Comments (21)
@Shadow243 wrote: "However, this works in the case of someone managing (centralizing) his accounts in one place for himself"
So please try and let us know :-)
I'm now working on a good way to handle this even with multiple users using one instance.
from cypht.
Thank you for the kind words.
Related: #470
For .env, let's ask the author @Shadow243 for some advice.
from cypht.
Where are the imap creds stored now? I was not able to quickly find them. I saw there were some blobs in the mysql db. There?
from cypht.
Thank you for the kind words.
Related: #470
For .env, let's ask the author @Shadow243 for some advice.
IMAP_AUTH_ is primarily used when AUTH_TYPE=IMAP to authenticate during the connection (on the login page) and of course to automatically add the server once connected.
Configuring multiple accounts via .env will complicate this file, but I think we can do it through a configuration file, as we did for LDAP Contact (config/ldap.php).
'imap_accounts' => [
'Personal' => [
'server' => '',
'port' => '',
'tls' => '',
'sieve' => '',
'username' => '',
'pwd' => ''
],
'OtherName' => [
'server' => '',
'port' => '',
'tls' => '',
'sieve' => '',
'username' => '',
'pwd' => ''
],
]
This could allow us to anticipate the accounts (servers) to add on the server page automatically while retaining the IMAP_AUTH_ functionality with its initial function.
from cypht.
Thank you for the kind words.
Related: #470
For .env, let's ask the author @Shadow243 for some advice.IMAP_AUTH_ is primarily used when AUTH_TYPE=IMAP to authenticate during the connection (on the login page) and of course to automatically add the server once connected.
Configuring multiple accounts via .env will complicate this file, but I think we can do it through a configuration file, as we did for LDAP Contact (config/ldap.php).
'imap_accounts' => [ 'Personal' => [ 'server' => '', 'port' => '', 'tls' => '', 'sieve' => '', 'username' => '', 'pwd' => '' ], 'OtherName' => [ 'server' => '', 'port' => '', 'tls' => '', 'sieve' => '', 'username' => '', 'pwd' => '' ], ]
This could allow us to anticipate the accounts (servers) to add on the server page automatically while retaining the IMAP_AUTH_ functionality with its initial function.
However, this scenario does not work in all cases. For example, we may have 10 IMAP accounts, but each account belongs to a different person. Therefore, each person must log in with their own account. By putting the accounts in the configuration file, everyone who is logged in will have access. However, this works in the case of someone managing (centralizing) his accounts in one place for himself
from cypht.
@Shadow243 my goal is to use the unified inbox with all these accounts, so no separate logins.
from cypht.
@jonocodes Will more than one person use your Cypht instance?
from cypht.
@jonocodes Will more than one person use your Cypht instance?
My current use of cypht is much like how I use Thunderbird. I have a single profile/user. I use thunderbird to access all my accounts when at my main desktop. And I use a selfhosted cypht to access all my email accounts when I am away from my desktop.
from cypht.
Ok so then the .env should work for you. Please let us know how it goes.
from cypht.
Ok so then the .env should work for you. Please let us know how it goes.
I don't think I understand. Are you saying the env file ready supports this? Or that I should develop that support? My understanding is it does not support it now.
from cypht.
@Shadow243 wrote: "However, this works in the case of someone managing (centralizing) his accounts in one place for himself"
So please try and let us know :-)
from cypht.
Is there a recommended way to do this? Perhaps set it up once and use USER_CONFIG_TYPE=file then copy that file to my new system?
Both config storage options would work - file or db as long as you copy the file or db to your new system and use the same user password for your account login to cypht (password is used as an encryption key for the data stored in local file or db). To keep things simpler, I suggest you use file storage for config and copy your user settings dir to the new system.
Mixing user configuration with system configuration from env or config php files might get tricky here...
from cypht.
I am trying to understand the file storage option. I ran this
version: '3'
services:
db:
image: mariadb:10
volumes:
- ./db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=root_password
- MYSQL_DATABASE=cypht
- MYSQL_USER=cypht
- MYSQL_PASSWORD=cypht_password
cypht:
image: sailfrog/cypht-docker:latest
volumes:
- ./cypht/users:/var/lib/hm3/users
ports:
- "81:80"
environment:
- CYPHT_AUTH_USERNAME=admin
- CYPHT_AUTH_PASSWORD=admin_password
- CYPHT_DB_CONNECTION_TYPE=host
- CYPHT_DB_HOST=db
- CYPHT_DB_NAME=cypht
- CYPHT_DB_USER=cypht
- CYPHT_DB_PASS=cypht_password
- CYPHT_SESSION_TYPE=DB
- CYPHT_USER_CONFIG_TYPE=file
Then logged in and created some imap accounts. Now here is what the file system looks like:
/var/lib/hm3 # ls -lR
.:
total 3
drwxr-xr-x 2 www-data www-data 2 Apr 26 18:35 app_data
drwxr-xr-x 2 www-data www-data 2 Apr 26 18:35 attachments
drwxr-xr-x 2 www-data www-data 3 Apr 26 18:36 users
./app_data:
total 0
./attachments:
total 0
./users:
total 5
-rw-r--r-- 1 www-data www-data 2716 Apr 26 19:41 admin.txt
of course admin.txt is giberish. Is this the encrypted payload that has all the imap credentials in it? And if so, is there a manual way for me to decrypt it outside cypht and see whats there?
from cypht.
Yes, admin.txt is the encrypted storage for admin user settings including server details. Decryption is possible using the https://github.com/cypht-org/cypht/blob/master/lib/crypt.php#L75 Hm_Crypt_Base::plaintext function and passing your password as a key. You could also do it outside PHP using openssl descrypt but you should construct the initialization vector and other parameters manually from the encrypted string like the PHP function does.
from cypht.
Yes, admin.txt is the encrypted storage for admin user settings including server details. Decryption is possible using the
master
/lib/crypt.php#L75 Hm_Crypt_Base::plaintext function and passing your password as a key. You could also do it outside PHP using openssl descrypt but you should construct the initialization vector and other parameters manually from the encrypted string like the PHP function does.
Ah. So the encrypted blob is the part I am trying to work around. Why is it encrypted? I understand perhaps wanting to hide the password, but the whole file? Is this a common practice in other like-software?
If blob was exposed and had an understood structure (yaml, json, etc) we could just edit and add accounts there.
from cypht.
Why is it encrypted? I understand perhaps wanting to hide the password, but the whole file? Is this a common practice in other like-software?
https://www.cypht.org/security.html
https://en.wikipedia.org/wiki/Zero_trust_security_model
from cypht.
Server-side storage encryption is needed to make it more secure against tampering or data-leak attacks. You can still make a small script to encrypt/decrypt the file and add the info you need manually. We can also think about adding this in scripts folder, so you can use the command line to add accounts and do other config modification programatically.
from cypht.
I understand the sentiment but are there other projects that encrypt whole config files? Is the concern that you are trying to protect things like imap host and username as well as the password? If you want to protect data, thats one thing. But I would think the structure of the config (ie- where you put what keys etc) should be exposed, like the other configs like the config/app.php or hm3.ini . This is also how certs and ssh keys work.
But without ruffling too many feathers, yes, perhaps adding an encrypt/decrypt script would be the lightest touch here.
from cypht.
I understand the sentiment but are there other projects that encrypt whole config files?
@jonocodes It was like that when I started getting involved in Cypht. I don't know the precise background information / motivation / trade-offs, etc. In any case, it's an Open Source community project, and a do-ocracy, so let's work together to make Cypht better for various use cases :-)
from cypht.
@jonocodes It was like that when I started getting involved in Cypht. I don't know the precise background information / motivation / trade-offs, etc. In any case, it's an Open Source community project, and a do-ocracy, so let's work together to make Cypht better for various use cases :-)
Yes. I may put some scripting around this to automate at some point.
Side note, I am also looking at introducing a Makefile or something like it that will help with these kinds of operations.
from cypht.
Exposing the config file structure and encrypting only the sensitive information might be a configuration thing for Cypht 3.0. As Marc said, encryption of that file was pretty much around for the whole cypht lifetime, so not an easy one to change.
from cypht.
Related Issues (20)
- Some stats about emails
- Unraid Docker Compose access denied for user 'cypht'@'172.17.0.1' HOT 1
- Can't edit local contacts HOT 1
- "Everything" view not updating correctly HOT 3
- Unclosed divs when there are more than one alert messages from backend
- Improve error and message logging HOT 10
- Autosave HOT 2
- Ability to select text in inline emails. HOT 1
- Prepare a test plan and run it. Mostly for testing JMAP, but it makes sense to test IMAP/SMTP as well
- Allow for renaming account HOT 1
- What should be the scope of Cypht?: Minimalistic? kitchen sink? Something in the middle? HOT 5
- Running config_gen.php fails due to missing files
- Rework and harmonize tagline and descriptions HOT 2
- There is no pagination in this view HOT 7
- Subfolders do not appear in IMAP account HOT 2
- Document / facilitate the migration from https://hub.docker.com/r/sailfrog/cypht-docker to https://hub.docker.com/u/cypht HOT 31
- Rethinking Hm_Functions HOT 1
- jonocodes/cypht container comments (latest/v2.0.1-wip) HOT 4
- Release Cypht 2.1
- AMA with Jason Munro
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from cypht.