How Mailiverse Works: Technical Version(__VERSION__)
Server
Receiving mail from an external source
When mail is received from an external source it is accepted using an SSL connection
manufactured via an authority issued SSL certificate.
We must use an authority based SSL certificate
as option, because some mail servers (hotmail,others) refuse to deliver mail when the SSL certificate
has been self generated.
In the future, we will set up another mail receiving server which does not use an authority issued SSL certificate.
All external mail will first attempt on the non authority issued SSL certificate.
For the time being, the second non authority based SSL certificate server does not exist.
We will update this page when it does.
Receiving mail from an internal source (two internal users mailing each other)
When mail is sent from one user to another, the mail never passes through an external server.
It also is sent to our server using an RSA public key which we have created privately.
Mail from one internal user to another never passes through an external network unencrypted, or encrypted using any
authority issued encryption key.
Writing mail
When mail is received by our server, whether internally or externally, the server
looks up the client's RSA PublicKey, encrypts (RSA-AES-CBC-256-EmbedIV)
the mail and writes it to the user's store.
Because of performance problems surrounding the javascript client parsing actual Mime messages,
the server also parses the mail into a JSON container, encrypts the JSON string with the RSA PublicKey
(RSA-AES-CBC-256-EmbedIV) and writes that as well to the user's store.
Client
Sign up
The javascript client creates all of the RSA keys and configuration locally.
It also uses the user's password to generate a
VerificationKey and CryptoKey [PKDF2-HMAC-SHA256,#iter=131072,kl=256,public salts].
In order to transfer the VerificationKey the client uses an RSA Public Key we have
created privately. The VerificationKey never is transmitted plain text or encrypted with an
authority issued encryption key.
The client block is first encrypted using the CryptoKey and then
transfered to the server using an SRP encrypted connection based on the VerificationKey.
Login
The javascript client logs into our server using SRP. (SRP provides protection from MIM attacks.)
- Use password to generate VerificationKey and CryptoKey [PKDF2-HMAC-SHA256,#iter=131072,kl=256,public salts]
- Use the VerificationKey as the password for SRP authentication
- Use the CryptorKey to decrypt the user block (AES-CBC-256-EmbedIV)
- Obtain the user RSA KeyPair from the decrypted block
Parsing Mail
The client uses the RSA Private Key to decrypt (RSA-AES-CBC-256-EmbedIV) json container mail stored on
the user's storage. It then creates cache files to allow information to be more quickly loaded.
These cache files are encrypted (AES-CBC-256-EmbedIV) with an AES key, generated from
a combination of a secret seed and the file name.
iOS Client
The iOS client works exactly like the web client. No caches are stored on the device.