[Python Programming (4th Edition)] (Programming.Python.4th.Edition) Mark Lutz, text version


This module is not much to look at—just an interface and calls to other modules. The
mailtools.SilentMailFetcher class (reused here from Chapter 13) uses the Python
poplib module to fetch mail over sockets. The silent class prevents mailtools print call
statements from going to the HTML reply stream (although any exceptions are allowed
to propagate there normally).


In this version, loadmail loads just the header text portions of all incoming email to
generate the selection list page. However, it still reloads headers every time you refetch
the selection list page. As mentioned earlier, this scheme is better than the prior version,
but it can still be slow if you have lots of email sitting on your server. Server-side
database techniques, combined with a scheme for invalidating message lists on deletions
and new receipts, might alleviate some of this bottleneck. Because the interface exported
by loadmail would likely not need to change to introduce a caching mechanism,
clients of this module would likely still work unchanged.
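The two behaviours just described, fetching only header text with POP's TOP command and keeping progress prints out of the HTML reply stream while letting exceptions propagate, as an added example that is not the book's loadmail or mailtools code. The FakePOP3 class is a constructed stand-in for a poplib.POP3 connection so the example runs offline; it mimics only the stat, top and quit calls used here.

```python
import io
import contextlib
from email.parser import BytesParser

# Constructed sample mailbox (hypothetical addresses), raw RFC 822 bytes.
SAMPLE_MESSAGES = [
    b'From: alice@example.com\r\nSubject: status report\r\n\r\nAll fine.\r\n',
    b'From: bob@example.com\r\nSubject: lunch?\r\n\r\nNoon works.\r\n',
]

class FakePOP3:
    """Stand-in for poplib.POP3 (constructed); answers with poplib's return shapes."""
    def __init__(self, messages):
        self.messages = messages            # list of raw message byte strings
    def stat(self):                         # (message count, mailbox size)
        return len(self.messages), sum(len(m) for m in self.messages)
    def top(self, msgnum, howmuch):         # (response, lines, octets)
        raw = self.messages[msgnum - 1]
        headers, _, body = raw.partition(b'\r\n\r\n')
        lines = headers.split(b'\r\n') + [b'']
        lines += body.split(b'\r\n')[:howmuch]   # howmuch=0 -> headers only
        return b'+OK', lines, sum(len(line) for line in lines)
    def quit(self):
        return b'+OK'

def fetch_headers(conn, progress=print):
    """Return one parsed header object per message, using TOP n 0 like loadmail."""
    count, _ = conn.stat()
    parsed = []
    for i in range(1, count + 1):
        progress('fetching headers for message %d' % i)   # chatty, like mailtools
        _, lines, _ = conn.top(i, 0)
        raw = b'\r\n'.join(lines)
        parsed.append(BytesParser().parsebytes(raw, headersonly=True))
    conn.quit()
    return parsed

def silent_fetch_headers(conn):
    """Silent variant: progress prints go to a sink instead of the CGI reply
    stream; any exception from the connection still propagates to the caller."""
    sink = io.StringIO()
    with contextlib.redirect_stdout(sink):
        result = fetch_headers(conn)
    return result, sink.getvalue()

if __name__ == '__main__':
    headers, swallowed = silent_fetch_headers(FakePOP3(SAMPLE_MESSAGES))
    print([h['Subject'] for h in headers])
```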


POP Password Encryption


We discussed PyMailCGI’s security protocols in the abstract earlier in this chapter.
Here, we look at their concrete implementation. PyMailCGI passes user and password
state information from page to page using hidden form fields and URL query parameters
embedded in HTML reply pages. We studied these techniques in the prior chapter.
Such data is transmitted as simple text over network sockets—within the HTML reply
stream from the server, and as parameters in the request from the client. As such, it is
subject to security issues.


This isn’t a concern if you are running a local web server on your machine, as all our
examples do. The data is being shipped back and forth between two programs running
on your computer, and it is not accessible to the outside world. If you want to install
PyMailCGI on a remote web server machine, though, this can be an issue. Because this
data is sensitive, we’d ideally like some way to hide it in transit and prevent it from
being viewed in server logs. The policies used to address this have varied across this
book’s lifespan, as options have come and gone:



  • The second edition of this book developed a custom encryption module using the
    standard library’s rotor encryption module. This module was used to encrypt data
    inserted into the server’s reply stream, and then to later decrypt it when it was
    returned as a parameter from the client. Unfortunately, in Python 2.4 and later,
    the rotor module is no longer available in the standard library; it was withdrawn
    due to security concerns. This seems a somewhat extreme measure (rotor was
    adequate for simpler applications), but rotor is no longer a usable solution in recent
    releases.

  • The third edition of this book extended the model of the second, by adding support
    for encrypting passwords with the third-party and open source PyCrypto system.
    Regrettably, this system is available for Python 2.X but still not for 3.X as I write
    these words for the fourth edition in mid-2010 (though some progress on a 3.X


1278 | Chapter 16: The PyMailCGI Server
