I think this sentence should be the first thing anyone sees when they go to the page. The text at the moment assumes everyone already knows roughly what Mailpile is, so I didn't figure it out until I read HN comments.
Also, are there screenshots somewhere?
In addition to it being confusing, because of dynamic IPs and residential port blocking you may be able to run it on your computer, you just won't be able to do anything with it due to other internet infrastructure...
- Sending mail from home is almost guaranteed to fail sometimes/often, due to dynamic IP ranges which are frequently blocked.
- Port 25 and port 80 are blocked by most major American ISPs these days for residential services. Making this unusable from a home server. Not to mention it's against many ISPs' terms of service to run a server from home without paying for a business package. (That's right, it's not just Google Fibre)
- SPF records and other forms of email authentication? You would also need a third party DDNS service if using a dynamic IP.
So with all of that said, I like the interface pictures. It could be a good competitor to webmail clients like roundcube and friends.
By the way, there seems to be a copy-paste typo in the description for 'Spam Detection'; it reads 'PGP encryption and verification of emails and recipients'.
On the project page you write
> An intuitive, modern user interface makes strong security accessible to everyone.
Can you share a bit more about the way you envision this?
Good luck!
What about perfect forward secrecy for server connections?
What about transparent text compression?
Edit: Just to clarify why I'm asking this, the project looks very interesting and I suppose the choice of AGPL wasn't made lightly, as it might slow down adoption by commercial organizations, so I'm interested in the reasoning behind this choice.
But in the current startup world several aynrandian douchebags would take it and make web services or paid apps. Put a lot of money on viral marketing. Pester them with feature requests. And never, ever contribute back to the community or acknowledge it helped their business.
I know a famous BSD developer who switched to *GPL because of this. Also, search for tptacek's explanation. It's counter-intuitive but this is the best license at the moment, mostly for reasons Stallman didn't foresee.
However, we are open to discussing, and if a significant fraction of our backers would prefer a more liberal license we will probably switch.
also, getmail is python and does pop and imap downloads, so could be used there.
[otherwise, this seems awesome and if i run out of my own dumb ideas i will seriously consider contributing]
http://www.indiegogo.com/projects/mailpile-taking-e-mail-bac...
What happened to building something and selling it?
According to the campaign page, the need is so great because:
"We're asking for a lot of money, so of course you should know why. $100.000 means paying two people $4166 a month for a year, including all taxes, insurance and other fees."
I suppose people get what they pay for, but I find it insulting to ask me to pay your salary for a year so that you can avoid risk.
If you were truly concerned about online privacy, you'd build it anyway. So is privacy the mission, or the pitch?
Since they are already providing it for free to those who need it, and producing it as free software, selling it as a finished product is unlikely.
> If you were truly concerned about online privacy, you'd build it anyway.
Many people do altruistic work during their free time. Crowdfunding means you can do the same work, but not be limited by what scraps of time exist after work.
The people in the world who would quit their job to do altruistic work are extremely few. They are so few that almost every time it happens, it gets posted here as news.
If I made a poll, asking how many people here cared strongly about something in the world, I would get close to 99% hands that said yes. If I then asked how many of those people would agree to quit work to work altruistically on that subject, how many hands would I see?
Um, you mean software consulting?
This model is beautiful. It's a bunch of email privacy advocates hiring a couple of skilled guys for a year to write the open source software we all wish existed.
Seems fair to me. I'm not so entitled as to demand someone altruistically create this for me.
And I explicitly _don't_ want them to make a business of it, because that changes the incentives completely.
I think your take on this is a function of our indoctrination into a particular form of capitalist mindset. We don't reward what's of value to society. We reward what can be sold. It's skewed.
In addition, there is this idea that we should be cogs in the machine as kind of a de facto life goal. Get an education and go to work for someone else. Want to be an entrepreneur and do more? Well, it will cost you dearly. You either go see the gatekeepers with capital and hope they smile on you, only to end up back in the position where you are essentially working for someone again (your investors). Or, you bootstrap and work your ass off trying to support yourself/family while holding down a day job. BTW, like you, I did the latter.
I think this is exactly why we don't have enough people using their talents to contribute something vs. just trying to make cash.
Society should encourage this, and if crowdfunding can help more people to pursue their talents/dreams (especially for the good of society), then I am all for it. We need more of this.
Isn't that the whole premise behind a huge chunk of the projects on indiegogo and Kickstarter? "I want to make a cool thing, but I can't afford to quit my day job; please pay me up front"?
I mean, I'm truly concerned about online privacy, but there are several barriers standing between me and my solution--not the least of which is the ability to eat and shield myself from the elements while crafting said solution. How is what these folks are asking any different from pitching a business plan to a VC? Sure, if you're going to a VC it's expected you'll actually have a business plan, but the function is the same: Convince people with resources that what you're doing is worthwhile and achievable, so they'll give their resources to you.
So this is exactly the Richard Stallman model of software. Pay people to develop it, don't charge anything for the software and give away the source.
There is no economic incentive for the donors (they might get a mail program, might not, but they will never get their money back or a return on that money.)
I suppose rms originally imagined that someone like the mailpile people would take the money they were given to create mailpile and give it to some other developer to create the tools they need. However, as we see in this campaign, all the money they get will go toward feeding, housing, and insuring themselves. (wait till they learn about payroll taxes, that will make them fiscal conservatives in a hurry :-)
Like the parent comment I can see how this works in the "old" world (make a company, product, sell it, rinse and repeat) but am curious to see if it can work in this other way.
The closest model I'm familiar with to what they're doing is the FreeBSD Foundation, so this is more classic "pay us for OSS" than anything else. So I don't think this is a startup proposal. Unusual for HN I know, but given the plan I doubt they're tracking pirate metrics or blabbering about pivots.
Which is sort of a pity because actually my problem isn't email (there is plenty of webmail I can deploy privately), my problem is group calendaring with multiple share/sync options (for which only Google Apps meets my requirements).
Suppose a third-party developer can make a major contribution to the project, to solve a nasty bug or add a technically challenging feature.
How does that developer get paid? How is their contribution valued?
I've spoken to someone who worked there, and they agreed it was hard to keep the balance - if you start hiring all open-source contributors, then the remaining coders out in the open will get de-motivated, since they weren't offered a job.
This is exactly what they are doing, by crowd funding it. They are essentially testing the market.
'pay us in advance for developing a product that hasn't been market tested or validated,'
I'd say that the fundraiser, if it succeeds, is pretty good market validation. People will look at the app for themselves, decide whether it's a good value proposition for them or not. Nobody needs your bitching and moaning; if you don't like it, don't pay anything.
You're just demoralizing people for the sake of it. I'm disgusted that yours is the top ranked comment.
- This is an MUA, correct? Based on the features on the project page, it sounds like MailPile will not act as an MTA or MDA, and is predominantly interfacing with mbox/maildir. I see features for IMAP and POP3 on the roadmap, but it's not clear if using those protocols is idiomatic for MailPile.
- How is PGP/GPG handled? The server-side code for MailPile must have access to my secret key, correct? Is MailPile's web interface then accessible via HTTPS (given the proper cert)?
- Is there a plan for a key management interface?
- It sounds like the MUA itself (MailPile) is a server, and it would access maildir/mbox directly. Is there any API planned for accessing that data through MailPile programmatically, or is MailPile's main goal to provide a browser interface?
- This might have been covered, but will the web interface support mobile as well?
Thanks for working on this...it really sounds like a great project!
And yes, API access to mail is something we already support, every "command" can return either HTML, plain text or JSON. Probably XML to come as well.
We'll have to help with key management, otherwise it won't be usable by normal folks.
Mobile web support, yes, probably sooner than later.
Hope this clarifies!
I personally use (al)pine over SSH, so I don't need this ... my email is already on my own mailserver and I already access it over a secure channel, etc.
But my wife ... she's not going to put up with pine. So then I run a pop daemon. And she pops from gmail. And her email is in third party hands, etc.
If there were a decent web mail client, I could turn off popd, one less open port, and access only over SSL. Which I would hide with port-knocking, of course. I can teach her port-knocking, right?
a. Home server. Most people don't have a fixed IP or domain name, so it's going to be a pain for them to access their home server on the run. I do have a fixed IP, but I'd still hesitate to rely on my home connection whilst I'm roaming.
b. Localhost. No one can complain about reliability or accessibility when you are hosting the service right there on your own PC. But now I'm tied to that one PC - I can't check my e-mail from work, or from my phone.
c. Cloud / co-location. Now we have reliable hosting, but privacy?? I'd hesitate to upload my private key to a cloud server. Also, I now need 24/7 internet access even to read my old mail.
Perhaps localhost is the best place for it. My canonical e-mail store can remain IMAP in the cloud, but I can run an instance of Mailpile on each of my devices.
Will the client/server model work on a phone? - Surely most phones refuse to give enough CPU time to apps in "the background". I suppose you could weld a browser instance on to the front of it, and call it a standalone app.
So try to do the key management as automatic and "out of the way" for users as possible. That's the biggest hurdle with using PGP right now.
Dealbreaker right there.
Edit: Great, so the source is already available.
Also, if privacy is important for you, you shouldn't look into subscription services, whatever software package they use.
By subscription I mean that I am happy to support an open source project with regular funding. Initial funds from Indiegogo are not sufficient to maintain a long-term service and we'd be hesitant to move our most important business infrastructure to something that may not be updated regularly as the security environment changes. If you were to look into making this a business with recurring revenue I believe you would find there is a lot of support.
this doesn't make any sense to me. how exactly do you know what code a remote server is running as a subscriber (not an admin)?
you obviously can't just believe what it prints when you click "see the source!" in a web page.
they could crypto sign the code you download, but that doesn't mean they gave you what they're actually running.
Gmail (which I'm not suggesting is an ideal, just what I happen to use) doesn't even bother to show me my spam folder - and, in the last week, it's redirected 1178 messages there.
Update: To clarify why we left it out of the pitch - we just took it for granted that you can't have a functional e-mail client without dealing with spam.
There are plenty of nice-enough webmail UIs around, and people complain about the speed of Gmail but I find it perfectly fine. Spam's the thing.
Contrasting Mailpile with other tools, one difference is that the basic design is that of a search engine, not a tool for reading mail from folders. Most current desktop mail clients are built on top of a bad paradigm, in my opinion.
Another exciting thing about this model, is that since the UI is a website (of sorts), we can leverage the collective experience and creativity of the web design community. That is a much, much larger pool of talent than UI designers who know C++ or Objective C, or whatever.
Finally, making the app a web server means you get an API to interact with your e-mail almost for free.
I abhor the idea that clients only ever interact with messages from a single folder.
Notmuch does two things:
- Indexes a Maildir and places messages into a Xapian fulltext database.
- Provides an API for tagging, threading, retrieving, searching, creating template replies, etc. for the messages in its index.
Getting mail into the folder is the burden of another program (say offlineimap or getmail), and sending mail is also handled by other tools (say MSMTP or sendmail).
I think Notmuch would have made an absolutely killer framework to base Mailpile off of.
Seriously, it's not that hard to install and setup.
Once you have it all going the capabilities are immense. It also lives on your machine, using your SSL certs, and using as much in-place HDD encryption as you want.
This is how you take your privacy back. You care enough about it to do it yourself.
Mailpile, if it ever happens, should help a lot getting some of that mail from the claws of Gmail and the likes. They can have my money.
[1] - https://blog.zimbra.com/blog/archives/2013/07/telligent-acqu...
I don't think this does much to stop snooping.
According to Paul Graham's frightening startup ideas (http://www.paulgraham.com/ambitious.html), email is a bad ToDo list. How are you going to implement a better ToDo list?
I have created an alpha prototype which attacks these problems conceptually, namely, Message Classification, Message Sharing, Bidirectional Messaging, Pull Messaging, Sender Revocation, Message Expiry, Centralized Attachment etc. as a Mobile App but approached this as a separate todo protocol using the Push Messaging Infrastructure.
You can download the working app from Google Play https://play.google.com/store/apps/details?id=priya.pullgrid... and can see a website created http://www.pullworld.com (Undocumented - You can download the Frontend App Html Source - Have not even shared in HN as Show HN because it is incomplete in documentation). The purpose of the Prototype is just as a proof of concept and not really to solve the email problem.
I would love to share my knowledge/architecture if you are interested, so that you can really attack this problem as envisaged by pg and since you are planning to do it open source and with email, would love to contribute if you are thinking of mobile in the future using Html/OpenGL based client.
Mostly, the reason we do things the way we do, is because one of our primary goals is to make an end-user desktop app. Packaging is therefore a significant task and minimizing dependencies will help a lot.
We still have quite a bit of work to do on our website and message.
I have a couple of questions:
- Any plans for a plugin/extension system?
- Are there any screenshots of the interface anywhere?
Thanks! : )
http://www.indiegogo.com/projects/mailpile-taking-e-mail-bac...
Additionally SPF gives us a way to check if the sender address has been forged. GPG signing is more robust, but again, more user overhead.
Not to mention, I already have S/MIME support in my mail application and can get GPG support via a plug-in, but I use neither, because few recipients can handle it.
So what is new with Mailpile? What is it supposed to change?
In my opinion, if the goal is to make email more secure, we should look into ensuring that all MTAs are set up to support TLS and use it when delivering mail to other hosts (AFAIK Exim4 only announces STARTTLS when connecting to its submission port).
Getting SPF records set up would also be a plus.
This would go a long way in making email more secure, and only requires action from administrators of mail domains.
¹ http://www.postfix.org/postconf.5.html#smtp_tls_security_lev...
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-...
Sure, I can set up my own mailserver already, but the amount of effort it takes is too much compared to just setting up a Gmail account. If they can get set-up and spam-protection right, then this could be huge!
Right now, every single email I receive is encrypted. I have my public GPG key on my mail server, and every incoming email that's not already encrypted is encrypted using that public key. That way if anyone compels my VPS provider for access, they just get a bunch of encrypted email.
So my problem isn't receiving or encrypting email, it's reading it. The only real option I have right now is Thunderbird, which isn't great, and is no longer under development. Mailpile doesn't look like a mail service to me, it looks like a browser-based but locally-hosted MUA, which might be the remedy to Thunderbird that we need.
Thumbnails shouldn't be high-res pictures that actually are scaled to stamp proportions. It's slow to appear on poor connection and for a moment I thought there were no screenshots and just words like "compose". And it slows down my poor 2nd gen asus notebook.
I mean seriously, what's the appeal to paying for Mailpile when I could just use an open-source webmail client on my server? (Which I will by the way, thanks for the idea)
1: http://www.horde.org/apps/imp
PS: Here are more: http://www.noupe.com/ajax/10-ajax-webmail-clients.html
* It's a bit hard to find where the HTML/JS templates are. I think that's important for folks who are good at design and willing to help the project.
* search.py, looks like it stores indexes in memory, is that correct? Will it work if I run multiple instances of httpd?
Back in 2001 or 2002, I was following the progress of Zoe, what I thought to be a very promising new approach to email archives. It kept your email in mbox or eml files, used Lucene for indexing and search and then provided a web interface on an embedded web server.
The Zoe project is no longer active (the homepage is dead and the files are gone), but this MailPile sounds very much like it. Almost exactly like it. I hope it does better.
Mailpile stores in RAM about 180 bytes of metadata per message (actual size depends largely on the size of various headers), but Python overhead brings that to about 250B. This means handling a million messages should consume about 250MB of RAM - not too bad if you consider how much memory your browser (or desktop e-mail client) eats up.
Totally killed my interest, I want to run this on a small server (e.g. NAS), for everyone in my family
If you're interested in this, you might also want to check out:
- https://echoplex.us (overview)
- https://chat.echoplex.us (in action)
- https://github.com/qq99/echoplexus (github)
Lead developer here, FYI
The tech lead is from the Empire though - an ex-Googler - not exactly a privacy caring company :) Maybe that's why he left :)
Am I understanding this correctly that this is basically a selfhosted imap/pop/smtp frontend?
I am curious how you guys would use it, i.e. where would you actually host your emails? Running your own mailserver on a vserver sounds fun and not too expensive but I don't know if I want to maintain something like that in the long run. If something breaks this just sounds like a lot of work.
You guys pay for mail hosting? Use the one that comes with your website domain?