
Re: [LUG] 20210501 Help in understanding Roundcube mail & network

 

On Saturday, 1 May 2021 12:09:56 BST maceion@xxxxxxxxx wrote:
> 
> To read an attachment in a saved draft in the drafts folder, there are
> two options:
> "open" and "download".
> 
> 1) "Open"  This appears to open the relevant programme on the local
> connected computer to see and then act on the opened attachment.
> E.g. a  draft saved attachment ".odt" file is opened in local
> Libreoffice Writer or local word processor programme.
> 
> Is this a direct opening from the saved visible draft on email server to
> the local computer? Can you confirm?
> It does not appear to pass over the internet.

My copy of RoundCube doesn't ungrey "Open" for any formats I tried (may depend 
on configuration), but since you could be accessing the draft from a different 
computer or mail client, it is clearly passed between mail server, and web 
server, and then web server to browser.

Obviously opening files straight from a mail server into an application is 
pretty suspect if security is as big a concern as you suggest. 

> 2) "Download",
> 2.1 Here it is not obvious if the download is a local thing, that is
> from draft screen open on local computer to local computer download file
> storage OR

Download is from the "Drafts" folder on the mail server, it is loaded to the 
web server (using the settings configured for RoundCube mail access) and then 
delivered to the browser by the web server.

> 2.2 if like a sent email,  it is passed by the programme to local
> machine over an exposed internet system of connections from 'compose
> page' with the saved draft to local machine.
> 
> This could expose sensitive subjects to the internet traffic watchers.

We don't know how your RoundCube web server talks to your email server. Or 
which "Internet traffic watchers" are a concern to you. 

But in general you should assume email can be intercepted and read unless you 
know steps have been taken to prevent this.

Save Draft on RoundCube, saves to a folder on the IMAP server via the web 
server. It is likely there is also a temporary copy on the web server briefly, 
but I haven't dug into how RoundCube does this.

> In a received email both body text and any attachments would have passed
> over the internet to the local machine.
> 
> This is what my contact does not want.
> They do not want 'draft saved attachments' to transit internet as does a
> normal email in delivery.
> 
> 3. Any thoughts?

As above, the attachment is loaded from client computer's browser to the web 
server, then stored in the mail server's drafts folder. 

I don't know if this transitions the Internet without knowing where the 
RoundCube server and Email server are that you are using. If they are both on 
your network, then no; if they aren't, well, magic doesn't happen, it has to get 
to the email server somehow.

In most cases these days, mail clients require encryption for mail submission, 
and so nearly all mail servers allow encrypted submission and retrieval of 
email (and drafts).

But without knowing how your copy of RoundCube is configured I'd be guessing 
about whether this is encrypted or not between webserver and email server.

Without knowing the threats of concern we can't say if it is secure enough or 
not.

If you are paranoid enough about file names and such like to not want them 
to transition the Internet unencrypted, I'd suggest you don't want to use 
email (at least without encrypting it first).

There are open source end to end encrypted comms tools, like Signal, which 
don't introduce the vagaries of email.

If email is a given, use GNUPG, and ensure the drafts are correctly addressed 
and encrypted before they are saved on the server.  But I expect great care 
would need to be exercised to ensure things are done correctly.

I used to make a living ensuring people had better tools than email for 
collaboration on sensitive documents, if email is a given, perhaps security 
isn't as important to them as they claim?

If perhaps you are looking to communicate by saving drafts in a shared email 
folder, well it is an interesting approach ;)




-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dcglug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
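
The reply above leaves open whether the hop between the web server and the mail server is encrypted, because that depends on how RoundCube is configured. As an added example (not part of the original message and not RoundCube's own code), the script below reads the host settings from a config.inc.php and reports which hops are encrypted. It assumes the option names imap_host/smtp_host (RoundCube 1.6 and later) or default_host/smtp_server (earlier releases), that an ssl:// or tls:// prefix is what selects an encrypted connection, and that each value is a single quoted string; the sample config is constructed.

```python
import re

# Constructed sample config.inc.php, not taken from the thread.
SAMPLE = """<?php
$config['imap_host'] = 'ssl://mail.example.org:993';
$config['smtp_host'] = 'mail.example.org:25';
// $config['smtp_host'] = 'tls://old.example.org:587';
"""

# Host options: imap_host/smtp_host (Roundcube 1.6+),
# default_host/smtp_server (earlier releases).
KEYS = "imap_host|default_host|smtp_host|smtp_server"
SETTING = re.compile(
    r"^\s*\$config\[['\"](" + KEYS + r")['\"]\]\s*=\s*['\"]([^'\"]*)['\"]",
    re.MULTILINE,  # anchoring at line start skips commented-out settings
)
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def classify(value):
    """Classify one host setting by its scheme prefix and host name."""
    m = re.match(r"(?:(\w+)://)?(\[[^\]]*\]|[^:/]*)", value)
    scheme = (m.group(1) or "").lower()
    host = m.group(2).strip("[]").lower()
    if scheme in ("ssl", "tls"):
        return "encrypted"
    if host in LOOPBACK:
        # Unencrypted, but the traffic stays on the web server itself.
        return "plaintext, same host"
    return "plaintext on the network"


def audit(config_text):
    """Map each active host setting to (value, verdict)."""
    return {k: (v, classify(v)) for k, v in SETTING.findall(config_text)}


if __name__ == "__main__":
    for key, (value, verdict) in audit(SAMPLE).items():
        print(f"{key:12} {value:30} {verdict}")
```

This only covers the web server to mail server hop; whether the browser to web server hop is encrypted depends on the site being served over HTTPS.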