Show HN: Cypht – Unique Open Source Webmail
cypht.org
The opening paragraph cracked me up:
"Cypht is not your father's webmail. Unless you are one of my daughters, in which case it is your father's webmail. Cypht is like a news reader, but for E-mail."
This project has been a labor of love for me over the last 2.5 years. I'm interested in any feedback you have, and happy to answer any questions!
Do you know about Sandstorm and its app market?
https://sandstorm.io/news/2014-07-21-open-source-web-apps-re...
I did not, thanks for the info. Looks interesting.
Sandstorm is an interesting idea.
The design is so ugly, though...
I am impressed with the 100% code coverage [1] of your project. It would be cool to have the installation instructions [2] in a Vagrant or Docker script, or as someone else suggested, a Heroku button. I like the website, very clean and most possible questions regarding the license, security, tests, and such are addressed in an easy-to-access section, very good, something that many other HN featured projects lack. Thanks for your work.
Wow, thanks for the kind words! I submitted this last night hoping to drum up some support for the project. I never dreamed it would be on the front page when I woke up!
It looks nice, but may I suggest a couple more screenshots and/or GIFs to really showcase it (email edit/compose view, RSS reader view, etc).
As a marketer it kills me the amount of cool projects whose adoption may be hurt by a lack of a couple extra screenshots.
I appreciate the suggestion, and will get a screenshot page added to the site. In the meantime, here are a few blog posts with more shots:
https://unencumberedbyfacts.com/2016/09/08/cypht-webmail-scr...
https://unencumberedbyfacts.com/2016/10/04/cypht-webmail-scr...
Looks very nice.
Was about to ask about support for 2-factor authentication, then saw this:
> Support for 2 factor authentication with any TOTP compatible authenticator app
A quick-setup page might help.
Why GPL v2?
I felt that it most accurately represented my intentions for the software.
I use rainloop currently on a Cloudron. Would be great to have this as a cloudron.io app! (It's just based on Docker)
I can't find any mention of PGP anywhere on the site. That it is supported, or in-development, or planned. Which is a shame, because there are good Webmail implementations out there with PGP support. Roundcube via plugins, Rainloop built in.
We have an open issue at github for PGP support, and it's something I definitely want to pursue. The big concern is private key security and how to balance that with usability.
Is there a way to hook into keybase? https://keybase.io/ This project looks great, I use Fastmail but would like to have an IMAP web front end I host (I used to host my own stack), so I may give this a go. Thanks for sharing it!
I would love this. Appreciate it isn't simple. Keep up the good work.
Any chance that/another issue would cover s/mime?
Many mainstream (read: Apple/Microsoft) mail clients need plugins (which, e.g. on iOS, aren't an option) for PGP Mail, but S/MIME is handled out of the box.
Don't these typically require access to the private key though?
I'm not comfortable uploading my private key to a webmail server, even when it's my own server.
> Don't these typically require access to the private key though?
Yes, but not on the server. The key is typically stored encrypted in the browser storage. Never hits the server.
But there is still the problem where the server could send "bad" javascript which copies the key and uploads to the server.
However, if it's my server and I'm running the webmail, I might be ok with that. And if the server is being run by somebody I trust, I might still be ok with making that decision.
And even if I don't want to add my own private key, it would still be nice if the webmail could verify messages signed by other people. There's nothing risky about that.
I can recommend adding a faster way to try it, either a demo online or even better a docker image.
Thanks for the feedback, and I agree. I love the idea of a docker image to create a demo environment.
Could also set up a Heroku deploy button.
Definitely needed. Nice clean layout, the cleaner the better.
Mmh. What about security? Do they download all your email for all your accounts locally via IMAP, or is there something more? Anyway, it is nice to read "Oauth2 over IMAP/SMTP" on the Security page.
Thanks for your feedback! Cypht is a thin client that only accesses E-mail using IMAP (or POP3). No E-mail content is maintained locally except in the server side session, and the browser local storage (session only). Cypht does store your E-mail account credentials between logins if you choose to (this behavior can be disabled). Outside of that, we only aggregate content in the browser, not on the server or in any permanent manner. There is a performance price, but it's worth it IMO.
Also, thanks for the Oauth2 recognition. It's perfect for a client like Cypht (I wish more providers supported it!).
I'm hosting my own e-mail; do you know if it's possible to set up exim / dovecot to support OAuth2 and what benefit would that provide over using e.g. LOGIN over tls?
Note that this seems to implement the Google-specific XOAUTH2, and doesn't implement the RFC7628 standard[0]. There is currently no open-source implementation of the Google-specific method on the server side, and a partial implementation of RFC7628 for Cyrus SASL[1]. Dovecot, unfortunately, contains its own SASL implementation which doesn't work with this, so you'd have to write your own from scratch.
[0] https://tools.ietf.org/html/rfc7628
[1] https://github.com/sweetums/SASL-OAuth
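The two mechanisms distinguished in the comment above differ in how the SASL initial client response is framed, which is why a server written for one cannot simply accept the other. The following is an added example, not code from the thread or from Cypht; it builds both responses and parses them the way a server would, and the user, host, port and token are constructed placeholder values.

```python
import base64

SEP = "\x01"  # Ctrl-A field separator used by both mechanisms


def xoauth2_response(user, token):
    """Google XOAUTH2: user=<user>^Aauth=Bearer <token>^A^A, base64-encoded."""
    raw = f"user={user}{SEP}auth=Bearer {token}{SEP}{SEP}"
    return base64.b64encode(raw.encode()).decode()


def oauthbearer_response(user, token, host, port):
    """RFC 7628 OAUTHBEARER: GS2 header, then ^A-separated key=value pairs."""
    # In the GS2 authzid, "=" and "," must be escaped (RFC 5801 saslname).
    authzid = user.replace("=", "=3D").replace(",", "=2C")
    raw = (f"n,a={authzid},{SEP}host={host}{SEP}port={port}{SEP}"
           f"auth=Bearer {token}{SEP}{SEP}")
    return base64.b64encode(raw.encode()).decode()


def parse_response(b64):
    """Server-side view: identify the framing and extract user and token."""
    raw = base64.b64decode(b64, validate=True).decode()
    if not raw.endswith(SEP * 2):
        raise ValueError("response not terminated by ^A^A")
    parts = raw[:-2].split(SEP)
    out = {}
    if parts[0].startswith(("n,", "y,")):  # GS2 header present: RFC 7628
        out["mechanism"] = "OAUTHBEARER"
        authzid = parts.pop(0).split(",")[1]
        if authzid.startswith("a="):
            out["user"] = authzid[2:].replace("=2C", ",").replace("=3D", "=")
    else:
        out["mechanism"] = "XOAUTH2"
    for pair in parts:
        key, _, value = pair.partition("=")
        out[key] = value
    scheme, _, token = out.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("no bearer token in auth field")
    out["token"] = token
    return out


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(parse_response(xoauth2_response("user@example.com", "tok123")))
```

In both cases the bearer token travels in the clear inside the base64 payload, so the exchange depends on TLS just as LOGIN does.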
Lacks a decent name easy to pronounce
I'm terrible at naming things. It is supposed to be a homophone for "sift", and it's just odd enough that the domains were super cheap :) I toyed around with adding a phonetic "sift" under the logo on the site, maybe I should revive that effort.
It is easy to pronounce, like 'sift'
But that takes some time to realize, because there's nothing in the context of the word to suggest the vowel be pronounced short rather than long, and neither is predominant in American English usage.
PHP???