Claws-mail - which plugin for html mails?

[Aldo Maggi]

It is now more than one year I have to manually send html content to a
browser to see it
I know that fancy plugin, which formerly did that job very well
automatically, was dismissed because of problems of security with a
library, I remember, though, that, formerly, dillo-plugin existed, and
BTW I've Dillo installed and working, how is it that when I try to load
such plugin it isn't available?

Thanks!

Aldo :-)

[Patrick Bartek]

I checked around the last time you posted this query. Couldn't
find it. Perhaps the Dillo-plugin is no longer supported. I use the
fancy-plugin to display directly in the Claws-Mail window. Although, I
don't use it that much. HTML emails are so artsy-fartsy and a waste of
bandwidth.

I'm sure that "security problem" has been fixed. That was from when
Wheezy was Stable.

B

[to...@tuxteam.de]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, Jun 27, 2018 at 02:47:17PM -0700, Patrick Bartek wrote:
> On Wed, 27 Jun 2018 22:19:53 +0200
> Aldo Maggi <aldo....@poste.it> wrote:
>
> > It is now more than one year I have to manually send html content to
> > a browser to see it

[...]

> I checked around the last time you posted this query. Couldn't

> find it [...]

> I'm sure that "security problem" has been fixed. That was from when
> Wheezy was Stable.

To be fair, HTML mails dont "have" this or that "security problem", they
are a *constant source* of security problems. Be it that they use links
that auto-resolve (yes, you can disable loading images, and most sensible
MUAs do it, but what about CSS? Do you know what other resources HTML is
set to load?).

For one recent example on how HTML mail can subvert (S-MIME) encryption,
see efail [1] (and no, don't follow EFF's recommendation quoted there
to disable PGP -- better disable HTML).

The biggest problem (apart from its sheer complexity) is that HTML is
a moving target: soon it won't be HTML without Javascript. Me? I don't
want my mail user agent executing programs sent by some random spammer,
thankyouverymuch.

Cheers

[1] https://arstechnica.com/information-technology/2018/05/decade-old-efail-attack-can-decrypt-previously-obtained-encrypted-e-mails/

- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAls0gkcACgkQBcgs9XrR2kZWMACfbZRSQtidhrjCHXMdkTJDvq3s
NlgAnArXEipedrlOcZonvIddiT7ECYnY
=K7jn
-----END PGP SIGNATURE-----

[Ben Oliver]

On 18-06-28 08:37:59, to...@tuxteam.de wrote:
>
>For one recent example on how HTML mail can subvert (S-MIME) encryption,
>see efail [1] (and no, don't follow EFF's recommendation quoted there
>to disable PGP -- better disable HTML).

Agreed - pretty bad advice from the EFF. If you have PGP turned on it's
for a reason, why would you want to forego that just for some dumb HTML
email?

[Aldo Maggi]

Ok, I understand your point, but, I wonder, are you using just lynx or
links2 for going on Internet? The problems you correctly point out are
not the same with Chromium, Firefox etc.?

Thanks

Aldo


Il giorno Thu, 28 Jun 2018 08:18:44 +0100
Ben Oliver <b...@bfoliver.com> ha scritto:

[Aldo Maggi]

[to...@tuxteam.de]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jun 29, 2018 at 10:05:47AM +0200, Aldo Maggi wrote:
> Ok, I understand your point, but, I wonder, are you using just lynx or
> links2 for going on Internet? The problems you correctly point out are
> not the same with Chromium, Firefox etc.?

I wouldn't be so sure about lynx et al. Here [1] is a rough but readable
explanation on how eFail works. There are two components into it: (1)
a format like HTML, in which the client possibly follows links without
user interaction (more on that below) and (2) how to bury a MIME
boundary within HTML's baroque syntax so that for the HTML parser,
the whole (now decrypted) message forms part of that link, which will
be "given" readily to a server out there, waiting to harvest it.

More on (1): the example uses an img tag. You might argue that HTML
capable mail readers have learnt these days to not follow automatically
img tags (on privacy grounds), but there is a multitude of other links
which might be followed automatically: CSS, iframes...

Are you sure your l{ynx,inks} doesn't download any of them? Do you know
by heart all of those? Do you even know where to look them up? [2]

I for one wouldn't know better than to look into lynx/links source
code. Good luck with that.

Cheers

[1] https://thehackernews.com/2018/05/efail-pgp-email-encryption.html
[2] This isn't to make you look bad: I don't myself either! This is
to drive home the message that "HTML" is a huge, ill-defined mess
of standards, and that all HTML renderers out there have to be
a steaming pile of pragmatism which is practically impossible to
validate.

- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAls18w4ACgkQBcgs9XrR2kbxXQCaA+z9BNrpjkLJUnmhJi5+/d+t
bRMAnjfgq7HjAXqAi66RDMsYNEYYN34L
=CSa/
-----END PGP SIGNATURE-----

[Greg Wooledge]

On Fri, Jun 29, 2018 at 10:05:47AM +0200, Aldo Maggi wrote:

> Ok, I understand your point, but, I wonder, are you using just lynx or
> links2 for going on Internet? The problems you correctly point out are
> not the same with Chromium, Firefox etc.?

I use a web browser to browse the web, but I use mutt to read and
send email.

The two things are completely separate for me. And, I suspect, for
many other Debian users.

If someone sends email which contains only HTML and not a textual part,
mutt shows me the raw HTML. And then I delete the email, because if
they can't be bothered to send their words in an ordinary plain text
message, then I can't be bothered to go out of my way to convert it for
them. Plus, it'll either be spam, or a stupid question that I have
no interest in reading in the first place, because what kind of
intelligent question could you possibly get from someone who sends
pure-HTML email? None.

[to...@tuxteam.de]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jun 29, 2018 at 08:24:36AM -0400, Greg Wooledge wrote:

[...]

> I use a web browser to browse the web, but I use mutt to read and
> send email.

...which of course is perfectly capable of calling out into a viewer
for HTML (lynx or somesuch). But yeah...

> The two things are completely separate for me. And, I suspect, for
> many other Debian users.

Same for me, but see below.

> If someone sends email which contains only HTML and not a textual part,
> mutt shows me the raw HTML. And then I delete the email, because if
> they can't be bothered to send their words in an ordinary plain text

> message [...]

Sometimes you gotta compromise. I spent a short period of my life in
a corporate environment. I may have lost what's left of my sparse
sanity had I been forced to use Outlook. So I actually managed to get
fetchmail to talk to their Exchange server (IMAP). Needless to say,
most company mails were HTML (few people even knew that, and I was
in the computer tech department!).

My HTML viewer was html2text. Most probably immune to the vulnerability
we're talking about, although I wouldn't bet my farm [1] on it :-)

Cheers
[1] that one I don't have :-)

- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAls2LlAACgkQBcgs9XrR2kZnbgCeINm7ixI/pD3Bh8wP8p9XRHE5
kvEAnR1eEaAx0ZGtvHG+AyehlWaMv4DJ
=a8w4
-----END PGP SIGNATURE-----

[Ben Oliver]

On 18-06-29 08:24:36, Greg Wooledge wrote:
>If someone sends email which contains only HTML and not a textual part,
>mutt shows me the raw HTML. And then I delete the email, because if
>they can't be bothered to send their words in an ordinary plain text
>message, then I can't be bothered to go out of my way to convert it for
>them. Plus, it'll either be spam, or a stupid question that I have
>no interest in reading in the first place, because what kind of
>intelligent question could you possibly get from someone who sends
>pure-HTML email? None.

Hard line but I like it, and do the same. Most decent services do good
multipart anyway.

I do have a macro to pipe an email to firefox if I absolutely *must*
read it in html.

[Greg Wooledge]

On Fri, Jun 29, 2018 at 03:04:16PM +0200, to...@tuxteam.de wrote:
> Sometimes you gotta compromise. I spent a short period of my life in
> a corporate environment. I may have lost what's left of my sparse
> sanity had I been forced to use Outlook.

Yes, work is a different story. They're paying me to do this job, and
part of this job entails communicating with people who use Microsoft
stuff exclusively (it's the desktop standard here).

For the times when it's actually important for my job to be able to read
what someone is saying in the format that they're using ("my corrections
are shown in red below"), I will open the mail in Outlook Web App (OWA).
Which I use in google-chrome-stable.

But for non-work emails? Forget it.

[Aldo Maggi]

I perfectly agree with you, in fact I wonder why one should use a
graphic mail reader (claws-mail) which cannot show html mail just
like the really very powerful mutt (which I myself used many years
ago)?
The conclusion is: claws-mail, at the moment, is completely useless,
better disinstall it.

Thanks

Aldo

Il giorno Fri, 29 Jun 2018 08:24:36 -0400
Greg Wooledge <woo...@eeg.ccf.org> ha scritto:

[Hans]

Hi,

there is a "claws-mail-html2-viewer" package in Ubuntu, it might also work in
debian.

On the other hand, they are telling, that "gtkhtml2-viewer.so" as a plugin
shall produce better results.

Hope this helps.

Best regards

Hans

[Gene Heskett]

Rant on

+10,000 folks. Send me pure html mail and it goes straight back
to "sa-learn spam". And that training has probably sent 20 such messages
a day to the spam folder already, where its chances of being read are
very poor, and a reply is once in a blue moon event.

Email was intended to be plain text. And since email is sent to a common
server, which in turn relays it to every subscriber to the list
regardless of where on the planet the recipient is, he is going to see
it, and all your legal dept gets for appending a big if not the intended
recipient, delete this unread, of course its only seen after reading
that far down in the message that this is seen. The only thing the legal
folks are getting out of such a message, is a paycheck that is a drain
on your resources, there has not been a court rendering anyplace on the
planet that I'm aware of ordering the reader of such a message to pay
damages.

/rant off
--
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>

[Aldo Maggi]

Thank you, Hans!

But I think that package is obsolete, in fact it appears in Precise
Pangolin 12.04, furthermore the package refers to claws-mail 3.8.0, my
version is 3.16.0

What I find very strange (I should be used to strange things since I'm
Italian :-D ) is that I do not see the reason to having a graphical
mailer if it doesn't show html messages, much better a textual one,
open in a xterm (let's hope there are not terrible securities issues
:-D )e.g. mutt (faster, just to mention an advantage, and folders in the
left side do not disappear from time to time with the need to find out
how to see them again!

BTW purists didn't install Xfree86, because of security issues, I do
not think problems have been solved with Xorg :-D

Thank you again,

Aldo :-)


Il giorno Fri, 29 Jun 2018 15:30:21 +0200
Hans <hans.u...@loop.de> ha scritto:

[Gene Heskett]

On Friday 29 June 2018 09:04:16 to...@tuxteam.de wrote:

> On Fri, Jun 29, 2018 at 08:24:36AM -0400, Greg Wooledge wrote:
>
> [...]
>
> > I use a web browser to browse the web, but I use mutt to read and
> > send email.
>
> ...which of course is perfectly capable of calling out into a viewer
> for HTML (lynx or somesuch). But yeah...
>
> > The two things are completely separate for me. And, I suspect, for
> > many other Debian users.
>
> Same for me, but see below.
>
> > If someone sends email which contains only HTML and not a textual
> > part, mutt shows me the raw HTML. And then I delete the email,
> > because if they can't be bothered to send their words in an ordinary
> > plain text message [...]
>
> Sometimes you gotta compromise. I spent a short period of my life in
> a corporate environment. I may have lost what's left of my sparse
> sanity had I been forced to use Outlook.

Certainly a step in that direction.

> So I actually managed to get
> fetchmail to talk to their Exchange server (IMAP). Needless to say,
> most company mails were HTML (few people even knew that, and I was
> in the computer tech department!).
>
> My HTML viewer was html2text. Most probably immune to the
> vulnerability we're talking about, although I wouldn't bet my farm [1]
> on it :-)

Bet only what you can afford to lose. And generally, that amount donated
to a charity will do more good.

>
> Cheers
> [1] that one I don't have :-)

> -- tomás

I don't consider this postage stamp of yellow clay a farm. But its been
paid off for 20+ years now.

[to...@tuxteam.de]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, Jun 29, 2018 at 10:13:08AM -0400, Gene Heskett wrote:

[farm]

> I don't consider this postage stamp of yellow clay a farm. But its been
> paid off for 20+ years now.

Hey, at least a tiny yellow farm :-)

Cheers
- -- t

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAls2QF4ACgkQBcgs9XrR2kbKDACfcd0sxZl5Q2HV49qGaNUSbHHH
6HUAn2Pm20TmU079b7vVwXVZJ4v3Uq/B
=ZOEY
-----END PGP SIGNATURE-----

[Gene Heskett]

On Friday 29 June 2018 10:21:18 to...@tuxteam.de wrote:

> On Fri, Jun 29, 2018 at 10:13:08AM -0400, Gene Heskett wrote:
>
> [farm]
>
> > I don't consider this postage stamp of yellow clay a farm. But its
> > been paid off for 20+ years now.
>
> Hey, at least a tiny yellow farm :-)

Actually, its summer in this hemisphere so its green, covered with weeds
that seriously need mowing. :(

And which I've been slowly covering with roof's, a shed for this, a shed
for that, and 10 years ago a very well insulated garage on the end of
the house, which immediately got loaded up with wood and metalworking
machinery, quite a bit of which is run by linuxcnc, after I converted
them so motors could move them by the micron. Retired for 15+ years
now, this stuff keeps me out of the bars. ;-) That and caring for a now
invalid wife. Any "housekeeping" done is done by me. But I still manage
to work in some time to harass (my interests are best described as
eclectic) about 40 mailing lists. :)

Thanks Tomas.

> Cheers
> -- t

[David Wright]

On Fri 29 Jun 2018 at 10:51:26 (+0200), to...@tuxteam.de wrote:
> On Fri, Jun 29, 2018 at 10:05:47AM +0200, Aldo Maggi wrote:
> > Ok, I understand your point, but, I wonder, are you using just lynx or
> > links2 for going on Internet? The problems you correctly point out are
> > not the same with Chromium, Firefox etc.?
>
> I wouldn't be so sure about lynx et al. Here [1] is a rough but readable
> explanation on how eFail works. There are two components into it: (1)
> a format like HTML, in which the client possibly follows links without
> user interaction (more on that below) and (2) how to bury a MIME
> boundary within HTML's baroque syntax so that for the HTML parser,
> the whole (now decrypted) message forms part of that link, which will
> be "given" readily to a server out there, waiting to harvest it.
>
> More on (1): the example uses an img tag. You might argue that HTML
> capable mail readers have learnt these days to not follow automatically
> img tags (on privacy grounds), but there is a multitude of other links
> which might be followed automatically: CSS, iframes...
>
> Are you sure your l{ynx,inks} doesn't download any of them? Do you know
> by heart all of those? Do you even know where to look them up? [2]
>
> I for one wouldn't know better than to look into lynx/links source
> code. Good luck with that.

When an email is HTML-only, I use lynx to read it. It doesn't download
anything because I set commandline options to prevent it (both
automatically and if I select a link). Here's the line from my
~/.mutt/mailcap-mutt file:

# the next line is used only when an html attachment is selected in the attachments menu
text/html; /usr/bin/lynx -force-html -localhost -stdin

which is configured in my ~/.mutt/muttrc file:

set mailcap_path=$HOME/.mutt/mailcap-mutt

I think elinks has a similar option ( -localhost 1 ), but I don't know
about the links program. I like lynx because it doesn't just dump the
output but scrolls it like the interactive mode, highlighting the
(gagged) links.

> [1] https://thehackernews.com/2018/05/efail-pgp-email-encryption.html
> [2] This isn't to make you look bad: I don't myself either! This is
> to drive home the message that "HTML" is a huge, ill-defined mess
> of standards, and that all HTML renderers out there have to be
> a steaming pile of pragmatism which is practically impossible to
> validate.

Cheers,
David.

[Celejar]

I suppose everyone's browsing habits are different. I dislike HTML mail
as much as the next guy (well, perhaps not as much as the true
believers / fanatics), but I do have to deal with banks, businesses,
and other commercial entities who send HTML mail (with a text part that
isn't readable).

Celejar

[Celejar]

On Fri, 29 Jun 2018 10:07:04 -0400
Gene Heskett <ghes...@shentel.net> wrote:

...

> Email was intended to be plain text. And since email is sent to a common
> server, which in turn relays it to every subscriber to the list
> regardless of where on the planet the recipient is, he is going to see
> it, and all your legal dept gets for appending a big if not the intended
> recipient, delete this unread, of course its only seen after reading
> that far down in the message that this is seen. The only thing the legal
> folks are getting out of such a message, is a paycheck that is a drain
> on your resources, there has not been a court rendering anyplace on the
> planet that I'm aware of ordering the reader of such a message to pay
> damages.

I think some of the purists in this thread are disgregarding Postel's
Law. It's all very nice to yearn after an ideal world in which no
serious mail is in HTML form, but in the real world, there's still a
fair bit of legitimate, even essential, mail that is. Do we really want
to drop all of it, falling on our swords in the name of abstract
principle?

Celejar

[Ben Oliver]

On 18-06-30 22:31:49, Celejar wrote:
>I suppose everyone's browsing habits are different. I dislike HTML mail
>as much as the next guy (well, perhaps not as much as the true
>believers / fanatics), but I do have to deal with banks, businesses,
>and other commercial entities who send HTML mail (with a text part that
>isn't readable).

My pet peeve is when they do provide a plaintext part, but it's just the
HTML anyway...

[Jason]

Or if they include it but it contains different content than the HTML,
or is devoid of any content.

--
Jason

[Ben Oliver]

On 18-07-02 10:22:57, Jason wrote:
>Or if they include it but it contains different content than the HTML,
>or is devoid of any content.

The blank plaintext is the ultimate middle finger to the user. At least
when it's not there you can fall back to html if you want to. When you
put a blank one in you get a blank email...!