email?

Just ensure you have proper opt-in and opt-out behavior – and include a List-Unsubscribe header as per our updated Terms disclaimer.

We highly recommend using the open-source newsletter manager ListMonk https://listmonk.app/ (GitHub: https://github.com/knadh/listmonk) until we release our own newsletter/campaign manager system.

We’re submitting a new pull request to ListMonk hopefully later today (follow this issue for updates) to add us as a built-in provider – but it already supports a custom SMTP server configuration (e.g. you could just use smtp.forwardemail.net and one of your alias’ generated passwords or a domain-wide catch-all password – see the screenshot below).

Screenshot:

You can also programmatically use our API to send a marketing email, just ensure that you have set a List-Unsubscribe and List-ID header in the headers object – and properly set up a bounce webhook endpoint on your server to maintain your list (see below).

Do you support bounce webhooks?

Yes, we now allow you to specify a “Bounce Webhook” in My Account → Domains → Settings for any of your domains. This should be a valid http:// or https:// URL.

Screenshot:

To verify the webhook is from us, you can test that POST requests are submitted from one of our IP addresses and/or use SHA256 hash comparison with the payload body and our standard X-Webhook-Signature header (e.g. see this StackOverflow post) in combination with your domain’s webhook key.

Our SMTP servers will automatically submit a POST request to the webhook endpoint you specify with detailed information on the bounce (e.g. so you can perform an opt-out, etc).

If you want to learn more about bounce webhooks, see what the JSON payload looks like that gets POST’ed to your endpoint, and what kind of bounce information is available – then head over to our new FAQ section: Do you support bounce webhooks?


Commit: https://github.com/forwardemail/forwardemail.net/commit/c7101a33cc54513d2036e0c5a69f9557fb929157

3 Likes

Maybe not totally related to the topic, but is there a plan to implement family plans and higher storage capacities? 10 GB is very low.

Also for your comparison chart, please remove Skiff. For M365, yes they don’t have unlimited domain support but their limit is 5000 per tenant. That might qualify as unlimited in theory :slight_smile: For aliases they have 400 aliases. High number but not unlimited. At least it is much better than many others. Microsoft doesn’t support PGP/MIME but they support S/MIME and PGP/Inline. As for API they support it.

Additional storage can be purchased as advertised on our website (+$3/mo per additional 10 GB storage).

We’re not going to do this because of SEO. Instead we added a disclaimer on it already that it’s shutdown.

If you have changes/edits for M365, please submit a pull request on GitHub as noted above in the config/alternatives.js file. Thanks!

1 Like

All well and good. But after the audit is done, how does someone verify what code is running on your server?

This is why other providers do the encryption and decryption in open source client apps. That can be verified and cannot be altered without the users permission. Unlike server code.

1 Like

Routine audits and we’re following System Transparency closely, see above discussions.

Please read our earlier point in regards to MX servers. The backend code is critical because you cannot just say “it’s client-side encryption” when the inbound emails could be copied on any email service’s backend without your knowledge. Without backend infrastructure audits or even seeing the source code you don’t have any insight into what’s going on.

1 Like

You’re blurring the lines here. The MX server encrypting inbound emails is only relevant if the inbound email is not already encrypted. This is the whole point of end to end encryption.

1 Like

The point is that not all senders sending you an email to your MX service that supports E2EE are going to be sending them encrypted. We don’t know of many actual real-world advertisers, utility providers, financial institutions, etc. (real-world stuff that matters) that actually use E2EE or send you messages encrypted.

Additionally, our point is that it is more probable to believe and trust a service that not only provides their entire back-end source code to the public, but also has third party infrastructure audits (with actual SSH access to the servers provided to the third party) – than one that simply advertises as having “client-side encryption”.

Edit: You can even upload your OpenPGP public key on our site to have all messages, even ones when you’re not connected to IMAP, be double-encrypted with it server-side. That’s basically the same thing as having “client-side encryption”, since we wouldn’t have access anyways without your private key, let alone your IMAP password (which we don’t even store).

2 Likes

@Catalyst2422 That’s an excellent question :smile: I fail to see a proper answer from @forwardemail yet. Because I’m NOT buying what they have written so far regarding your question.

@forwardemail it’s very cheap.

@forwardemail Wait, what? Skiff is a thing of the past, so why even mention it? I mean: how is keeping a reference to a defunct thing going to help SEO?

(emphasis mine)

First, @Anon473736 thank you for the wonderful work doing in-depth research.

@Anon473736 that’s indeed very interesting. Looks like fake review(s). @forwardemail anything to say about this?

(emphasis mine)

@Anon473736 this is very true. A separate DB for each mailbox is a huge attack vector.

@wojtekxtx
Reminder that we have a CoC: FAQ - Privacy Guides Community
Add sources to support your claims. Do not personally attack other people however much you disagree with them.

You have been warned multiple times about this and even got suspended once.

I’ve echoed this, but the only legal way is to have an AGPL-like license. There is nothing to stop Forward Email from modifying the code they published to be different than the code they run otherwise. In practice I highly doubt they would do this unless there is some secret-sauce code that would be risky to release at this time. Otherwise, there is no good way to validate this.

1 Like

Few questions.

  • Is FM an alias service or a full email service?
  • I have four users, will the total cost be 9x4=36 USD or 9 USD total?
  • 10 GB is clearly too low for my mailboxes, and 3 USD is for extra 10 GB. Is that space allocated to all users or only to specific mailbox?
  • When sending an email, how does sending from an alias work? Do I need to create a contact like I do in Simplelogin or can I directly send to the target email address?
  • How does selecting an alias work when sending an email? At the moment I have more than 200+ aliases in Simplelogin. How can I select which alias I should use for sending email?
  • Is there a way to import currently created aliases from SL?

Forward Email is a full email service. We’re an all-in-one alternative to Gmail + Mailchimp + Sendgrid. We support all the standard protocols, e.g. IMAP/POP3/SMTP/CalDAV and we also support API (so you can use us if you’re a developer/programmer and need a service to send programmatic emails with). Additionally we support newsletters, so you can use us in combination with an open-source tool such as Listmonk to send newsletters to subscribers.

It will only cost $9 total. As mentioned and as advertised, we offer unlimited domains and aliases for one single price per month. There are no extra costs per aliases/users.

Our storage is pooled, so if you add an additional 10 GB, then all users can pool from it (e.g. you’d now have 20 GB shared across all users). Rest assured each user’s mailbox is separate from another, we have some awesome quantum-resistant encryption which you can read about at https://forwardemail.net/en/blog/docs/best-quantum-safe-encrypted-email-service.

You can directly send to any target email address. Basically you sign up, then add an alias, and then you can scan a QR code to set it up on your device (e.g. Apple Mail for iOS/macOS or K-9 mail for Android). We support any mail client, e.g. Thunderbird, Apple Mail, and you can even use us with Gmail and Outlook. See the “Apps” drop-down from our navigation menu. Our website also has IMAP/POP3/SMTP configuration server settings listed in the FAQ if you need help. We also have a site-search, click the search icon and type your query if you need to find more information.

You can use a domain-wide catch-all password to send from any alias at your domain (go to My Account → Domains → yourdomain.com → Settings → Domain-wide Catch-all Password). Or you can use a specific generated password on a per alias basis by simply clicking “Generate Password” next to the alias.

Yes, you could simply export them, and then use our API endpoint to POST /v1/domains/yourdomain.com/aliases. You can get your API key from your My Account → Security page. Here is a link to the documentation instructions for our “Create alias” API endpoint which you can use on the command line (e.g. via curl) or with the programming language of your choice: https://forwardemail.net/en/email-api#create-new-domain-alias

For example:

curl -X POST https://api.forwardemail.net/v1/domains/yourdomain.com/aliases \
  -u API_TOKEN: \
  -d "name=some-alias-name" \
  -d "recipients=some-user@gmail.com"

4 Likes

forward email doesn’t feel like a consumer app just yet.

2 Likes

@lepras that’s nonsense, we have 550,000 domain names using our service, hundreds of thousands of those are all consumers and individuals. We’ve been around since 2017. If you have specific questions and not just stating arbitrary false opinions please ask them.

We are releasing webmail and our own apps later this year, but we go by email standards, which means you can already use our service with any email client. Apple Mail works perfectly as does any other app/device. We don’t force vendor lock-in nor make you use some arbitrary bridge client to connect.

Additionally we have built-in iOS Push Notification support, which not many services have. See our R&D and eventual solution at https://github.com/nodemailer/wildduck/issues/711 which is integrated into Forward Email. Many other services that have IMAP do not work properly on iOS devices because they do not support the XAPPLEPUSHSERVICE IMAP command capability. We do, and this means that iOS devices have PUSH support as opposed to FETCH (which means you get mail instantly as opposed to on a 15 minute fetch interval) with our service.

3 Likes

I meant to say non-tech-savvy people, laymen, normal users etc. would probably prefer simplelogin for eg.

Like it still feels like you are managing an infra / dns records when you are using forward email, not using an “app” (You would probably get to a point sooner than later where normies can use it as well).

4 Likes

yeah this is where normies will become comfortable.