Ditching the Gmail app
I like the Gmail app. I like its design, its simplicity, its features (or lack thereof). I am a fan of the KISS philosophy, so it’s all in line with my thinking. I like the iOS Mail app even more for this. But the EAS implementation in the Gmail app on Android is full of bad surprises.
While I reported some issues to SOGo in the past and they resolved them (seemingly via workarounds, but that’s what you get for reverse-engineering a weird protocol by Microsoft), something new always popped up randomly. Its IMAP implementation is less buggy but it has no IMAP IDLE push support. So I tolerated the subpar EAS implementation because it worked well enough. Until I switched to K-9 Mail full-time recently. I always had K-9 to access the whole 10 years of my archive, which I didn’t ever want to sync or access over EAS, but I had it suspended on my phone with all synchronization options turned off to not eat battery for the 2 times a year I ever needed to open the app.
One of the many reasons why I was using the Gmail app was its EAS capability. And the reason for using EAS was its push support and the fact that I can access my emails from (overly) firewalled locations which only allow HTTPS (or more precisely only TCP port 443) traffic through. But I found a better way to handle it. Also, I’ve been following the recent K-9 Mail developments after Mozilla’s acquisition - I wouldn’t mind if its name changed to Thunderbird either, but out of respect towards the project’s legacy it should stay the same. The app seems improved in many ways, they reintroduced IMAP IDLE support after a brief removal and it doesn’t have the outdated design that I remember from the past.
I got this idea when exploring XMPP, deploying ejabberd, specifically figuring out how to run it on port 443 alongside HTTPS traffic. Thanks to haproxy, one can do wonders. Here’s the snippet of my port 443 frontend in haproxy:
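frontend ft_https
    bind :443
    bind :::443
    mode tcp
    # Hold the connection for up to 1s so its first bytes can be inspected
    tcp-request inspect-delay 1s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Plaintext protocols, recognised by their first bytes
    use_backend bk_ssh if { payload(0,7) -m str "SSH-2.0" }
    use_backend bk_jabber_client if { payload(0,5) -m str "<?xml" }
    # TLS connections, routed by the ALPN protocol offered in the ClientHello
    use_backend bk_jabber_client_ssl if { req.ssl_alpn xmpp-client }
    # The ALPN labels registered in RFC 7443 are stun.turn and stun.nat-discovery
    use_backend bk_turn if { req.ssl_alpn stun.turn }
    use_backend bk_turn if { req.ssl_alpn stun.nat-discovery }
    # TLS connections, routed by the SNI hostname in the ClientHello
    use_backend bk_imaps if { req.ssl_sni -i imap.plantroon.com }
    use_backend bk_smtps if { req.ssl_sni -i smtp.plantroon.com }
    use_backend bk_local if { req.ssl_sni -i cdn.plantroon.com }
    use_backend bk_jabber_admin if { req.ssl_sni -i xmpp.plantroon.com }
    # Everything else is treated as ordinary HTTPS
    default_backend bk_https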
You can run everything over port 443 with haproxy. My main use case for EAS was to circumvent the weird firewall rules in some places that I visit regularly - I am one of those people who have zero restraint in using any free Wi-Fi available. Since having IMAP and SMTP traffic restricted is a somewhat stupid restriction, especially in public/semi-public places which these were, it is safe to assume that the firewall also wouldn’t be advanced enough to analyze whether the traffic is HTTPS (EAS) or IMAP. So it was simply down to using the allowed port for everything.
Thanks to this setup, I now run IMAP, SMTP and even SSH on port 443 so that I do not upset the modern IMAP haters who had only ever seen email on mobile devices via whatever special vendor apps.
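To make the routing in the frontend above concrete, here is an added Python example (not the author's code, and not how haproxy is implemented) that classifies a connection's first bytes the way those rules do: SSH banner, XML prolog, then the ALPN and SNI fields, which sit unencrypted in the TLS ClientHello. It covers a subset of the rules; the function names `parse_client_hello`, `route` and `build_client_hello` are hypothetical, and the sample ClientHello is constructed.

```python
import struct

ALPN_BACKENDS = {"xmpp-client": "bk_jabber_client_ssl"}   # names from the frontend above
SNI_BACKENDS = {"imap.plantroon.com": "bk_imaps", "smtp.plantroon.com": "bk_smtps",
                "cdn.plantroon.com": "bk_local", "xmpp.plantroon.com": "bk_jabber_admin"}

def parse_client_hello(data):
    """Return (sni, [alpn, ...]) read from a cleartext TLS ClientHello, else None."""
    if len(data) < 6 or data[0] != 0x16 or data[5] != 0x01:
        return None                      # not a handshake record carrying a ClientHello
    p = 5 + 4 + 2 + 32                   # record hdr, handshake hdr, version, random
    p += 1 + data[p]                     # session id
    p += 2 + int.from_bytes(data[p:p + 2], "big")    # cipher suites
    p += 1 + data[p]                     # compression methods
    end = p + 2 + int.from_bytes(data[p:p + 2], "big")
    p, sni, alpn = p + 2, None, []
    while p + 4 <= min(end, len(data)):
        etype, elen = struct.unpack("!HH", data[p:p + 4])
        body = data[p + 4:p + 4 + elen]
        if etype == 0:                   # server_name: list len, type, name len, name
            sni = body[5:5 + int.from_bytes(body[3:5], "big")].decode("ascii", "replace")
        elif etype == 16:                # ALPN: list len, then length-prefixed names
            q = 2
            while q < len(body):
                alpn.append(body[q + 1:q + 1 + body[q]].decode("ascii", "replace"))
                q += 1 + body[q]
        p += 4 + elen
    return sni, alpn

def route(first_bytes):                  # rules in use_backend order, first match wins
    for prefix, backend in ((b"SSH-2.0", "bk_ssh"), (b"<?xml", "bk_jabber_client")):
        if first_bytes.startswith(prefix):
            return backend
    try:
        sni, alpn = parse_client_hello(first_bytes) or (None, [])
    except IndexError:                   # truncated hello: nothing left to match on
        sni, alpn = None, []
    hit = next((ALPN_BACKENDS[a] for a in alpn if a in ALPN_BACKENDS), None)
    return hit or SNI_BACKENDS.get((sni or "").lower(), "bk_https")

def build_client_hello(sni, alpn=()):    # constructed sample input, minimal fields only
    name = sni.encode()
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    protos = b"".join(bytes([len(a)]) + a.encode() for a in alpn)
    if protos:
        ext += struct.pack("!HHH", 16, len(protos) + 2, len(protos)) + protos
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00"
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```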
This article is part of the series personal mail server