by slau 990 days ago
I was mainly responding to OP’s claim that this is “a security leak”. Likewise, from OP, I mainly understood that this was only an issue when giving a third party the headers of emails you have received.

However, you (and other commenters) appear to be indicating it’s also in the headers of all sent emails?

I’ve been using Fastmail for nigh on a decade; however, if this turns out to be true, I may accelerate my migration towards Migadu.


Migadu and don’t look back
This is a bit of an interesting take from: https://www.migadu.com/procon/

"We could enable 2FA on the webmail, but IMAP/POP/SMTP accesses remain unprotected which beats the purpose. We are working on solution here which will allow sand-boxing a username/password pair to a webmail use only."

That's an incredibly misguided sentiment.

Why?
Because it's the difference between someone gaining access to a single mailbox versus the whole config.
I think you're reading that wrong. It's an issue with the protocol. IMAP/SMTP as implemented in most clients do not support 2FA. You can add 2FA on your own on the webmail, but you could still circumvent it by using the protocol directly. It's not a Migadu-specific thing.