LEI-SECURITY(7)            public-inbox user manual            LEI-SECURITY(7)

NAME

       lei - security information

SYNOPSIS

       lei(1) is intended for use with both publicly-archived and "private"
       mail in personal mailboxes.  This document is intended to give an
       overview of security implications and lower^Wmanage user expectations.

DESCRIPTION

       lei expects to be run as a regular user on a Unix-like system.  It
       expects a case-sensitive filesystem with standard Unix permissions
       support.

       It does not use POSIX ACLs, extended attributes, nor any other
       security-related functions which require non-standard Perl modules.

       There is preliminary support for "virtual users", but it is incomplete
       and undocumented.

INTERNAL FILES

       lei runs with a umask of 077 to prevent other users on the system from
       accessing each other's mail.

       The git storage and Xapian databases are located at
       "$XDG_DATA_HOME/lei/store" (typically "~/.local/share/lei/store").  Any
       personal mail imported will reside here, so this should be on an
       encrypted filesystem or block device.

       "$XDG_RUNTIME_DIR/lei" (typically "/run/user/$UID/lei" or
       "/tmp/lei-$UID") contains the socket used to access the lei daemon.  It
       must only be accessible to the owner (mode 0700).

       "$XDG_CACHE_HOME/lei" (typically "~/.cache/lei") will contain IMAP and
       Maildir folder names which could leak sensitive information as well as
       git repository names.

       "$XDG_DATA_HOME/lei/saved-searches" (typically
       "~/.local/share/lei/saved-searches") will contain aforementioned folder
       names as well as (removable) search history.

       The configuration for lei resides at "$XDG_CONFIG_HOME/lei/config"
       (typically "~/.config/lei/config").  It may contain sensitive pathnames
       and hostnames in the config if a user chooses to configure them.

       lei itself will never write credentials to the filesystem.  However,
       git-credential(1) may be configured to do so.  lei will only read
       "~/.netrc" if "--netrc" is used (and it will never write to
       "~/.netrc").

       "$XDG_CACHE_HOME/public-inbox" (typically "~/.cache/public-inbox") can
       contain data and Inline::C-built modules which can be shared with
       public-facing public-inbox-daemon(8) instances; so no private data
       should be in "public-inbox" paths.
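
       An added example, not part of lei or of this manual's original text:
       a POSIX sh audit of the private locations listed above, flagging any
       entry owned by another user or carrying group/other permission bits.
       The function names are hypothetical.

```sh
#!/bin/sh
# Added example (not part of lei): flag lei paths from INTERNAL FILES that
# are not private to the current user.  Function names are hypothetical.

# Print lei's private locations using the XDG defaults given in this manual.
lei_private_paths() {
	data=${XDG_DATA_HOME:-$HOME/.local/share}
	echo "$data/lei/store"
	echo "$data/lei/saved-searches"
	echo "${XDG_CACHE_HOME:-$HOME/.cache}/lei"
	echo "${XDG_CONFIG_HOME:-$HOME/.config}/lei/config"
	if [ -n "${XDG_RUNTIME_DIR:-}" ]; then
		echo "$XDG_RUNTIME_DIR/lei"
	else
		echo "/run/user/$(id -u)/lei"
		echo "/tmp/lei-$(id -u)"
	fi
}

# Print every entry at or below $1 that is owned by someone else or grants
# any group/other permission bit (what umask 077 prevents).  Symlinks are
# skipped because their own mode bits carry no meaning.  POSIX find(1) only.
lei_findings() {
	find "$1" ! -type l \( ! -user "$(id -u)" \
		-o -perm -040 -o -perm -020 -o -perm -010 \
		-o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Check each existing path; return non-zero if anything was flagged.
audit_lei() {
	rc=0
	while IFS= read -r p; do
		[ -e "$p" ] || continue
		out=$(lei_findings "$p") || :
		if [ -n "$out" ]; then
			printf '%s\n' "$out" | sed 's/^/not private: /'
			rc=1
		fi
	done <<EOF
$(lei_private_paths)
EOF
	return "$rc"
}

audit_lei || echo 'tighten with: chmod -R go-rwx PATH' >&2
```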

EXTERNAL FILES

       Locations set by lei-add-external(1) can be shared with public-facing
       public-inbox-daemon(8) processes.  They may reside on shared storage
       and may be made world-readable to other users on the local system.

CORE DUMPS

       In case any process crashes, a core dump may contain passwords or
       contents of sensitive messages.  Please report these so they can be
       fixed (see "CONTACT").

NETWORK ACCESS

       lei currently uses the curl(1) and git(1) executables in $PATH for HTTP
       and HTTPS network access.  Interactive authentication for HTTP and
       HTTPS is not yet supported since all currently supported HTTP/HTTPS
       sources are PublicInbox::WWW instances.

       The Mail::IMAPClient library is used for IMAP and IMAPS.  Net::NNTP
       (standard library) is used for NNTP and NNTPS.

       Mail::IMAPClient and Net::NNTP will use IO::Socket::SSL for TLS if
       available.  In turn, IO::Socket::SSL uses the widely-installed OpenSSL
       library.

       STARTTLS will be attempted if advertised by the server unless IMAPS or
       NNTPS are used.  "-c imap.starttls=0" and "-c nntp.starttls=0" may be
       used to disable STARTTLS.

       IO::Socket::Socks will be used if "-c imap.proxy" or "-c nntp.proxy"
       point to a "socks5h://$HOST:$PORT" address (common for Tor).

       The "--netrc" switch may be passed to curl and used for NNTP/IMAP
       access (via Net::Netrc).

CREDENTIAL DATA

       lei uses git-credential(1) to prompt users for IMAP and NNTP usernames
       and passwords.  These passwords are not encrypted in memory and get
       transferred across processes via anonymous UNIX sockets and pipes.
       They may be exposed via syscall tracing tools (e.g. strace(1)), kernel
       and hardware bugs/attacks.

       While credentials are not written to the filesystem by default, it is
       possible for them to end up on disk if processes are swapped out.  Use
       of an encrypted swap partition is recommended.

AUTHENTICATION METHODS

       LOGIN (username + password) is known to work over IMAP(S), as does
       AUTH=ANONYMOUS (which is used by public-inbox-imapd(1) as part of our
       test suite).  AUTHINFO may work for NNTP, but is untested.  Testers
       will be needed for other authentication methods.

DENIAL-OF-SERVICE VECTORS

       lei uses the same MIME parsing library as public-inbox-mda(1), with
       limits on header sizes, parts, nesting and boundaries similar to
       those found in SpamAssassin and postfix.

       Email address parsing is handled by Email::Address::XS if available,
       but may fall back to regular expressions which favor speed and
       predictable execution times over correctness.

ENCRYPTED EMAILS

       Not yet supported, but it should eventually be possible to configure
       decryption and indexing of encrypted messages and attachments.  When
       supported, decrypted terms will be stored in Xapian DBs under
       "$XDG_DATA_HOME/lei/store".

CONTACT

       Feedback welcome via plain-text mail to <mailto:meta@public-inbox.org>

       The mail archives are hosted at <https://public-inbox.org/meta/> and
       <http://4uok3hntl7oi7b4uf4rtfwefqeexfzil2w6kgk2jn5z2f764irre7byd.onion/meta/>

       Copyright all contributors <mailto:meta@public-inbox.org>

       License: AGPL-3.0+ <https://www.gnu.org/licenses/agpl-3.0.txt>

SEE ALSO

       lei-overview(7), lei(1)

public-inbox.git                  1993-10-02                   LEI-SECURITY(7)