EVE Technology Lab

I've always wanted access like this to my EVE Mail, being able to pull it up on any device I have that can access a POP3 mail server... I'm currently still in beta testing, but I've got enough of the server fleshed out that Thunderbird loves it, so I'm opening the doors to everyone else now. To set up your access, please proceed with the following steps (it's easy).

First, you need a Custom Access Key (CAK) in order to use this system, so go generate yourself one, here's the settings:

Click here to see Diagram #1of key information.
Diagram #1 key:
GREEN:
-Key ID# = Your EVE Mail Username
-Verification Code = Your EVE Mail Password
RED:
-Key type MUST BE CHARACTER
-Key Access Mask MUST BE 3584, or MailBodies, MailMessages, and MailingLists checked, ONLY.

==These must be set exactly or you will be denied access, I don't need anything but those accesses, and character mode access only, this is a personal consumption system, not handling corp mail (maybe in the future). You may generate as many keys as you need to enable you to fetch mail for every character, but each key must still match the parameters shown exactly.==

Here's the email settings:
POP3 Server: evemail.cynagen.com:110
Username: Your CAK ID
Password: Your CAK vCode
Email: CAKID@evemail.cynagen.com
Username/Password (unencrypted) only authentication, no SSL provided.
Suggested interval for checking for new mail: 15 minutes

I ask that anyone who uses this please donate either ISK or email me to get my paypal to donate directly, though ISK would be preferred, hopefully I'll get enough overall that I can keep my account alive with a PLEX and keep development going. So far my Thunderbird 8.0 on Win7 Ultimate x64 likes my server. In the meantime, the server may be down from time to time as I continue to program and adapt, but I plan on leaving the server up as long as possible today, so after this post goes out, I will hold off making any major changes for 24 hours that might require me to take the server down for an extended period.

As always, comments and suggestions are welcome, bug reports are way more helpful.

I think I need to address a couple security concerns that may arise, no, I do not store the key, it's used to authenticate against the EVE API servers, once that comes back as a Character CAK with mask 3584, then we allow access, and information is only stored in memory, once you disconnect, headers (read/unread,etc) are cached in a local database locked to your CAK ID, only unlockable with your ID/vCode combination. Messages marked as deleted are completely flushed minus a single flag, these messages are no longer accessable even if you re-create the account in your email client. If you no longer wish to use the system, I will be providing a page to flush all data with successful auth with random access mask selected to provide verification.

If anyone has any questions they'd like answered before they start using it, please don't hesitate to eve-mail me or reply here on the thread.

EDIT: Thanks to Aphoxema G btw, now we're GMail compatible!

Only asking for API keys, and they have to be specifically limited to mail information. No more questionable than EVEBoard.



The server takes responses from the EVE API and translates them into POP3 traffic. This is on demand, any information is only kept in memory and discarded after the end-user gets their data. This enables anyone to use any POP3 client to receive (but not send) EVEMails.



It's actually a bit more secure than another site that requires API access. The POP3 translator uses your vKey on demand instead of storing it, so if the server was hacked it wouldn't be possible to rip off every users API keys at once. Killboards, EVEBoard and Battleclinic must all store your API information to function. The difference here is the sensitivity of the information and the notoriety of the programmer.

It would be possible to make a local client that operates in the same way, I just like the way Cyna did it because I don't have to worry about updating or installing\reinstalling it on several computers.

To answer with a bit more detail:

A fast acting POP3 emulation service (well not so much emulation, I followed RFC specifications so it should pass as a 100% valid POP3 service. Not something that sits there and repeatedly downloads your mail, only when you connect does it even check.


It's actually a ton more secure than your average website, because those websites STORE your key for permanent reuse... with my system you HAVE TO PROVIDE IT your key in order to even access it, because the key is used to do a couple things... I can elaborate a bit.

On login: ID/vCode are probed in the API (APIKeyInfo), if it returns valid results, "Character" type, and "Access Mask" 3584, then it "logs in" successfully.
We then pull fresh set of headers (MailMessages), sort through them, compare against your marked message database [read vs unread], and pull message bodies (MailBodies) for unread messages, quickly cache all this and wait for first command from client.
Once your client marks a message for deletion and you disconnect, all information regarding that message is flushed minus a single flag (read). The message security is up to you, leave some cache on my server, or set your client to delete on fetch and make sure nothing is left behind.

Now here's the best part, only headers are stored, to/from/subject/date/read, and the POP3 transaction is so fast even I can't snapshot your key... The instant you disconnect, headers are cached, and all other data is completely flushed, ID, vCode, bodies. Most POP3 transactions are completed in less than 2 seconds, that means your key is in the system for less time than it takes for somebody type the necessary commands to flush the memory to disk or to screen. Somebody would literally have to Man-in-the-middle your transaction, or completely break into my secured linux box (where the server is being run), and then find out exactly WHICH instance of the server to sit down and probe. I have 5 instances of the server running for high traffic capacity, helps make you that much more invisible, 4 honeypots, one actual server where YOUR information sits, so they better choose wisely, because your information is gone in a flash from a random selection of one of the 5 servers.

I would say my EVE POP3 mail service is more secure than most websites, and a potential leak would reveal pretty much nothing. Again, I will be providing a link, a way to flush all your data at once, no questions asked, like you were never here, but I feel it's pretty safe and secure as is. I've been using the servers since this morning with no issue, Aphoxema G set up a couple hours after I got the servers running, and no issue there after an initial bug that I had to squish. Aphox is fetching to GMail right now, which makes it even MORE difficult for somebody to man-in-the-middle and protects the vCode that much more closely because of the multiple layers of authentication.

To put it simply: You trust any website with your API? Then you can trust my POP3 mail server as well, cause it doesn't store the ID AND the vCode like those websites do, the vCode is only used to unlock the access to your mail, nothing more, just proves you are who you are.

Also the ID/vCode combination is specifically geared that IF something were to happen, the WORST they could get at is mail, nothing more.