It is 2020 and while hosting my own mail servers, I had a thought of opting for a secure, modern and robust web-mail clients for friends and family as a few of them might use my own mail servers without configuring it on a desktop or mobile email client. Upon basic web search I figured that Rainloop and Roundcube are the only two usable options for web-mail today. Let us talk about these webmail clients later in the post.
I wanted a web-mail to be modern, easy-to-maintain yet as simple as good old Squirrelmail. After digging more on the subject, I came across a Switzerland based small and interesting email provider called Migadu. They currently deploy Rainloop for web-mail. Albeit, they are worried and expressive on the topic of a modern secure webmail solution.
We currently use Rainloop open source webmail within Migadu. However, we have found it to be buggy and difficult to maintain. Furthermore, from system administration aspects, we wanted something that is as simple as single executable. That has lead us to investing into a new open source webmail called Alps.
Alps is a simple and extensible webmail client. It is free and open software licensed under MIT license with source-code freely available for you to audit, contribute and share. It is being developed in collaboration with Sourcehut’s free software consultancy’s engineer Simon Ser (aka emersion) who did work on Go’s email ecosystem including libraries for great good. It is so kind, open and generous effort of Migadu and its developers to join hands with Sourcehut and co-develop a webmail client together. Is it not intriguing enough? Sure is for me. It got me so excited that I communicated and conversed with both to jot down their thoughts and to put an end to my curiosity.
When asked about working on other popular webmail choices including Roundcube, emersion from Sourcehut said, php makes it easy to write insecure software. He also pointed at the enormous size of webmail project like Roundcube, which makes it complicated to audit and hence delicate from security point of view. Further, I was told, php does not make it any easy to host. Alps on the other hand is basically a no-configuration webmail. Also, Alps makes use of modern web-browser features to further isolate HTML emails, for instance with iframe sandbox. Mr Simon aka emersion quickly pointed out the much required need for efforts and other motivations to develop a good plugin system for the new webmail project. With this information, it is getting obvious as to why Migadu wanted Sourcehut to work on Alps with available Go’s email ecosystem and libraries developed by Mr Simon himself.
According to Mr Simon, go shines for everything network-related and hence the choice of Go language for Alps is a natural fit. It is a simple language and do not use any JavaScript libraries and very little JavaScript code. I totally want this to be LibreJS complaint. Although, there was no official regarding this owing to development stage of the webmail project.
Alps being a joint venture kind of open project between Migadu and Sourcehut. It really got me thinking whether or not there are going to be two different binaries or versions of same software. Obviously, if this happens, Migadu’s version gets most amazing features. I am startled to hear that there is no such plan for two versions or anything. All the work done is going to be shared openly. Kudos to both! If we check their source-code, very little work is being done on Alps, which is going to resume soon as per the developer who loves working on this project.
I am pumped for Alps myself. I am already running it for my personal domain internally for testing purposes. Once a release candidate even without any actively working Calender feature is rolled out, I am going to ask others to try it without a doubt. I am impressed by what I see even in its current state of development. Before you ask, I know it is barebones but it is not a big deal. It just works and that is enough to test the most prominent functionality i.e. sending and receiving emails and letters.
According to Dejan Štrbac from Migadu, all open source webmail solutions in use today are sadly based on PHP. Not go bashing PHP itself, but it is a mess to deploy and maintain, even for us who are well versed system admins. There is place for a webmail utility which is, single binary, easy to install via your default package manager and is executed just as any other unix tool. It is just an IMAP client after all. No dependencies, databases etc – install & run. This is where we are heading with Alps.
Our own need is to be able to build around the webmail and integrate it into our own systems easily. We do not want to go into hacking of cruft code someone wrote ages ago.
When asked why not continue with Rainloop or switch to Roundcube or SoGo? Here is what Mr Dejan had to say:
Rainloop is in principle nice to use. However, when you need to alter something on it, there be dragons. It also comes with a bad license and it is as close to abandoned as it gets. There is no real community effort around Rainloop. Plugins? Only for adventurous. The author also ripped out the code from AfterLogic which gives it a bad karma.
Then, there is Roundcube. Besides the kickstarter fiasco where they raised money to basically deliver a new theme, it is a historical product full of cruft. Webmail should not be so complex. It is also pain to extend.
SoGo does not fit with our vision as it is too integrated into the SoGo bundle. Webmail should not have a Card/CalDav server and should not depend on a database. If someone wants SoGo, they can install it, however, we dislike the project to maintain. They could have chosen to make SoGo modular, with a separate CalDav server, separate ActiveSync modules, separate clients which can all be re-utilized by the community. However, the agenda of company behind SoGo is different. The bundle is what brings them support contracts. Email hosting is a complicated beast on its own, and adding a big chunk of 3rd party “open source” Objective-C code on top only one company maintains (three developers in total!)? That is exactly the business model which left us with the existing webmail carcasses.
Alps: easy to deploy, use and audit for everyone
We need something KISS, light and fresh that is easy to audit, extend, modify and administer. We initially started building our own webmail client and looked into languages that have most complete IMAP libraries as we did not really want to go into reinventing the wheel over and over again. We then found out Go cuts the bill and the libraries for IMAP and email were mostly written and maintained by a single man – Simon Ser. Instead of building a product around libraries ourselves that would really make 90% of the final product, we decided to sponsor Simon & Drew (from SourceHut) to take the lead on the task. This approach serves everyone and further builds the email libraries for the community. Webmail is not our business but we benefit from a good, maintained webmail out there. This makes it perfect case for supporting it as open-source.
Alps webmail is meant to be a framework for building up webmails rather than another opinionated webmail that does same things as done past decades. It should work without JavaScript but utilize it to improve UX if enabled. Security & Privacy wise – Migadu will stand behind it rather than let it rot as other webmails. It is meant to be simple and easily extendible both via Go or Lua plugins. We are working on Cal/CardDav & ManageSieve client extensions and 2FAuth is coming too. Themes, auto-configuring via SRV records, easy deployment are just some of the already built-in features.
I hope that gives you a bit of our thinking around going into Alps development. We are still far from the finish line here, but the development will speed up in the coming months.
To conclude, Alps is filling the gap and offering us a robust solution written in a secure programming language versus PHP. It also utilizes Go’s email ecosystem developed by free/libre software developer like Mr Simon, who also happens to be the lead developer for Alps at Sourcehut. I am convinced that this free/libre webmail project has what it takes to thrive into what Squirrel-mail was back in the days. It is a promising vanilla modern webmail project with focus on privacy and security from day 1. I cannot wait any further to deploy it on all personal and professional mail servers I know of.
lack of most wanted features.. like multiaccount, gpg advanced and tagging! sorry but i will not use it!
All these features are being developed and surely would be deployed by soon. Gpg should never be used on webmail, esp. when not hosted by you on a local machine. Thanks!
Hey! Nice insight and some great screenshots – I joined Migadu recently and was wondering what Alps looked like, can’t wait to try it. Although it seems like there is little movement or development on Alps in recent months???
I’m too waiting to see more on Alps being deployes, they had announced it would be operational by september….
What do you like the most about it?