JMAP: Like IMAP but Not Really

I've been a happy Fastmail customer too, until I was made aware that you can impersonate other Fastmail customers by just spoofing the email address. Their servers just happily accept it. SPF and DKIM all pass with flying colours, and the only way you'd know it's happened is if you have DMARC on and happen to notice a pass in the report you don't remember sending. Well, that is if the recipient doesn't reply to the spoofed message - hope the damage wasn't already done though. It's effectively impossible for the recipient to know it's been spoofed.

The worst part is I think Fastmail is aware of it and just don't care (believe that's why they mark their emails with a green tick and text). I understand that email has never been really authenticated, but this just throws any trust I had in Fastmail out the window.

I will be evaluating other mail hosts at the end of my subscription.

> after a trial realized that Gmail does many things well, except for being a good email service.

This.

I remember back when Gmail was new and hot. It was unlike any other email service out there, and ridiculing people for using inferior email-solutions could to a certain extent be justified.

While other webmails were slow, had constantly reloading pages and what not, Gmail was fast. It was amazingly fast. Gone where the 5 minutes making the webmail work for you. You just sent the email and you were done. Just like that. Back then, this was unheard of.

These days though? Everyone is still pretending like GMail is the only game in town, when I think they have one of the worst webmail-interfaces out there. And it's slow. Oh god it is slow. And god forbid you try to load it in a browser not Chrome, because then it just grinds to a complete halt.

So yeah. Happy Firefox-using FastMail-customer here. You couldn't get me back to GMail even if you paid me.

I considered FM a while back but... you pay per account! $50/account no less! I separate my email into three accounts across two domains and my wife does the same and I have kids who'll have their own email addresses at some point.

I can't even begin to consider using it at the price point I presume I'd be in.

> Also from what I understand JMAP should be friendly for mobile usage.

I read the FM blogs and I remember them mentioning that low battery consumption was one of the design goals.

The JMAP site [0] has:

> JMAP is designed to make efficient use of limited network resources. Multiple API calls may be batched in a single request to the server, reducing round trips and improving battery life on mobile devices.

[0]: https://jmap.io/spec-core.html

> Also from what I understand JMAP should be friendly for mobile usage. They kept notifications out of it, you're supposed to implement notifications using whatever the mobile platform provides. Interacting via JMAP is via plain HTTP requests, which is super cool.

Sounds actually not cool. Is there really no standardized way to do notifications? The world consists not only of shitty mobile walled gardens which insist on or strongly favor their proprietary implementations.

> ...Gmail does many things well, except for being a good email service.

Gmail/Gsuite seem to be good email services from my perspective as lay user and occasional admin. Can you expand on why you think they are not good email services?

REST is what Roy Fielding wrote about in his thesis. It is an architectural style, not a protocol.

It involves two endpoints exchanging the state of a shared resource. It needs to be compliant with the constraints of that style.

People think that REST must be over HTTP, but it can be over any protocol. The essence is that it is a style of systems design, so JMAP can be considered RESTful as described in the link above.

REST is one of the real patterns in software architecture, a set of constraints, not a set of structural elements.

REST doesn't really have anything to do with the HTTP methods you use. It's about handing off state between the client and server using stateless requests instead of maintaining a persistent, stateful session. This blog post is a good overview: https://programmingisterrible.com/post/181841346708/what-the...

They have an FAQ item concerning that: https://jmap.io/#why-is-it-not-rest-based?

At this point I guess any API that runs on top of HTTP is REST? Strange world.

Maybe unpopular opinion, but i'd take this any day over a "proper" REST api requiring DELETE and PUT.

Also i'd classify a REST api as anything that does http requests and consumes proper JSON. As long as this is true , the rest is squabbling :)

Yes, postfix has been around for so long and it is very solid. However, to run a mail server nowadays, it still needs a lot of configuration work and even additional daemons to add SPF checks, forwarding with SRS, and DKIM signatures. All of this is possible to be added though, which speaks for the flexibility of the postfix design.

Email is "good enough".

The real hole is "instant messaging". Somehow every few years we got from ICQ to AIM to Paltalk to Skype to Facebook Messenger to Slack to ... (at least Altassian had the decency to take HipChat behind the woodshed and shoot it)

The strange thing is that these services dry up, blow away, get replaced, but they don't seem to improve on what came before.

There is a standard, XMPP, but the only people who care about it are firefighters, cops, and soldiers. For all the anger at internet giants these days, I can't see for the life of me why people aren't pushing for open instant messenging.

> if someone had just jammed XMPP and SMTP together.

Xmpp is/supports federated/ion (user1@server1.com can message user2@server2.com).

But the major players (by numbers) wanted silos: Google (talk) and fasebook (first gen of messenger).

They basically went lol, screw users (arguably because: spam. But hello, Gmail? And today fb spam...).

So thank Google and Facebook for deliberately gimping it so you can't fb message user@gmail.com or gtalk first name.lastname123@facebook.com.

"if someone had just jammed XMPP and SMTP together" - wasn't that kind of what Google Wave was aiming for?

It was sometimes possible to hold realtime conversations over email, before the amount of required spam processing became too high. There's no protocol reason why you can't do that between servers, although getting it into a client requires either IMAP push or something more modern.

> make an account

You are required to make an account somewhere so your account can be banned if you spam, basically.

Apache James is a great smtp and imap server that has a lot of really great features, like distributed storage in cassandra and some support for jmap.

Honestly I'm surprised no one has suggested replacing SMTP with a HTTP POST request. All you would need is an email address -> HTTP URL conversion (which I believe something like WebFinger already has). Then just POST your message to that URL and you're done. ISPs can run proxies that just authenticate that requests are from users and forwards them on.

Emails are perfectly fine as they are. We also don't keep re-inventing forks, umbrellas, hammers and such.

> What would (imnsho opinion) have fixed spam is sender pays. I've debated this with a lot of people. We're 50/50 on it. Fifty agree with me, fifty million don't.

I propose a scheme where the sender pays e.g. 5 ct per e-mail (low enough that it does not matter for legitimate use, but high enough to make spam unprofitable). BUT with the following twist: The receiver can generate API tokens that allow free e-mail delivery.

So when I sign up for e.g. Twitter, I can give them an API token for my mail address so they can send notification mails to me for free. If they decide to start spamming me, or if they decide to sell my token to a spammer, I can just revoke the token and the spam flood stops instantly.

I have not found any flaws in this idea yet. RFC!

If paying to send email is your suggested solution, I can see why you don't like the meme in question. But the suggestion is rife with problems. How exactly are you going to get everyone to start paying for email, which is free today? If it's a parallel system, how are you going to get people to switch? Who are they going to pay?

> What would (imnsho opinion) have fixed spam is sender pays. I've debated this with a lot of people. We're 50/50 on it. Fifty agree with me, fifty million don't.

Along with the billions of spam SMS that are also supposed to be sender-pays, sadly

> What would (imnsho opinion) have fixed spam is sender pays.

Alternate but similar - sender holds the email until the receiver fetches: https://cr.yp.to/im2000.html

I'm not sure it actually helps that much to cut down spam but anything is worth a try at this point.

How about a combination of sender-pays and a whitelist for everyone else? Essentially, have a web-standard for what linkedin is doing.

Paying might reduce the spam, but some spammers are perfectly fine with paying. Just look at text spam and robocallers.

Sender pays to stuff junk in my physical mailbox and I have a lot more trouble with spam there than I do in my email.

You could pay with computing power.

https://en.m.wikipedia.org/wiki/Hashcash

Note that "RESTful" in JMAP's case means "everything over JSON HTTP POST", methods to be invoked are embedded in the JSON request.

As for XMPP battery consumption I didn't see major problems, Conversations.im is always <1% (I just checked and it shows 0%). On the other hand Conversations can use push to optimize battery usage.

Storing sent mails is really one of the oldest problems of the SMTP/IMAP combination.

BURL [1] is an SMTP extension that allows to submit a mail that is already stored on an IMAP server. This still requires to make a separate connection to send the mail, but at least it does not require uploading it to both SMTP and IMAP only to store it in the Sent folder.

However, this extension is rarely implemented or deployed, although the RFC itself is already twelve years old. As an example, Dovecot started to support it by acting as a SMTP proxy [2] as of version 2.3 in 2017. I am not aware of any mail clients that support BURL.

[1] https://tools.ietf.org/html/rfc4468

[2] https://wiki.dovecot.org/Submission

JMAP actually does support replacing both. My next TODO item for Cypht is integrating SMTP support with JMAP.

Why do you think you need a new protocol for this? Instead what you want is a different IMAP server.

Editor of the JMAP specs here. The JMAP calendar spec is currently just a draft, but now JMAP core and mail are (more or less) finalised and JSCalendar (https://tools.ietf.org/html/draft-ietf-calext-jscalendar-11) is in last call too, we will be looking to take the JMAP Calendar spec through the IETF process in the very near future. Since it is essentially just combing core with the JSCalendar data format, this should be reasonably straight forward.

Current state of calendaring is horrible, it's basically not possible right now to create compatible and reliable library/application.

I've sadly been looking for, and never found, an open source EWS <-> IMAP/(Cal/Card Dav) gateway. I'd love it if my users could get a full experience using Outlook for Mac for example. Right now I recommend them to just use Apple Mail/Calendar/Contacts or Thunderbird with the tb-sync extensions.

Most mail clients are running on mobile (judging by number of devices). Long-running connections on mobile are a bad idea because of network reliability and battery concerns.

Understand that JMAP is an object synchronisation protocol. It’s most interested in the problems that are out of scope for GraphQL.

You could have a variant of JMAP with GraphQL syntax and semantics, but there would be a fair bit of mismatch, for their purposes and focuses are quite different: JMAP is concerned with object identity and synchronisation, for what you might call thick clients (and JMAP Mail needs to be broadly IMAP compatible), while GraphQL is UI-focused, for what might reasonably be considered to be thin clients (not that they are logicless, but that they are very much focused on offloading burden to the server). I see no compelling case for a JMAP-like GraphQL thing.

It could still be an interesting task to develop a object synchronisation protocol like the JMAP core on top of GraphQL.

Reading through the JMAP website [0], I'm actually wondering whether whoever's behind JMAP has looked at GraphQL. There seem to be a lot of similarities (especially the "why not REST" section).

[0] https://jmap.io/index.html

Actually, Outlook GraphQL reusing the idea of batch JMAP calls. https://docs.microsoft.com/en-us/previous-versions/office/of...

I'm not sure I understand: JMAP is designed for communication between the client and the mail server. But you still would need a mail server, always on, to receive the incoming mail from other servers, right ?

Did I miss something about JMAP?

Why?

Mail is decentralized already. Part from relying on DNS.

And you seem very eager to put everything in the amazon basket.

If everyone hosts their email with Amazon it's gonna be quite centralised.

The first problem is actually the more serious one, sadly.

If you are mention Ios/Android, yes you need the proxy to redirect push calls from JMAP server to the push services of apple/google.

> most of the web is moving to gmail

This isn't true; there's a LOT of industry on Exchange of some sort, and plenty of older institutions running their own email. Especially in IETF land.

And it's a huge risk increase if everyone moves everything to gmail.

It fakes it, at the very least - you can do a “show original message” and see all the RFC.822 and mine headers.

Microsoft Exchange used to not bother with actually SMTPing when talking to another exchange server (or itself), I don’t know what it does these days.

I hear of a lot more people moving away from Gmail than moving to Gmail.