Looks like the only options for backing up a mailbox are offlineimap (a Python 2 tool that claims it's not under development anymore), imapfw (its replacement with last commit in 2017), and mbsync (a C tool).
Is there really nothing better?
I guess Python 2 > C, but =(
Thanks to everyone who mentioned imapsync! I had not realized this was not the same as isync/mbsync.
It's written in a memory-safe language (Perl), under active development, and packaged by Homebrew, perfect! imapsync.lamiral.info
OfflineIMAP, no.
But how would you have it do it? Ideally it'd support DANE. WebPKI isn't really suitable for this.
What? Every public IMAP endpoint I ever used had WebPKI certificates. Half their docs are about using Gmail.
And self-hosted setups should use free WebPKI certificates or their own roots, and likewise should require secure configuration by default, not be hung out to dry.
Oh, apparently IMAP has a separate IMAPS port so that kinda works. I forgot that. Still, DV is meh for non-HTTPS usages.
STARTTLS services can still be used while enforcing TLS with valid Web PKI certificates. DANE is nice but relying on DNS with DNSSEC has other threats (registrars, etc.) and doesn't give cert transparency. DV certainly sucks but CT is very valuable and Web PKI is being improved.
The right way to use DANE is pinning keys. I don't think it makes much sense to use it to pin certificates. As a key pinning mechanism it's perfectly suited to be an additional security check and can live happily alongside Web PKI. CT is a nice check on registrars, not just CAs.
If you're thinking about DANE for HTTPS, yes, PKIX-EE(1) is reasonably fit for purpose, if/when (some day) the browsers actually implement DANE.
For SMTP, Web PKI is not a good fit. See section 1.3 of RFC 7672. MTA-STS is a kludge.
WebPKI, btw, is just as vulnerable to registrars.
Registrar is absolutely NOT a (new) threat with DANE. This is debunked FUD. With WebPKI 💩 certificates are issued based on unauthenticated DNS and have a strict superset of threats. CT equiv for DS delegations would be desirable tho.



