Email client

Anemail client,email readeror, more formally,message user agent(MUA) ormail user agentis acomputer programused to access and manage a user'semail.

Aweb applicationwhich provides message management, composition, and reception functions may act as aweb email client,and a piece ofcomputer hardwareor software whose primary or most visible role is to work as an email client may also use the term.

Retrieving messages from a mailbox

Like most client programs, an email client is only active when a user runs it. The common arrangement is for an email user (the client) to make an arrangement with a remoteMail Transfer Agent (MTA) server for the receipt and storage of the client's emails. The MTA, using a suitablemail delivery agent(MDA), adds email messages to a client's storage as they arrive. The remote mail storage is referred to as the user'smailbox.The default setting on many Unix systems is for the mail server to store formatted messages inmbox,within the user'shome directory.Of course, users of the system can log-in and run a mail client on the same computer that hosts their mailboxes; in which case, the server is not actuallyremote,other than in a generic sense.

Emails are stored in the user's mailbox on the remote server until the user's email client requests them to be downloaded to the user's computer, or can otherwise access the user's mailbox on the possibly remote server. The email client can be set up to connect to multiple mailboxes at the same time and to request the download of emails either automatically, such as at pre-set intervals, or the request can be manually initiated by the user.

A user's mailbox can be accessed in two dedicated ways. ThePost Office Protocol(POP) allows the user to download messages one at a time and only deletes them from the server after they have been successfully saved on local storage. It is possible to leave messages on the server to permit another client to access them. However, there is no provision for flagging a specific message asseen,answered,orforwarded,thus POP is not convenient for users who access the same mail from different machines.

Alternatively, theInternet Message Access Protocol(IMAP) allows users to keep messages on the server, flagging them as appropriate. IMAP provides folders and sub-folders, which can be shared among different users with possibly different access rights. Typically, theSent,Drafts,andTrashfolders are created by default. IMAP features anidleextensionfor real-time updates, providing faster notification than polling, where long-lasting connections are feasible. See also theremote messagessection below.

TheJSON Meta Application Protocol(JMAP) is implemented using JSON APIs over HTTP and has been developed as an alternative to IMAP/SMTP.

In addition, the mailbox storage can be accessed directly by programs running on the server or viashared disks.Direct access can be more efficient but is less portable as it depends on the mailbox format; it is used by some email clients, including somewebmailapplications.

Message composition

Email clients usually containuser interfacesto display and edit text. Some applications permit the use of a program-external editor.

The email clients will perform formatting according toRFC 5322forheadersandbody,andMIMEfor non-textual content and attachments. Headers include the destination fields,To,Cc(short forCarbon copy), andBcc(Blind carbon copy), and the originator fieldsFromwhich is the message's author(s),Senderin case there are more authors, andReply-Toin case responses should be addressed to a different mailbox. To better assist the user with destination fields, many clients maintain one or more address books and/or are able to connect to anLDAPdirectory server. For originator fields, clients may support different identities.

Client settings require the user'sreal nameandemail addressfor each user's identity, and possibly a list of LDAP servers.

Submitting messages to a server

When a user wishes to create and send an email, the email client will handle the task. The email client is usually set up automatically to connect to the user's mail server, which is typically either anMSAor anMTA,two variations of theSMTPprotocol. The email client which uses the SMTP protocol creates an authentication extension, which the mail server uses to authenticate the sender. This method eases modularity and nomadic computing. The older method was for the mail server to recognize the client's IP address, e.g. because the client is on the same machine and uses internal address 127.0.0.1, or because the client's IP address is controlled by the sameInternet service providerthat provides both Internet access and mail services.

Client settings require the name or IP address of the preferredoutgoing mail server,theport number(25 for MTA, 587 for MSA), and theuser nameandpasswordfor the authentication, if any. There is a non-standard port 465 forSSLencrypted SMTP sessions, that many clients and servers support for backward compatibility.

Encryption

With no encryption, much like for postcards, email activity is plainly visible by any occasional eavesdropper.Email encryptionenables privacy to be safeguarded by encrypting the mail sessions, the body of the message, or both. Without it, anyone with network access and the right tools can monitor email and obtain login passwords. Examples of concern include the governmentcensorshipandsurveillanceand fellow wireless network users such as at anInternet cafe.

All relevant email protocols have an option to encrypt the whole session, to prevent a user'snameandpasswordfrom beingsniffed.They are strongly suggested for nomadic users and whenever theInternet access provideris not trusted.^[1]When sending mail, users can only control encryption at the first hop from a client to its configuredoutgoing mail server.At any further hop, messages may be transmitted with or without encryption, depending solely on the general configuration of the transmitting server and the capabilities of the receiving one.

Encrypted mail sessions deliver messages in their original format, i.e. plain text or encrypted body, on a user's local mailbox and on the destination server's. The latter server is operated by anemail hosting serviceprovider, possibly a different entity than the Internetaccessprovider currently at hand.

Encrypting an email retrieval session with, e.g., SSL, can protect both parts (authentication, and message transfer) of the session.^[2]^[3]

Alternatively, if the user hasSSHaccess to their mail server, they can use SSHport forwardingto create an encrypted tunnel over which to retrieve their emails.^[4]

Encryption of the message body

There are two main models for managing cryptographic keys.S/MIMEemploys a model based on a trustedcertificate authority(CA) that signs users' public keys.OpenPGPemploys a somewhat more flexibleweb of trustmechanism that allows users to sign one another's public keys. OpenPGP is also more flexible in the format of the messages, in that it still supports plain message encryption and signing as they used to work beforeMIMEstandardization.

In both cases, only the message body is encrypted. Header fields, including originator, recipients, and often subject, remain in plain text.

Webmail

In addition to email clients running on a desktop computer, there are those hosted remotely, either as part of a remote UNIX installation accessible bytelnet(i.e. ashell account), or hosted on theWeb.Both of these approaches have several advantages: they share an ability to send and receive email away from the user's normal base using aweb browseror telnet client, thus eliminating the need to install a dedicated email client on the user's device.

Some websites are dedicated to providing email services, and manyInternet service providersprovide webmail services as part of their Internet service package. The main limitations of webmail are that user interactions are subject to the website's operating system and the general inability to download email messages and compose or work on the messages offline, although there are software packages that can integrate parts of the webmail functionality into the OS (e.g. creating messages directly from third party applications viaMAPI).

Like IMAP and MAPI, webmail provides for email messages to remain on the mail server. Seenext section.

Remote messages

POP3 has an option to leave messages on the server. By contrast, both IMAP and webmail keep messages on the server as their method of operating, albeit users can make local copies as they like. Keeping messages on the server has advantages and disadvantages.^[5]

Advantages

Messages can be accessed from various computers or mobile devices at different locations, using different clients.
Some kind of backup is usually provided by the server.

Disadvantages

With limited bandwidth, access to long messages can be lengthy, unless the email client caches a local copy.
There may be privacy concerns since messages that stay on the server at all times have more chances to be casually accessed by IT personnel, unlessend-to-end encryptionis used.

Protocols

Popular protocols for retrieving mail includePOP3andIMAP4.Sending mail is usually done using theSMTPprotocol.

Another important standard supported by most email clients isMIME,which is used to sendbinary file email attachments.Attachments are files that are not part of the email proper but are sent with the email.

Most email clients use aUser-Agent^[6]header fieldto identify the software used to send the message. This header field is defined for Netnews, but not-for e-mail, and, as such, is non-standard^[7]in e-mail headers.

RFC 6409,Message Submission for Mail,details the role of theMail submission agent.

RFC 5068,Email Submission Operations: Access and Accountability Requirements,provides a survey of the concepts of MTA, MSA, MDA, and MUA. It mentions that "Access Providers MUST NOT block users from accessing the external Internet using the SUBMISSION port 587"and that"MUAs SHOULD use the SUBMISSION port for message submission."

RFC 5965,An Extensible Format for Email Feedback Reports,provides "an extensible format and MIME type that may be used by mail operators to report feedback about received email to other parties."

Port numbers

Email servers and clients by convention use theTCP port numbersin the following table. For MSA, IMAP and POP3, the table reports also the labels that a client can use to query theSRV recordsand discover both the host name and the port number of the corresponding service.^[8]

Protocol	Use	Plain text or encrypt sessions	Plain text sessions only	Encrypt sessions only
POP3	incoming mail	110 _pop3._tcp		995 _pop3s._tcp
IMAP4	incoming mail	143 _imap._tcp		993 _imaps._tcp
SMTP	outgoing mail	25		587
MSA	outgoing mail	587 _submission._tcp		465^[9] _submissions._tcp
HTTP	webmail		80	443

While webmail obeys the earlier HTTP disposition of having separate ports for encrypt and plain text sessions, mail protocols use theSTARTTLStechnique, thereby allowing encryption to start on an already established TCP connection. WhileRFC 2595used to discourage the use of the previously established ports 995 and 993,RFC 8314promotes the use of implicitTLSwhen available.

Proprietary client protocols

Microsoftmail systems use theproprietary Messaging Application Programming Interface(MAPI) in client applications, such asMicrosoft Outlook,to accessMicrosoft Exchangeelectronic mail servers.

References

^C. Hutzler; D. Crocker; P. Resnick; E. Allman; T. Finch (November 2007)."Message Submission Authentication/Authorization Technologies".Email Submission Operations: Access and Accountability Requirements.IETF.sec. 5.doi:10.17487/RFC5068.BCP 134.RFC 5068.Retrieved24 August2011.This document does not provide recommendations on specific security implementations. It simply provides a warning that transmitting user credentials in clear text over insecure networks SHOULD be avoided in all scenarios as this could allow attackers to listen for this traffic and steal account data. In these cases, it is strongly suggested that an appropriate security technology MUST be used.
^Sill 2003,p. 353: "Like SMTP, POP3 is unencrypted. Unlike SMTP, however, it needs authentication: Users have to identify themselves and prove they're who they claim to be. Unfortunately, the authentication usually consists of presenting a username and a password known only to the user and the POP3 server. Because the POP3 dialogue is unencrypted, an eavesdropper can obtain a user's username and password and reuse them to access the user's mailbox. So, plain POP3 exposes the contents of the mail messages the user retrieves, and it exposes their username and password, which can then be reused by someone else.
Wrapping the POP3 dialogue with transport-layer security such as SSL solves both of these problems. Because SSL-wrapped POP3 sessions are encrypted from beginning to end, no messages, usernames, or passwords are exposed in cleartext.
The optional POP3 command,APOP,replaces the standardUSER/PASSauthentication with a challenge-response authentication mechanism. This solves the problem of the disclosure of reusable passwords, but does nothing to prevent eavesdroppers from reading users' mail messages as they're being retrieved. "
^Updated Transport Layer Security (TLS) Server Identity Check Procedure for Email-Related Protocols.doi:10.17487/RFC7817.RFC 7817.
^Flickenger, Rob (2003).Linux Server Hacks: 100 Industrial-Strength Tips & Tools.O'Reilly Media.p.146.ISBN 978-0596004613.In addition to providing remote shell access and command execution, OpenSSH can forward arbitrary TCP ports to the other end of your connection. This can be very handy for protecting email, web, or any other traffic you need to keep private (at least, all the way to the other end of the tunnel).
sshaccomplishes local forwarding by binding to a local port, performing encryption, sending the encrypted data to the remote end of thesshconnection, then decrypting it and sending it to the remote host and port you specify. Start ansshtunnel with the-Lswitch (short for Local):
root@laptop:~#ssh -f -N -L110:mailhost:110 -lusermailhost
Naturally, substituteuserwith your username, andmailhostwith your mail server's name or IP address. Note that you will have to be root on the laptop for this example since you'll be binding to a privileged port (110, the POP port). You should also disable any locally running POP daemon (look in/etc/inetd.conf) or it will get in the way.
Now to encrypt all of your POP traffic, configure your mail client to connect to localhost port 110. It will happily talk to mailhost as if it were connected directly, except that the entire conversation will be encrypted.
^"Is IMAP Right for Me?".IT Services.Stanford University.4 March 2010.Retrieved14 April2013.
^"User-Agent".Netnews Article Format.IETF.November 2009. sec. 3.2.13.doi:10.17487/RFC5536.RFC 5536.Some of this information has previously been sent in non-standardized header fields such as X-Newsreader, X-Mailer, X-Posting-Agent, X-Http-User-Agent, and others
^J. Palme (February 1997)."Use of gatewaying headers".Common Internet Message Headers.sec. 2.doi:10.17487/RFC2076.RFC 2076.RetrievedMay 11,2015.Headers defined only in RFC 1036 for use in Usenet News sometimes appear in mail messages, either because the messages have been gatewayed from Usenet News to e-mail, or because the messages were written in combined clients supporting both e-mail and Usenet News in the same client. These headers are not standardized for use in Internet e-mail and should be handled with caution by e-mail agents.
^Cyrus Daboo (March 2011).Use of SRV Records for Locating Email Submission/Access Services.IETF.doi:10.17487/RFC6186.RFC 6186.Retrieved17 April2013.
^Keith Moore; Chris Newman (January 2018).Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access.IETF.doi:10.17487/RFC8314.RFC 8314.Retrieved12 February2018.

Bibliography

Sill, Dave (2003).The qmail Handbook.Apress.ISBN 9781430211341.
Partridge, Craig (April–June 2008)."The Technical Development of Internet Email"(PDF).IEEE Annals of the History of Computing.30(2): 3–29.doi:10.1109/mahc.2008.32.ISSN 1934-1547.S2CID 206442868.Archived fromthe original(PDF)on 2011-05-12.

[1] C. Hutzler; D. Crocker; P. Resnick; E. Allman; T. Finch (November 2007)."Message Submission Authentication/Authorization Technologies".Email Submission Operations: Access and Accountability Requirements.IETF.sec. 5.doi:10.17487/RFC5068.BCP 134.RFC 5068.Retrieved24 August2011.This document does not provide recommendations on specific security implementations. It simply provides a warning that transmitting user credentials in clear text over insecure networks SHOULD be avoided in all scenarios as this could allow attackers to listen for this traffic and steal account data. In these cases, it is strongly suggested that an appropriate security technology MUST be used.

[sill-security-2] Sill 2003,p. 353: "Like SMTP, POP3 is unencrypted. Unlike SMTP, however, it needs authentication: Users have to identify themselves and prove they're who they claim to be. Unfortunately, the authentication usually consists of presenting a username and a password known only to the user and the POP3 server. Because the POP3 dialogue is unencrypted, an eavesdropper can obtain a user's username and password and reuse them to access the user's mailbox. So, plain POP3 exposes the contents of the mail messages the user retrieves, and it exposes their username and password, which can then be reused by someone else.
Wrapping the POP3 dialogue with transport-layer security such as SSL solves both of these problems. Because SSL-wrapped POP3 sessions are encrypted from beginning to end, no messages, usernames, or passwords are exposed in cleartext.
The optional POP3 command,APOP,replaces the standardUSER/PASSauthentication with a challenge-response authentication mechanism. This solves the problem of the disclosure of reusable passwords, but does nothing to prevent eavesdroppers from reading users' mail messages as they're being retrieved. "

[3] Updated Transport Layer Security (TLS) Server Identity Check Procedure for Email-Related Protocols.doi:10.17487/RFC7817.RFC 7817.

[4] Flickenger, Rob (2003).Linux Server Hacks: 100 Industrial-Strength Tips & Tools.O'Reilly Media.p.146.ISBN 978-0596004613.In addition to providing remote shell access and command execution, OpenSSH can forward arbitrary TCP ports to the other end of your connection. This can be very handy for protecting email, web, or any other traffic you need to keep private (at least, all the way to the other end of the tunnel).
sshaccomplishes local forwarding by binding to a local port, performing encryption, sending the encrypted data to the remote end of thesshconnection, then decrypting it and sending it to the remote host and port you specify. Start ansshtunnel with the-Lswitch (short for Local):
root@laptop:~#ssh -f -N -L110:mailhost:110 -lusermailhost
Naturally, substituteuserwith your username, andmailhostwith your mail server's name or IP address. Note that you will have to be root on the laptop for this example since you'll be binding to a privileged port (110, the POP port). You should also disable any locally running POP daemon (look in/etc/inetd.conf) or it will get in the way.
Now to encrypt all of your POP traffic, configure your mail client to connect to localhost port 110. It will happily talk to mailhost as if it were connected directly, except that the entire conversation will be encrypted.

[5] "Is IMAP Right for Me?".IT Services.Stanford University.4 March 2010.Retrieved14 April2013.

[6] "User-Agent".Netnews Article Format.IETF.November 2009. sec. 3.2.13.doi:10.17487/RFC5536.RFC 5536.Some of this information has previously been sent in non-standardized header fields such as X-Newsreader, X-Mailer, X-Posting-Agent, X-Http-User-Agent, and others

[7] J. Palme (February 1997)."Use of gatewaying headers".Common Internet Message Headers.sec. 2.doi:10.17487/RFC2076.RFC 2076.RetrievedMay 11,2015.Headers defined only in RFC 1036 for use in Usenet News sometimes appear in mail messages, either because the messages have been gatewayed from Usenet News to e-mail, or because the messages were written in combined clients supporting both e-mail and Usenet News in the same client. These headers are not standardized for use in Internet e-mail and should be handled with caution by e-mail agents.

[8] Cyrus Daboo (March 2011).Use of SRV Records for Locating Email Submission/Access Services.IETF.doi:10.17487/RFC6186.RFC 6186.Retrieved17 April2013.

[9] Keith Moore; Chris Newman (January 2018).Cleartext Considered Obsolete: Use of Transport Layer Security (TLS) for Email Submission and Access.IETF.doi:10.17487/RFC8314.RFC 8314.Retrieved12 February2018.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]