disposable email prefixes for existing mailboxes

I am considering switching an existing Exim mailserver for a Cloudron instance.

One feature I need to maintain is a custom mail routing rule which allows mailbox addresses with an arbitrary prefix, designed to implement disposable addresses for use as casual log-ins, inspired by spamgourmet.org.

Is this possible with the default Cloudron mail service? Perhaps using some custom configuration, for instance, can SpamAssassin rules do this?

Thanks!

---

I'll explain the use-case in more detail briefly.

I might have a mailbox alice@example.com, and an alias for this, bob@example.com, which by itself doesn't accept mail, but will forward mail to alice@example.com when prefixed with any arbitrary word (delimited by dot). For example, twitter.bob@example.com, yahoo.bob@example.com and ebay.bob@example.com would all forward to alice@example.com by default, as well as any other prefixed address you could think of.

This allows unique email aliases like this to be invented off-the-cuff when creating a log in for a site requiring an email address to register a user account. These addresses can be disabled if and when they start attracting spam (perhaps because the site has been penetrated by malware, and the user data captured and redistributed in spammer databases).

Because they are unique, the addresses also tends to reveal the source of a breach, because the prefix indicates what it was used for originally.

Disabling an address is done by alice@example.com sending an email to one of her aliases with the subject !off, via an authorised connection to the SMTP server implementing the prefix aliases.

If switching to another implementation, the mechanism for managing these aliases could change, but I'd need the addresses to continue working, obviously.

Kobo Toolbox is a tool for collecting survey data. Fulfills a similar purpose to LimeSurvey, but has a somewhat nicer UI, and supports online or offline completion of surveys. It seems to have a fairly active online community.

Data collection is done via the web with Enketo, or on an Android mobile device via the app Kobo-Collect.

https://www.kobotoolbox.org/

KoBoToolbox is a suite of tools for field data collection for use in challenging environments. Our software is free and open source. Most of our users are people working in humanitarian crises, as well as aid professionals and researchers working in developing countries. Our teams of developers and researchers are based in Cambridge, MA and many other places around the world.

Quickly collecting reliable information in a humanitarian crisis – especially following a natural disaster such as a large earthquake or a typhoon taking place in a poor country – is the critical link to saving the lives of the most vulnerable. Understanding the population’s needs is often neglected for lack of quick means to gather and analyze this crucial information. KoBoToolbox, developed by the Harvard Humanitarian Initiative, is an open source suite of tools for data collection and analysis in humanitarian emergencies and other challenging environments that was built to address this gap. KoBoToolbox is funded entirely through generous grants and donations from our partners.

Ok, that's fair enough.

@girish said in No 'resetToken' for admin password reset:

But as you figured you can just put a json in that ghost file /home/yellowtent/platformdata/cloudron_ghost.json and that's it:
{"username": "sometemporarypassword" }

However, this might be worth adding to the documentation.

Scenario: forwarding email addresses from the Cloudron domain to 3rd party email services such as GMail

Problem: when SRS rewrites the email headers to allow the mail to be classified as legitimately from the forwarding Cloudron host, it can also cause the forwarded spam to appear to be sourced from that host, resulting in it being blacklisted.

Potential solution: implement adequate spam filtering for forwarded mail, for which no manual classification can be used to training a filter as could be for a local mailbox

Another possible solution in the case of GMail might be to implement POP3 and allow GMail to pull mail from that. GMail no longer supports arbitrary IMAP servers since releasing its newer "Gmailify" service.

See the original discussion here:

https://forum.cloudron.io/topic/3323/reading-a-cloudron-mailbox-using-gmail

Hi,

I've just attempted to purchase a Cloudron subscription. I'm doing it on behalf of a co-operative company I am a member of. The company has a bank account but does not have a credit card, so I attempted to use my own for now, however, I only have debit cards, and none of mine seem to work. The subscription form says "Your card does not support this type of purchase" for one, and "Your card cannot be charged" for the other.

Is this really the only way to pay, and if so, are there any plans to allow anything else in the immediate future? As it is this is an unexpected show-stopper for our use of Cloudron.

@jdaviescoates - this is close, but not quite a cigar, because although this would work when just starting to use this scheme, there's a whole bunch of existing addresses in use using a different scheme.

I think Cloudron's SMTP server is Haraka, correct? Is it possible to install plugins for it this context? (I might be able to write a plug-in.)

@yusf Oh. Doh. Thanks.

So I've worked around this by telling Firefox to "Forget this host" (right-click on an URL to get this option in the history tab), and thereby got to the web console that way.

However, it could still be handy to know how to trigger the renewal from the terminal, as this might not be the only case when you'd need to do it.

@girish, yes - the implementation rules are logically "like *.bob then route it to a specific mailbox", but there is extra logic to handle things like:

• if the alias is marked disabled, drop it
• if the subject is !off and the connection is authenticated as the user in question, disable the alias and drop it
• ...plus some similar things (implementing !on and !report functions)

State needs to be stored somewhere (the implementation uses a SQLite3 DB). So if the wildcard alias plugin does not store state, that probably won't do it.

Implementing this in Exim filter rules is challenging, both to write and to read, but FWIW it's here

Rereading, could be worth noting for other readers of this thread: the poll2 plug-in (which seems to be marked as possibly not working with this version of NodeBB) is not the same as the poll plug-in (which seems to be marked as working)/ I'm not sure why I had both installed.

@girish I've written non-trivial Sieve filters before, Dovecot supports it (which the server in question uses, and I believe, Cloudron). So far as I know (and scanning through the extensions in those docs) it doesn't really support storing state between filter runs which will allow aliases to be disabled.

So I think the best I could hope for is to use wildcard aliases, and manually block spammy ones using sieve filters. This wouldn't be very user friendly, so this seems to be a potential show-stopper.

(Possibly something external to Haraka could be inserted into the mail delivery process?)

Thanks!

@girish, yes - the implementation rules are logically "like *.bob then route it to a specific mailbox", but there is extra logic to handle things like:

• if the alias is marked disabled, drop it
• if the subject is !off and the connection is authenticated as the user in question, disable the alias and drop it
• ...plus some similar things (implementing !on and !report functions)

State needs to be stored somewhere (the implementation uses a SQLite3 DB). So if the wildcard alias plugin does not store state, that probably won't do it.

Implementing this in Exim filter rules is challenging, both to write and to read, but FWIW it's here

@jdaviescoates - this is close, but not quite a cigar, because although this would work when just starting to use this scheme, there's a whole bunch of existing addresses in use using a different scheme.

I think Cloudron's SMTP server is Haraka, correct? Is it possible to install plugins for it this context? (I might be able to write a plug-in.)

I am considering switching an existing Exim mailserver for a Cloudron instance.

One feature I need to maintain is a custom mail routing rule which allows mailbox addresses with an arbitrary prefix, designed to implement disposable addresses for use as casual log-ins, inspired by spamgourmet.org.

Is this possible with the default Cloudron mail service? Perhaps using some custom configuration, for instance, can SpamAssassin rules do this?

Thanks!

---

I'll explain the use-case in more detail briefly.

I might have a mailbox alice@example.com, and an alias for this, bob@example.com, which by itself doesn't accept mail, but will forward mail to alice@example.com when prefixed with any arbitrary word (delimited by dot). For example, twitter.bob@example.com, yahoo.bob@example.com and ebay.bob@example.com would all forward to alice@example.com by default, as well as any other prefixed address you could think of.

This allows unique email aliases like this to be invented off-the-cuff when creating a log in for a site requiring an email address to register a user account. These addresses can be disabled if and when they start attracting spam (perhaps because the site has been penetrated by malware, and the user data captured and redistributed in spammer databases).

Because they are unique, the addresses also tends to reveal the source of a breach, because the prefix indicates what it was used for originally.

Disabling an address is done by alice@example.com sending an email to one of her aliases with the subject !off, via an authorised connection to the SMTP server implementing the prefix aliases.

If switching to another implementation, the mechanism for managing these aliases could change, but I'd need the addresses to continue working, obviously.

Kobo Toolbox is a tool for collecting survey data. Fulfills a similar purpose to LimeSurvey, but has a somewhat nicer UI, and supports online or offline completion of surveys. It seems to have a fairly active online community.

Data collection is done via the web with Enketo, or on an Android mobile device via the app Kobo-Collect.

https://www.kobotoolbox.org/

KoBoToolbox is a suite of tools for field data collection for use in challenging environments. Our software is free and open source. Most of our users are people working in humanitarian crises, as well as aid professionals and researchers working in developing countries. Our teams of developers and researchers are based in Cambridge, MA and many other places around the world.

Quickly collecting reliable information in a humanitarian crisis – especially following a natural disaster such as a large earthquake or a typhoon taking place in a poor country – is the critical link to saving the lives of the most vulnerable. Understanding the population’s needs is often neglected for lack of quick means to gather and analyze this crucial information. KoBoToolbox, developed by the Harvard Humanitarian Initiative, is an open source suite of tools for data collection and analysis in humanitarian emergencies and other challenging environments that was built to address this gap. KoBoToolbox is funded entirely through generous grants and donations from our partners.

Rereading, could be worth noting for other readers of this thread: the poll2 plug-in (which seems to be marked as possibly not working with this version of NodeBB) is not the same as the poll plug-in (which seems to be marked as working)/ I'm not sure why I had both installed.

After disabling all the plugins and rebuilding, there is just this error:

Failed to load ‘https://forum.code-operative.co.uk/assets/vendor/fontawesome/fonts/fontawesome-webfont.woff2?v=4.7.0’. A ServiceWorker intercepted the request and encountered an unexpected error.

Re-enabling these plug-ins:

• nodebb-plugin-markdown
• nodebb-plugin-mentions

Then I see 404s on /plugins/nodebb-plugin-markdown/styles/railscasts.css. Seems to be a bug in the markdown plugin, I filed a bug here:

I also get more occasional .ttf//.woff errors as above. And lots of [benchmark] warnings in the server logs, I think these can be ignored.

Renabling these seem to go without faults:

• nodebb-plugin-composer-default
• nodebb-plugin-dbsearch
• nodebb-widget-essentials

However, nodebb-plugin-private-forum introduces errors, when visiting anonymously.

https://github.com/LM1LC3N7/nodebb-plugin-private-forum/issues/2

Finally, installing nodebb-plugin-poll doesn't (so far) seem to create any errors....

Will keep an eye on things. There were some other plug-ins (code-button, emoji-related) which I didn't consider important enough to re-enable.

I'm trying to disable plugins and will report back.

Should the NodeBB Cloudron package version (v1.17.0-1) match that reported by NodeBB itself (v1.16.0)?

The installed plugins:

# ./nodebb plugins
Active plugins:
        * nodebb-plugin-code-button (installed, enabled)
        * nodebb-plugin-composer-default (installed, enabled)
        * nodebb-plugin-dbsearch (installed, enabled)
        * nodebb-plugin-discord-bot (installed, enabled)
        * nodebb-plugin-discord-notification (installed, enabled)
        * nodebb-plugin-emoji (installed, enabled)
        * nodebb-plugin-emoji-android (installed, enabled)
        * nodebb-plugin-markdown (installed, enabled)
        * nodebb-plugin-mentions (installed, enabled)
        * nodebb-plugin-poll (installed, enabled)
        * nodebb-plugin-poll2 (installed, enabled)
        * nodebb-plugin-private-forum (installed, enabled)
        * nodebb-plugin-soundpack-default (installed, disabled)
        * nodebb-plugin-spam-be-gone (installed, disabled)
        * nodebb-rewards-essentials (installed, enabled)
        * nodebb-theme-lavender (installed, enabled)
        * nodebb-theme-persona (installed, disabled)
        * nodebb-theme-slick (installed, disabled)
        * nodebb-theme-vanilla (installed, disabled)
        * nodebb-widget-essentials (installed, enabled)

No, that still doesn't resolve the problems. The console shows these errors again on first visit, following erasing the browser information for the forum domain:

This page uses the non standard property “zoom”. Consider using calc() in the relevant property values, or using “transform” along with “transform-origin: 0 0”. [...]
Uncaught TypeError: t is not a function
    <anonymous> serializer.js:17
    <anonymous> serializer.js:162
serializer.js:17:25
Loading failed for the <script> with source “[...]/assets/src/modules/bootbox.js?v=1mjvdi86tsu”. [...]:1:1
Uncaught Error: Script error for "bootbox", needed by: forum/category/tools
https://requirejs.org/docs/errors.html#scripterror
    makeError require.js:168
    onScriptError require.js:1738
require.js:168:16
ServiceWorker registration failed:  DOMException: The operation is insecure. app.js:793:13
Loading failed for the <script> with source “[...]/assets/src/modules/timeago/jquery.timeago.js?v=1mjvdi86tsu”. forum.code-operative.co.uk:1:1
Uncaught Error: Script error for "timeago/jquery.timeago"
https://requirejs.org/docs/errors.html#scripterror
    makeError require.js:168
    onScriptError require.js:1738
require.js:168:16