> MTA's and other mail servers add header fields tha not only uniquely identify sender and recipient but details about the conversation and attachments.
That really depends on how the server is configured. If the servers used are under the participants' control, then other than Received headers, nothing else should be exposed if the client does not include or encrypts the headers in addition to the body.
So, if the sender were to send an email using the following SMTP session:
EHLO random_string
MAIL FROM: <random.email@addr>
RCPT TO: <recipient@email.addr>
DATA
<PGP BLOCK>
.
then other than the received headers that are added by the MTAs, it wouldn't expose much information at all.
Even if you control your mail server, all of your recipients will also need to run their own mail server. and even then they may slip up and add X-headers. You will need to encrypt the subject and attachment names. If one recipient uses a different client/provider the whole scheme might fall apart.
If you need everyone to run their own mail servers and a specific client then why bother with email at all?
> You will need to encrypt the subject and attachment names.
That's why I specified that the DATA session should consist solely of a PGP encrypted block of text. This means that the headers and body are included and there's no unencrypted text in that phase other than the CRLF.CRLF that terminates it. This means that it wouldn't be possible for the MTA to determine what the subject or attachment names are.
> If you need everyone to run their own mail servers and a specific client then why bother with email at all?
TBF, the article has the following statement:
>> Delta Chat doesn’t have their own servers but uses the most massive and diverse open messaging system ever: the existing e-mail server network.
It can't be considered open if everyone is just using the big mail providers.
MTAs, if configured correctly, do not talk to anything outside your network that is not specified by MX DNS records. Unless we are talking about emails traversing internal networks and even then competent admins do not transmit data in cleartext, so sniffing is out of question.
Of course, some metadata is always leaked, but that is the reality of most internet protocols, HTTPs notwithstanding. Now if we're talking about backdoors, it's a game over in any scenario.
That really depends on how the server is configured. If the servers used are under the participants' control, then other than Received headers, nothing else should be exposed if the client does not include or encrypts the headers in addition to the body.
So, if the sender were to send an email using the following SMTP session:
then other than the received headers that are added by the MTAs, it wouldn't expose much information at all.