Proxy & cache embedded email images and other resources

[infogulch]

Gmail is well-known for proxying embedded email image resources through their servers and caching them for future requests. This has the nice benefit of preventing busybodies and creepy marketers from getting the IP of users' client machines. And due to caching senders can only know the first time the user opened an email, as subsequent requests would be cached. Briefly in 2013 they also pre-downloaded and cached images as soon as the email was received which also prevented the sender from knowing when or even if the user opened the email.

I think this is right in line with mail-server's current security features like spam and phishing filters. Has a feature like this ever been considered?

[andreymal]

Gmail doesn't proxy anything when using IMAP

[infogulch]

I just checked and gmail does proxy images when using the web client. If gmail edited urls to point to their server I guess it would get messy when replying/quoting the original email if you're using a traditional email client.

So it seems this feature may be split between client-side and server-side parts.

I assume the server-side could just be some kind of generic authenticated caching proxy. (?)

Maybe a web-based client would use something like Proxy Auto-Configuration (PAC) to proxy requests? (I've never heard of PAC until I found it just now so idk.) Native apps would need to implement proxying however it works best in their environment...

[mdecimus]

Stalwart does check for malicious URLS in emails but it's hard to tell whether any of those URLs will track the IP.
In any case, this is a feature that should be handled by your mail client as Stalwart is just a mail server at the moment and does not deal with presenting the message to the user.

[infogulch]

it's hard to tell whether any of those URLs will track the IP

I think it's safe to assume that all external urls will track the IP.

I agree a large portion of this feature would need to be implemented by the client. However there is still a need for some server features:

• Clients will need to route their requests through a caching proxy, which has to be running somewhere...
• Pre-caching assets as emails arrive will require the server to use the same caching proxy as the clients

It seems logical to me that this proxy service should be run along with the email server.

The hard part may be coming up with a standard way to configure clients and the pre-caching server.

[infogulch]

While gmail no longer pre-caches remote resources, I found that Protonmail does now by default: Enhanced Tracking Protection, Loading images in Proton Mail.

[infogulch]

Now that you guys have a webmail client on the roadmap¹, do you think tracking protection is something you might look into? I'm not aware of any other open source product that supports tracking protection, and I suspect such a feature would be appreciated by kinds of people that run their own mail server. :)

Footnotes

1. https://stalw.art/blog/roadmap/ ↩

[mdecimus]

Do you mean removing trackers from HTML MIME parts or what do you mean exactly?