> i'm an user of notmuch already for some years (in fact from the beginning). > great product! i want to replace my roundcube installation on web server by > notmuch-web, which - at least in testing on local computer - looks great and > does exactly the job. > > my concerns are in the domain of the internet security. apparently the haskell > stuff (sorry, not a haskell guy) cannot go over https, but only http, and for > this one has to do some proxying between http and https.... done on http server > level. I can't say much about notmuch-web but as a shameless plug rlb and I are working on noservice https://gitlab.com/noservice/noservice This is intended as pure https (ideally you use a firewall to block its http port), and by default uses client certificate verification so is probably reasonably secure. Note neither rlb nor I are security experts. A rough guide is that noservice is intended to look and feel like the emacs frontend. I use it every day and it meets most of my requirements. > is anyone using such modus operandi? could you share your thoughts about using > notmuch-web? If you do decide to use notmuch-web then possibly try nginx as the https frontend, and you can configure that to require client certificates. Best wishes Mark