Three mail clients

So now we have the choice between three email clients:

  • the nectcloud integrated mail with an … improvable user interface, WITH s/mime, without PGP, with some issues around conflicts between data in database and data on imap server
  • the less good integrated nice snappyMail, with PGP, without S/Mime, not so perfect Addressbook integration
  • in future roundcube - lets hope for better integration into nextcloud/calendar and addressbook

What will be the best way into future? Keep all 3? Merge an improved roundcube GUI into the integrated mail?

Generally speaking: Mail security is flawed as long as

  • IMAP allows mails to be offloaded from (secure?) servers to inherently insecure mail clients
  • IMAP and SMTP servers allow bypassing 2FA authentication
  • Headers (including subject lines) are transported unencrypted to 3rd parties.

This means, communication and collaboration security needs to be pushed to some next level. Email is not dead, but it smells funny.

1 Like

First of all, it would be a basic question. You can use a normal email client such as Thunderbird or Outlook. With the three solutions you mentioned, the email client is located exclusively in the browser (Javascript, Cookies, Cache, …). Whether this is good or bad is another question. But it would also be a question of whether cloud-data (files) is really different from email content. I don’t think so. So if you use a web-based cloud for data, you can also use web-based email. If not, you should only use nextcloud clients for desktop and mobile devices and not the browser also for data.

Problem in Nextcloud Web Mail or what are you trying to say? Nextcloud can save the IMAP access data. Otherwise the mail client saves it. This has advantages and disadvantages. Outlook also uploads IMAP data from third-party providers to Microsoft without being asked.

Right. Nowadays, nobody would introduce this application for security reasons alone.


yes, this needs more explaining and discussing.
Regarding the storage location of emails: coming from a company background, my feeling is that it is better to keep emails in one place (on the server along with all the files and the rest of the company data) than to distribute that to potentially insecure clients. So, yes, secure webmail is preferrable in my opinion. That’s what all the three available clients stand for.

Regarding the IMAP/SMTP auth: This is not a problem of nextcloud mail, but a problem of the underlying services (name’em you hav’em: Dovecot, exim, gmail, outlook, postfix, whatever) and the RFCs. Nextcloud mail can only be as secure as the consumed services. On nextcloud side we can’t change that because IMAP and SMTP servers are and should be out of scope.


I would like to see Nextcloud Mail rebased on Roundcube. But I’m not a dev, so I have no idea how feasible that would be, and it doesn’t seem to be planned, at least for the time being. Roundcube will simply be an additional Nextcloud app.

I don’t think Nextcloud is up to re-invent the email system, nor do they intend to, so use whatever works best for you. Email will never be inherently secure but you can make it more secure by communicating only with users on the same secure email server/provider or by using one of the encryption methods you mentiond e.g. Protonmail to Protonmail (if you trust them and consider them secure). S/MIME to S/MIME, PGP to PGP.

But even if the provider/server implemets all the security best practices and everything from client to client or client to server to client is end-to-end encrypted, you still have no control over what the recipient does with your message. Eventually they have to read the message in clear text, they can print it, they can take screenshots, they can forward it, open it on a spyware infected device etc etc…

Don’t use it for sensitive messages then. Use Nextcloud Talk for messages that shouldn’t leave your server or a secure messenger like Signal or your own XMPP server with OMEMO encryption etc etc…


The advantage but also the disadvantage of email is that everyone can operate their own email server. Encryption therefore only works if both sides want to use it. This is usually not the case.

Signal is not a good example because there is - as I believe - only one provider like WhatsApp, … Better is to use XMPP (I think that’s practically dead) or distributed services such as Matrix with matrix-clients including web client e.g. from The Matrix.Org Foundation.

1 Like

Yes, it’s not decentrelized like Email or XMPP, and you can’t host your own server, but it’s probably still the best option out there for people who want an easy and turn-key solution that is secure, because it’s run by a non profit organisation, instead of Meta or Google.

Another, similiar solution would be Threema, which is based in Switzerland. Might be relevant for those who actually believe that Swiss intelligence services would not co-operate with intelligence services from the US and other countries, if state actors are a concern. :wink:

But at least both Signal and Threema are not funded by selling user data.

Self-hosted is always better, of course, If you have the time, motivation and knowledge to do it right. Email in particular is not the esiest thing to self-host, especially if you want to host it on premise. Matrix and XMPP is easier to do, and you can also host it on a residential connection, still it’s another thing you have to learn and maintain, which not everyone is willing to do.

1 Like

Yep, exactley. With decentralised solutions such as email, XMPP and Matrix, you have no control over how secure the other servers and clients are, and convincing everyone to either upgrade their security to your standards, by implementing and using encryption, or using your server (in which case it would no longer be decentralised) is an impossible task. You have a much better chance of convincing someone to install Signal or Threema :wink:

1 Like

I completely forgot. Another advantage of Matrix, for example, if you use your own domain, is that you can move your Maxtrix server (Synapse). This avoids vendor lock-in. Signal, Threema and WhatsApp have got vendor- lock-in.

if you have your matrix account at e.g. or another hoster, then you cannot keep the account when switching. However, you can continue to use the matrix protocol and client such as Element or Element X.


i gave up on the built in mail clients in NC, i have thunderbird as my main and use NC for calendars in thunderbird. no matter what i tried, email invites and normal daily business usage of coordination with email and calendar items was not working well.

Yes, indeed, that’s the weak point of those webmail clients. I’d loved to have better calendar integration in mail than those AI gimmics…
To be honest, mail NC improved a lot!

[quote=“joergschulz, post:10, topic:175398”]
Yes, indeed, that’s the weak point of those webmail clients. I’d loved to have better calendar integration in mail than those AI gimmics…[/quote]

We made some progress here, but yeah, it still can be better. You can turn an email into an appointment, and accept appointment requests directly, though, so we’ve got some integration already.

Good to hear. I’m personally not much of a webmail person (clients FTW) but when I use it, it does the trick these days, and that was not really the case before.

From a features pov, Roundcube and Nextcloud Mail are roughly in the same ballpark - each has its pro’s and con’s. Performance and stability-wise, I think Roundcube has a bit of an edge still but it’s older. Then, Mail has a bunch of new shiny things and is moving faster. Plus it has of course nice integration with other apps in Nextcloud. That’s also why we couldn’t decide to ditch one of them. There just isn’t a clearly better choice for everyone…

But I hope we can integrate Roundcube better in Nextcloud, and improve both - let’s see then, what the future brings.

Thank you for your response, I agree that’s the way to go. I still see issues in S/MIME with NC mail but it’s getting more mature with every release. For roundcube: Snappymail could be the template for the NC integration: Additionally to just being displayed in the NC GUI, they have direct access to NC files and the possibility to send links to attachments instead of the files. That’s the bare minimum for roundcube to aquire. Next on the wishlist would be an integration into the addressbook - this would make it superior because snappy only replicates that.

Unless you actually uses end 2 end encryption so the content itself - including attachments - are encrypted and cannot be decrypted by anyone else than the reciever, e-mails are not secure at all. Any “hop” in the path between the sender and the reciever can basically read the content. And then on top of that, you have to trust that the reciever uses a secure client.
In general mail cannot be considered secure in any form or shape.

1 Like