Proton suggests sender IP address may leak through Thunderbird

Proton states that the they hide the senders IP address when sending mail via webapp. However, they say that the IP may be visible if the sender uses Thunderbird instead.

. The email headers of messages sent from Proton Mail web and mobile apps don’t contain user IP addresses in the headers of sent mail.
But desktop email apps that use SMTP, like Outlook or Thunderbird, may include the originating IP address in the header.

Elsewhere, contributors to Ubuntu forum state that Thunderbird/clients have no control over the headers, which are determined solely by the email provider.

Which is correct?

And is IP address the only metadata we should be worried about? I wonder if there is metadata which could link the sender to its device?

Even if Thunderbird was adding such headers, Proton’s mail server could just strip them out.
This is nonsense.

3 Likes

Proton is correct, third party clients using SMTP is the problem. This is a nice explainer: privacy - Email Client STMP Personal IP Leak - Information Security Stack Exchange

Ubuntu forum is technically correct, the clients have no control over headers, but the IP leaks due to their connection, not any header modification.

Use web clients or native Proton client for safety.

Metadata that SMTP leaks includes, but is not limited to, login timestamps, host names, and device IP.

This is an interesting read: Using Apple Mail with Gmail leaks your IP address - luke miles

True if the old default out of the box mail server configuration is used by the email provider.

But email servers can be configured to strip those headers from mail received over the submission port (i.e. local accounts). I have my email server setup this way so the “received from” headers are removed from any email from my users. For debugging purposes, I don’t strip the “received from” headers from incoming mail from other servers.

Anyway, if a service is not stripping the privacy sensitive headers from email submitted by their account holders then I don’t think they are using current best practices and should be called on it.

3 Likes

Sure, could be Proton dragging it’s feet to explicitly discourage third party clients (Proton keeps taking certain unsavory steps, so I wouldn’t be surprised), I am not very familiar with email protocol, nor have I self hosted my email ever.

Gmail could strip the first Recieved header from an email, preserving only the Gmail internal headers and removing any other “public” headers. This breaks the SMTP spec and could cause deliverability issues for emails, but is probably the most correct option listed here. I looked at emails that I’ve received from friends that use Apple’s iCloud email service, and I don’t see their personal IPs leaked, but instead an Apple-owned IP3. If Apple Mail uses SMTP for iCloud email, then this indicates that Apple is dropping personally identifying information from SMTP headers, a practice Gmail should adopt.

The post I linked seems to mostly agree with you too. What I understood was that dropping IP addresses from the header breaks SMTP specs, so what Apple does is to replace those IP with its own, and other servers should do the same. Do correct me if I am wrong!

Usually my recommendation to most people is to anyways stay away from thunderbird and other clients, as they have their own methods of handling mail (Proton Bridge is an abomination), have more attack surface (thunderbird is almost a browser), and are easy to misconfigure. First party apps unless they are virtually useless. Email is so broken :cry:

I’m overall a moderately happy Proton user, but I continue to not understand Andy Yen’s belief that because Microsoft Outlook is potentially headed toward a proprietary mechanism, somehow that makes IMAP - the literal industry standard for this use case - a “third party platform”.

I’d like to think he understands the difference between a client for a particular protocol, and a “platform” that may or may not also incorporate that protocol…ex. Mozilla Thunderbird is not a platform, Gmail is. I’d also like to think they’d be straightforward enough to admit if they’re just trying to slowroll the demise of Proton Mail Bridge, but…maybe that’s unfounded optimism?

4 Likes

Why do people have a problem with the bridge? It seems like a reasonable way of allowing IMAP use without undermining security.

It always is a bit finicky, plus it doesn’t always work with external PGP signing very well (You need to reveal your key to bridge if you want it to work well, otherwise it butchers the mail).

Curious to know how else it may be finicky as I’m on the brink of transitioning (an important account from gmail to proton) but may change my mind.

You can read some here: https://www.reddit.com/r/ProtonMail/search/?q=Proton+bridge

Randomly issues pop up, I have given up and use their client on desktop.

1 Like

It is the SMTP server, not the client, which is responsible for including IP address. As stated above, even if the client did send such information, Proton could and should strip it away.

If Proton doesn’t, I’m afraid it doesn’t fulfill the minimum requirements to be recommended by Privacy Guides:

Minimum to Qualify:
Protect sender’s IP address, which can involve filtering it from showing in the Received header field.

The recommendation of Proton should therefore be contingent on Proton assuring they protect such identifiable information, and correcting the linked article if it’s incorrect.

@Proton_Team

2 Likes

This issue felt like a betrayal of trust to me, so I did some testing even though I haven’t used Bridge at all before. I setup the bridge with Outlook, and send mails to a non-Proton Email (Gmail) from the Bridged email and examined the headers shared. No VPN was turned on, and no firewall filtering rules were active (although this wouldn’t affect it anyway).

The headers included the following data:

  1. Received By (Outlook details)
  2. SMTP ID
  3. Timestamp
  4. Received From (Proton server names including swiss IP address, leading up to a Google IP which was Gmail)
  5. TLS version and other technical details

So no IP leak as far as I could see. This seems like a nothing burger to me now, and I feel stupid taking the claim by the post at face value without testing lol.

Proton article the OP might have read could have been trying to cover their bases by accounting for the biggest OpSec threat - Human actions - and thus just said it might leak, so that even if someone misconfigured shit, they cannot blame proton. (I remember all the hue and cry after Proton was blamed for poor OpSec by some French climate activists)

Would be helpful if someone could repeat the experiment with Thunderbird too.

2 Likes

I tested also and the IP address was not included.

However, all such tests tell us is that IP address usually is not included in header. Proton should give us a guarantee. To cover themselves, they could say “it is not included by default, but may be included if [the exact conditions which would make it included]” instead of “may be included if you use the bridge” . The latter complete nonsense.

2 Likes

Sure, but “bad wording” makes me way less angry than “third party clients leaks IP”. Totally agree with you by the way.

I am of the opinion that utilising VPN services from the router would mitigate any concerns regarding IP leakage when utilising third-party applications for emailing. I checked some of my emails in view souce in Thunderbird, and they don’t show a true IP address. To me there is a lot of nothing and fear mongering.