Those are orthogonal though. There’s nothing that dictates that one needs webpack when using, say react vs jQuery for example. The point of the post stands.
What puzzles me is that they use jQuery. You don’t need jQuery. Browser JavaScript APIs are well standardized and already include most, if not all jQuery functionalities. Perhaps with a little bit less syntax sugar.
Old school simple script tags are underrated. I made a simple game last year in JavaScript using only a single HTML file and a single script. No npm modules, no libraries. I think the work of setting up/understanding the whole load of glue and piping of “modern JavaScript” alone would require more effor than the whole project.
I’m in the emailing business, too. We are hosting our own MTAs with our own IP address space totaling under 500 EUR a month on bare-metal in a data center in Frankfurt, Germany.
But you can have it even cheaper: You can get a /24 for around 100 EURs a month, you can announce that address space using cloud hosters such as Vultr who are super fast, reliable and not really expensive. You can use all of thoses IPs on one VM or split them up like you want.
Out of curiosity, how many watts of power are you getting at 500eur/mo? My vague recollection from a few years ago was that colo providers would hand out rack units for negligible money but charge something like 100eur/mo per ~200W since every Joule the servers consume has to be paid for twice - once at the point of use, then again for the HVAC required to dump the heat. (But all the colo providers I worked with had racks and ranks going spare because servers are so power dense now that their AC and PSUs couldn’t keep up if all the space was filled with hot servers)
My numbers are not really representative, but we pay around 30 EUR per 150 W ish. Luckily for us we are housed in a shared rack and heat was only once an issue where the data center provider was having an AC outage.
I agree, some DCs are housing some super old hardware which are dissipating a lot of power in form of heat so they didn’t only maxing out the available power, but were also forced to keep spare units.
Question from someone who doesn’t know anything about MTAs: Why do you need so many IP addresses? Is it just that you need many servers to handle the amount of emails and thus 1 IP address per server, or is it something else that I am missing?
So you basically spread out the traffic over the IP addresses to keep your reputation stable. I’d love to know more about how that works. Do you rotate through the addresses? Have a container for every address?
Setting up PTR (or rDNS) record on AWS is only achievable via a request ticket and requires several exchanges. In comparison, on UpCloud (our current cloud provider) this could be done directly on the dashboard.
A lot of people use EC2 VMs as “stable” servers, and it’s fine, but my theory is that they were not designed as such in the first place. I mean, it’s in the name: Elastic Compute Cloud. For an elastic server, rDNS is typically not a hard requirement, neither is a “clean” IP address. That may explain why there isn’t a simple and easy UI to change rDNS records.
Did you consider hosting your own MTAs in a datacenter? It may be quite expensive (maybe around 1-2k€/mo in Paris for a half-rack and a /28 of addresses), but you can have your long-term IP addresses blocks and make sure your IPs are always clean.
I have experience with only one DC in Paris, which is “Zayo Poissonière”, located in the 2nd ward. The security is good, and the location is super convenient (which is important if you have employees based in Paris). I guess other datacenters located in the suburbs are more affordable, but much less convenient.
You can always buy this management service to a company.
In a previous job, we used to have racks in 2 equinix datacenters in Paris, operated by another company. We had access to servers (even the management interface), but we had to go through tickets when asking for networking changes (because we were connected to their network infrastructure to avoid running ours), but also all physical maintenance like changing disks or racking new servers. They took care of our IPs too (we had a /26), so all BGP etc.
I found that this solution was the perfect mix between not using a cloud provider, and still not running everything ourselves.
If you want to go self hosted to that point, I think this is a really neat approach.
Agree, renting a bunch of servers can be a very nice solution. You get exactly the specs you want, you get real hardware (and you can get an actual physical private network for them), and you still never have to go to a datacenter.
This seems like a really useful project! I’m wondering what kind of mail backends this would support? I think using this with GMail might be out of the question, the forwarded mail might be stopped due to SPF. The document gives information about setting up DKIM/SPF, but the way I read this it’s only for outgoing mail (from me to the party I’m hiding my real address from). Or is there some rewriting in place?
Maybe I’ll try setting this up, but I’m not a big fan of Docker, especially when the application has specific network requirements. I didn’t check the Dockerfile yet, but I hope this will be easy enough to run in a FreeBSD jail.
Anyway, great work! We need more projects like these.
wondering what kind of mail backends this would support?
What do you mean by “mail backend”? SimpleLogin uses Postfix to send and receive emails. You could also config Postfix for it to send emails from other mail servers (e.g. Gmail) but then SPF check would fail.
forward received emails to your personal email inbox
Ah, from the diagram I see you use SRS rewriting. I’m not sure about this, but I was kinda hoping ARC (Authenticated Receive Chain) would solve this without rewriting?
ARC is indeed a good idea to handle email forwarder case. Its status is still experimental though.
ARC wouldn’t be useful for SimpleLogin though as it rewrites both the “from” and “to” header to implement the “reply flow” so when user replies, the email is routed through SimpleLogin.
An open source project, where there is also a cloud-hosted version by the author, is not necessarily a spam post. Goat Counter does exactly the same thing and got a lot of upvotes on Lobste.rs. Whether the link goes to the Github README or a separate blog shouldn’t make much of a difference methinks?
The only sketchy thing here is that the Lobste.rs username matches the project name. But that doesn’t make the project itself bad. Maybe they’ll change their username to something more personal.
I’m really careful in not promoting/spamming GoatCounter too much here. For example, I wrote some things on my website about it that I didn’t post here, and I tend to refer to it as “the project I’m working on” in comments when I don’t really need to reference it by name. Additionally, I’ve been posting here for a while with quite a number of comments/submissions. I also just happen to be developing this product, but that’s not why I’m here.
I’m sure Son has the best of intentions (SimpleLogin uses GoatCounter, and provided some pretty useful feedback), but I’ve seen several SimpleLogin stories in the last few weeks, and IMHO it’s a little bit too much. Self-promotion is fine IMHO, but it’s all about the balance.
Hey what’s funny is some trending posts about SimpleLogin aren’t even posted by us, I learnt about them when they are trending on Reddit.
We are preparing an official launch so are posting about “the project we’ve been working on” ;) a bit everywhere. Lot of constructive feedbacks, some haters (obviously) but so far so good.
Yeah, it’s just some things I noticed here. Maybe my impressions are wrong 😅 Also, as someone else pointed out having the username “simplelogin” probably isn’t helping. You can change it in Lobsters on your profile at any time.
Self-advertising is not bad per se, I discovered some cool projects by their authors and I have met a lot of amazing people who support SimpleLogin via my “self-promotion” posts. For me, what’s more important is the content itself.
It’s sad that people don’t even look at the post before classifying it as “spam”.
I think maybe the match between your username here and the name of the product causes a knee-jerk reaction. Have you considered using the same username here that you use on Github?
I use the product name as username on reddit and HN so anyone could know immediately that I’m self-promoting and not trying to fake a positive review. Anw just changed my username :).
I’ve been working on an email forwarder service https://github.com/simple-login/app. It uses a rather standard Flask stack: sqlalchemy for ORM, alembic for database migration, flask-login for authentication, etc.
Hi guys, author here. I made this tool to hide my personal email by using “email alias”. The project is fully open source and can be self-hosted. The self-hosting instruction is relatively simple and the most complex part is maybe DNS setup on your DNS registrar.
The code has been deployed in production since several months now and is stable. It also comes with some niceties like a Chrome/Firefox/Safari extension and (soon) mobile apps.
I’ve been doing this for a few years and find it useful for two reasons: 1) it’s really easy to block spam by email address, when a site gets too liberal in its use, it’s easier just to send all email to the bit bucket rather than try to figure out their unsubscribe process that usually doesn’t work: 2) the curiosity of seeing who shares email addresses. Since I create unique addresses it’s more likely that someone sending to that address got it from the site.
The easiest way I’ve found to do this is to register a domain with a host that gives you an MX dns record. I’ve been registering a domain for 15 years or so and hosting with a cheap Linux cpanel host for $30/year. I have multiple sites so it’s not a direct cost, but I would think you could do this for $30-60/year depending on your dns name and host.
I have a default address set up [0] to forward all mail on the domain that doesn’t have a mailbox to an account I monitor. I don’t have to set up anything beforehand to use a “new” address. To make it easier to remember the account, I just use the site’s domain name at my domain (eg, if I register with cnn.com, I would use cnn@prepend.com).
I’ve been doing this so long, I would probably keep the domain and host even if I didn’t need web hosting any more.
The weakness is that if sites learned of my personal system they could exploit it for spam or misdirection purposes, but that seems like a pretty rare probability since I’m just a scrub.
I’ve thought about making this a product because it’s so easy to use, but explaining the concept of abstraction and pointers and redirects has been hard for me to do to non-technical people who think mailboxes are physical things.
I would suggest using an email alias solution that can handles the forwarding and custom domain management for you to 1)reduce cost and 2)have other features like alias management interface, browser extension, etc. 3) someone to monitor and fix issues if something wrong happens.
I would obviously recommend mine (SimpleLogin) but a lot of other email alias solutions work too. If you prefer you could also deploy SimpleLogin on your own server. The deployment is actually relatively easy as it’s based mostly on Docker.
Thanks for the suggestion. Simple login looks neat, but is more effort than my current approach since I don’t need to preregister anything. I just use the address. This is really handy as when I’m at Home Depot and they ask for my email, there’s no way I could pull out my phone and set up an email but I can easily say “homedepot@prepend.com” and know that I’ll get the email two seconds later. (It’s also easy because the cashier can recognize the address and type it in)
If I didn’t have this functionality as a by product of my hosting setup, I’d be more likely to try it. I can only run PHP and CGI apps given my hosting, but since you run in a docker container, I’ve added your stuff to my mental list of things to play around with on my home servers.
#1 is probably a big deal for most people. #2 isn’t important to me. I’ve never had a need for #3.
One of the big reasons I do this is for privacy, so #3 is kind of a downside as I don’t want to have a third party that if they get breached will reveal info I don’t want. The DNS thing is nice because there is no alias config anywhere.
There’s email addresses stored by third parties that are mostly unique. And there’s a mailbox with lots of email. My mail server doesn’t keep logs and I can search and filter pretty well with my email clients and services. Self-hosting simplelogin is important to me to prevent the third party risk.
After I decided to self-host my emails, I started doing that.
It is a pain to manage, as your email address then becomes a second password that you must keep track of. You have to be extremely organized so you don’t forget what your email address was in case you forget the password and want to recover it.
I’ve found myself in the situation where I am 100% sure of the password, and I had to try the email 3-4 times before I get it right (does it includes the “-” in the name? Is it the company name only ? …). It can also gets complicated for administrative papers when you have to spell out your email address to someone (I had someone tell me “I want YOUR email address, not ours”, because I gave them an alias with the company name in it, and they found it suspicious).
After some time, I decided to go with more generic addresses like “shop@”, and now it blurs the line even more and I’m completely lost.
As I didn’t record the aliases I created, and decided to simply forward any single address to my user, I am today unable to know how much aliases I created, and which ones were used.
Requiring to create the alias manually before you can use it is painful though…
Hopefully, I still have all my archives so I can still scrap all the To: fields to get them back.
So yeah, we should have one email per website, but it requires a lot of discipline.
This is indeed the only option I have. Unfortunately not all email applications give you this kind of granularity for searching (eg, my phone stock app).
You still need some discipline though, as for this to be true, you must keep at least 1 email with the alias in the to: field (I save all the confirmation links email for this exact purpose).
I use a separate domain with a catch-all redirect on my mail server. That way I know anything coming to that domain is from something I registered. I can just use the site name @mydomain.
I would suggest using an email alias solution instead. Self hosting emails is feasible but requires a lot of time and doesn’t come with other niceties an email alias solution could provide like browser extension, alias management UI, etc. Our solution (SimpleLogin) is relatively easy to self host so you can deploy it on your server to manage your alias. The self-hosting instructions are based on Docker so should be compatible with most of servers.
I decided to self-host my emails so I am in charge of handling my emails, and not a company. Having the ability to use one address per website was only a consequence to this move.
I am however not dedicated enough to this practice to justify using an external solution just for this. grepping my To: fields is enough for my needs given that I use a catchall alias.
Your solution might not be for me, but this is definitely good that you provide this solution for people that might need that for use with email services they do not control.
I’ve never looked back and it lets you trivially identify (and filter) spam sources. Also you can use tagging for your normal mail steering rules (eg. bob+mailinglistname@)
Except you can’t reply from a + address from gmail. I’ve been unable to talk to support for some services because I wasn’t replying from the email address on file.
Besides, spammers know how to strip it away by now. With a full address, they have to guess.
For the issue of stripping it away I just reject email addressed to the untagged address. I also have a totally separate untagged address solely for personal use.
I like that alternative form though, as I’ve struggled with services/sites that don’t support + addresses (like Microsoft last I checked), having to resort to aliases.
To help with remembering alias and able to generate quickly an alias on-the-fly, SimpleLogin (my startup) also creates a similar feature called directory: basically you reserve a directory, let’s say my-dir, then you can create alias quickly by using my-dir/anything_here@my_domain.com. It works similarly to the + trick but we find that easier to remember as this is similar to how directory/file works. We also plan to support + trick for users who prefer Gmail style.
The + is more than just a trick, as specified in rfc5233:
Subaddressing is the practice of augmenting the local-part of an [RFC2822] address with some ‘detail’ information in order to give some extra meaning to that address. One common way of encoding ‘detail’ information into the local-part is to add a ‘separator character sequence’, such as “+”, to form a boundary between the ‘user’ (original local-part) and ‘detail’ sub-parts of the address, much like the “@” character forms the boundary between the local-part and domain.
It makes it much more easier for the website to extract your actual email address.
Apple recognises this email problem and created this solution. However there are 2 downsides:
this only works on website that implements this “Sign in with Apple” button and
user has to trust Apple, although better than the other Big Tech in terms of privacy, has other businesses (Apple also has its own ads business) and is not open source.
Both good points. Since apple handles the forwarding, while this gives the user the ability to modify the forward target and/or disable it at any point, does mean that apple is a party to the content (eg. middleman) of the email.
I tried this once, years ago. I found it unmanageable, and eventually had to stop due to the maintenance overhead. Also, since it implies self-hosting your email, it introduces additional attack surface such as what’s described in the essay How I Lost My $50,000 Twitter Username.
What I really wish is that there were a viable alternative to email and that sites had an incentive to adopt it. With many sites, the sole benefit to users is that email allows account recovery. It’s ridiculous to have to give out such a valuable identifier just for that.
The more I see the $50k twitter username story as a case against self-hosted email, the more I wonder what is it really a case against, and how applicable is it to an average case.
The whole thing still smells like the attacker is not telling the whole truth, and an accomplice inside either Paypal or Godaddy was required. Recovering your account as a lawful owner is hard enough.
Anyway, to the point, I’d like to hear new ideas for account recovery.
Sadly, it seems like requiring a phone number is becoming new normal, which is far worse than giving away your email!
That’s fair. It’s hard to really know the specifics. It’s clear that using self-hosted email for account recovery does add additional attack surface, and I mention it only as a caution; people can decide for themselves what it means for them.
I’m not really the best person to speculate about what would be better; my needs are far different from the typical user’s. I’d be happy to have to sign password-reset requests with an offline key, but that’s not an option any site should really take seriously, the education hurdles are too big.
I think email is going to stay at least for a while. In the meantime, it’s important that we apply the same protection to email address as to the password, at least this will make the hacker job 2x difficult.
One caveat I’ve run into while doing this is that while sites always have a “forgot your password” flow, they rarely have a way to handle “forgot your email address”. Make sure to keep track of the email used on each site in your password manager!
You can always try all of your aliases (assuming you know them), but if they were extra vicious, they could collect them for spamming. I guess it could also get you banned on some services.
Can’t speak for other email alias solution but for ours (SimpleLogin), we avoid forgetting what aliases are used where by either:
“prefixing” the alias with the name of the website, for ex I would use groupon....@... as alias on Groupon.
or using SimpleLogin Chrome/Firefox extension: the information (alias, website) is saved so the extension would suggest you the same alias the next time you visit this website.
I was thinking about doing this last week when I moved from AWS WorkMail to Fastmail, thanks to the fact that Fastmail lets you not only receive emails at aliases, but also send them as such (which some sites might need for authentication purposes when contacting support, etc.).
I’d like to hear the downsides of this approach, if any.
I’ve done this for over a decade, and at Fastmail for the last few years. In my experience the downsides are:
This doesn’t work so well for mailing lists. It’s best to use your real address for mailing lists.
Gravatars are obnoxious — there’s no such thing as a catch-all Gravatar. Of course, Gravatar is problematic from a privacy perspective anyway, but many sites don’t allow you to configure an avatar any other way.
Otherwise it works great when you use Fastmail’s (okayish) web UI to respond — it automatically selects the correct identity.
Fastmail also lets you configure a catchall address, which allows you to make up addresses on the fly. (Of course, then you can also get spam at addresses that someone else made up… That said, it has worked well for me.)
To be more precise, here are features I’m looking for in an IDE:
auto completion (obviously) and auto-import: I like the fact that I don’t need to import module before starting using them as Pycharm will suggest it for me. For example, I can just type os.environ.get("MY_VAR") and Pycharm will help me importing the os module.
code navigation works with lib: it happens quite often in Python that we need to read the source code of a library and Pycharm supports this navigation very well.
Formatting done right: I find that Pycharm formatting in several languages is really nice. Not too strict but still enough to have a consistent code. I feel they optimize formatting for humans. Now that Python has black formatter which is really good, this point is rather for other languages like js, html, css. A similar feature that Pycharm gets it right is optimize import: it can remove all unused imports.
debugging done right: breakpoint just works. VSCode is also really good in this regard.
Find & edit: I really like the fact that I can search for something and edit the file right away in Pycharm. In Pycharm find opens a modal that I can edit the code.
Emacs in a terminal window has been my daily editor for over 15 years, and I’ve found it perfectly capable of doing everything I need. And Emacs itself has a bit of a learning curve, but if you’re already familiar with it, the Python-specific tooling is pretty easy to pick up. I use:
elpy, which provides a lot of the IDE-style features, if you want them. I primarily use it for Python-aware navigation and its linting and formatting integrations.
flycheck is the syntax-checking backend I’m using for that.
I don’t have big Python files but the libs we use have. I feel Pycharm spends a lot of time indexing and scanning directories and doing that very often, even when there are no changes.
This really sounds like a bug that they fixed around 2019.2 or so. Is it possible/have you tried deleting and recreating the PyCharm project files with one of the newer builds?
The code I write is open source, so I use the community version (2019.2). While I prefer VS Code for C++, I still prefer PyCharm for Python. I’m on a mac. It’s possible I got used to the slowness. I agree we could do with snappier IDEs. I suspect that, as someone else was suggesting, your best solution might be to use some of the older editors. These editors don’t slow down your raw typing when the code intelligence response is delayed. You could also start to turn off PyCharm features you don’t really use so much and see if that makes things snappier.
I used to have the same problem with Webstorm (Jetbrains’ Javascript IDE) on my underpowered laptop. Have you tried power-saving mode? I believe it turns off all indexing, and some other more intensive features.
It seems a useful particular piece of information that using Facebook SDK for OAuth login via Facebook leaks more information than using third-party OAuth libraries for OAuth login via Facebook.
That’s what I think this article is saying, although I can’t say I’m sure of the details; in particular, how much more information does this iframe give Facebook compared to the plain OAuth flow?
You’re guessing it right, that’s one of the takeaways from the article. Using iframe allows facebook to know at least the website you are on (the parent website) and informations about your browser, ip, etc. They could also in theory get the content you’re seeing on the parent website too but I doubt they can exploit it.
That depends on how the library is implemented actually. For facebook, I recommend using an oauth2 library with the code flow. This is a backend integration so no iframe is involved. If you happen to use Flask (python), I also wrote an article on this topic https://dev.to/simplelogin/create-a-flask-application-with-sso-login-f9m
I don’t see this information mentioned in Facebook SDK or elsewhere so decided to write this post.
Facebook is still used by a lot of my friends and family so removing it completely it not feasible for me for now …
But what about WhatsApp and Instagram? WhatsApp in particular is pretty important for me to connect to people all across the world. Signal just doesn’t have the same market share…
Well, you’re using jQuery and tags in HTML files so…sure. You don’t need Webpack. You also have a Python app, not a JavaScript-based SPA.
Those are orthogonal though. There’s nothing that dictates that one needs webpack when using, say react vs jQuery for example. The point of the post stands.
What puzzles me is that they use jQuery. You don’t need jQuery. Browser JavaScript APIs are well standardized and already include most, if not all jQuery functionalities. Perhaps with a little bit less syntax sugar.
Old school simple script tags are underrated. I made a simple game last year in JavaScript using only a single HTML file and a single script. No npm modules, no libraries. I think the work of setting up/understanding the whole load of glue and piping of “modern JavaScript” alone would require more effor than the whole project.
Yep the jquery is just for sugar syntax. As it’s already included by some libraries, I’m just too lazy to use the Browser API …
I’m in the emailing business, too. We are hosting our own MTAs with our own IP address space totaling under 500 EUR a month on bare-metal in a data center in Frankfurt, Germany.
But you can have it even cheaper: You can get a /24 for around 100 EURs a month, you can announce that address space using cloud hosters such as Vultr who are super fast, reliable and not really expensive. You can use all of thoses IPs on one VM or split them up like you want.
Sounds like a good option, thanks! Can I know where could I buy the /24 range?
There are a couple of options:
We also got spare IP space available. PM me if you’re interested in leasing.
AWS supports hosting your own IP range on EC2 now, as well: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html
Good point! However it’s not yet available in all regions without all netblock statuses either.
Out of curiosity, how many watts of power are you getting at 500eur/mo? My vague recollection from a few years ago was that colo providers would hand out rack units for negligible money but charge something like 100eur/mo per ~200W since every Joule the servers consume has to be paid for twice - once at the point of use, then again for the HVAC required to dump the heat. (But all the colo providers I worked with had racks and ranks going spare because servers are so power dense now that their AC and PSUs couldn’t keep up if all the space was filled with hot servers)
My numbers are not really representative, but we pay around 30 EUR per 150 W ish. Luckily for us we are housed in a shared rack and heat was only once an issue where the data center provider was having an AC outage.
I agree, some DCs are housing some super old hardware which are dissipating a lot of power in form of heat so they didn’t only maxing out the available power, but were also forced to keep spare units.
Thanks! I have a feeling my numbers might be really off, it’s been a while
Question from someone who doesn’t know anything about MTAs: Why do you need so many IP addresses? Is it just that you need many servers to handle the amount of emails and thus 1 IP address per server, or is it something else that I am missing?
It’s mostly the per IP reputation which can go southwards by the volume you are sending out.
So you basically spread out the traffic over the IP addresses to keep your reputation stable. I’d love to know more about how that works. Do you rotate through the addresses? Have a container for every address?
A lot of people use EC2 VMs as “stable” servers, and it’s fine, but my theory is that they were not designed as such in the first place. I mean, it’s in the name: Elastic Compute Cloud. For an elastic server, rDNS is typically not a hard requirement, neither is a “clean” IP address. That may explain why there isn’t a simple and easy UI to change rDNS records.
Did you consider hosting your own MTAs in a datacenter? It may be quite expensive (maybe around 1-2k€/mo in Paris for a half-rack and a
/28of addresses), but you can have your long-term IP addresses blocks and make sure your IPs are always clean.1-2k per month is a bit too expensive for us at the moment but we might need that in the future, which data center do you recommend for this option?
I have experience with only one DC in Paris, which is “Zayo Poissonière”, located in the 2nd ward. The security is good, and the location is super convenient (which is important if you have employees based in Paris). I guess other datacenters located in the suburbs are more affordable, but much less convenient.
You can always buy this management service to a company.
In a previous job, we used to have racks in 2 equinix datacenters in Paris, operated by another company. We had access to servers (even the management interface), but we had to go through tickets when asking for networking changes (because we were connected to their network infrastructure to avoid running ours), but also all physical maintenance like changing disks or racking new servers. They took care of our IPs too (we had a /26), so all BGP etc.
I found that this solution was the perfect mix between not using a cloud provider, and still not running everything ourselves. If you want to go self hosted to that point, I think this is a really neat approach.
Agree, renting a bunch of servers can be a very nice solution. You get exactly the specs you want, you get real hardware (and you can get an actual physical private network for them), and you still never have to go to a datacenter.
Thanks for the advice!
Thanks, the location is perfect! Just bookmarked their website for future use.
This seems like a really useful project! I’m wondering what kind of mail backends this would support? I think using this with GMail might be out of the question, the forwarded mail might be stopped due to SPF. The document gives information about setting up DKIM/SPF, but the way I read this it’s only for outgoing mail (from me to the party I’m hiding my real address from). Or is there some rewriting in place?
Maybe I’ll try setting this up, but I’m not a big fan of Docker, especially when the application has specific network requirements. I didn’t check the Dockerfile yet, but I hope this will be easy enough to run in a FreeBSD jail.
Anyway, great work! We need more projects like these.
What do you mean by “mail backend”? SimpleLogin uses Postfix to send and receive emails. You could also config Postfix for it to send emails from other mail servers (e.g. Gmail) but then SPF check would fail.
I created a small diagram to show how SimpleLogin works here https://whimsical.com/2BfXodQqkWi2p12QXJyfAH Basically what it does is to rewrite the email headers to:
I think you could deploy SimpleLogin without Docker as it mostly used Python and its dependencies are relatively simple.
Ah, from the diagram I see you use SRS rewriting. I’m not sure about this, but I was kinda hoping ARC (Authenticated Receive Chain) would solve this without rewriting?
ARC is indeed a good idea to handle email forwarder case. Its status is still experimental though.
ARC wouldn’t be useful for SimpleLogin though as it rewrites both the “from” and “to” header to implement the “reply flow” so when user replies, the email is routed through SimpleLogin.
Add a “show” tag, and perhaps consider not having your username be your project name (looks like advertisement).
Yeah. I PMd to tell him to knock off the self-promotion.
An open source project, where there is also a cloud-hosted version by the author, is not necessarily a spam post. Goat Counter does exactly the same thing and got a lot of upvotes on Lobste.rs. Whether the link goes to the Github README or a separate blog shouldn’t make much of a difference methinks?
The only sketchy thing here is that the Lobste.rs username matches the project name. But that doesn’t make the project itself bad. Maybe they’ll change their username to something more personal.
I’m really careful in not promoting/spamming GoatCounter too much here. For example, I wrote some things on my website about it that I didn’t post here, and I tend to refer to it as “the project I’m working on” in comments when I don’t really need to reference it by name. Additionally, I’ve been posting here for a while with quite a number of comments/submissions. I also just happen to be developing this product, but that’s not why I’m here.
I’m sure Son has the best of intentions (SimpleLogin uses GoatCounter, and provided some pretty useful feedback), but I’ve seen several SimpleLogin stories in the last few weeks, and IMHO it’s a little bit too much. Self-promotion is fine IMHO, but it’s all about the balance.
Hey what’s funny is some trending posts about SimpleLogin aren’t even posted by us, I learnt about them when they are trending on Reddit.
We are preparing an official launch so are posting about “the project we’ve been working on” ;) a bit everywhere. Lot of constructive feedbacks, some haters (obviously) but so far so good.
Yeah, it’s just some things I noticed here. Maybe my impressions are wrong 😅 Also, as someone else pointed out having the username “simplelogin” probably isn’t helping. You can change it in Lobsters on your profile at any time.
Yeah I just changed my username.
He’s pushing it too much (see his previous submission and the discussion underneath).
Self-advertising is not bad per se, I discovered some cool projects by their authors and I have met a lot of amazing people who support SimpleLogin via my “self-promotion” posts. For me, what’s more important is the content itself.
It’s sad that people don’t even look at the post before classifying it as “spam”.
I think maybe the match between your username here and the name of the product causes a knee-jerk reaction. Have you considered using the same username here that you use on Github?
I use the product name as username on reddit and HN so anyone could know immediately that I’m self-promoting and not trying to fake a positive review. Anw just changed my username :).
Not sure to understand why you thought this is “arrogant”. Anw I guess it’s not helpful to discuss further.
Because you presume people didn’t look at the post before flagging it as a spam.
I’ve been working on an email forwarder service https://github.com/simple-login/app. It uses a rather standard Flask stack: sqlalchemy for ORM, alembic for database migration, flask-login for authentication, etc.
Hi guys, author here. I made this tool to hide my personal email by using “email alias”. The project is fully open source and can be self-hosted. The self-hosting instruction is relatively simple and the most complex part is maybe DNS setup on your DNS registrar.
The code has been deployed in production since several months now and is stable. It also comes with some niceties like a Chrome/Firefox/Safari extension and (soon) mobile apps.
The github repo is on https://github.com/simple-login/app Let me know if you have any feedbacks/questions!
I’ve been doing this for a few years and find it useful for two reasons: 1) it’s really easy to block spam by email address, when a site gets too liberal in its use, it’s easier just to send all email to the bit bucket rather than try to figure out their unsubscribe process that usually doesn’t work: 2) the curiosity of seeing who shares email addresses. Since I create unique addresses it’s more likely that someone sending to that address got it from the site.
The easiest way I’ve found to do this is to register a domain with a host that gives you an MX dns record. I’ve been registering a domain for 15 years or so and hosting with a cheap Linux cpanel host for $30/year. I have multiple sites so it’s not a direct cost, but I would think you could do this for $30-60/year depending on your dns name and host.
I have a default address set up [0] to forward all mail on the domain that doesn’t have a mailbox to an account I monitor. I don’t have to set up anything beforehand to use a “new” address. To make it easier to remember the account, I just use the site’s domain name at my domain (eg, if I register with cnn.com, I would use cnn@prepend.com).
I’ve been doing this so long, I would probably keep the domain and host even if I didn’t need web hosting any more.
The weakness is that if sites learned of my personal system they could exploit it for spam or misdirection purposes, but that seems like a pretty rare probability since I’m just a scrub.
I’ve thought about making this a product because it’s so easy to use, but explaining the concept of abstraction and pointers and redirects has been hard for me to do to non-technical people who think mailboxes are physical things.
[0] https://www.namecheap.com/support/knowledgebase/article.aspx/912/31/how-to-create-a-catchall-email-address-in-cpanel
I would suggest using an email alias solution that can handles the forwarding and custom domain management for you to 1)reduce cost and 2)have other features like alias management interface, browser extension, etc. 3) someone to monitor and fix issues if something wrong happens.
I would obviously recommend mine (SimpleLogin) but a lot of other email alias solutions work too. If you prefer you could also deploy SimpleLogin on your own server. The deployment is actually relatively easy as it’s based mostly on Docker.
Thanks for the suggestion. Simple login looks neat, but is more effort than my current approach since I don’t need to preregister anything. I just use the address. This is really handy as when I’m at Home Depot and they ask for my email, there’s no way I could pull out my phone and set up an email but I can easily say “homedepot@prepend.com” and know that I’ll get the email two seconds later. (It’s also easy because the cashier can recognize the address and type it in)
If I didn’t have this functionality as a by product of my hosting setup, I’d be more likely to try it. I can only run PHP and CGI apps given my hosting, but since you run in a docker container, I’ve added your stuff to my mental list of things to play around with on my home servers.
#1 is probably a big deal for most people. #2 isn’t important to me. I’ve never had a need for #3.
One of the big reasons I do this is for privacy, so #3 is kind of a downside as I don’t want to have a third party that if they get breached will reveal info I don’t want. The DNS thing is nice because there is no alias config anywhere.
There’s email addresses stored by third parties that are mostly unique. And there’s a mailbox with lots of email. My mail server doesn’t keep logs and I can search and filter pretty well with my email clients and services. Self-hosting simplelogin is important to me to prevent the third party risk.
This feature is actually already available in SimpleLogin, it’s called “catch-all” or wildcard alias.
Please let me know if you see anything that can be improved in the self-hosting instructions!
After I decided to self-host my emails, I started doing that.
It is a pain to manage, as your email address then becomes a second password that you must keep track of. You have to be extremely organized so you don’t forget what your email address was in case you forget the password and want to recover it. I’ve found myself in the situation where I am 100% sure of the password, and I had to try the email 3-4 times before I get it right (does it includes the “-” in the name? Is it the company name only ? …). It can also gets complicated for administrative papers when you have to spell out your email address to someone (I had someone tell me “I want YOUR email address, not ours”, because I gave them an alias with the company name in it, and they found it suspicious).
After some time, I decided to go with more generic addresses like “shop@”, and now it blurs the line even more and I’m completely lost.
As I didn’t record the aliases I created, and decided to simply forward any single address to my user, I am today unable to know how much aliases I created, and which ones were used. Requiring to create the alias manually before you can use it is painful though…
Hopefully, I still have all my archives so I can still scrap all the
To:fields to get them back.So yeah, we should have one email per website, but it requires a lot of discipline.
Isn’t it enough to do a search of your emails, and look at the “to:” field for the search hits?
This is indeed the only option I have. Unfortunately not all email applications give you this kind of granularity for searching (eg, my phone stock app).
You still need some discipline though, as for this to be true, you must keep at least 1 email with the alias in the to: field (I save all the confirmation links email for this exact purpose).
I use a separate domain with a catch-all redirect on my mail server. That way I know anything coming to that domain is from something I registered. I can just use the site name @mydomain.
I would suggest using an email alias solution instead. Self hosting emails is feasible but requires a lot of time and doesn’t come with other niceties an email alias solution could provide like browser extension, alias management UI, etc. Our solution (SimpleLogin) is relatively easy to self host so you can deploy it on your server to manage your alias. The self-hosting instructions are based on Docker so should be compatible with most of servers.
I decided to self-host my emails so I am in charge of handling my emails, and not a company. Having the ability to use one address per website was only a consequence to this move. I am however not dedicated enough to this practice to justify using an external solution just for this.
grepping my To: fields is enough for my needs given that I use a catchall alias.Your solution might not be for me, but this is definitely good that you provide this solution for people that might need that for use with email services they do not control.
Alias’ing is really tedious, better to just use tagging (gmail and Fastmail amongst others support this):
bob+medium@example.com
Some sites struggle with ’+’s so fastmail support an alternative form transparently:
medium@bob.example.com
I’ve never looked back and it lets you trivially identify (and filter) spam sources. Also you can use tagging for your normal mail steering rules (eg. bob+mailinglistname@)
Except you can’t reply from a + address from gmail. I’ve been unable to talk to support for some services because I wasn’t replying from the email address on file.
Besides, spammers know how to strip it away by now. With a full address, they have to guess.
Fastmail’s method is a great compromise.
For the issue of stripping it away I just reject email addressed to the untagged address. I also have a totally separate untagged address solely for personal use.
I like that alternative form though, as I’ve struggled with services/sites that don’t support + addresses (like Microsoft last I checked), having to resort to aliases.
To help with remembering alias and able to generate quickly an alias on-the-fly, SimpleLogin (my startup) also creates a similar feature called
directory: basically you reserve a directory, let’s saymy-dir, then you can create alias quickly by usingmy-dir/anything_here@my_domain.com. It works similarly to the+trick but we find that easier to remember as this is similar to how directory/file works. We also plan to support+trick for users who prefer Gmail style.The
+is more than just a trick, as specified in rfc5233:It makes it much more easier for the website to extract your actual email address.
Isn’t this what sign-in with apple is doing?
ref: Hide My Email for Sign in with Apple
Apple recognises this email problem and created this solution. However there are 2 downsides:
Both good points. Since apple handles the forwarding, while this gives the user the ability to modify the forward target and/or disable it at any point, does mean that apple is a party to the content (eg. middleman) of the email.
I tried this once, years ago. I found it unmanageable, and eventually had to stop due to the maintenance overhead. Also, since it implies self-hosting your email, it introduces additional attack surface such as what’s described in the essay How I Lost My $50,000 Twitter Username.
What I really wish is that there were a viable alternative to email and that sites had an incentive to adopt it. With many sites, the sole benefit to users is that email allows account recovery. It’s ridiculous to have to give out such a valuable identifier just for that.
The more I see the $50k twitter username story as a case against self-hosted email, the more I wonder what is it really a case against, and how applicable is it to an average case. The whole thing still smells like the attacker is not telling the whole truth, and an accomplice inside either Paypal or Godaddy was required. Recovering your account as a lawful owner is hard enough.
Anyway, to the point, I’d like to hear new ideas for account recovery. Sadly, it seems like requiring a phone number is becoming new normal, which is far worse than giving away your email!
That’s fair. It’s hard to really know the specifics. It’s clear that using self-hosted email for account recovery does add additional attack surface, and I mention it only as a caution; people can decide for themselves what it means for them.
I’m not really the best person to speculate about what would be better; my needs are far different from the typical user’s. I’d be happy to have to sign password-reset requests with an offline key, but that’s not an option any site should really take seriously, the education hurdles are too big.
I think email is going to stay at least for a while. In the meantime, it’s important that we apply the same protection to email address as to the password, at least this will make the hacker job 2x difficult.
One caveat I’ve run into while doing this is that while sites always have a “forgot your password” flow, they rarely have a way to handle “forgot your email address”. Make sure to keep track of the email used on each site in your password manager!
You can always try all of your aliases (assuming you know them), but if they were extra vicious, they could collect them for spamming. I guess it could also get you banned on some services.
Can’t speak for other email alias solution but for ours (SimpleLogin), we avoid forgetting what aliases are used where by either:
groupon....@...as alias on Groupon.(alias, website)is saved so the extension would suggest you the same alias the next time you visit this website.I was thinking about doing this last week when I moved from AWS WorkMail to Fastmail, thanks to the fact that Fastmail lets you not only receive emails at aliases, but also send them as such (which some sites might need for authentication purposes when contacting support, etc.).
I’d like to hear the downsides of this approach, if any.
I’ve done this for over a decade, and at Fastmail for the last few years. In my experience the downsides are:
Otherwise it works great when you use Fastmail’s (okayish) web UI to respond — it automatically selects the correct identity.
Fastmail also lets you configure a catchall address, which allows you to make up addresses on the fly. (Of course, then you can also get spam at addresses that someone else made up… That said, it has worked well for me.)
To be more precise, here are features I’m looking for in an IDE:
auto completion (obviously) and auto-import: I like the fact that I don’t need to import module before starting using them as Pycharm will suggest it for me. For example, I can just type
os.environ.get("MY_VAR")and Pycharm will help me importing theosmodule.code navigation works with lib: it happens quite often in Python that we need to read the source code of a library and Pycharm supports this navigation very well.
Formatting done right: I find that Pycharm formatting in several languages is really nice. Not too strict but still enough to have a consistent code. I feel they optimize formatting for humans. Now that Python has
blackformatter which is really good, this point is rather for other languages like js, html, css. A similar feature that Pycharm gets it right isoptimize import: it can remove all unused imports.debugging done right: breakpoint just works. VSCode is also really good in this regard.
Find & edit: I really like the fact that I can search for something and edit the file right away in Pycharm. In Pycharm
findopens a modal that I can edit the code.A lot depends on how much “IDE” tooling you want.
Emacs in a terminal window has been my daily editor for over 15 years, and I’ve found it perfectly capable of doing everything I need. And Emacs itself has a bit of a learning curve, but if you’re already familiar with it, the Python-specific tooling is pretty easy to pick up. I use:
Here’s a guide that walks you through some Emacs basics, as well as setting up various Python-specific things.
Thanks, I used to use Vim before but for relatively big projects I feel more comfortable with full-fledged IDE.
Do you, by chance, have very large Python files? The only time I’ve had issues with PyCharm is when a single file has been very large (~1400 lines), say https://github.com/DataBiosphere/toil/blob/master/src/toil/cwl/cwltoil.py
With large files I think all IDEs will be slow with code intelligence.
I don’t have big Python files but the libs we use have. I feel Pycharm spends a lot of time indexing and scanning directories and doing that very often, even when there are no changes.
This really sounds like a bug that they fixed around 2019.2 or so. Is it possible/have you tried deleting and recreating the PyCharm project files with one of the newer builds?
Also, while this doesn’t help you at the moment, jetBrains is redoing the entire way indexing works in a way that’ll directly avoid the issue you’re hitting and then some (https://blog.jetbrains.com/idea/2019/12/intellij-platform-roadmap-for-2020/)
Thank for the information, will try to delete the
.idea/folder and reopen the project.It’s good to know that Pycharm finally take into account our complaints! Hope they will find a solution for this issue soon.
The code I write is open source, so I use the community version (2019.2). While I prefer VS Code for C++, I still prefer PyCharm for Python. I’m on a mac. It’s possible I got used to the slowness. I agree we could do with snappier IDEs. I suspect that, as someone else was suggesting, your best solution might be to use some of the older editors. These editors don’t slow down your raw typing when the code intelligence response is delayed. You could also start to turn off PyCharm features you don’t really use so much and see if that makes things snappier.
I used to have the same problem with Webstorm (Jetbrains’ Javascript IDE) on my underpowered laptop. Have you tried power-saving mode? I believe it turns off all indexing, and some other more intensive features.
Unfortunately in power saving mode all the niceties of Pycharm also go away.
I used to have a good experience with Komodo IDE but have not used for a few years now (ironically I switched to Pycharm). Might be worth a look.
Thanks, downloading it now. It seems a bit outdated though as the latest Python version it supports is Python 3.6.
Is this news? I’d suggest you could remove “JS SDK” from the title.
EDIT: I was being a bit sarcastic about Facebook in general and do not mean to slur the author or article content itself.
It seems a useful particular piece of information that using Facebook SDK for OAuth login via Facebook leaks more information than using third-party OAuth libraries for OAuth login via Facebook.
That’s what I think this article is saying, although I can’t say I’m sure of the details; in particular, how much more information does this iframe give Facebook compared to the plain OAuth flow?
You’re guessing it right, that’s one of the takeaways from the article. Using iframe allows facebook to know at least the website you are on (the parent website) and informations about your browser, ip, etc. They could also in theory get the content you’re seeing on the parent website too but I doubt they can exploit it.
And when I use some other library to implement “login with facebook”, don’t they also know the parent website?
That depends on how the library is implemented actually. For facebook, I recommend using an oauth2 library with the code flow. This is a backend integration so no iframe is involved. If you happen to use Flask (python), I also wrote an article on this topic https://dev.to/simplelogin/create-a-flask-application-with-sso-login-f9m
I don’t see this information mentioned in Facebook SDK or elsewhere so decided to write this post. Facebook is still used by a lot of my friends and family so removing it completely it not feasible for me for now …
Try a sabbatical. You might be surprised how little it actually provides for those bonds.
But what about WhatsApp and Instagram? WhatsApp in particular is pretty important for me to connect to people all across the world. Signal just doesn’t have the same market share…
Have you tried suggesting signal to your friends?
or “Facebook” and “SDK”