hascheksolutions / opentrashmail

Open Source standalone trashmail solution that ships its own mail server

License: Apache License 2.0

Python 8.67% PHP 87.26% CSS 1.32% HTML 0.42% JavaScript 0.15% Dockerfile 0.85% Shell 1.33%
trashmail selfhosted docker python php email-as-rss email-as-api

opentrashmail's People

Contributors

adamklaff, dan-q, eocommunity, geek-at, greyhatsec-au, lars-, manfromafar, marceltransier, mattburchett, mlocher, pbrln, poblabs, ranjit-git, tctlrd, wr3nch0x1


opentrashmail's Issues

Admin logs page

Would it be possible to make the logs/accounts list only accessible by the admin, possibly something similar to the site password but for these specific pages instead of the whole site?

Could also make it such that if the user is "logged in" with the admin password the home page shows all emails instead of needing to open a specific address.

API returns "invalid email address" for every email address

Change 935d11a wraps strtolower($_REQUEST['email']) in basename(realpath(...)), which is important for preventing path traversal attacks... but breaks much of the functionality.

Making this change means that the $email variable contains a path, not an email address, and so subsequent calls to filter_var($email, FILTER_VALIDATE_EMAIL) always return false. Therefore, the API does not work.

Suggested change: perform all email filtering at the top, before running basename/realpath, and return the error only if (a) an email request parameter is passed and (b) the filter returns false. Then just use and trust the $email variable in the attachment, load, and list methods.
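The order suggested in this issue (validate the address first, then use it as a path component), as an added example that is not code from the project or from the issue's author. It is written in Python rather than the PHP of api.php; the regular expression is a simplified stand-in for FILTER_VALIDATE_EMAIL, and resolve_mailbox, classify and the temporary data directory are hypothetical.

```python
import os
import re
import tempfile

# Simplified stand-in for PHP's FILTER_VALIDATE_EMAIL (assumption, not the
# project's rule): lowercase letters, digits and . _ + - around a single "@".
EMAIL_RE = re.compile(r"[a-z0-9._+-]+@[a-z0-9-]+(\.[a-z0-9-]+)*")


class InvalidEmail(ValueError):
    """Raised when an email parameter was passed but does not validate."""


def resolve_mailbox(data_dir, raw_email):
    """Validate first, then map the address to a directory under data_dir.

    Returns None when no email parameter was passed (condition (a) in the
    issue); raises InvalidEmail when one was passed but is not an address.
    """
    if raw_email is None:
        return None
    email = raw_email.strip().lower()
    if ".." in email or not EMAIL_RE.fullmatch(email):
        raise InvalidEmail(raw_email)
    root = os.path.realpath(data_dir)
    path = os.path.realpath(os.path.join(root, email))
    # Containment check: also catches a mailbox directory that is a symlink
    # pointing outside the data directory.
    if os.path.commonpath([root, path]) != root:
        raise InvalidEmail(raw_email)
    return path


def classify(data_dir, raw_email):
    """Return 'none', 'ok' or 'invalid' for one request parameter."""
    try:
        return "none" if resolve_mailbox(data_dir, raw_email) is None else "ok"
    except InvalidEmail:
        return "invalid"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as data_dir:  # constructed data dir
        for param in (None, "Alice@Example.com", "../../etc/passwd",
                      "../x@example.com", "a/b@example.com"):
            print(repr(param), "->", classify(data_dir, param))
```

Because validation runs on the raw string, the value that reaches the filesystem calls is already known to be an address, and the containment check is a second layer rather than the only one.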

Open relay

When using this, bots are using the mailserver to send out SPAM.

Is there any way you could tell the mailserver to only accept outgoing connections from localhost?

Is it possible to import old mail after a migration?

I've been messing with migrating the install and found that after I move the install to a new server opentrashmail fails to load previous emails.
It will only display emails up to the point in which it started receiving new emails.

So is it possible to tell opentrashmail to list old emails that are still on disk in the data dir?

custom settings per address

Settings should be overwritable per address.

So I can set cleanup time for a few hours but only on one address, etc.

Also opens possibilities for configuring forwarding emails to different (real) mailboxes on a per-address basis.

Consider using moment.js for date formatting

I'm in the US, and the date format opentrashmail is using doesn't make sense to me at first glance since we use Month/Day/Year format.

moment.js would be great for this type of date formatting to allow others to use the format they're used to.

This could be a quick add by using an option inside config.ini to define the string format, then have PHP grab the string format when it loads $settings, and adding that to the $o array. JavaScript can then grab that string format and format the epoch accordingly.

I have a working example and can submit a PR if you'd like?

Edit: here's the working example: https://github.com/poblabs/opentrashmail/commit/f82d50b56e27fe4df6e07f74a740284d5cbde352

Logs and account list not secure

While the admin page and password are enabled, the logs/accounts list pages are still accessible without a password by going to /logs and /listaccounts respectively.

E-Mail not displayed on Webinterface

Steps to reproduce:

  1. run using docker as described in readme
  2. send e-mail

expected behaviour:

  • e-mail gets saved to disk
  • e-mail gets displayed on webinterface

actual behaviour:

  • e-mail gets saved to disk
  • e-mail doesn't get displayed on webinterface

Starting Open Trashmail
From https://github.com/HaschekSolutions/opentrashmail
6fec905..cc7b184 master -> origin/master
Updating 6fec905..cc7b184
Fast-forward
web/api.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[+] Starting php
[+] Starting nginx
[+] Setting up config.ini
[i] Active Domain(s): mytestdomain.xyz
[i] Setting up dateformat to: 'D.M.YYYY HH:mm'
[+] Starting Mailserver
[i] Starting Mailserver on port 25
2021-07-11 15:13:15,569 - main - DEBUG - Receiving message from: 1.2.3.4
2021-07-11 15:13:15,570 - main - DEBUG - Message addressed from: [email protected]
2021-07-11 15:13:15,570 - main - DEBUG - Message addressed to: ['[email protected]']
2021-07-11 15:13:15,578 - main - DEBUG - Subject: Test

Mailserver and Addresses have been replaced by example.com, mytestdomain.xyz and 1.2.3.4

How to disclose a potential security issue?

Hey there,

As there isn't a SECURITY.md or contact address in your repository, I am not sure how to contact you regarding a potential security issue.

Would you kindly provide an email so I can send you the details? Else, simply add a SECURITY.md file with an e-mail to your repository. GitHub recommends this as the best way to ensure security issues are responsibly disclosed. Or perhaps I should just email @geek-at directly?

Look forward to hearing from you, thanks!

Repeated uncaptured exception

Error is repeated for several emails over and over again. In the UI no information is shown; however, the file stored seems to be half written.

Error;

error: uncaptured python exception, closing channel <smtpd.SMTPChannel connected <IP>:4996 at 0x7ff4397f57d0> (<type 'exceptions.UnicodeDecodeError'>:'utf8' codec can't decode byte 0xe0 in position 6753: invalid continuation byte [/usr/lib/python2.7/asyncore.py|read|83] [/usr/lib/python2.7/asyncore.py|handle_read_event|449] [/usr/lib/python2.7/asynchat.py|handle_read|165] [/usr/lib/python2.7/smtpd.py|found_terminator|181] [mailserver.py|process_message|145] [/usr/lib/python2.7/json/__init__.py|dump|189] [/usr/lib/python2.7/json/encoder.py|_iterencode|434] [/usr/lib/python2.7/json/encoder.py|_iterencode_dict|408] [/usr/lib/python2.7/json/encoder.py|_iterencode_dict|390])
error: uncaptured python exception, closing channel <smtpd.SMTPChannel connected <IP>:61516 at 0x7ff4397f57d0> (<type 'exceptions.UnicodeDecodeError'>:'utf8' codec can't decode byte 0xe0 in position 6753: invalid continuation byte [/usr/lib/python2.7/asyncore.py|read|83] [/usr/lib/python2.7/asyncore.py|handle_read_event|449] [/usr/lib/python2.7/asynchat.py|handle_read|165] [/usr/lib/python2.7/smtpd.py|found_terminator|181] [mailserver.py|process_message|145] [/usr/lib/python2.7/json/__init__.py|dump|189] [/usr/lib/python2.7/json/encoder.py|_iterencode|434] [/usr/lib/python2.7/json/encoder.py|_iterencode_dict|408] [/usr/lib/python2.7/json/encoder.py|_iterencode_dict|390])

Let me know if you'd like the partial file sent over in private

README Improvements

Hey there!

I was looking over your project and setting it up to use it myself. As I was going through the README, I noticed a handful of spelling and grammar errors.

Would you have an interest in me submitting a PR to fix those? They're already up on my branch here.

Docker for ARM

Have you built a docker for ARM? I am interested in using opentrashmail on raspberrypi.

Admin account returning no emails

Not sure if I'm misunderstanding the limited docs, but when attempting to set the admin account with the docker image I'm unable to view all emails sent to the server, instead only seeing messages sent to the set address.
Docker logs confirm that the value has been read with [i] Set admin to: "[email protected]"

I have tried setting the ADMIN environment variable to different values such as admin and [email protected] to no success, even attempting addresses that are not on the hosted domain.

Date format value ignored

Setting the DATEFORMAT variable for the container the WebUI displays no changes.

For example;
Date format; dddd, MMMM Do YYYY, h:mm:ss a
Expected output; Wednesday, November 8th 2023, 3:36:17 pm
Actual output; 2023-11-08T15:36:17+00:00

undefined function mime_content_type()

This is a fun project, thanks for creating it! Today when I was playing around with it in a Docker container, I used Outlook to send an attachment of a screenshot saved in JPG, and when I received the email in opentrashmail, I get the subject and body. When I click on the attachment link I received:

Fatal error: Uncaught Error: Call to undefined function mime_content_type() in /var/www/opentrashmail/web/api.php:34 Stack trace: #0 {main} thrown in /var/www/opentrashmail/web/api.php on line 34

I'm not sure how else to help, my docker troubleshooting skills aren't the best. Let me know how I can assist.

Feature request; option to add random characters to addresses

It'd be nice to increase the randomness of addresses generated to help reduce the effectiveness of brute-force API checks.

For example, being able to swap a word for a number of random characters in either the username or subdomain if using wildcard domains.

This would make addresses less memorable but it could be recommended that users bookmark the URL to regain access upon generating a new address.

mailfrom.endswith block all

Hi
I have a problem with blocking emails that do not come from a specific domain.
The mailfrom.endswith element works independently in test but in the server all received mails are "Email not trusted".
if (not mailfrom.endswith("@mydomain.com") or not mailfrom.endswith("@mydomain2.com")): raise Exception("Email not trusted")
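Why the condition in this issue rejects every sender, next to an allowlist check that behaves as intended, as an added example that is not code from the project or from the reporter. rule_from_issue reproduces the posted condition; is_trusted_sender and ALLOWED_SENDER_DOMAINS are hypothetical names, and the sample addresses are constructed.

```python
from email.utils import parseaddr

# Domains taken from the condition posted in the issue.
ALLOWED_SENDER_DOMAINS = ("mydomain.com", "mydomain2.com")


def rule_from_issue(mailfrom):
    """The posted condition; True means 'raise Email not trusted'.

    No string ends with both suffixes, so at least one `not ...endswith`
    is always True and the `or` rejects every sender.
    """
    return (not mailfrom.endswith("@mydomain.com")
            or not mailfrom.endswith("@mydomain2.com"))


def is_trusted_sender(mailfrom, allowed=ALLOWED_SENDER_DOMAINS):
    """True if the sender's domain is exactly one of the allowed domains.

    Equivalent to joining the two negated tests with `and` (De Morgan),
    with case-insensitive matching and tolerance for "<addr>" wrapping.
    """
    _, addr = parseaddr(mailfrom)
    local, sep, domain = addr.rpartition("@")
    return bool(local and sep) and domain.lower().rstrip(".") in allowed


if __name__ == "__main__":
    # Constructed sample senders.
    for sender in ("user@mydomain.com", "<User@MyDomain2.COM>",
                   "x@example.org", "x@evil-mydomain.com", ""):
        print(f"{sender!r}: issue rule rejects={rule_from_issue(sender)}, "
              f"trusted={is_trusted_sender(sender)}")
```

The envelope sender is supplied by the connecting client, so a check like this filters mail rather than authenticating it.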

Discarding email even though correct domain

Docker output

Starting Open Trashmail
 [+] Starting php
 [+] Starting nginx
 [+] Setting up config.ini
   [i] Active Domain(s): 0xfs.eu
   [i] Setting up DISCARD_UNKNOWN to: true
   [i] Using default dateformat
 [+] Starting Mailserver
[i] Starting Mailserver on port 25
2022-07-27 08:06:17,750 - __main__ - DEBUG - Receiving message from: 209.85.222.174:44678
2022-07-27 08:06:17,751 - __main__ - DEBUG - Message addressed from: xyz
2022-07-27 08:06:17,751 - __main__ - DEBUG - Message addressed to: ['[email protected]']
2022-07-27 08:06:17,776 - __main__ - DEBUG - Subject: test
2022-07-27 08:06:17,777 - __main__ - INFO - Discarding email for unknown domain: 0xfs.eu

Error starting mailserver

I get an error starting mailserver on port 25, even though I chose a different port.
Google says, it is because it is being started as non-privileged user nginx.
su - nginx -s /bin/ash -c 'cd /var/www/opentrashmail/python;python mailserver.py'

error: uncaptured python exception

Hi there,
Firstly, thank you for the great app!
Since I installed it 2 weeks ago it was working for me smoothly. Unfortunately, today I started receiving an error message like this on every email I've got.

error: uncaptured python exception, closing channel <smtpd.SMTPChannel connected 209.85.160.180:40637 at 0x7f906b043320> (<type 'exceptions.NameError'>:global name 'em' is not defined [/usr/lib/python2.7/asyncore.py|read|83] [/usr/lib/python2.7/asyncore.py|handle_read_event|449] [/usr/lib/python2.7/asynchat.py|handle_read|165] [/usr/lib/python2.7/smtpd.py|found_terminator|181] [mailserver.py|process_message|92])
Starting Open Trashmail

Limit attachment size

Could you add the possibility to limit the attachment size? Or the total email size to let's say 2Mb?

500 Error: (TypeError)

Hi there,

First off, I love this project. I set this one up in no time using docker. Regular emails work fine, but when adding attachments, I am getting:

500 Error: (TypeError)
'NoneType' object is not subscriptable (in reply to end of DATA command)

I am using hascheksolutions/opentrashmail:latest

Emails are stored as root:root

I ran a password-less opentrashmail for a few months, which of course has attracted spammers/robots, etc. I start it the following way:

docker run -d --restart=always --name opentrashmail -e "DOMAINS=XXXXX" -e "DATEFORMAT='YYYY-M-D HH:mm'" -p 80:80 -p 25:25 -v /home/qdii/opentrashmail/data:/var/www/opentrashmail/data hascheksolutions/opentrashmail

However I noticed that the emails are stored either as user "uuidd" (group id 101), or "root"

$ ls -l | tail
drwxr-xr-x 2 root  root  4096 Jan 23 16:42 [email protected]
drwxr-xr-x 2 root  root  4096 Jan 23 16:42 [email protected]
drwxr-xr-x 2 root  root  4096 Jan 23 16:42 [email protected]
drwxr-xr-x 2 uuidd uuidd 4096 Jan 12 07:11 [email protected]
drwxr-xr-x 2 uuidd uuidd 4096 Jan 12 07:11 [email protected]
drwxr-xr-x 2 uuidd uuidd 4096 Jan  2 01:22 [email protected]
drwxr-xr-x 2 root  root  4096 Jan 24 12:14 [email protected]
drwxr-xr-x 2 root  root  4096 Jan 23 16:42 [email protected]
drwxr-xr-x 2 root  root  4096 Jan 23 16:42 [email protected]
drwxr-xr-x 2 root  root  4096 Jan 23 16:42 [email protected]

That sounds a bit wrong.

Attachments won't open

When I try to open any attachment I get this message: {"status":"err","reason":"File not found"} in the browser.
The file is stored in the file system in the attachments directory
Any idea how to fix?

Thanks

Admin mailbox does not auto refresh

I'm working on a PR for a few bugs I'm seeing, but I wanted to document this one too. When you first open the site and you first access the admin account, the setInterval(updateEmailTable, 5000) isn't invoked. Don't know why yet.

If you load another non-admin account, it works, and if you then go to the admin account, it works because the setInterval is already set.

In some cases, the setInterval is set two times.

Attached images in HTML preview do not work

Attached images in HTML preview section do not render. Here is an example:


The images' src is always a non-URL. For example:

A fix for this issue is to rewrite the image tag's src in the HTML preview section. cid:[email protected] would become http://example.com/api.php?a=attachment&[email protected]&id=12345&filename=test.jpg.

Also, < and > are getting rendered inside the Raw Email section as HTML. These characters need to be escaped.

Allowing for random subdomains

Would it be possible to allow for domains with random subdomains?

If I have example.com as my domain, I would like to generate <adjective>.<noun>@<other random word>.example.com

function generateRandomEmail() $nouns $adjectives

The $nouns $adjectives arrays are set twice.

I was wondering why I kept getting the same email addresses.
Found that it was set twice. For now I commented the duplicate out.

worth fixing :)

-Dennis

Random generation does not work

It seems like the random generation button does not work. Nothing seems to pop up in the console log.

Edit
localhost are logged in the console only

delete attachment

Hi,

deleting an email does not delete the attachment.

Nothing in the logs.

-Dennis

"Generate random" button does not work in docker with no domain

Config:

  • Run in docker
  • No domain configured

Command: docker run -it -p 25:25 -p 80:80 hascheksolutions/opentrashmail

Then try to Generate Random


From my test, it seems like it randoms something like this: duddy-window@localhost and loadAccount does not accept this as it is not a valid email.

Maybe adding an alert if the domain is not set?

How to configure multiple domain ?

Hi,

First, thanks for your job.

I would like to configure multiple domains and tried this command:

docker run -d --restart=unless-stopped --name opentrashmail -e "DOMAINS=test.fr, test2.fr test3.fr" -e "DATEFORMAT='D.M.YYYY HH:mm'" -e "DISCARD_UNKNOWN=true" -e "DELETE_OLDER_THAN_DAYS=1" -p 80:80 -p 25:25 hascheksolutions/opentrashmail

But that did not work.

Is it possible?

Thanks

template rss.xml.php

Hi there,

rss.xml.php needs some fixing.

The view raw email link is not pointing to the actual email.

It should look like this:

<a href="<?= $url ?>/api/raw/<?= $email ?>/<?= $id ?>">View raw email</a> <br/>

https for Web interface

Lack of https security while reading mail, even trash mail, sounds like a crazy thing.
Even a self-signed certificate would be "good" and enough for such a service.

Can access admin page without password

The newly added admin page can be accessed without being prompted for a password.

From a quick read of the code it appears that the environment variable ADMIN_PASSWORD isn't being passed to the config file within start.sh, not sure if this is the cause but it very well may be.

Admin mode header issues

When accessing account for ADMIN user, the AJAX call makes the header th's start to stack instead of reloading properly.

on docker

