loomio / loomio-deploy

Install Loomio on your own server


Mailin alternatives

kawigreen14r opened this issue · comments

Hi, will Loomio work with this alternative mailin codebase?

https://github.com/vithalreddy/node-mailin

As the Mailin your docker file points to is no longer active, and hasn't been updated in 7 years, our internal filters found a series of vulnerabilities and license issues with the NPM mailin package. The version above was forked from flolagale's mailin and corrected and updated many of the security fixes, but most importantly is more current with node and other dependencies. It is different though, so I was hoping you could provide some input on whether this version should work the same with your codebase? And if not, could you suggest another mailin clone?

Hi, I don't know if that particular project works, I've tried some mailin clones in the past but they were slightly different and did not work.

This has been reliable for us for 9 years now. I've never seen a piece of software serve as well as mailin. It's wild.

Just to be clear: the app only accepts connections on port 25, then makes an API request to the rails server via https. So it's an email to https gateway. It writes no data to disk, stores no secret information, and is essentially self contained. A vulnerability in this cannot affect the main Loomio server more than any other HTTP request.

However, it's not perfect, in particular if the Loomio server goes down, then inbound email can be dropped.

For a while I've been thinking that the best path forward is to drop mailin and adopt ActionMailbox directly within rails. You would then be able to use a commercial inbound email service (though I have no idea why you would want to), or something like Haraka with an actionmailbox plugin (https://github.com/mailprotector/haraka-plugin-queue-rails). That would replace the mailin node in our case.

If you want to discuss sponsored development to address this please feel free to get in touch: rob@loomio.org
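The email-to-https gateway described in the reply above, as an added example that is not mailin's or Loomio's code: a minimal receive-only SMTP session whose relay step (in production, an HTTPS POST of the raw message to the application) is injected as a callback so it runs offline. The detail worth seeing is the failure mode the reply mentions: when the application server is unreachable, the gateway answers 451 (temporary failure) so the sending MTA keeps the message queued and retries, rather than the message being dropped. Hostnames and addresses are constructed placeholders.

```javascript
// Added example, not code from mailin or Loomio: the core of an SMTP-to-HTTPS
// gateway. The relay callback stands in for the HTTPS POST to the application
// and returns { ok, status }; everything else is local and offline.

// Translate the relay outcome into the SMTP reply sent after end-of-data.
// ok -> 250; network error or 5xx -> 451 (sender retries); 401/403 (our relay
// credentials are misconfigured) -> 451 too, so a config error on the gateway
// side does not bounce every sender's mail; any other 4xx -> 554 (refused).
function smtpReplyFor(outcome) {
  if (outcome.ok) return "250 2.0.0 OK: relayed to application";
  if (outcome.status === undefined || outcome.status >= 500) {
    return "451 4.3.0 Relay unavailable, try again later";
  }
  if (outcome.status === 401 || outcome.status === 403) {
    return "451 4.7.0 Relay misconfigured, try again later";
  }
  return "554 5.7.1 Message refused by application";
}

// Minimal SMTP session for a receive-only relay gateway. Returns the reply
// string for each client line, or null while collecting message data.
function createSession(relay) {
  const state = { from: null, rcpts: [], inData: false, data: [] };
  const reset = () => { state.from = null; state.rcpts = []; state.data = []; };

  return function handleLine(line) {
    if (state.inData) {
      if (line === ".") {
        state.inData = false;
        const raw = state.data.join("\r\n") + "\r\n";
        const outcome = relay({ from: state.from, to: state.rcpts, raw });
        reset();
        return smtpReplyFor(outcome);
      }
      // RFC 5321 dot-unstuffing: a line beginning ".." carried a leading ".".
      state.data.push(line.startsWith("..") ? line.slice(1) : line);
      return null;
    }
    const verb = line.split(" ")[0].toUpperCase();
    switch (verb) {
      case "HELO":
      case "EHLO":
        return "250 gateway.example";
      case "MAIL": {
        const m = /^MAIL FROM:\s*<([^>]*)>/i.exec(line);
        if (!m) return "501 5.5.4 Syntax: MAIL FROM:<address>";
        state.from = m[1];
        return "250 2.1.0 OK";
      }
      case "RCPT": {
        if (state.from === null) return "503 5.5.1 Need MAIL command first";
        const m = /^RCPT TO:\s*<([^>]+)>/i.exec(line);
        if (!m) return "501 5.5.4 Syntax: RCPT TO:<address>";
        state.rcpts.push(m[1]);
        return "250 2.1.5 OK";
      }
      case "DATA":
        if (state.rcpts.length === 0) return "503 5.5.1 Need RCPT command first";
        state.inData = true;
        return "354 End data with <CR><LF>.<CR><LF>";
      case "RSET":
        reset();
        return "250 2.0.0 OK";
      case "QUIT":
        return "221 2.0.0 Bye";
      default:
        return "502 5.5.2 Command not implemented";
    }
  };
}

// Feed a whole client transcript through one session and collect the replies.
function runTranscript(lines, relay) {
  const handle = createSession(relay);
  const replies = [];
  for (const line of lines) {
    const reply = handle(line);
    if (reply !== null) replies.push(reply);
  }
  return replies;
}

// Constructed sample transcript (not captured traffic); addresses are placeholders.
const SAMPLE_TRANSCRIPT = [
  "EHLO mx.example.net",
  "MAIL FROM:<alice@example.net>",
  "RCPT TO:<reply+thread123@loomio.example>",
  "DATA",
  "Subject: Re: proposal",
  "",
  "..leading dot line",
  "Looks good to me.",
  ".",
  "QUIT",
];

// Relay stubs standing in for the HTTPS POST: application up, application down.
const relayUp = () => ({ ok: true, status: 200 });
const relayDown = () => ({ ok: false, status: undefined });

console.log(runTranscript(SAMPLE_TRANSCRIPT, relayUp)[4]);   // 250 ...
console.log(runTranscript(SAMPLE_TRANSCRIPT, relayDown)[4]); // 451 ...
```

The mapping in `smtpReplyFor` is the whole defensive point: a gateway that answers 250 before the application has actually accepted the message is the one that silently loses mail during an outage, and the sending MTA's own queue is the only retry buffer a stateless relay like this has.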

On further consideration I want to say that I appreciate you raising this. I take back what I said about this being an insignificant vulnerability - having a bad actor potentially spying on inbound emails is obviously a big risk.

Mailin is a rather small package, Loomio could potentially fork it and make our own maintained version, or we drop it and adopt the ActionMailbox approach.

This would need to be undertaken with sponsored development. Please do make contact regarding this.

Is there some easy way to completely disable the incoming email functionality?

Technically, yes. Just don't run this container. But the email footers will still indicate you can reply by email.

Again, happy to work with your organization to find an appropriate solution.