External Image Proxy deprecated

Motivation

Emails with HTML content often contain references to external resources such as images, which are usually loaded by the client (e.g. the browser) itself when the mail is displayed. This means that certain details of the requesting client are exposed when the remote resource is accessed, e.g. the client IP address or user agent.

Often, emails are equipped with such references deliberately for tracking purposes (so-called "spy pixels"), e.g. to determine if a newsletter has been opened by the receiver. Beyond these privacy issues, letting the user agent load remote content directly can also be abused: the remote resource may request authentication when it is accessed, which causes a password prompt dialog to be displayed and may mislead users into entering their webmail credentials.

Disable Remote Content by Default

As a primary measure against these problems, remote content can be configured not to load by default when HTML mails are displayed. See the property documentation at com.openexchange.mail.remoteContentPerDefault for further details, as well as the flag load-remote-mail-content-by-default used during provisioning operations.

Proxy External Image URLs

Additionally, instead of letting the client load external content on its own, images from HTML mails can always be loaded by the App Suite middleware prior to delivering them to the UI in the browser. This effectively hides potentially sensitive details of the user agent and prevents attacks in which the resources require authentication. Using a proxy does, however, expose some information about the App Suite deployment, so it should be considered which flavour is preferable. Also keep in mind that content providers might block high-traffic sources, which will have an impact on the end-user experience.

For security reasons, this option is enabled by default, but it can still be disabled with the configuration property com.openexchange.mail.proxyExternalImagerUrls.

When enabled, all image URLs in an email's HTML content that point to external resources are processed and replaced by a placeholder URI, via which the content can be served to the client through the App Suite middleware. For this purpose, a special proxy servlet is exposed by the middleware at /servlet/proxy, to which these replaced image URIs point. When the client follows these links to load the image contents, the actual data is loaded from the original image URI by the middleware and returned to the client, making the App Suite middleware act as a proxy for remote image data. To access the original remote content, the HTTP client with id proxy is used, which can be customized using the common properties with infix proxy; see the corresponding documentation article for further details.
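The rewriting step described above, as an added example that is not App Suite's own code: external `<img src>` URLs are swapped for opaque placeholder URIs under /servlet/proxy, and the original URL is kept only in a server-side map, so the servlet can fetch nothing but URLs the middleware registered itself. The `id` query parameter, the token format and all class and function names are assumptions.

```python
import secrets
from html import escape
from html.parser import HTMLParser

# Servlet path is from the page; the "id" parameter name is an assumption.
PLACEHOLDER = "/servlet/proxy?id={token}"

class ImageProxyRewriter(HTMLParser):
    """Re-serializes mail HTML with external <img src> replaced (comments/doctype dropped)."""
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []       # rewritten HTML fragments
        self.registry = {}  # token -> original URL, kept server-side only

    def _placeholder(self, url):
        # External means absolute http(s) or protocol-relative; cid:, data:
        # and other inline references are left untouched.
        if not url.lower().startswith(("http://", "https://", "//")):
            return url
        token = secrets.token_urlsafe(16)
        self.registry[token] = url
        return PLACEHOLDER.format(token=token)

    def handle_starttag(self, tag, attrs):
        parts = [tag]
        for name, value in attrs:
            if tag == "img" and name == "src" and value:
                value = self._placeholder(value.strip())
            parts.append(name if value is None else f'{name}="{escape(value)}"')
        self.out.append("<" + " ".join(parts) + ">")
    handle_startendtag = handle_starttag  # emit <img ...> for <img ... />

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

def rewrite_mail_html(html):
    """Return (rewritten_html, registry) for one mail body."""
    parser = ImageProxyRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.registry
```

The proxy servlet side would look the token up in the registry and refuse unknown tokens, which keeps it from acting as an open proxy.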