Releases: the-djmaze/snappymail
v2.10.2
v2.10.1
Bugfixes
- Unknown Error when deleting an email #170
- CantGetMessageList throws BADCHARSET with Courier-Imap 5.1.4 #179
- Cannot write a value to a ko.computed unless you specify a 'write' option
- Double SELECT/EXAMINE command is useless
- MessageExpunge should be FolderExpunge
Improvements
- Cleanup mime message builder
- Drop HTML messages table width attribute to prevent side scrolling
- Replace "$IndexRange, bool $bIndexIsUid" with new SequenceSet class
- Replace some FolderSelect to FolderExamine because they should be READ-ONLY
- Speedup IMAP FETCH responses
- Speedup loading message list
- KnockoutJS computed to pureComputed which prevents memory leaks and reduces computation overhead
Lighthouse / PageSpeed Insight
After taking a new test with PHP 8, it seems SnappyMail is very fast nowadays.
My mailbox now gets a score of 98:
v2.10.0
Bugfixes
- Auth failure with user=<> on server due to bug in FunctionExistsAndEnabled() #171
- Storage of SALT.php failed on new install (should fix #176)
- #174
- #175
Improvements
- Message menu use hamburger icon instead of tiny triangle
- Added Admin -> Config screen to view application.ini
- Better FileStorage handling for SESSION data
- Added \SnappyMail\LOG::*() which is RFC 5424 compatible
- Speedup and cleanup PHP and JavaScript code
v2.9.6
Bugfixes
- Auth failure with user=<> on server due to bug in FunctionExistsAndEnabled() #171
- Class 'RainLoop\Model\Notifications' not found
- DecodeKeyValuesQ could be null
- Prevent Crypt::Decrypt loop
- Incorrect return type for SetSpecLogoutCustomMgsWithDeletion()
- Prevent out-of-memory loop
- Undefined Remote.domainList
- Undefined index 'UidNext'
Improvements
- Added Server side control/kickout of logged in sessions #151
- Cleanup some PHP code
- CSS removed rainloopErrorTip corner triangle
- "delete folder" error now shows at the folder instead of at the top (otherwise it is hard to find in a long scrolled list).
- Changed admin login cookie
- Just force logout on InvalidToken error immediately.
- Some md5 to sha1
- Sort Folders on add/rename folder (thanks to the v2.9.5 folders sort in JavaScript)
- Test login credentials on account switching for better account login/switch handling
v2.9.5
Bugfixes
- Account switching failed
- CardDAV sync broken #163
- findEmailAndLinks() breaks some HTML messages #167
- Folder rename/move was broken
- PHP Notice Undefined: ThreadUid, HideUnsubscribed, UseThreads, ReplySameFolder
- Revert the Safari fix "position: sticky;" as it breaks Firefox and Chrome
Improvements
- Be structural with messagelist menu sorting options (DESC/ASC and not mixed)
- Better caching
- Better mail message handling
- Change AbstractFetchRemote (and child classes) with a better structure
- Drop useless Microsoft 'Sensitivity' MIME Header
- Force email minimum font-size to be 11px for readability
- Offload some server CPU usage to the client when fetching folder list
- Revamp mailbox management so that reloading of the whole folder tree is mostly not needed
- Revamp the FullNameHash system for better readable urls for mailboxes
- Some PHP code cleanups and added an IMAP yield/iterate untagged responses handler
v2.9.4
Plesk Obsidian uses Courier IMAP which enforces UTF8 (RFC 6855).
I've noticed RainLoop/MailSo does not support this and just uses the raw "modified UTF-7" of RFC 3501 for communicating.
Secondly, the UTF-7 encode/decode functionality of RainLoop/MailSo is broken, so I've replaced it with the imap_utf8_to_mutf7()/imap_mutf7_to_utf8() or mb_convert_encoding() methods.
So this release should be compatible with Courier and Gmail in UTF8 mode (only tested with Gmail).
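The choice between raw UTF-8 mailbox names (RFC 6855) and RFC 3501 modified UTF-7 described above, as an added example that is not MailSo's or SnappyMail's own code; the function names are assumptions, and the imap-extension/mbstring fallback mirrors the replacements named in the notes:

```php
<?php
// Added example, not SnappyMail/MailSo code: choosing between raw UTF-8
// mailbox names (RFC 6855 UTF8=ACCEPT, as Courier and Gmail offer) and the
// modified UTF-7 of RFC 3501, using the replacements named in the notes.
// Function names are assumptions; sample names are constructed.

// Encode a UTF-8 mailbox name for the wire. With UTF8=ACCEPT enabled the
// name goes out untouched; otherwise it is converted to modified UTF-7 via
// the imap extension when present, else via mbstring's UTF7-IMAP encoding.
function mailboxNameToWire(string $utf8Name, bool $utf8Enabled): string
{
    if ($utf8Enabled) {
        return $utf8Name;
    }
    if (function_exists('imap_utf8_to_mutf7')) {
        return imap_utf8_to_mutf7($utf8Name);
    }
    return mb_convert_encoding($utf8Name, 'UTF7-IMAP', 'UTF-8');
}

// Reverse direction for names received in LIST responses.
function mailboxNameFromWire(string $wireName, bool $utf8Enabled): string
{
    if ($utf8Enabled) {
        return $wireName;
    }
    if (function_exists('imap_mutf7_to_utf8')) {
        return imap_mutf7_to_utf8($wireName);
    }
    return mb_convert_encoding($wireName, 'UTF-8', 'UTF7-IMAP');
}

// Constructed demo: a server without UTF8=ACCEPT receives modified UTF-7
// ("Entwürfe" becomes "Entw&APw-rfe"); one with it receives the raw UTF-8.
foreach ([false, true] as $utf8Enabled) {
    $wire = mailboxNameToWire('Entwürfe', $utf8Enabled);
    $back = mailboxNameFromWire($wire, $utf8Enabled);
    printf("UTF8=ACCEPT %s: wire=%s round-trip=%s\n",
        $utf8Enabled ? 'on' : 'off', $wire, $back === 'Entwürfe' ? 'ok' : 'FAILED');
}
```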
Bugfixes
- Better fix for Spam Score for SpamAssassin #162
- Call to a member function Email() on null
- CardDAV sync not working due to new login system #163
- Dialog/select layout broken in Safari
- instanceof check for Account Settings was incorrect
- isFileHasThumbnail check for GD/GMagick/IMagick instead of only GD
- Messagelist flex layout was broken
- On login, loading the user settings failed
- saveSystemFolders failed at initialization of mailbox
- Undefined method $oAccount->Domain*()
Improvements
- Cleanup HTML/CSS/JavaScript/PHP
- Cleanup lessphp specific for SnappyMail
- Dovecot supports wildcards on GETMETADATA
- Detect language on first login
- Dropped 'sieve_utf8_folder_name' setting. Sieve is always UTF-8
- HTML UTF-8 handling
- HTML message parsing
- IMAP LIST also fetch SPECIAL-USE
- Faster LessPHP
- Settings -> Themes use figure and figcaption HTML elements
- Simplify Logger
- Support RFC 6855 / RFC 5738 (UTF8) as used by Courier and Gmail
- UTF7 ⇄ UTF8 handling
v2.9.3
v2.9.2
These are mainly bugfixes as a result of the vulnerability fix in 2.9.1
Bugfixes
- Compose/send mail as AdditionalAccount failed #160
- Login screen icons to the left due to issues with browser plugins like LastPass which place buttons on the right
- MessageList using ThreadUid sometimes failed
- PHP 8 errors
- Rendering of bullet points and numbered lists #159
- Revert to QuotaRoot for issue #75
- When allowMultipleIdentities is false always return primaryIdentity
Improvements
- Added a TOTP icon to login screens
- Better additional account management
- Cleanup CSS. HTML & JavaScript
- Squire v1.11.3
v2.9.1 vulnerability fix
Release cycle
Due to the impact of this release, I will not publish fast rolling releases for the next two months.
Only important bugfixes will be published to make everything very stable.
Vulnerability
I found a security vulnerability in the accounts management.
The data was encrypted using the SALT that is on the server.
This means anyone/anything that has access to the SALT could decode the accounts and gain the passphrases.
Detailed info reported at RainLoop#2134
This release has several solutions to this problem and workarounds:
- Support is added to encrypt using Sodium (when available), else OpenSSL (when available), else the old broken XXTEA.
- Additional accounts are not \RainLoop\Model\Account but a child \RainLoop\Model\AdditionalAccount
- The AdditionalAccount passphrases will be encrypted using a key that is based on the MainAccount login passphrase (with option to set own CryptKey by plugins)
- When MainAccount gets a new passphrase, switching to AdditionalAccount is impossible due to the changed CryptKey
- The system will now show an error and pop up the "edit account" window to re-enter the passphrase (this will also happen when the child account passphrase is changed)
- MainAccount will not be stored on the server with the additional accounts (it is in RainLoop)
- Contacts sync has same issue and is now also encrypted using CryptKey
There are now two cookies:
- MainAccount cookie
- optionally the switched AdditionalAccount cookie.
This way the MainAccount is always properly accessible when working in an additional account.
Logout will destroy both cookies.
Switching from child to main account will destroy the AdditionalAccount cookie.
Both cookies are encrypted using a nonce/iv/salt that is stored in the cookie.
The cookies' encryption key is based on your user agent header and salt (I know this is an issue with Tor and certain firewalls; the empty-string fallback is the server SALT).
Overall, with Sodium on my server the Lighthouse page speed dropped from 99% to 98% due to a 20ms increase for the better encryption methods.
This impact differs per server setup.
Other solutions I thought about, but which didn't pass:
- Separate passphrase for the additional accounts and Contacts sync (but then at login you need to enter a second passphrase).
- Browser stored data (defeats the purpose of login with several devices, only 1 device has the data, just like the previous "remember me" bug).
- WebAuthn support is not great or easy
- openssl_seal to allow multiple people having a key to open them needs management to add new people to the list. But when you lose your key, you will not have access.
- Store as METADATA in IMAP, but this relies on METADATA support on the server.
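The passphrase-derived CryptKey design described above, as an added example that is not SnappyMail's own code: the AdditionalAccount data is encrypted with a key derived from the MainAccount login passphrase rather than the server SALT, with the nonce stored alongside the ciphertext; it assumes the sodium extension, and the function names and sample values are constructed.

```php
<?php
// Added example, not SnappyMail's own code: the 2.9.1 design in which an
// AdditionalAccount passphrase is encrypted with a CryptKey derived from the
// MainAccount login passphrase instead of the server-wide SALT, so access to
// the server or a backup alone no longer decrypts it. Assumes ext/sodium.
// Function names and all sample values are constructed for this example.

// Derive the CryptKey from the MainAccount passphrase. The salt is stored per
// user and is not secret; the passphrase is the only secret input.
function deriveCryptKey(string $mainPassphrase, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_KEYBYTES,
        $mainPassphrase,
        $salt, // exactly SODIUM_CRYPTO_PWHASH_SALTBYTES (16) bytes
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

// Encrypt with a fresh random nonce stored in front of the ciphertext, so the
// stored blob contains nothing that decrypts without the CryptKey.
function encryptAccountData(string $plain, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES);
    return $nonce . sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plain, '', $nonce, $key);
}

// Returns null when the key no longer matches (MainAccount passphrase changed)
// or the blob was tampered with; the caller then shows the "edit account"
// popup so the user re-enters the AdditionalAccount passphrase.
function decryptAccountData(string $blob, string $key): ?string
{
    $nlen = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if (strlen($blob) <= $nlen) {
        return null;
    }
    $plain = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(
        substr($blob, $nlen), '', substr($blob, 0, $nlen), $key);
    return $plain === false ? null : $plain;
}

$salt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES); // persisted beside the blob
$key  = deriveCryptKey('main-account-login-passphrase', $salt);
$blob = encryptAccountData(json_encode(['login' => 'extra@example.com', 'pass' => 'secret']), $key);
echo decryptAccountData($blob, $key) !== null ? "switch ok\n" : "re-enter passphrase\n";

// A changed MainAccount passphrase yields a different key: the switch fails and the re-entry flow runs.
$newKey = deriveCryptKey('changed-main-passphrase', $salt);
echo decryptAccountData($blob, $newKey) !== null ? "switch ok\n" : "re-enter passphrase\n";
```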
Vulnerability impact
Although the system may attempt to fix and update the files, it will NOT attempt this when there is no login on an account (because the password is unknown).
When the update fails, it should not lose the accounts.
Future
In the future I might change the system a bit by using a CryptKey file.
That file will store the encryption key to decode the additional accounts and contact sync.
This way, if there are many additional accounts and contact sync, the user only has to update the CryptKey file password and not update every additional account.
I waited with this approach because it impacts the system with another login screen to ask for the old password (which is strange behavior in a UX sense).
Bugfixes
- system folders initialization failed on first time login
- iSpamScore should be int, not float
- CSS removed bootstrap .clearfix (old "fix" for float stuff)
- CSS removed bootstrap .well and .pull-left
- Remote.message() and Remote.messageList() RawKey mode broken, fixed using JSON
Improvements
- Added encryption using OpenSSL (default: aes-256-cbc-hmac-sha1)
- Added encryption using sodium_crypto_aead_xchacha20poly1305_ietf_*
- Don't decode Account cookie several times (1x decrypt is enough)
- Try to convert the old less secure accounts and sorted order to the new encrypted ones at login
- When switching to additional account fails, show account update screen
v2.9.0 + solved security vulnerability
Due to an important security vulnerability that was discovered, I've quickly made this new release.
The problem resides in how the "remember me" data is stored on the server.
The data is stored using the application key, which allows anyone/anything that has access to the data (server or backup) to decode the "remember me" data and gain the email account credentials.
For more in-depth information, see RainLoop#2133.
Bugfixes
- exitFullscreen was broken
- "remember me" security issue
- "remember me" not working #126
Improvements
- Added vertical resizing of the messages list (only horizontal was possible)
- Cleanup and improve HTML/CSS/JavaScript
- New account storage structure #151 (comment)
- Popups are now proper <dialog> elements (Firefox/Safari poly-fill) instead of "Bootstrap .modal with ko.bindingHandlers.modal"
- Replaced my old ResizeObserver workaround for RainLoop resize bugs with proper CSS flex.