disable the PGP section if the mailbox is proton and not has PGP enabled (#1841)

* disable the PGP section if the mailbox is proton and not has PGP enabled * fix format --------- Co-authored-by: Son NK <son@simplelogin.io>
2023-08-09 09:56:53 +02:00 · 2023-08-09 09:56:53 +02:00 · 0435c745fd
parent 366631ee93
commit 0435c745fd
4 changed files with 120 additions and 76 deletions
--- a/app/dashboard/views/mailbox_detail.py
+++ b/app/dashboard/views/mailbox_detail.py
@ -30,7 +30,7 @@ class ChangeEmailForm(FlaskForm):
@dashboard_bp.route("/mailbox/<int:mailbox_id>/", methods=["GET", "POST"])
@login_required
 def mailbox_detail_route(mailbox_id):
-    mailbox = Mailbox.get(mailbox_id)
+    mailbox: Mailbox = Mailbox.get(mailbox_id)
    if not mailbox or mailbox.user_id != current_user.id:
        flash("You cannot see this page", "warning")
        return redirect(url_for("dashboard.index"))
@ -144,6 +144,15 @@ def mailbox_detail_route(mailbox_id):
                        url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox_id)
                    )

+                if mailbox.is_proton():
+                    flash(
+                        "Enabling PGP for a Proton Mail mailbox is redundant and does not add any security benefit",
+                        "info",
+                    )
+                    return redirect(
+                        url_for("dashboard.mailbox_detail_route", mailbox_id=mailbox_id)
+                    )
+
                mailbox.pgp_public_key = request.form.get("pgp")
                try:
                    mailbox.pgp_finger_print = load_public_key_and_check(
--- a/app/dns_utils.py
+++ b/app/dns_utils.py
@ -34,7 +34,7 @@ def get_cname_record(hostname) -> Optional[str]:


 def get_mx_domains(hostname) -> [(int, str)]:
-    """return list of (priority, domain name).
+    """return list of (priority, domain name) sorted by priority (lowest priority first)
    domain name ends with a "." at the end.
    """
    try:
@ -50,7 +50,7 @@ def get_mx_domains(hostname) -> [(int, str)]:

        ret.append((int(parts[0]), parts[1]))

-    return ret
+    return sorted(ret, key=lambda prio_domain: prio_domain[0])


 _include_spf = "include:"
--- a/app/models.py
+++ b/app/models.py
@ -30,6 +30,8 @@ from sqlalchemy_utils import ArrowType
 from app import config
 from app import s3
 from app.db import Session
+from app.dns_utils import get_mx_domains
+
 from app.errors import (
    AliasInTrashError,
    DirectoryInTrashError,
@ -2569,6 +2571,27 @@ class Mailbox(Base, ModelMixin):
            + Alias.filter_by(mailbox_id=self.id).count()
        )

+    def is_proton(self) -> bool:
+        if (
+            self.email.endswith("@proton.me")
+            or self.email.endswith("@protonmail.com")
+            or self.email.endswith("@protonmail.ch")
+            or self.email.endswith("@pm.me")
+        ):
+            return True
+
+        from app.email_utils import get_email_local_part
+
+        mx_domains: [(int, str)] = get_mx_domains(get_email_local_part(self.email))
+        # Proton is the first domain
+        if mx_domains and mx_domains[0][1] in (
+            "mail.protonmail.ch.",
+            "mailsec.protonmail.ch.",
+        ):
+            return True
+
+        return False
+
    @classmethod
    def delete(cls, obj_id):
        mailbox: Mailbox = cls.get(obj_id)
--- a/templates/dashboard/mailbox_detail.html
+++ b/templates/dashboard/mailbox_detail.html
@ -71,7 +71,18 @@
        </form>
      </div>
      <!-- END Change email -->
-      {% if mailbox.pgp_finger_print and not mailbox.disable_pgp and current_user.include_sender_in_reverse_alias %}
+      <!-- Not show PGP option for Proton mailbox -->
+      {% if mailbox.is_proton() and not mailbox.pgp_enabled() %}
+
+        <div class="alert alert-info">
+          As an email is always encrypted at rest in Proton Mail, having SimpleLogin also encrypt your email is redundant and does not add any security benefit.
+          <br>
+          The PGP option on SimpleLogin is instead useful for when your mailbox provider isn't encrypted by default like Gmail, Outlook, etc.
+        </div>
+      {% endif %}
+      <div class="{% if mailbox.is_proton() and not mailbox.pgp_enabled() %}
+         disabled-content{% endif %}">
+        {% if mailbox.pgp_finger_print and not mailbox.disable_pgp and current_user.include_sender_in_reverse_alias and not mailbox.is_proton() %}

          <div class="alert alert-info">
            Email headers like <span class="italic">From, To, Subject</span> aren't encrypted by PGP.
@ -164,6 +175,7 @@
              </div>
            </form>
          </div>
+        </div>
        <hr />
        <h2 class="h4">Advanced Options</h2>
        {% if spf_available %}