"Cypht is not your father's webmail. Unless you are one of my daughters, in which case it is your father's webmail. Cypht is like a news reader, but for E-mail."
I am impressed with the 100% code coverage [1] of your project. It would be cool to have the installation instructions [2] in a Vagrant or Docker script, or as someone else suggested, a Heroku button. I like the website, very clean and most possible questions regarding the license, security, tests, and such are addressed in an easy-to-access section, very good, something that many other HN featured projects lack. Thanks for your work.
Wow, thanks for the kind words! I submitted this last night hoping to drum up some support for the project. I never dreamed it would be on the front page when I woke up!
I can't find any mention of PGP anywhere on the site. That it is supported, or in-development, or planned. Which is a shame, because there are good Webmail implementations out there with PGP support. Roundcube via plugins, Rainloop built in.
We have an open issue at GitHub for PGP support, and it's something I definitely want to pursue. The big concern is private key security and how to balance that with usability.
Is there a way to hook into keybase? https://keybase.io/ This project looks great, I use Fastmail but would like to have an IMAP web front end I host (I used to host my own stack), so I may give this a go. Thanks for sharing it!
Many mainstream (read: Apple/Microsoft) mail clients need plugins (which e.g. on iOS aren't an option) for PGP Mail, but S/MIME is handled out of the box.
> Don't these typically require access to the private key though?
Yes, but not on the server. The key is typically stored encrypted in the browser storage. Never hits the server.
But there is still the problem where the server could send "bad" JavaScript which copies the key and uploads it to the server.
However, if it's my server and I'm running the webmail, I might be ok with that. And if the server is being run by somebody I trust, I might still be ok with making that decision.
And even if I don't want to add my own private key, it would still be nice if the webmail could verify messages signed by other people. There's nothing risky about that.
Mmh, what about security? Do they download all your email for all your accounts locally via IMAP, or is there something more? Anyway, it is nice to read "Oauth2 over IMAP/SMTP" on the Security page.
Thanks for your feedback! Cypht is a thin client that only accesses E-mail using IMAP (or POP3). No E-mail content is maintained locally except in the server side session, and the browser local storage (session only). Cypht does store your E-mail account credentials between logins if you choose to (this behavior can be disabled). Outside of that, we only aggregate content in the browser, not on the server or in any permanent manner. There is a performance price, but it's worth it IMO.
I'm hosting my own e-mail; do you know if it's possible to set up exim / dovecot to support OAuth2 and what benefit would that provide over using e.g. LOGIN over TLS?
Note that this seems to implement the Google-specific XOAUTH2, and doesn't implement the RFC7628 standard[0]. There is currently no open-source implementation of the Google-specific method on the server side, and a partial implementation of RFC7628 for Cyrus SASL[1]. Dovecot, unfortunately, contains its own SASL implementation which doesn't work with this, so you'd have to write your own from scratch.
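Added example (not from the thread or from Cypht's code): the two SASL initial responses the comment above contrasts, Google's XOAUTH2 and RFC 7628 OAUTHBEARER, built and then parsed the way a server would have to. The account, token, host and port are constructed sample values, and GS2 escaping of "," and "=" inside the user name is not handled.

```python
import base64

CTRL_A = "\x01"  # both mechanisms use ^A as the field separator

def build_xoauth2(user, token):
    """Google XOAUTH2: user=<user>^Aauth=Bearer <token>^A^A, base64-encoded."""
    raw = f"user={user}{CTRL_A}auth=Bearer {token}{CTRL_A}{CTRL_A}"
    return base64.b64encode(raw.encode()).decode()

def build_oauthbearer(user, token, host, port):
    """RFC 7628 OAUTHBEARER: GS2 header, then host/port/auth key-value pairs."""
    raw = (f"n,a={user},{CTRL_A}host={host}{CTRL_A}port={port}{CTRL_A}"
           f"auth=Bearer {token}{CTRL_A}{CTRL_A}")
    return base64.b64encode(raw.encode()).decode()

def parse_initial_response(b64):
    """Server-side view: classify the mechanism, extract user and bearer token."""
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if not raw.endswith(CTRL_A + CTRL_A):
        raise ValueError("missing ^A^A terminator")
    fields = raw[:-2].split(CTRL_A)
    user = None
    if fields[0].startswith("n,"):
        # OAUTHBEARER carries the identity in the GS2 header: "n,a=<user>,"
        mech = "OAUTHBEARER"
        gs2 = fields.pop(0)
        user = next((p[2:] for p in gs2.split(",") if p.startswith("a=")), None)
    else:
        mech = "XOAUTH2"
    kv = dict(f.split("=", 1) for f in fields)
    if mech == "XOAUTH2":
        user = kv.get("user")
    scheme, _, token = kv.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("auth field is not a Bearer token")
    return {"mechanism": mech, "user": user, "token": token,
            "host": kv.get("host"), "port": kv.get("port")}

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for msg in (build_xoauth2("alice@example.com", "tok123"),
                build_oauthbearer("alice@example.com", "tok123",
                                  "imap.example.com", 993)):
        print(parse_initial_response(msg))
```

Base64 here is encoding only: in both mechanisms the bearer token is recoverable from the wire, so either one still depends on TLS.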
I'm terrible at naming things. It is supposed to be a homophone for "sift", and it's just odd enough that the domains were super cheap :) I toyed around with adding a phonetic "sift" under the logo on the site, maybe I should revive that effort.
But that takes some time to realize, because there's nothing in the context of the word to suggest the vowel be pronounced short rather than long, and neither is predominant in American English usage.