Known Bad Email Clients
60 comments
· July 19, 2025
zettabomb
marcusb
Not defending the GNOME devs as being perfect, but I'd suggest reading this from the start: https://gitlab.gnome.org/GNOME/evolution/-/issues/3095 and then deciding if the author is really being affected by a "toxic development culture" at GNOME.
chucksmash
Reading the thread, I don't see how that's much of a defense.
A GNOME foundation member going through the thread to decorate the reporter's posts with clown emoji reactions is not great.
It seems reasonable to say "even if this is caused by one of your library dependencies, users are using your application and you should try to find a mitigation."
If you get in a wreck because your brakes fail, imagine the car manufacturer saying "oh that's not a problem with the car, it's a problem with the brakes. Talk to the brake manufacturer."
"No warranty express or implied" and all that, but still.
zettabomb
Yeah ultimately the user doesn't install the dependencies, they install Evolution. So if there's a security issue, that's where they'll see it. There are also potential mitigations for this, for instance scrubbing the HTML (which it seems Geary actually does, just not for this).
zettabomb
That issue does not really work in GNOME's favor, based on reading that I'd say they're being pretty toxic.
dooglius
No one here comes out looking particularly good, but at the end of the day the issue is still unpatched and OP is doing a good thing spreading that information.
ryandrake
Honestly, I think the GNOME devs in that thread were really patient with a bug filer who kept escalating and inserting little taunting quips, and ultimately was barking up the wrong tree (project). He could have easily just accepted that the bug was in a different project, and go press that team instead. You're not going to get anywhere with such an argumentative tone.
dotancohen
A few years ago while working at a company that required Exchange, I was using Thunderbird with an addon called Owl. It was a paid addon, I think in the neighborhood of $10 to $20, and very much worth it. Full calendar integration and everything. Outlook users would be interested in my setup.
KetoManx64
I'm using this at the moment, works very smoothly. $10/year, with full support for calendar, shared mailboxes and accepting teams event invites.
esseph
"Exchange on Linux"?
You are looking for a minority of a minority of a minority - People using Linux, people using an email client, people using Linux that want all the MS Exchange features.
Tons of "general" email clients out there, sure, but you're talking about a largely proprietary system.
zettabomb
Have to disagree, having worked at multiple companies using Exchange for their email servers but with Linux workstations. It's not so uncommon for software devs to request a Linux system, depending on the field. I'll agree that it's less common, but the issue is more the small number of people using Linux rather than Exchange.
npodbielski
I like using Edge for that. Desktop notifications work and I can log off from work by closing the entire window. When I change company I am getting rid of the profile.
Sophia95
Evolution is the only client on Linux (that I’m aware of) that fully supports Microsoft Exchange and Google out of the box without any plugins. I used Thunderbird for a long time, however I got frustrated so many times after things broke after every update because essential plugins stopped working. Yes, you may say Evolution UI is old, but the software is rock solid and software in general is more than its GUI. It’s good to bring awareness about the tracking but I’m not so bothered by it, as it’s hard to find software that doesn’t track you these days.
nehal3m
>It’s good to bring awareness about the tracking but I’m not so bothered by it, as it’s hard to find software that doesn’t track you these days
That's a non-sequitur. Just because it's common does not mean it's okay.
fsckboy
they didn't say it was ok, they said it was good to be informed about it, they were not personally bothered by it, and they added that it's difficult to find software that doesn't do it. there is no non sequitur
ho_schi
Same here. Nowadays we've switched from Exchange and use IMAP. I stay with Evolution because the client and integration are good. I like some design decisions in the UI. Evolution allows using client-side decorations and a traditional menu bar at the same time. And they've added integrated Markdown support lately. While an upgrade to Gtk4 is hopefully coming. I would love to see support for notes via IMAP, similar to how iOS has done for many years.
PS: If your e-mails are stored on an Exchange server (or worse: Azure), the discussed problem is the least issue.
zettabomb
I feel like I should note that Exchange support is indeed a plugin, and isn't installed by default on (for example) Fedora. However, I believe it's a first party plugin.
forlorn
Thunderbird has reportedly added experimental Exchange support in 140. Though I haven't figured out how to enable and test it :)
newscracker
The support is only for the EWS protocol (MS Graph will probably come next year). You can enable it in beta by going to Config Editor (this is primarily for advanced users), searching for the preference "experimental.mail.ews.enabled" and setting it to true.
You would have to manually add the account. Currently only mail is supported. No calendar support.
See https://blog.thunderbird.net/2025/07/thunderbird-monthly-dev...
dotancohen
Thunderbird users who need full Exchange support today, including mail, are encouraged to try the Owl addon. I used it a few years ago, very happy with it. I think it costs between $10 and $20, not a big expense for business software.
ho_schi
It was postponed. The release page is wrong :)
Probably Thunderbird tries it again with 141.
thundarr
If only he made that much effort to get Chromium to fix the issue. The source of the problem is with a dependency of the email clients, not the email clients themselves.
He is bothering small free software projects so that those small free software projects ask Chromium to fix the issue.
mike-cardwell
If only the developers of Evolution Mail made any effort to get the issue fixed in the 15 months they've known about it.
It's unacceptable to sit on a privacy affecting bug like this for 15 months.
This continuously repeated bullshit that the source of the problem lies elsewhere is tiring. They're knowingly using a library with a security bug, and they're doing:
1. Nothing to get the devs of that library to fix it
2. Nothing to fix the library themselves
3. Nothing to warn their users
4. Nothing in their local application to protect their users.
This is not how secure development works.
akerl_
You’re welcome to submit a request for a refund of the purchase price for Evolution.
Your Gitlab issue is a textbook example of why open source devs quit. And now you’re wandering around trying to drum up a mob to further pressure people to do free work for you.
mike-cardwell
I don't care if it's free or paid. If it has privacy flaws, they should be fixed, or people should be informed of them. Evolution Mail isn't interested in doing either of those things. So I'll do it for them. If you think that informing people is, "drumming up a mob", then you are wrong.
jadamson
If your response to the idea of sanitizing HTML is a clown emoji, I don't simply not care if you quit open source, I actively want you out of the entire industry.
Hope that helps.
zettabomb
This is hardly an unreasonable request. It's exactly the right move in this case. If you don't feel like fixing anything, declare the project unmaintained and close the issue tracker.
Spivak
They have done #1 and the library is WebKit and so #2 isn't happening. Not the least of which because of the lack of expertise to patch that code base but because it's dynamically linked and in most deployment scenarios they get the webkit provided by the distro. If Evolution even tried to vendor WebKit downstream packagers would patch it out so that it links to the system lib and gets security patches along with the rest of the system.
mike-cardwell
They really haven't done number 1. A bug report was submitted, and then it has stalled for 15 months.
As of this point in time, nobody has explained to me why it would be a bad idea to add a "Do not rely on for privacy. More info" message next to the feature in Evolution Mail.
That is 100% true. Users of Evolution Mail should not rely on that feature for privacy. Because Evolution Mail has chosen to add known flawed software to their application.
And despite lacking the will or ability to fix that software, they are unwilling to take a different path to patch over the problem until it is fixed in the library, by sanitising the html and stripping problematic tags/attributes.
These are all their choices. And all of their choices lead to end users being exposed to a privacy risk, and unaware of it.
jadamson
...so strip the offending HTML before passing it to WebKit? What is this, kindergarten?
astrobe_
Just my opinion, but the dependency on Chromium is a problem in itself. You don't need a full-blown browser to render HTML email. The fact that it is no more viable for a client to ignore HTML nowadays is something unfortunate, to say the least. Real people only need Emoji support at best (or at worst), because nowadays everyone from your bank to your local security expert tells you "don't click on links in emails", and your local privacy expert tells you to turn off every convenience feature related to HTML.
On another note, TFA talks about a "GNOME toxic development culture", which looks like a blanket statement. Does it really exist?
SoftTalker
I use w3m to format HTML email for reading in emacs. It does a pretty good job with tables which are still used a lot in email formatting.
ho_schi
There is no dependency on Chromium. The projects are using WebKitGtk.
PS: I'm thankful that they don't use that thing from Google.
mardifoufs
I thought the Evolution issue was related to WebKit. Same for the other one (Geary). Does Chromium also have the same issue? Regardless, it seems like these issues are all related to WebKitGTK, not Chromium.
1over137
>The source of the problem is with a dependency of the email clients, not the email clients themselves.
For end users, that's a distinction without a difference. Programmers are responsible for their choice of dependencies. If you've chosen to depend on it, it becomes your problem. Chromium is open source, no? So the email client programmer can fix that bug himself.
cmiles74
It’s their product, IMHO it’s their responsibility. They can pressure the upstream library developers (good luck with that) or submit a patch, or switch to another library. The “not my problem” attitude from these projects is likely another good reason to avoid these projects.
ChocolateGod
If the library they depend on isn't getting fixed then it needs to be worked around (doable with HTML sanitisation) or use another library that's usable for the purpose of an email client.
If neither of those are doable, the software needs a warning that it's vulnerable to such a terrible privacy exploit. People over however many years this has been possible deserve to know that their email client has been allowing any random person on the internet to easily get their IP address or know they're on their computer.
If you can't do this why are you maintaining software, it's unmaintained at that point. The replies to the bug report are just terrible attitude even if factually correct.
shamiln
Of course, no commercial ones like Outlook are on the list…
mike-cardwell
The list is brand new. I will be updating it as I have time to test clients.
ipcress_file
Will you add a list of Known Good Email Clients? Or just "Tested Clients"? Since you can't possibly test them all, it would be nice to know which ones have been evaluated.
mike-cardwell
Yes. I will do that. Good idea.
gruez
FWIW I tested with gmail a few weeks ago and it was fine.
e-dant
What's all this controversy with GNOME? I must be missing something. Isn't it perfectly reasonable to say that some security issue in a dependency (which is maintained and open and funded, like WebKit or Linux) is not the fault of someone down the line to fix?
I can't imagine someone reporting a bug to one of my repos about some race condition in the kernel. Why the hell are you bothering me with that? Tell the LKML.
That's not to say I'm not sympathetic, it's just, like, what do you expect me to do?
dooglius
> what do you expect me to do?
Off the top of my head: you could broadcast it more publicly that there is a known issue (particularly important if this is a security issue). You could change code to avoid whatever kernel features trigger the race. You could print a warning if you detect the kernel version is an unpatched one and/or has Kconfig in whatever state exposes the issue.
kkfx
What I fail to understand is why no one seems to offer the most logical MUA, which is essentially offering the full download/sync of all accounts' maildirs, like with OfflineIMAP, then offering powerful local indexing like notmuch/mu with a pre-made UI nice for end users.
Slogan: own your own messages, own a local GMail. We have all the code except the UI.
tylerapplebaum
Geary has been crashing with some regularity over the past few weeks anyway. Guess I’ll migrate to Thunderbird.
mike-cardwell
I noticed that during my testing. Was difficult to keep it running for more than a few seconds at times. Thunderbird is a good choice.
curt15
Isn't Geary basically a one-person show? I remember evaluating Geary a couple years ago and it looked like there was only one active developer. I ended up going with Thunderbird + Davmail.
theyknowitsxmas
I have that problem. Too bad there is no html client that isn't a massive RAM hog.
esseph
Do you often run out of memory?
Want to understand this more. I know I'm talking from a position of privilege, but it's really hard to find a machine these days with less than 16 or 32GB of RAM from the factory.
Even going back several years, DDR4 has been extremely cheap for a long time, and DDR5 is finally closer to general ram prices.
Are you using mini PCs with soldered ram?
hexagonwin
seamonkey mail seems to work well for me
ho_schi
So much text instead of mentioning that WebKitGtk doesn't provide that feature (currently). WebKitGtk is a good engine but somebody should address that issue. Feels like a developer had only Epiphany as web-browser in consideration and forgot that mail-clients prefer to not load images.
Evolution is a good mail client in general.
PS: Prefer always text-mail. When sending. When receiving.
throw_a_grenade
[flagged]
veeti
Evidently you did not read the linked issue very carefully as:
1. The issue still persists in the most recent upstream code of Evolution, having nothing to do with Debian or any other distribution
2. No patch is available to correct the security issue, and despite the puck passing it is not actually the responsibility of distro packagers to fix your own security bugs.
throw_a_grenade
In upstream-unsupported versions, which are more than 2 years old? Sure it is the responsibility of the distro.
Even if it is unpatched upstream, it's perfectly fine to push the fix to master branch only and let distros backport. That's also why the bugs should be filed downstream, and distro maintainers will forward the bug upstream but only if not already fixed (so upstream won't get N duplicate bugs, where N is the number of packages).
In any case, distro maintainers tend to behave better in upstream bugtrackers.
veeti
I don't see how any of that is relevant. Instead of addressing the fact that GNOME/evolution security issue number #2727 (https://gitlab.gnome.org/GNOME/evolution/-/issues/2727) about remote content leakage remains open and valid to this very moment, you are grasping onto straws about the author initially reporting the bug from an old version. However, the issue has been reproduced on newer versions, and no patch is available to fix it.
It all really boils down to one thing: the Evolution mail client makes a promise of protecting your privacy, and then fails to uphold that promise. Whether the fault lies in the WebKit project, somewhere in the GTK bindings or the Evolution client's source code is utterly irrelevant. Instead of throwing their hands in the air and hoping that WebKit maybe fixes the issue one day someone needs to take responsibility and mitigate the issue.
Of course these are probably unpaid volunteers just hacking on open source so I don't want to dunk on anyone in particular. But as a whole the GNOME project positions itself as a competitor to proprietary software, and this sort of myopic security attitude to the end product does not inspire confidence in their offering. It should not come as any surprise that people giving you full access to their inbox will warn others about the known insecurity of your product.
I think I'll stick to Thunderbird, where security reports aren't met with such indifferent handwaving. But you can keep engaging in academic thought exercises whether the bug should have been reported by the blessed Debian maintainer or something.
mike-cardwell
You forgot to say anything about the fact that they've been sitting on a privacy bug for 15 months and have done nothing to address it. You forgot to say anything about the multiple things that the bug report says they can do, to warn their users and patch over the problem on their side. You forgot to say anything about how those suggestions were met with arrogant clown and face-palm emojis.
You prefer to concentrate on the fact that I misdirected my first bug report. You prefer to point at the fact that I requested submission to a bug bounty program, whilst ignoring the fact that I made effort to discover the issue and report it, without expecting a bounty.
It takes time and money to run https://www.emailprivacytester.com. I won't apologise for receiving the occasional bounty for doing it. Many email and webmail clients are more secure today than they would have been, thanks to my efforts.
Your comment exists only to generate drama.
throw_a_grenade
[flagged]
qweqwe14
[flagged]
I wasn't aware of Balsa or Geary, but it's interesting to note that the author has mentioned that they are affected by GNOME's culture. I also have found the GNOME devs to have issues with admitting any fault at all, security or otherwise, but I wasn't aware of them being linked to any email clients other than Evolution - which I have been using.
What's a good app for Exchange on Linux? I could use the web app, which my company has available, but I do appreciate having a dedicated email client sometimes, particularly for OS notifications (which will work without having the browser open).