There is only a handful of IMAP server implementations and there are going to be even fever JMAP servers. It is super bloated, the RFCs 8620 and 8621 are already 200 pages in total. Not an easy thing to integrate with.
To be fair, RFC3501 is 108 pages, and the bis (draft-ietf-extra-imap4rev2-12) is 157 pages. It's a complex problem space.
I'm looking forward to getting JMAP Calendars and JMAP Contacts done, at which point is becomes a much more compelling replacement for multiple protocols.
The next IETF meeting is in Vancouver in late March - we'll be discussing them there. Other than that, get involved on the mailing list, and help review the documents!
The problem JMAP is addressing is quite complex that’s why the JMAP spec is long. I do not however find it to be bloated. On the contrary I actually found it quite easy to read. (I've implemented jmap-mail on the client side.)
One could potentially write JMAP as a proxy to an existing IMAP server (just like your 'imap-api') therefore the current lack of JMAP servers doesn’t really matter.
It is easier on the client side as you’d only have to implement the parts you actually need. In server side if you want to expose JMAP then you’d have implement _everything_. You can’t decide for example that as no-one actually copies messages but moves, then you’d skip the copy endpoint.
I had a chat with Neil Jenkins and Bron about this (two of the authors & WG chairs). That skew is intentional - their rationale is that there's way more email clients out there than email server implementations. So it makes sense to load more of the complexity into the servers.
Of course, until other email servers add support for jmap, the protocol has a bit of a bootstrapping problem. Getting support from gmail + microsoft exchange would be a huge win for jmap, and in the long run email as a whole.
It was largely written in about a week, a few years ago. It's quite stale now unfortunately. It was updated to the current RFCs for mail, but it's still on a very old Calendars version.
The downside of the JMAP model for a proxy to IMAP is that you do need to have a bit of state in your proxy server. jmap-perl uses a sqlite3 database per user for storing that state.
Structurally, it's a non-blocking server in front of a forking server - the non-blocking handles connections and event streaming, and opens multiple backend forking servers per user, one for reads, one for writes, and one for background syncing/import.
Is clear enough in legal terms for what can or cannot be done ? I assume it means it's free to use to test it and see how it works, but not for anything else ? Does that cover the code too ?
WildDuck API exposes database structures from MongoDB, IMAP API is more like a proxy in front of any IMAP server.
WildDuck is pretty much coupled with MongoDB. IMAP is not very easily abstractable and keeping the result scalable at the same time. Largest WildDuck cluster in production manages 20TB (~20k accounts) of email by now with no special config or modifications - making it scalable was the main goal from the start and supporting arbitrary storage would not have helped.
The "insecurity" in IMAP mostly comes from password based authentication. The client application needs to know cleartext account password to use it and the same password, if leaked, can usually be used to manage the account. While browser based applications are pretty good already for blocking unintended usage, showing captchas to block bots etc, then it is way harder to do the same on the IMAP server side.
So in general it comes down to configuration. IMAP per se is not insecure. How you use it though, might be.
If you are concerned about someone reading your emails in transit, make sure you use TLS. IMAP is standard; as far as I know, almost everything uses it.
Any references for where you've heard this? Then we can check the claims and perhaps reassure you or suggest workarounds. What are you using instead?
IMAP is on its own insecure because it is a plain protocol, but it can be used in conjunction with TLS to add secure transport. Exactly the same can be said for many other mail protocols such as POP3.
