From 47430725a7e9e528c96e5be58e658aea7e93e720 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 3 May 2020 14:24:17 +0200
Subject: [PATCH 01/33] improve doc

---
 app/api/views/alias.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/api/views/alias.py b/app/api/views/alias.py
index 962a6138..dae0e1a0 100644
--- a/app/api/views/alias.py
+++ b/app/api/views/alias.py
@@ -252,8 +252,9 @@ def update_alias(alias_id):
     Update alias note
     Input:
         alias_id: in url
-        note: in body
-        name: in body
+        note (optional): in body
+        name (optional): in body
+        mailbox_id (optional): in body
     Output:
         200
     """

From 605825750936f5dc93931b2a5962cf112f437df5 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 3 May 2020 15:46:35 +0200
Subject: [PATCH 02/33] add bootstrap-select

---
 static/package-lock.json | 5 +++++
 static/package.json      | 1 +
 templates/base.html      | 7 +++++++
 3 files changed, 13 insertions(+)

diff --git a/static/package-lock.json b/static/package-lock.json
index 59d2b610..8f35e45a 100644
--- a/static/package-lock.json
+++ b/static/package-lock.json
@@ -76,6 +76,11 @@
       "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.4.1.tgz",
       "integrity": "sha512-tbx5cHubwE6e2ZG7nqM3g/FZ5PQEDMWmMGNrCUBVRPHXTJaH7CBDdsLeu3eCh3B1tzAxTnAbtmrzvWEvT2NNEA=="
     },
+    "bootstrap-select": {
+      "version": "1.13.16",
+      "resolved": "https://registry.npmjs.org/bootstrap-select/-/bootstrap-select-1.13.16.tgz",
+      "integrity": "sha512-59hUIrW/ldENJDNmliRH3Mzbbrn+XHH5bK0yAy/743Thf8nXA9afNjgr+j1j6tg7NYexEqtE2N8NodHfwMQ0+Q=="
+    },
     "font-awesome": {
       "version": "4.7.0",
       "resolved": "https://registry.npmjs.org/font-awesome/-/font-awesome-4.7.0.tgz",
diff --git a/static/package.json b/static/package.json
index 4dedbbae..3122bf2d 100644
--- a/static/package.json
+++ b/static/package.json
@@ -18,6 +18,7 @@
   "dependencies": {
     "@sentry/browser": "^5.12.0",
     "bootbox": "^5.4.0",
+    "bootstrap-select": "^1.13.16",
     "font-awesome": "^4.7.0",
     "intro.js": "^2.9.3",
     "qrious": "^4.0.2",
diff --git a/templates/base.html b/templates/base.html
index c7539b7b..70adda75 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -60,6 +60,13 @@
 
   <script src="{{ url_for('static', filename='node_modules/bootbox/dist/bootbox.min.js') }}"></script>
 
+  <!-- Bootstrap-select library -->
+  <link rel="stylesheet"
+        href="{{ url_for('static', filename='node_modules/bootstrap-select/dist/css/bootstrap-select.min.css') }}">
+  <script
+      src="{{ url_for('static', filename='node_modules/bootstrap-select/dist/js/bootstrap-select.min.js') }}"></script>
+
+
   <link rel="stylesheet" type="text/css" href="/static/style.css?v={{ VERSION }}">
 
   <script>

From 684e8983efd73abd523beb8250d102baf7b39978 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 3 May 2020 15:54:19 +0200
Subject: [PATCH 03/33] Add AliasMailbox table

---
 app/models.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/app/models.py b/app/models.py
index 7ca84bc6..e18a0066 100644
--- a/app/models.py
+++ b/app/models.py
@@ -188,6 +188,8 @@ class User(db.Model, ModelMixin, UserMixin):
         db.Boolean, default=False, nullable=False, server_default="0"
     )
 
+    default_mailbox = db.relationship("Mailbox", foreign_keys=[default_mailbox_id])
+
     @classmethod
     def create(cls, email, name, password=None, **kwargs):
         user: User = super(User, cls).create(email=email, name=name, **kwargs)
@@ -634,6 +636,10 @@ class Alias(db.Model, ModelMixin):
         db.ForeignKey("mailbox.id", ondelete="cascade"), nullable=False
     )
 
+    # prefix _ to avoid this object being used accidentally.
+    # To have the list of all mailboxes, should use AliasInfo instead
+    _mailboxes = db.relationship("Mailbox", secondary="alias_mailbox")
+
     user = db.relationship(User)
     mailbox = db.relationship("Mailbox")
 
@@ -1271,3 +1277,16 @@ class SentAlert(db.Model, ModelMixin):
     user_id = db.Column(db.ForeignKey(User.id, ondelete="cascade"), nullable=False)
     to_email = db.Column(db.String(256), nullable=False)
     alert_type = db.Column(db.String(256), nullable=False)
+
+
+class AliasMailbox(db.Model, ModelMixin):
+    __table_args__ = (
+        db.UniqueConstraint("alias_id", "mailbox_id", name="uq_alias_mailbox"),
+    )
+
+    user_id = db.Column(db.ForeignKey(User.id, ondelete="cascade"), nullable=False)
+
+    alias_id = db.Column(db.ForeignKey(Alias.id, ondelete="cascade"), nullable=False)
+    mailbox_id = db.Column(
+        db.ForeignKey(Mailbox.id, ondelete="cascade"), nullable=False
+    )

From 165d986561b110cc529695c675fb2f7b239770d0 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 3 May 2020 15:56:45 +0200
Subject: [PATCH 04/33] add mailboxes to GET /api/v2/aliases

---
 README.md               | 40 ++++++++++++++--------------------------
 app/api/serializer.py   | 37 ++++++++++++++++++++++++++++++++++---
 app/api/views/alias.py  |  4 +++-
 tests/api/test_alias.py |  5 +++++
 4 files changed, 56 insertions(+), 30 deletions(-)

diff --git a/README.md b/README.md
index 1a362923..f2ec9b24 100644
--- a/README.md
+++ b/README.md
@@ -881,7 +881,10 @@ If success, 200 with the list of aliases. Each alias has the following fields:
 - nb_block
 - nb_forward
 - nb_reply
-- mailbox
+- mailbox: obsolete, should use `mailboxes` instead.
+    - id
+    - email
+- mailboxes: list of mailbox, contains at least 1 mailbox.
     - id
     - email
 - (optional) latest_activity:
@@ -908,6 +911,16 @@ Here's an example:
         "email": "a@b.c",
         "id": 1
       },
+      "mailboxes": [
+        {
+          "email": "m1@cd.ef",
+          "id": 2
+        },
+        {
+          "email": "john@wick.com",
+          "id": 1
+        }
+      ],
       "latest_activity": {
         "action": "forward",
         "contact": {
@@ -921,31 +934,6 @@ Here's an example:
       "nb_forward": 1,
       "nb_reply": 0,
       "note": null
-    },
-    {
-      "creation_date": "2020-04-06 17:57:14+00:00",
-      "creation_timestamp": 1586195834,
-      "email": "prefix0.hey@sl.local",
-      "name": null,
-      "enabled": true,
-      "id": 2,
-      "mailbox": {
-        "email": "a@b.c",
-        "id": 1
-      },
-      "latest_activity": {
-        "action": "forward",
-        "contact": {
-          "email": "c0@example.com",
-          "name": null,
-          "reverse_alias": "\"c0 at example.com\" <re0@SL>"
-        },
-        "timestamp": 1586195834
-      },
-      "nb_block": 0,
-      "nb_forward": 1,
-      "nb_reply": 0,
-      "note": null
     }
   ]
 }
diff --git a/app/api/serializer.py b/app/api/serializer.py
index 47ba265c..faa4c91e 100644
--- a/app/api/serializer.py
+++ b/app/api/serializer.py
@@ -13,6 +13,7 @@ from app.models import Alias, Contact, EmailLog, Mailbox
 class AliasInfo:
     alias: Alias
     mailbox: Mailbox
+    mailboxes: [Mailbox]
 
     nb_forward: int
     nb_blocked: int
@@ -21,6 +22,9 @@ class AliasInfo:
     latest_email_log: EmailLog = None
     latest_contact: Contact = None
 
+    def contain_mailbox(self, mailbox_id: int) -> bool:
+        return mailbox_id in [m.id for m in self.mailboxes]
+
 
 def serialize_alias_info(alias_info: AliasInfo) -> dict:
     return {
@@ -54,6 +58,10 @@ def serialize_alias_info_v2(alias_info: AliasInfo) -> dict:
         "nb_reply": alias_info.nb_reply,
         # mailbox
         "mailbox": {"id": alias_info.mailbox.id, "email": alias_info.mailbox.email},
+        "mailboxes": [
+            {"id": mailbox.id, "email": mailbox.email}
+            for mailbox in alias_info.mailboxes
+        ],
     }
     if alias_info.latest_email_log:
         email_log = alias_info.latest_email_log
@@ -158,7 +166,13 @@ def get_alias_infos_with_pagination_v2(
 
     q = q.group_by(Alias.id, Mailbox.id)
 
-    q = q.limit(PAGE_LIMIT).offset(page_id * PAGE_LIMIT)
+    q = list(q.limit(PAGE_LIMIT).offset(page_id * PAGE_LIMIT))
+
+    # preload alias.mailboxes to speed up
+    alias_ids = [alias.id for alias, _, _ in q]
+    Alias.query.options(joinedload(Alias._mailboxes)).filter(
+        Alias.id.in_(alias_ids)
+    ).all()
 
     for alias, mailbox, latest_activity in q:
         ret.append(get_alias_info_v2(alias, mailbox))
@@ -174,7 +188,12 @@ def get_alias_info(alias: Alias) -> AliasInfo:
     )
 
     alias_info = AliasInfo(
-        alias=alias, nb_blocked=0, nb_forward=0, nb_reply=0, mailbox=alias.mailbox
+        alias=alias,
+        nb_blocked=0,
+        nb_forward=0,
+        nb_reply=0,
+        mailbox=alias.mailbox,
+        mailboxes=[alias.mailbox],
     )
 
     for _, el in q:
@@ -200,9 +219,21 @@ def get_alias_info_v2(alias: Alias, mailbox) -> AliasInfo:
     latest_contact = None
 
     alias_info = AliasInfo(
-        alias=alias, nb_blocked=0, nb_forward=0, nb_reply=0, mailbox=mailbox
+        alias=alias,
+        nb_blocked=0,
+        nb_forward=0,
+        nb_reply=0,
+        mailbox=mailbox,
+        mailboxes=[mailbox],
     )
 
+    for m in alias._mailboxes:
+        alias_info.mailboxes.append(m)
+
+    # remove duplicates
+    # can happen that alias.mailbox_id also appears in AliasMailbox table
+    alias_info.mailboxes = list(set(alias_info.mailboxes))
+
     for contact, email_log in q:
         if email_log.is_reply:
             alias_info.nb_reply += 1
diff --git a/app/api/views/alias.py b/app/api/views/alias.py
index dae0e1a0..70e70655 100644
--- a/app/api/views/alias.py
+++ b/app/api/views/alias.py
@@ -20,7 +20,7 @@ from app.dashboard.views.alias_log import get_alias_log
 from app.email_utils import parseaddr_unicode
 from app.extensions import db
 from app.log import LOG
-from app.models import Alias, Contact, Mailbox
+from app.models import Alias, Contact, Mailbox, AliasMailbox
 from app.utils import random_string
 
 
@@ -85,6 +85,8 @@ def get_aliases_v2():
             - nb_block
             - nb_reply
             - note
+            - mailbox
+            - mailboxes
             - (optional) latest_activity:
                 - timestamp
                 - action: forward|reply|block|bounced
diff --git a/tests/api/test_alias.py b/tests/api/test_alias.py
index 0df13a5b..7ab13556 100644
--- a/tests/api/test_alias.py
+++ b/tests/api/test_alias.py
@@ -184,6 +184,11 @@ def test_get_aliases_v2(flask_client):
     assert "id" in r0["mailbox"]
     assert "email" in r0["mailbox"]
 
+    assert r0["mailboxes"]
+    for mailbox in r0["mailboxes"]:
+        assert "id" in mailbox
+        assert "email" in mailbox
+
 
 def test_delete_alias(flask_client):
     user = User.create(

From 90dae2e3c8e1d180f242c05e41ac4271467a72f0 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 3 May 2020 16:02:46 +0200
Subject: [PATCH 05/33] Support mailbox_ids in PUT /api/aliases/:alias_id

---
 README.md               |  1 +
 app/api/views/alias.py  | 31 +++++++++++++++++++++++++++++++
 tests/api/test_alias.py | 37 +++++++++++++++++++++++++++++++++++++
 3 files changed, 69 insertions(+)

diff --git a/README.md b/README.md
index f2ec9b24..7525cac3 100644
--- a/README.md
+++ b/README.md
@@ -1042,6 +1042,7 @@ Input:
 - (optional) `note` in request body
 - (optional) `mailbox_id` in request body
 - (optional) `name` in request body
+- (optional) `mailbox_ids` in request body: array of mailbox_id
 
 Output:
 If success, return 200
diff --git a/app/api/views/alias.py b/app/api/views/alias.py
index 70e70655..7c73646f 100644
--- a/app/api/views/alias.py
+++ b/app/api/views/alias.py
@@ -285,6 +285,37 @@ def update_alias(alias_id):
         alias.mailbox_id = mailbox_id
         changed = True
 
+    if "mailbox_ids" in data:
+        mailbox_ids = [int(m_id) for m_id in data.get("mailbox_ids")]
+        mailboxes: [Mailbox] = []
+
+        # check if all mailboxes belong to user
+        for mailbox_id in mailbox_ids:
+            mailbox = Mailbox.get(mailbox_id)
+            if not mailbox or mailbox.user_id != user.id or not mailbox.verified:
+                return jsonify(error="Forbidden"), 400
+            mailboxes.append(mailbox)
+
+        if not mailboxes:
+            return jsonify(error="Must choose at least one mailbox"), 400
+
+        # <<< update alias mailboxes >>>
+        # first remove all existing alias-mailboxes links
+        AliasMailbox.query.filter_by(alias_id=alias.id).delete()
+        db.session.flush()
+
+        # then add all new mailboxes
+        for i, mailbox in enumerate(mailboxes):
+            if i == 0:
+                alias.mailbox_id = mailboxes[0].id
+            else:
+                AliasMailbox.create(
+                    user_id=alias.user_id, alias_id=alias.id, mailbox_id=mailbox.id
+                )
+        # <<< END update alias mailboxes >>>
+
+        changed = True
+
     if "name" in data:
         new_name = data.get("name")
         alias.name = new_name
diff --git a/tests/api/test_alias.py b/tests/api/test_alias.py
index 7ab13556..9ee1217f 100644
--- a/tests/api/test_alias.py
+++ b/tests/api/test_alias.py
@@ -362,6 +362,43 @@ def test_update_alias_name(flask_client):
     assert alias.name == "Test Name"
 
 
+def test_update_alias_mailboxes(flask_client):
+    user = User.create(
+        email="a@b.c", password="password", name="Test User", activated=True
+    )
+    db.session.commit()
+
+    mb1 = Mailbox.create(user_id=user.id, email="ab1@cd.com", verified=True)
+    mb2 = Mailbox.create(user_id=user.id, email="ab2@cd.com", verified=True)
+
+    # create api_key
+    api_key = ApiKey.create(user.id, "for test")
+    db.session.commit()
+
+    alias = Alias.create_new_random(user)
+    db.session.commit()
+
+    r = flask_client.put(
+        url_for("api.update_alias", alias_id=alias.id),
+        headers={"Authentication": api_key.code},
+        json={"mailbox_ids": [mb1.id, mb2.id]},
+    )
+
+    assert r.status_code == 200
+    alias = Alias.get(alias.id)
+
+    assert alias.mailbox
+    assert len(alias._mailboxes) == 1
+
+    # fail when update with empty mailboxes
+    r = flask_client.put(
+        url_for("api.update_alias", alias_id=alias.id),
+        headers={"Authentication": api_key.code},
+        json={"mailbox_ids": []},
+    )
+    assert r.status_code == 400
+
+
 def test_alias_contacts(flask_client):
     user = User.create(
         email="a@b.c", password="password", name="Test User", activated=True

From dafa23c5bf29ed5f20f94205de7870714e612e1b Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 3 May 2020 16:03:29 +0200
Subject: [PATCH 06/33] Add fake aliases with multiple mailboxes

---
 server.py | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/server.py b/server.py
index f20799fc..18d6e916 100644
--- a/server.py
+++ b/server.py
@@ -52,6 +52,7 @@ from app.models import (
     Contact,
     EmailLog,
     Referral,
+    AliasMailbox,
 )
 from app.monitor.base import monitor_bp
 from app.oauth.base import oauth_bp
@@ -164,13 +165,23 @@ def fake_data():
     m1 = Mailbox.create(user_id=user.id, email="m1@cd.ef", verified=True)
     db.session.commit()
 
-    for i in range(30):
+    for i in range(31):
         if i % 2 == 0:
             a = Alias.create_new(user, f"e{i}@", mailbox_id=m1.id)
+
         else:
             a = Alias.create_new(user, f"e{i}@")
         db.session.commit()
 
+        if i % 5 == 0:
+            if i % 2 == 0:
+                AliasMailbox.create(
+                    user_id=user.id, alias_id=a.id, mailbox_id=user.default_mailbox_id
+                )
+            else:
+                AliasMailbox.create(user_id=user.id, alias_id=a.id, mailbox_id=m1.id)
+        db.session.commit()
+
         # some aliases don't have any activity
         if i % 3 != 0:
             contact = Contact.create(

From b375f87d2ce101f9b9f172774d85429d37b873e0 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 3 May 2020 16:04:11 +0200
Subject: [PATCH 07/33] User can update multiple mailboxes

---
 app/dashboard/templates/dashboard/index.html | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/app/dashboard/templates/dashboard/index.html b/app/dashboard/templates/dashboard/index.html
index 71471fc1..a2febd52 100644
--- a/app/dashboard/templates/dashboard/index.html
+++ b/app/dashboard/templates/dashboard/index.html
@@ -307,10 +307,10 @@
               <div class="small-text">Current mailbox</div>
               <div class="d-flex">
                 <div class="flex-grow-1 mr-2">
-                  <select id="mailbox-{{ alias.id }}"
-                          class="form-control form-control-sm" name="mailbox">
+                  <select required id="mailbox-{{ alias.id }}"
+                          class="form-control form-control-sm custom-select selectpicker" multiple name="mailbox">
                     {% for mailbox in mailboxes %}
-                      <option value="{{ mailbox.id }}" {% if mailbox.id == alias_info.mailbox.id %}
+                      <option value="{{ mailbox.id }}" {% if alias_info.contain_mailbox(mailbox.id) %}
                               selected {% endif %}>
                         {{ mailbox.email }}
                       </option>
@@ -593,7 +593,12 @@
 
     $(".save-mailbox").on("click", async function () {
       let aliasId = $(this).data("alias");
-      let mailbox_id = $(`#mailbox-${aliasId}`).val();
+      let mailbox_ids = $(`#mailbox-${aliasId}`).val();
+
+      if (mailbox_ids.length == 0) {
+        toastr.error("You must select at least a mailbox", "Error");
+        return;
+      }
 
       try {
         let res = await fetch(`/api/aliases/${aliasId}`, {
@@ -602,7 +607,7 @@
             "Content-Type": "application/json",
           },
           body: JSON.stringify({
-            mailbox_id: mailbox_id,
+            mailbox_ids: mailbox_ids,
           }),
         });
 

From e52f2ca6deab2f4d07c049b40cac0c9daab91a72 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 3 May 2020 16:50:39 +0200
Subject: [PATCH 08/33] Support multiple mailboxes in custom alias page

---
 .../templates/dashboard/custom_alias.html     | 28 ++++++++++---
 app/dashboard/views/custom_alias.py           | 34 +++++++++++----
 tests/dashboard/test_custom_alias.py          | 41 +++++++++++++++++--
 3 files changed, 86 insertions(+), 17 deletions(-)

diff --git a/app/dashboard/templates/dashboard/custom_alias.html b/app/dashboard/templates/dashboard/custom_alias.html
index edb7d9af..a4fed99a 100644
--- a/app/dashboard/templates/dashboard/custom_alias.html
+++ b/app/dashboard/templates/dashboard/custom_alias.html
@@ -56,15 +56,16 @@
 
       <div class="row mb-2">
         <div class="col p-1">
-          <select class="form-control" name="mailbox">
+          <select class="form-control custom-select selectpicker" id="mailboxes" multiple name="mailboxes">
             {% for mailbox in mailboxes %}
-              <option value="{{ mailbox }}">
-                {{ mailbox }}
+              <option value="{{ mailbox.id }}" {% if mailbox.id == current_user.default_mailbox_id %}
+                      selected {% endif %}>
+                {{ mailbox.email }}
               </option>
             {% endfor %}
           </select>
           <div class="small-text">
-            The mailbox that owns this alias.
+            The mailbox(es) that owns this alias.
           </div>
         </div>
       </div>
@@ -81,7 +82,7 @@
 
       <div class="row">
         <div class="col p-1">
-          <button class="btn btn-primary mt-1">Create</button>
+          <span id="submit" class="btn btn-primary mt-1">Create</span>
         </div>
       </div>
     </form>
@@ -89,3 +90,20 @@
 
 {% endblock %}
 
+{% block script %}
+  <script>
+    $("#submit").on("click", async function () {
+      let that = $(this);
+      let mailbox_ids = $(`#mailboxes`).val();
+
+      if (mailbox_ids.length == 0) {
+        toastr.error("You must select at least a mailbox", "Error");
+        return;
+      }
+
+      that.closest("form").submit();
+
+    })
+  </script>
+{% endblock %}
+
diff --git a/app/dashboard/views/custom_alias.py b/app/dashboard/views/custom_alias.py
index f9dc55a1..2828a23f 100644
--- a/app/dashboard/views/custom_alias.py
+++ b/app/dashboard/views/custom_alias.py
@@ -11,7 +11,7 @@ from app.dashboard.base import dashboard_bp
 from app.email_utils import email_belongs_to_alias_domains
 from app.extensions import db
 from app.log import LOG
-from app.models import Alias, CustomDomain, DeletedAlias, Mailbox, User
+from app.models import Alias, CustomDomain, DeletedAlias, Mailbox, User, AliasMailbox
 from app.utils import convert_to_id, random_word, word_exist
 
 signer = TimestampSigner(CUSTOM_ALIAS_SECRET)
@@ -54,20 +54,30 @@ def custom_alias():
     # List of (is_custom_domain, alias-suffix, time-signed alias-suffix)
     suffixes = available_suffixes(current_user)
 
-    mailboxes = [mb.email for mb in current_user.mailboxes()]
+    mailboxes = current_user.mailboxes()
 
     if request.method == "POST":
         alias_prefix = request.form.get("prefix")
         signed_suffix = request.form.get("suffix")
-        mailbox_email = request.form.get("mailbox")
+        mailbox_ids = request.form.getlist("mailboxes")
         alias_note = request.form.get("note")
 
         # check if mailbox is not tempered with
-        if mailbox_email != current_user.email:
-            mailbox = Mailbox.get_by(email=mailbox_email, user_id=current_user.id)
-            if not mailbox or mailbox.user_id != current_user.id:
+        mailboxes = []
+        for mailbox_id in mailbox_ids:
+            mailbox = Mailbox.get(mailbox_id)
+            if (
+                not mailbox
+                or mailbox.user_id != current_user.id
+                or not mailbox.verified
+            ):
                 flash("Something went wrong, please retry", "warning")
                 return redirect(url_for("dashboard.custom_alias"))
+            mailboxes.append(mailbox)
+
+        if not mailboxes:
+            flash("At least one mailbox must be selected", "error")
+            return redirect(url_for("dashboard.custom_alias"))
 
         # hypothesis: user will click on the button in the 600 secs
         try:
@@ -91,14 +101,20 @@ def custom_alias():
                     "warning",
                 )
             else:
-                mailbox = Mailbox.get_by(email=mailbox_email, user_id=current_user.id)
-
                 alias = Alias.create(
                     user_id=current_user.id,
                     email=full_alias,
                     note=alias_note,
-                    mailbox_id=mailbox.id,
+                    mailbox_id=mailboxes[0].id,
                 )
+                db.session.flush()
+
+                for i in range(1, len(mailboxes)):
+                    AliasMailbox.create(
+                        user_id=alias.user_id,
+                        alias_id=alias.id,
+                        mailbox_id=mailboxes[i].id,
+                    )
 
                 # get the custom_domain_id if alias is created with a custom domain
                 if alias_suffix.startswith("@"):
diff --git a/tests/dashboard/test_custom_alias.py b/tests/dashboard/test_custom_alias.py
index 3e189c3b..1708c9d7 100644
--- a/tests/dashboard/test_custom_alias.py
+++ b/tests/dashboard/test_custom_alias.py
@@ -7,7 +7,7 @@ from app.dashboard.views.custom_alias import (
     available_suffixes,
 )
 from app.extensions import db
-from app.models import Mailbox, CustomDomain
+from app.models import Mailbox, CustomDomain, Alias
 from app.utils import random_word
 from tests.utils import login
 
@@ -20,15 +20,50 @@ def test_add_alias_success(flask_client):
     suffix = f".{word}@{EMAIL_DOMAIN}"
     suffix = signer.sign(suffix).decode()
 
+    # create with a single mailbox
     r = flask_client.post(
         url_for("dashboard.custom_alias"),
-        data={"prefix": "prefix", "suffix": suffix, "mailbox": user.email,},
+        data={
+            "prefix": "prefix",
+            "suffix": suffix,
+            "mailboxes": [user.default_mailbox_id],
+        },
         follow_redirects=True,
     )
-
     assert r.status_code == 200
     assert f"Alias prefix.{word}@{EMAIL_DOMAIN} has been created" in str(r.data)
 
+    alias = Alias.query.order_by(Alias.created_at.desc()).first()
+    assert not alias._mailboxes
+
+
+def test_add_alias_multiple_mailboxes(flask_client):
+    user = login(flask_client)
+    db.session.commit()
+
+    word = random_word()
+    suffix = f".{word}@{EMAIL_DOMAIN}"
+    suffix = signer.sign(suffix).decode()
+
+    # create with a multiple mailboxes
+    mb1 = Mailbox.create(user_id=user.id, email="m1@example.com", verified=True)
+    db.session.commit()
+
+    r = flask_client.post(
+        url_for("dashboard.custom_alias"),
+        data={
+            "prefix": "prefix",
+            "suffix": suffix,
+            "mailboxes": [user.default_mailbox_id, mb1.id],
+        },
+        follow_redirects=True,
+    )
+    assert r.status_code == 200
+    assert f"Alias prefix.{word}@{EMAIL_DOMAIN} has been created" in str(r.data)
+
+    alias = Alias.query.order_by(Alias.created_at.desc()).first()
+    assert alias._mailboxes
+
 
 def test_not_show_unverified_mailbox(flask_client):
     """make sure user unverified mailbox is not shown to user"""

From e704497b0f9fd9738d8090b993cc261e10a2a738 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 15:21:31 +0200
Subject: [PATCH 09/33] make sure prefix is not empty before submitting

---
 app/dashboard/templates/dashboard/custom_alias.html | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/app/dashboard/templates/dashboard/custom_alias.html b/app/dashboard/templates/dashboard/custom_alias.html
index a4fed99a..e29bbc88 100644
--- a/app/dashboard/templates/dashboard/custom_alias.html
+++ b/app/dashboard/templates/dashboard/custom_alias.html
@@ -28,6 +28,7 @@
       <div class="row mb-2">
         <div class="col-sm-6 mb-1 p-1" style="min-width: 4em">
           <input name="prefix" class="form-control"
+                 id="prefix"
                  type="text"
                  pattern="[0-9a-z-_]{1,}"
                  title="Only lowercase letter, number, dash (-), underscore (_) can be used in alias prefix."
@@ -95,12 +96,18 @@
     $("#submit").on("click", async function () {
       let that = $(this);
       let mailbox_ids = $(`#mailboxes`).val();
+      let prefix = $('#prefix').val();
 
       if (mailbox_ids.length == 0) {
         toastr.error("You must select at least a mailbox", "Error");
         return;
       }
 
+      if (!prefix) {
+        toastr.error("Alias cannot be empty", "Error");
+        return;
+      }
+
       that.closest("form").submit();
 
     })

From f59ccd40181162b8d54b4f5f223af2c827c4691b Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 16:27:27 +0200
Subject: [PATCH 10/33] optimize import email_handler

---
 email_handler.py | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/email_handler.py b/email_handler.py
index 6c76b4db..603498a3 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -31,14 +31,8 @@ It should contain the following info:
 
 """
 import email
-import re
-
-import arrow
-import spf
 import time
 import uuid
-from aiosmtpd.controller import Controller
-from aiosmtpd.smtp import Envelope
 from email import encoders
 from email.message import Message
 from email.mime.application import MIMEApplication
@@ -47,6 +41,11 @@ from email.utils import parseaddr, formataddr
 from io import BytesIO
 from smtplib import SMTP
 
+import arrow
+import spf
+from aiosmtpd.controller import Controller
+from aiosmtpd.smtp import Envelope
+
 from app import pgp_utils, s3
 from app.alias_utils import try_auto_create
 from app.config import (

From b5e7f05bfcd10eee054845eaa5d4d2da8e1c1701 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 16:28:56 +0200
Subject: [PATCH 11/33] allow user sends emails to his alias from his mailbox

---
 email_handler.py | 16 ----------------
 1 file changed, 16 deletions(-)

diff --git a/email_handler.py b/email_handler.py
index 603498a3..c8431b63 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -93,9 +93,6 @@ from app.utils import random_string
 from init_app import load_pgp_public_keys
 from server import create_app
 
-# used when an alias receives email from its own mailbox
-# can happen when user "Reply All" on some email clients
-_SELF_FORWARDING_STATUS = "550 SL self-forward"
 
 _IP_HEADER = "X-SimpleLogin-Client-IP"
 
@@ -331,13 +328,6 @@ def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, s
     mailbox_email = mailbox.email
     user = alias.user
 
-    # Sometimes when user clicks on "reply all"
-    # an email is sent to the same alias that the previous message is destined to
-    if envelope.mail_from == mailbox_email:
-        # nothing to do
-        LOG.d("Forward from %s to %s, nothing to do", envelope.mail_from, mailbox_email)
-        return False, _SELF_FORWARDING_STATUS
-
     contact = get_or_create_contact(msg["From"], alias)
     email_log = EmailLog.create(contact_id=contact.id, user_id=contact.user_id)
 
@@ -940,12 +930,6 @@ def handle(envelope: Envelope, smtp: SMTP) -> str:
             is_delivered, smtp_status = handle_forward(envelope, smtp, msg, rcpt_to)
             res.append((is_delivered, smtp_status))
 
-    # special handling for self-forwarding
-    # just consider success delivery in this case
-    if len(res) == 1 and res[0][1] == _SELF_FORWARDING_STATUS:
-        LOG.d("Self-forwarding, ignore")
-        return "250 SL OK"
-
     for (is_success, smtp_status) in res:
         # Consider all deliveries successful if 1 delivery is successful
         if is_success:

From 59036972f1e046e6f912d8f9e3c1c43f44563ae8 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 16:31:36 +0200
Subject: [PATCH 12/33] refactor handle_forward: move the disabled alias case
 to the beginning

---
 email_handler.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/email_handler.py b/email_handler.py
index c8431b63..975aa905 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -324,10 +324,6 @@ def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, s
             LOG.d("alias %s cannot be created on-the-fly, return 550", address)
             return False, "550 SL E3"
 
-    mailbox = alias.mailbox
-    mailbox_email = mailbox.email
-    user = alias.user
-
     contact = get_or_create_contact(msg["From"], alias)
     email_log = EmailLog.create(contact_id=contact.id, user_id=contact.user_id)
 
@@ -336,8 +332,13 @@ def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, s
         email_log.blocked = True
 
         db.session.commit()
+        # do not return 5** to allow user to receive emails later when alias is enabled
         return True, "250 Message accepted for delivery"
 
+    mailbox = alias.mailbox
+    mailbox_email = mailbox.email
+    user = alias.user
+
     spam_check = True
 
     # create PGP email if needed

From 2755e67c31dfd4faeec2a7e42787ac3c5effb982 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 16:32:54 +0200
Subject: [PATCH 13/33] simplify code: replace mailbox_email by mailbox.email

---
 email_handler.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/email_handler.py b/email_handler.py
index 975aa905..44157c67 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -336,7 +336,6 @@ def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, s
         return True, "250 Message accepted for delivery"
 
     mailbox = alias.mailbox
-    mailbox_email = mailbox.email
     user = alias.user
 
     spam_check = True
@@ -356,7 +355,7 @@ def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, s
             email_log.is_spam = True
             email_log.spam_status = spam_status
 
-            handle_spam(contact, alias, msg, user, mailbox_email, email_log)
+            handle_spam(contact, alias, msg, user, mailbox.email, email_log)
             return False, "550 SL E1"
 
     # add custom header
@@ -406,7 +405,7 @@ def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, s
     LOG.d(
         "Forward mail from %s to %s, mail_options %s, rcpt_options %s ",
         contact.website_email,
-        mailbox_email,
+        mailbox.email,
         envelope.mail_options,
         envelope.rcpt_options,
     )
@@ -415,7 +414,7 @@ def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, s
     # encode message raw directly instead
     smtp.sendmail(
         contact.reply_email,
-        mailbox_email,
+        mailbox.email,
         msg.as_bytes(),
         envelope.mail_options,
         envelope.rcpt_options,

From 7f6ba313fd94198629ccd2bb5a315eb6533b79c6 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 16:33:54 +0200
Subject: [PATCH 14/33] add strip() to rcpt_to just in case

---
 email_handler.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/email_handler.py b/email_handler.py
index 44157c67..f3fee89d 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -314,7 +314,7 @@ def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, s
     """return whether an email has been delivered and
     the smtp status ("250 Message accepted", "550 Non-existent email address", etc)
     """
-    address = rcpt_to.lower()  # alias@SL
+    address = rcpt_to.lower().strip()  # alias@SL
 
     alias = Alias.get_by(email=address)
     if not alias:

From 4b479defa895e21d672e53bb4396273f63f9e0d9 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 16:57:47 +0200
Subject: [PATCH 15/33] Support alias having multiple mailboxes in forward
 phase

---
 app/models.py    |  8 ++++++++
 email_handler.py | 38 ++++++++++++++++++++++++++++++++------
 2 files changed, 40 insertions(+), 6 deletions(-)

diff --git a/app/models.py b/app/models.py
index e18a0066..22e78a85 100644
--- a/app/models.py
+++ b/app/models.py
@@ -643,6 +643,14 @@ class Alias(db.Model, ModelMixin):
     user = db.relationship(User)
     mailbox = db.relationship("Mailbox")
 
+    @property
+    def mailboxes(self):
+        ret = [self.mailbox]
+        for m in self._mailboxes:
+            ret.append(m)
+
+        return ret
+
     @classmethod
     def create(cls, **kw):
         r = cls(**kw)
diff --git a/email_handler.py b/email_handler.py
index f3fee89d..ad1af564 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -40,6 +40,7 @@ from email.mime.multipart import MIMEMultipart
 from email.utils import parseaddr, formataddr
 from io import BytesIO
 from smtplib import SMTP
+from typing import List, Tuple
 
 import arrow
 import spf
@@ -310,7 +311,9 @@ def prepare_pgp_message(orig_msg: Message, pgp_fingerprint: str):
     return msg
 
 
-def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, str):
+def handle_forward(
+    envelope, smtp: SMTP, msg: Message, rcpt_to: str
+) -> List[Tuple[bool, str]]:
     """return whether an email has been delivered and
     the smtp status ("250 Message accepted", "550 Non-existent email address", etc)
     """
@@ -322,7 +325,7 @@ def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, s
         alias = try_auto_create(address)
         if not alias:
             LOG.d("alias %s cannot be created on-the-fly, return 550", address)
-            return False, "550 SL E3"
+            return [(False, "550 SL E3")]
 
     contact = get_or_create_contact(msg["From"], alias)
     email_log = EmailLog.create(contact_id=contact.id, user_id=contact.user_id)
@@ -333,11 +336,32 @@ def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, s
 
         db.session.commit()
         # do not return 5** to allow user to receive emails later when alias is enabled
-        return True, "250 Message accepted for delivery"
+        return [(True, "250 Message accepted for delivery")]
 
-    mailbox = alias.mailbox
     user = alias.user
 
+    ret = []
+    for mailbox in alias.mailboxes:
+        ret.append(
+            forward_email_to_mailbox(
+                alias, msg, email_log, contact, envelope, smtp, mailbox, user
+            )
+        )
+
+    return ret
+
+
+def forward_email_to_mailbox(
+    alias,
+    msg: Message,
+    email_log: EmailLog,
+    contact: Contact,
+    envelope,
+    smtp: SMTP,
+    mailbox,
+    user,
+) -> (bool, str):
+    LOG.d("Forward %s -> %s -> %s", contact, alias, mailbox)
     spam_check = True
 
     # create PGP email if needed
@@ -927,8 +951,10 @@ def handle(envelope: Envelope, smtp: SMTP) -> str:
             res.append((is_delivered, smtp_status))
         else:  # Forward case
             LOG.debug(">>> Forward phase %s -> %s", envelope.mail_from, rcpt_to)
-            is_delivered, smtp_status = handle_forward(envelope, smtp, msg, rcpt_to)
-            res.append((is_delivered, smtp_status))
+            for is_delivered, smtp_status in handle_forward(
+                envelope, smtp, msg, rcpt_to
+            ):
+                res.append((is_delivered, smtp_status))
 
     for (is_success, smtp_status) in res:
         # Consider all deliveries successful if 1 delivery is successful

From 97e1c334aff6945a771fc6548f3b99767fe41512 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 16:58:18 +0200
Subject: [PATCH 16/33] call strip() on rcpt_to just to be sure

---
 email_handler.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/email_handler.py b/email_handler.py
index ad1af564..20921bba 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -453,7 +453,7 @@ def handle_reply(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, str
     return whether an email has been delivered and
     the smtp status ("250 Message accepted", "550 Non-existent email address", etc)
     """
-    reply_email = rcpt_to.lower()
+    reply_email = rcpt_to.lower().strip()
 
     # reply_email must end with EMAIL_DOMAIN
     if not reply_email.endswith(EMAIL_DOMAIN):

From 8d65175ac59e6c9eee7a41f9e8efe64b4af620c8 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 17:52:07 +0200
Subject: [PATCH 17/33] set mailbox ID in X-SimpleLogin-Mailbox-ID header

---
 email_handler.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/email_handler.py b/email_handler.py
index 20921bba..a826948b 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -96,7 +96,7 @@ from server import create_app
 
 
 _IP_HEADER = "X-SimpleLogin-Client-IP"
-
+_MAILBOX_ID_HEADER = "X-SimpleLogin-Mailbox-ID"
 
 # fix the database connection leak issue
 # use this method instead of create_app
@@ -390,6 +390,7 @@ def forward_email_to_mailbox(
     delete_header(msg, "Sender")
 
     delete_header(msg, _IP_HEADER)
+    add_or_replace_header(msg, _MAILBOX_ID_HEADER, str(mailbox.id))
 
     # change the from header so the sender comes from @SL
     # so it can pass DMARC check

From 33d578c78e293941706be892dd1723abadd68e7f Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 17:53:37 +0200
Subject: [PATCH 18/33] parse _MAILBOX_ID_HEADER to handle bounce message

---
 email_handler.py | 40 +++++++++++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 13 deletions(-)

diff --git a/email_handler.py b/email_handler.py
index a826948b..469e5675 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -490,7 +490,7 @@ def handle_reply(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, str
             alias.user,
         )
 
-        handle_bounce(contact, alias, msg, user, mailbox_email)
+        handle_bounce(contact, alias, msg, user)
         return False, "550 SL E6"
 
     mailbox: Mailbox = Mailbox.get_by(email=mailbox_email)
@@ -688,9 +688,7 @@ def handle_unknown_mailbox(
     )
 
 
-def handle_bounce(
-    contact: Contact, alias: Alias, msg: Message, user: User, mailbox_email: str
-):
+def handle_bounce(contact: Contact, alias: Alias, msg: Message, user: User):
     address = alias.email
     email_log: EmailLog = EmailLog.create(
         contact_id=contact.id, bounced=True, user_id=contact.user_id
@@ -708,12 +706,28 @@ def handle_bounce(
     full_report_path = f"refused-emails/full-{random_name}.eml"
     s3.upload_email_from_bytesio(full_report_path, BytesIO(msg.as_bytes()), random_name)
 
-    file_path = None
-    if orig_msg:
-        file_path = f"refused-emails/{random_name}.eml"
-        s3.upload_email_from_bytesio(
-            file_path, BytesIO(orig_msg.as_bytes()), random_name
+    if not orig_msg:
+        LOG.error(
+            "Cannot parse original message from bounce message %s %s %s",
+            alias,
+            user,
+            contact,
         )
+        return
+
+    file_path = f"refused-emails/{random_name}.eml"
+    s3.upload_email_from_bytesio(file_path, BytesIO(orig_msg.as_bytes()), random_name)
+    mailbox_id = int(orig_msg[_MAILBOX_ID_HEADER])
+    mailbox = Mailbox.get(mailbox_id)
+    if not mailbox or mailbox.user_id != user.id:
+        LOG.error(
+            "Tampered message mailbox_id %s, %s, %s, %s",
+            mailbox_id,
+            user,
+            alias,
+            contact,
+        )
+        return
 
     refused_email = RefusedEmail.create(
         path=file_path, full_report_path=full_report_path, user_id=user.id
@@ -750,7 +764,7 @@ def handle_bounce(
                 website_email=contact.website_email,
                 disable_alias_link=disable_alias_link,
                 refused_email_url=refused_email_url,
-                mailbox_email=mailbox_email,
+                mailbox_email=mailbox.email,
             ),
             render(
                 "transactional/bounced-email.html",
@@ -759,7 +773,7 @@ def handle_bounce(
                 website_email=contact.website_email,
                 disable_alias_link=disable_alias_link,
                 refused_email_url=refused_email_url,
-                mailbox_email=mailbox_email,
+                mailbox_email=mailbox.email,
             ),
             # cannot include bounce email as it can contain spammy text
             # bounced_email=msg,
@@ -786,7 +800,7 @@ def handle_bounce(
                 alias=alias,
                 website_email=contact.website_email,
                 refused_email_url=refused_email_url,
-                mailbox_email=mailbox_email,
+                mailbox_email=mailbox.email,
             ),
             render(
                 "transactional/automatic-disable-alias.html",
@@ -794,7 +808,7 @@ def handle_bounce(
                 alias=alias,
                 website_email=contact.website_email,
                 refused_email_url=refused_email_url,
-                mailbox_email=mailbox_email,
+                mailbox_email=mailbox.email,
             ),
             # cannot include bounce email as it can contain spammy text
             # bounced_email=msg,

From 336bdb196d200ef794f86a16500109ed0f724f72 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 18:19:29 +0200
Subject: [PATCH 19/33] Detect unknown mailbox using envelope mail_from

---
 email_handler.py                              | 39 ++++++++-----------
 .../reply-must-use-personal-email.html        | 25 ++++++++++--
 .../reply-must-use-personal-email.txt         | 11 +++++-
 3 files changed, 46 insertions(+), 29 deletions(-)

diff --git a/email_handler.py b/email_handler.py
index 469e5675..6673f0d8 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -476,24 +476,26 @@ def handle_reply(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, str
             return False, "550 SL E5"
 
     user = alias.user
-    mailbox_email = alias.mailbox_email()
+    mail_from = envelope.mail_from.lower().strip()
 
     # bounce email initiated by Postfix
     # can happen in case emails cannot be delivered to user-email
     # in this case Postfix will try to send a bounce report to original sender, which is
     # the "reply email"
-    if envelope.mail_from == "<>":
+    if mail_from == "<>":
         LOG.warning(
-            "Bounce when sending to alias %s from %s, user %s",
-            alias,
-            contact.website_email,
-            alias.user,
+            "Bounce when sending to alias %s from %s, user %s", alias, contact, user,
         )
 
         handle_bounce(contact, alias, msg, user)
         return False, "550 SL E6"
 
-    mailbox: Mailbox = Mailbox.get_by(email=mailbox_email)
+    mailbox = Mailbox.get_by(email=mail_from, user_id=user.id)
+    if not mailbox or mailbox not in alias.mailboxes:
+        # only mailbox can send email to the reply-email
+        handle_unknown_mailbox(envelope, msg, reply_email, user, alias)
+        return False, "550 SL E7"
+
     if ENFORCE_SPF and mailbox.force_spf:
         ip = msg[_IP_HEADER]
         if not spf_pass(ip, envelope, mailbox, user, alias, contact.website_email, msg):
@@ -501,13 +503,7 @@ def handle_reply(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> (bool, str
 
     delete_header(msg, _IP_HEADER)
 
-    # only mailbox can send email to the reply-email
-    if envelope.mail_from.lower() != mailbox_email.lower():
-        handle_unknown_mailbox(envelope, msg, mailbox, reply_email, user, alias)
-        return False, "550 SL E7"
-
     delete_header(msg, "DKIM-Signature")
-
     delete_header(msg, "Received")
 
     # make the email comes from alias
@@ -636,36 +632,33 @@ def spf_pass(
     return True
 
 
-def handle_unknown_mailbox(
-    envelope, msg, mailbox: Mailbox, reply_email: str, user: User, alias: Alias
-):
+def handle_unknown_mailbox(envelope, msg, reply_email: str, user: User, alias: Alias):
     LOG.warning(
         f"Reply email can only be used by mailbox. "
-        f"Actual mail_from: %s. msg from header: %s, Mailbox %s. reply_email %s",
+        f"Actual mail_from: %s. msg from header: %s, reverse-alias %s, %s %s",
         envelope.mail_from,
         msg["From"],
-        mailbox.email,
         reply_email,
+        alias,
+        user,
     )
 
     send_email_with_rate_control(
         user,
         ALERT_REVERSE_ALIAS_UNKNOWN_MAILBOX,
-        mailbox.email,
+        user.email,
         f"Reply from your alias {alias.email} only works from your mailbox",
         render(
             "transactional/reply-must-use-personal-email.txt",
             name=user.name,
-            alias=alias.email,
+            alias=alias,
             sender=envelope.mail_from,
-            mailbox_email=mailbox.email,
         ),
         render(
             "transactional/reply-must-use-personal-email.html",
             name=user.name,
-            alias=alias.email,
+            alias=alias,
             sender=envelope.mail_from,
-            mailbox_email=mailbox.email,
         ),
     )
 
diff --git a/templates/emails/transactional/reply-must-use-personal-email.html b/templates/emails/transactional/reply-must-use-personal-email.html
index 790782ad..356aa1aa 100644
--- a/templates/emails/transactional/reply-must-use-personal-email.html
+++ b/templates/emails/transactional/reply-must-use-personal-email.html
@@ -2,10 +2,27 @@
 
 {% block content %}
   {{ render_text("Hi " + name) }}
-  {{ render_text("We have recorded an attempt to send an email from your alias <b>"+ alias +"</b> using <b>" + sender + "</b>.") }}
-  {{ render_text("Please note that sending from this alias only works from <b>" + mailbox_email + "</b>.") }}
-  {{ render_text("Indeed, only you (or the mailbox that owns <b>" + alias + "</b>) can send emails on behalf of this alias.") }}
-  {{ render_text('Thanks, <br />SimpleLogin Team.') }}
+
+  {% call text() %}
+    We have recorded an attempt to send an email from your alias <b>{{ alias.email }}</b> using <b>{{ sender }}</b>>
+  {% endcall %}
+
+  {% call text() %}
+    Please note that sending from this alias only works from one of these mailboxes: <br>
+    {% for mailbox in alias.mailboxes %}
+      - {{ mailbox.email }} <br>
+    {% endfor %}
+  {% endcall %}
+
+  {% call text() %}
+    Indeed only you can send emails on behalf of your alias.
+  {% endcall %}
+
+  {% call text() %}
+    Thanks, <br/>
+    SimpleLogin Team.
+  {% endcall %}
+
 {% endblock %}
 
 
diff --git a/templates/emails/transactional/reply-must-use-personal-email.txt b/templates/emails/transactional/reply-must-use-personal-email.txt
index 1ee52f1f..21e4b7fe 100644
--- a/templates/emails/transactional/reply-must-use-personal-email.txt
+++ b/templates/emails/transactional/reply-must-use-personal-email.txt
@@ -1,8 +1,15 @@
 Hi {{name}}
 
-We have recorded an attempt to send an email from your alias {{ alias }} using {{ sender }}.
+We have recorded an attempt to send an email from your alias {{ alias.email }} using {{ sender }}.
 
-Please note that sending from this alias only works from {{mailbox_email}}: only you (i.e. no one else) can send emails on behalf of your alias.
+Please note that sending from this alias only works from one of these mailboxes:
+
+{% for mailbox in alias.mailboxes %}
+- {{mailbox.email}}
+{% endfor %}
+
+
+Indeed only you can send emails on behalf of your alias.
 
 Best,
 SimpleLogin team.

From 5b71b34f9e62c07eefc01ff450b6db7413bcb0e4 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 18:23:43 +0200
Subject: [PATCH 20/33] handle alias unsubscribe

---
 email_handler.py | 37 ++++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/email_handler.py b/email_handler.py
index 6673f0d8..50f4d36b 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -900,7 +900,9 @@ def handle_unsubscribe(envelope: Envelope):
         return "550 SL E9"
 
     # This sender cannot unsubscribe
-    if alias.mailbox_email() != envelope.mail_from:
+    mail_from = envelope.mail_from.lower().strip()
+    mailbox = Mailbox.get_by(user_id=alias.user_id, email=mail_from)
+    if not mailbox or mailbox not in alias.mailboxes:
         LOG.d("%s cannot disable alias %s", envelope.mail_from, alias)
         return "550 SL E10"
 
@@ -910,22 +912,23 @@ def handle_unsubscribe(envelope: Envelope):
     user = alias.user
 
     enable_alias_url = URL + f"/dashboard/?highlight_alias_id={alias.id}"
-    send_email(
-        envelope.mail_from,
-        f"Alias {alias.email} has been disabled successfully",
-        render(
-            "transactional/unsubscribe-disable-alias.txt",
-            user=user,
-            alias=alias.email,
-            enable_alias_url=enable_alias_url,
-        ),
-        render(
-            "transactional/unsubscribe-disable-alias.html",
-            user=user,
-            alias=alias.email,
-            enable_alias_url=enable_alias_url,
-        ),
-    )
+    for mailbox in alias.mailboxes:
+        send_email(
+            mailbox.email,
+            f"Alias {alias.email} has been disabled successfully",
+            render(
+                "transactional/unsubscribe-disable-alias.txt",
+                user=user,
+                alias=alias.email,
+                enable_alias_url=enable_alias_url,
+            ),
+            render(
+                "transactional/unsubscribe-disable-alias.html",
+                user=user,
+                alias=alias.email,
+                enable_alias_url=enable_alias_url,
+            ),
+        )
 
     return "250 Unsubscribe request accepted"
 

From 0f09ef681ca00b1060dd733188adeb76e5f0b455 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 18:34:57 +0200
Subject: [PATCH 21/33] Add EmailLog.bounced_mailbox_id

---
 app/models.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/app/models.py b/app/models.py
index 22e78a85..44cc4618 100644
--- a/app/models.py
+++ b/app/models.py
@@ -923,6 +923,12 @@ class EmailLog(db.Model, ModelMixin):
         db.ForeignKey("refused_email.id", ondelete="SET NULL"), nullable=True
     )
 
+    # in case of bounce, record on what mailbox the email has been bounced
+    # useful when an alias has several mailboxes
+    bounced_mailbox_id = db.Column(
+        db.ForeignKey("mailbox.id", ondelete="cascade"), nullable=True
+    )
+
     refused_email = db.relationship("RefusedEmail")
     forward = db.relationship(Contact)
 

From 0d117126db4ea3dcedcf65cc078a8c42fd79438b Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 18:35:13 +0200
Subject: [PATCH 22/33] save the mailbox that a bounce affects

---
 email_handler.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/email_handler.py b/email_handler.py
index 50f4d36b..ffa819f3 100644
--- a/email_handler.py
+++ b/email_handler.py
@@ -728,6 +728,7 @@ def handle_bounce(contact: Contact, alias: Alias, msg: Message, user: User):
     db.session.flush()
 
     email_log.refused_email_id = refused_email.id
+    email_log.bounced_mailbox_id = mailbox.id
     db.session.commit()
 
     LOG.d("Create refused email %s", refused_email)

From bc55b98e12d731df9780a0f0bc91a91979ac4d8f Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 18:41:22 +0200
Subject: [PATCH 23/33] display mailbox that a bounce affects

---
 app/dashboard/templates/dashboard/alias_log.html | 2 +-
 app/dashboard/views/alias_log.py                 | 5 ++---
 app/models.py                                    | 6 ++++++
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/dashboard/templates/dashboard/alias_log.html b/app/dashboard/templates/dashboard/alias_log.html
index 66cc21d3..40a3b6bb 100644
--- a/app/dashboard/templates/dashboard/alias_log.html
+++ b/app/dashboard/templates/dashboard/alias_log.html
@@ -129,7 +129,7 @@
               <img src="{{ url_for('static', filename='arrows/forward-arrow.svg') }}" class="arrow">
               <span class="ml-2">{{ log.alias }}</span>
               <img src="{{ url_for('static', filename='arrows/blocked-arrow.svg') }}" class="arrow">
-              <span class="ml-2">{{ log.mailbox }}</span>
+              <span class="ml-2">{{ log.email_log.bounced_mailbox() }}</span>
             </div>
           {% else %}
             <div>
diff --git a/app/dashboard/views/alias_log.py b/app/dashboard/views/alias_log.py
index e86a602b..56be2cb4 100644
--- a/app/dashboard/views/alias_log.py
+++ b/app/dashboard/views/alias_log.py
@@ -16,7 +16,7 @@ class AliasLog:
     is_reply: bool
     blocked: bool
     bounced: bool
-    mailbox: str
+    email_log: EmailLog
 
     def __init__(self, **kwargs):
         for k, v in kwargs.items():
@@ -63,7 +63,6 @@ def alias_log(alias_id, page_id):
 
 def get_alias_log(alias: Alias, page_id=0) -> [AliasLog]:
     logs: [AliasLog] = []
-    mailbox = alias.mailbox_email()
 
     q = (
         db.session.query(Contact, EmailLog)
@@ -83,7 +82,7 @@ def get_alias_log(alias: Alias, page_id=0) -> [AliasLog]:
             is_reply=email_log.is_reply,
             blocked=email_log.blocked,
             bounced=email_log.bounced,
-            mailbox=mailbox,
+            email_log=email_log,
         )
         logs.append(al)
     logs = sorted(logs, key=lambda l: l.when, reverse=True)
diff --git a/app/models.py b/app/models.py
index 44cc4618..aa8f3434 100644
--- a/app/models.py
+++ b/app/models.py
@@ -934,6 +934,12 @@ class EmailLog(db.Model, ModelMixin):
 
     contact = db.relationship(Contact)
 
+    def bounced_mailbox(self) -> str:
+        if self.bounced_mailbox_id:
+            return Mailbox.get(self.bounced_mailbox_id).email
+        # retro-compatibility
+        return self.contact.alias.mailboxes[0].email
+
     def get_action(self) -> str:
         """return the action name: forward|reply|block|bounced"""
         if self.is_reply:

From 8f35290a21280c852d6f5efeb7b07bfabcfb02ef Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 18:53:23 +0200
Subject: [PATCH 24/33] fix overflow error when there are several mailboxes

---
 app/dashboard/templates/dashboard/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/dashboard/templates/dashboard/index.html b/app/dashboard/templates/dashboard/index.html
index a2febd52..66fcf271 100644
--- a/app/dashboard/templates/dashboard/index.html
+++ b/app/dashboard/templates/dashboard/index.html
@@ -306,7 +306,7 @@
             {% if mailboxes|length > 1 %}
               <div class="small-text">Current mailbox</div>
               <div class="d-flex">
-                <div class="flex-grow-1 mr-2">
+                <div class="flex-grow-1 mr-2" style="overflow-y: auto">
                   <select required id="mailbox-{{ alias.id }}"
                           class="form-control form-control-sm custom-select selectpicker" multiple name="mailbox">
                     {% for mailbox in mailboxes %}

From cbfeee4e28bb3b42becbd5d67c2e27c5323e298e Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 18:53:44 +0200
Subject: [PATCH 25/33] display list of mailboxes in alias contact manager

---
 .../templates/dashboard/alias_contact_manager.html     | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/app/dashboard/templates/dashboard/alias_contact_manager.html b/app/dashboard/templates/dashboard/alias_contact_manager.html
index b93e5794..b27071a3 100644
--- a/app/dashboard/templates/dashboard/alias_contact_manager.html
+++ b/app/dashboard/templates/dashboard/alias_contact_manager.html
@@ -26,7 +26,15 @@
         </p>
         <p>
           {% if alias.mailbox_id %}
-            Make sure you send the email from the mailbox <b>{{ alias.mailbox.email }}</b>.
+
+            {% if alias.mailboxes | length == 1 %}
+              Make sure you send the email from the mailbox <b>{{ alias.mailbox.email }}</b>.
+            {% else %}
+              Make sure you send the email from one of the following mailboxes: <br>
+              {% for mailbox in alias.mailboxes %}
+                - <b>{{ mailbox.email }}</b> <br>
+              {% endfor %}
+            {% endif %}
             This is because only the mailbox that owns the alias can send emails from it.
           {% else %}
             Make sure you send the email from your personal email address ({{ current_user.email }}).

From 0ad296fa692380591c8446656b4841cf8f55aeb0 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sun, 10 May 2020 18:55:16 +0200
Subject: [PATCH 26/33] add necessary migration

---
 .../versions/2020_051016_bf11ab2f0a7a_.py     | 41 +++++++++++++++++++
 .../versions/2020_051018_1759f73274ee_.py     | 31 ++++++++++++++
 2 files changed, 72 insertions(+)
 create mode 100644 migrations/versions/2020_051016_bf11ab2f0a7a_.py
 create mode 100644 migrations/versions/2020_051018_1759f73274ee_.py

diff --git a/migrations/versions/2020_051016_bf11ab2f0a7a_.py b/migrations/versions/2020_051016_bf11ab2f0a7a_.py
new file mode 100644
index 00000000..dacb8ed1
--- /dev/null
+++ b/migrations/versions/2020_051016_bf11ab2f0a7a_.py
@@ -0,0 +1,41 @@
+"""empty message
+
+Revision ID: bf11ab2f0a7a
+Revises: a5e3c6693dc6
+Create Date: 2020-05-10 16:41:48.038484
+
+"""
+import sqlalchemy_utils
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = 'bf11ab2f0a7a'
+down_revision = 'a5e3c6693dc6'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('alias_mailbox',
+    sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+    sa.Column('created_at', sqlalchemy_utils.types.arrow.ArrowType(), nullable=False),
+    sa.Column('updated_at', sqlalchemy_utils.types.arrow.ArrowType(), nullable=True),
+    sa.Column('user_id', sa.Integer(), nullable=False),
+    sa.Column('alias_id', sa.Integer(), nullable=False),
+    sa.Column('mailbox_id', sa.Integer(), nullable=False),
+    sa.ForeignKeyConstraint(['alias_id'], ['alias.id'], ondelete='cascade'),
+    sa.ForeignKeyConstraint(['mailbox_id'], ['mailbox.id'], ondelete='cascade'),
+    sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='cascade'),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('alias_id', 'mailbox_id', name='uq_alias_mailbox')
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table('alias_mailbox')
+    # ### end Alembic commands ###
diff --git a/migrations/versions/2020_051018_1759f73274ee_.py b/migrations/versions/2020_051018_1759f73274ee_.py
new file mode 100644
index 00000000..77040e41
--- /dev/null
+++ b/migrations/versions/2020_051018_1759f73274ee_.py
@@ -0,0 +1,31 @@
+"""empty message
+
+Revision ID: 1759f73274ee
+Revises: bf11ab2f0a7a
+Create Date: 2020-05-10 18:33:55.376369
+
+"""
+import sqlalchemy_utils
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '1759f73274ee'
+down_revision = 'bf11ab2f0a7a'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('email_log', sa.Column('bounced_mailbox_id', sa.Integer(), nullable=True))
+    op.create_foreign_key(None, 'email_log', 'mailbox', ['bounced_mailbox_id'], ['id'], ondelete='cascade')
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_constraint(None, 'email_log', type_='foreignkey')
+    op.drop_column('email_log', 'bounced_mailbox_id')
+    # ### end Alembic commands ###

From 37271d10ed396d412fcabbc57492d9a9edba6207 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Wed, 13 May 2020 22:08:14 +0200
Subject: [PATCH 27/33] mobile-darkmode newsletter

---
 shell.py                                      |  22 ++++
 .../com/newsletter/mobile-darkmode.html       | 108 ++++++++++++++++++
 .../emails/com/newsletter/mobile-darkmode.txt |  71 ++++++++++++
 3 files changed, 201 insertions(+)
 create mode 100644 templates/emails/com/newsletter/mobile-darkmode.html
 create mode 100644 templates/emails/com/newsletter/mobile-darkmode.txt

diff --git a/shell.py b/shell.py
index 695d5a35..ff61e143 100644
--- a/shell.py
+++ b/shell.py
@@ -73,6 +73,28 @@ def send_pgp_newsletter():
                 LOG.warning("Cannot send to user %s", user)
 
 
+def send_mobile_newsletter():
+    count = 0
+    for user in User.query.order_by(User.id).all():
+        if user.notification and user.activated:
+            count += 1
+            try:
+                LOG.d("#%s: send to %s", count, user)
+                send_email(
+                    user.email,
+                    "Mobile and Dark Mode",
+                    render("com/newsletter/mobile-darkmode.txt", user=user),
+                    render("com/newsletter/mobile-darkmode.html", user=user),
+                )
+            except Exception:
+                LOG.warning("Cannot send to user %s", user)
+
+            if count % 5 == 0:
+                # sleep every 5 sends to avoid hitting email limits
+                LOG.d("Sleep 1s")
+                sleep(1)
+
+
 app = create_app()
 
 with app.app_context():
diff --git a/templates/emails/com/newsletter/mobile-darkmode.html b/templates/emails/com/newsletter/mobile-darkmode.html
new file mode 100644
index 00000000..b4db6efd
--- /dev/null
+++ b/templates/emails/com/newsletter/mobile-darkmode.html
@@ -0,0 +1,108 @@
+{% extends "base.html" %}
+
+{% block content %}
+  {{ render_text("Hi " + user.name) }}
+
+  {% call text() %}
+    Son from SimpleLogin here. I hope you are doing well and are staying at home in this difficult time. By the way I'm writing this newsletter from my couch with my cats proofreading the text :). <br>
+    Please find below some of our latest news. <br>
+
+  {% endcall %}
+
+  {% call text() %}
+    1) <b>Mobile apps</b> <br><br>
+
+    <img src="https://simplelogin.io/blog/devices.png" style="max-width: 100%"> <br><br>
+
+    Now you can quickly create aliases on-the-go with SimpleLogin Android and iOS app,
+    thanks to our mobile guy Thanh-Nhon! <br>
+
+    Download the Android app on
+    <a href="https://play.google.com/store/apps/details?id=io.simplelogin.android">Play Store</a> and the iOS app on
+    <a href="https://apps.apple.com/us/app/simplelogin-anti-spam/id1494359858">App Store</a>. <br>
+
+    With the release of the mobile apps, SimpleLogin now covers most major platforms: <br>
+
+    - Desktop with SimpleLogin web app or Chrome, Firefox and Safari extension <br>
+    - Mobile with Android and iOS app <br>
+
+    The code is of course open-source and available on our <a href="http://github.com/simple-login/">Github</a>
+
+  {% endcall %}
+
+  {% call text() %}
+    2) <b>Dark mode</b> <br><br>
+
+    <img src="https://simplelogin.io/blog/dark-mode.gif" style="width: 100%"> <br><br>
+
+    You have asked for it and now the dark mode is finally available, kudos to Dung - our full-stack guy. <br>
+    You can finally enjoy using SimpleLogin in the dark.
+  {% endcall %}
+
+  {% call text() %}
+    3) <b>Alias name, new UI, security page, new policy privacy</b> <br><br>
+
+    <img src="https://simplelogin.io/blog/new-ui.gif" style="width: 100%"> <br><br>
+
+    You might have noticed that the web UI is now more compact: the web app has undergone a remake
+    to make it more responsive for usual actions like enabling/disabling an alias, updating alias note, etc. <br>
+
+    You can set a name for your alias too: this name is used when you send emails or reply from your alias.<br>
+
+    We have also created a new <a href="https://simplelogin.io/security/">security page</a> that goes into the technical details of SimpleLogin.
+    Our <a href="https://simplelogin.io/privacy/">privacy page</a> is also rewritten from scratch: nothing changes about your data protection
+    but the page is more clear and detailed now.
+
+  {% endcall %}
+
+  {% call text() %}
+    4) <b>Facebook, Google, Github login deprecation</b> <br>
+    We have decided to deprecate those social login options because of several reasons: <br>
+
+    - Privacy: every time you sign in using one of these methods, the respective company knows and
+    we have no information on what they do with this data. <br>
+    - Not fully open-standard compatible: these platforms enjoy their monopolies and
+    don't play well with open standards like OAuth2/OpenID: in fact, implementations on mobile of these social login
+    require their SDK that we refuse to add because of privacy concern. <br>
+    - Uniform experiences for all users: to have these social login in our iOS app, we need to support "Sign in with
+    Apple" that isn't broadly available for Android users.
+    Again, another big tech enjoying its monopoly. <br>
+
+    If you happen to use one of these social login options, please create a password for your account on the
+    <a href="https://app.simplelogin.io/dashboard/setting">Setting page</a> <br>
+
+    You can still sign in using these social login until 2020-05-31. After this date, they will be removed.
+  {% endcall %}
+
+  {% call text() %}
+    5) <b>WebAuthn (Beta)</b> <br>
+
+    Thanks to Raymond, a user of SimpleLogin, the WebAuthn is now available in Beta.
+    Please reply to this email if you want to try this out.
+
+  {% endcall %}
+
+  {% call text() %}
+    We want to say thank you to all users who have helped to improve SimpleLogin code and even
+    contribute important features.
+    That means a lot to us as SimpleLogin is after all an open-source project.
+
+  {% endcall %}
+
+  {% call text() %}
+    We always welcome your feedback. Get in touch on our <a href="https://twitter.com/simple_login">Twitter</a>,
+    <a href="https://www.reddit.com/r/Simplelogin/">Reddit</a>, where you can also follow all our latest updates.
+    <br>
+  {% endcall %}
+
+  {% call text() %}
+    Best, <br>
+    Son.
+  {% endcall %}
+
+{% endblock %}
+
+{% block footer %}
+  This email is sent to {{ user.email }}. Unsubscribe on
+  <a href="https://app.simplelogin.io/dashboard/setting#notification">Settings</a>
+{% endblock %}
diff --git a/templates/emails/com/newsletter/mobile-darkmode.txt b/templates/emails/com/newsletter/mobile-darkmode.txt
new file mode 100644
index 00000000..694e1545
--- /dev/null
+++ b/templates/emails/com/newsletter/mobile-darkmode.txt
@@ -0,0 +1,71 @@
+This email is sent to {{ user.email }}.
+Unsubscribe from our emails on https://app.simplelogin.io/dashboard/setting#notification
+----------------
+
+Hi {{user.name}}
+
+Son from SimpleLogin here. I hope you are doing well and are staying at home in this difficult time.
+By the way I'm writing this newsletter from my couch with my cats proofreading the text :).
+
+Here are some of our latest news:
+
+1) Mobile apps
+
+Now you can quickly create aliases on-the-go with SimpleLogin Android and iOS app, thanks to our mobile guy Thanh-Nhon!
+Download:
+- the Android app on Play Store https://play.google.com/store/apps/details?id=io.simplelogin.android
+- the iOS app on App Store https://apps.apple.com/us/app/simplelogin-anti-spam/id1494359858
+
+With the release of the mobile apps, SimpleLogin now covers most major platforms:
+
+- Desktop with SimpleLogin web app or Chrome, Firefox and Safari extension
+- Mobile with Android and iOS app
+
+The apps code is of course open-source and available on our Github http://github.com/simple-login/
+
+2) Dark mode
+
+No worries, we are not going to the dark side :).
+You have asked for it and now the dark mode is finally available, thanks to Dung - our full-stack guy.
+You can finally enjoy using SimpleLogin in the dark.
+
+3) Alias name, new UI, security page, new policy privacy
+
+You might have noticed that the web UI is now more compact: the web app has undergone a remake
+to make it more responsive for usual actions like enabling/disabling an alias, updating alias note, etc.
+
+You can set a name for your alias: this name is used when you send emails or reply from your alias.
+
+We have also created a new security page that goes into the technical details of SimpleLogin.
+Our privacy page is also rewritten from scratch: nothing changes about your data protection
+but the page is now much more clear and detailed now.
+
+4) Facebook, Google, Github login deprecation
+
+We have decided to deprecate those social login options because of several reasons:
+
+- Privacy: every time you sign in using one of these methods, the respective company knows and
+    we have no information on what they do with this data.
+- Not fully open-standard compatible: these platforms enjoy their monopolies and
+    don't play well with open standards like OAuth2/OpenID: in fact, implementations on mobile of these social login
+    require their SDK that we refuse to add because of privacy concern.
+- Uniform experiences for all users: to have these social login in our iOS app, we need to support "Sign in with Apple"
+    that isn't broadly available for Android users. Again, another big tech enjoying its monopoly.
+
+If you happen to use one of these social login options, please create a password for your account on the Setting page
+https://app.simplelogin.io/dashboard/setting
+
+You can still sign in using these social login until 2020-05-31. After this date, they will be removed.
+
+5) WebAuthn (Beta)
+
+Thanks to one of SimpleLogin users, the WebAuthn is now available in Beta.
+Please reply to this email if you want to try this out.
+
+We want to say thank you to all users who have helped to improve SimpleLogin code and even contribute important features.
+That means a lot to us as SimpleLogin is after all an open-source project.
+
+We always welcome your feedback. Get in touch on social media, where you can also follow all our latest updates.
+
+Best regards,
+Son.
\ No newline at end of file

From 0b652cf3f812964dc13174e05faab453f6c353f8 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Fri, 15 May 2020 16:35:57 +0200
Subject: [PATCH 28/33] remove AliasMailbox.user_id column

---
 app/api/views/alias.py                        |  4 +--
 app/dashboard/views/custom_alias.py           |  4 +--
 app/models.py                                 |  2 --
 .../versions/2020_051516_552d735a2f1f_.py     | 31 +++++++++++++++++++
 server.py                                     |  6 ++--
 5 files changed, 35 insertions(+), 12 deletions(-)
 create mode 100644 migrations/versions/2020_051516_552d735a2f1f_.py

diff --git a/app/api/views/alias.py b/app/api/views/alias.py
index 7c73646f..db7cb9ac 100644
--- a/app/api/views/alias.py
+++ b/app/api/views/alias.py
@@ -309,9 +309,7 @@ def update_alias(alias_id):
             if i == 0:
                 alias.mailbox_id = mailboxes[0].id
             else:
-                AliasMailbox.create(
-                    user_id=alias.user_id, alias_id=alias.id, mailbox_id=mailbox.id
-                )
+                AliasMailbox.create(alias_id=alias.id, mailbox_id=mailbox.id)
         # <<< END update alias mailboxes >>>
 
         changed = True
diff --git a/app/dashboard/views/custom_alias.py b/app/dashboard/views/custom_alias.py
index 2828a23f..5ac2278d 100644
--- a/app/dashboard/views/custom_alias.py
+++ b/app/dashboard/views/custom_alias.py
@@ -111,9 +111,7 @@ def custom_alias():
 
                 for i in range(1, len(mailboxes)):
                     AliasMailbox.create(
-                        user_id=alias.user_id,
-                        alias_id=alias.id,
-                        mailbox_id=mailboxes[i].id,
+                        alias_id=alias.id, mailbox_id=mailboxes[i].id,
                     )
 
                 # get the custom_domain_id if alias is created with a custom domain
diff --git a/app/models.py b/app/models.py
index aa8f3434..9ad42692 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1304,8 +1304,6 @@ class AliasMailbox(db.Model, ModelMixin):
         db.UniqueConstraint("alias_id", "mailbox_id", name="uq_alias_mailbox"),
     )
 
-    user_id = db.Column(db.ForeignKey(User.id, ondelete="cascade"), nullable=False)
-
     alias_id = db.Column(db.ForeignKey(Alias.id, ondelete="cascade"), nullable=False)
     mailbox_id = db.Column(
         db.ForeignKey(Mailbox.id, ondelete="cascade"), nullable=False
diff --git a/migrations/versions/2020_051516_552d735a2f1f_.py b/migrations/versions/2020_051516_552d735a2f1f_.py
new file mode 100644
index 00000000..a8f54ed7
--- /dev/null
+++ b/migrations/versions/2020_051516_552d735a2f1f_.py
@@ -0,0 +1,31 @@
+"""empty message
+
+Revision ID: 552d735a2f1f
+Revises: 1759f73274ee
+Create Date: 2020-05-15 16:33:23.558895
+
+"""
+import sqlalchemy_utils
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '552d735a2f1f'
+down_revision = '1759f73274ee'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_constraint('alias_mailbox_user_id_fkey', 'alias_mailbox', type_='foreignkey')
+    op.drop_column('alias_mailbox', 'user_id')
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column('alias_mailbox', sa.Column('user_id', sa.INTEGER(), autoincrement=False, nullable=False))
+    op.create_foreign_key('alias_mailbox_user_id_fkey', 'alias_mailbox', 'users', ['user_id'], ['id'], ondelete='CASCADE')
+    # ### end Alembic commands ###
diff --git a/server.py b/server.py
index 18d6e916..2d7b4da6 100644
--- a/server.py
+++ b/server.py
@@ -175,11 +175,9 @@ def fake_data():
 
         if i % 5 == 0:
             if i % 2 == 0:
-                AliasMailbox.create(
-                    user_id=user.id, alias_id=a.id, mailbox_id=user.default_mailbox_id
-                )
+                AliasMailbox.create(alias_id=a.id, mailbox_id=user.default_mailbox_id)
             else:
-                AliasMailbox.create(user_id=user.id, alias_id=a.id, mailbox_id=m1.id)
+                AliasMailbox.create(alias_id=a.id, mailbox_id=m1.id)
         db.session.commit()
 
         # some aliases don't have any activity

From ff1aa72b1d8780b22c4fd4f694ba3e1881391e68 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Fri, 15 May 2020 16:46:02 +0200
Subject: [PATCH 29/33] lazy load alias._mailboxes and alias.mailbox

---
 app/models.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/app/models.py b/app/models.py
index 9ad42692..2a6fc2f3 100644
--- a/app/models.py
+++ b/app/models.py
@@ -10,6 +10,7 @@ from flask import url_for
 from flask_login import UserMixin
 from sqlalchemy import text, desc, CheckConstraint
 from sqlalchemy.exc import IntegrityError
+from sqlalchemy.orm import joinedload
 from sqlalchemy_utils import ArrowType
 
 from app import s3
@@ -638,10 +639,10 @@ class Alias(db.Model, ModelMixin):
 
     # prefix _ to avoid this object being used accidentally.
     # To have the list of all mailboxes, should use AliasInfo instead
-    _mailboxes = db.relationship("Mailbox", secondary="alias_mailbox")
+    _mailboxes = db.relationship("Mailbox", secondary="alias_mailbox", lazy="joined")
 
     user = db.relationship(User)
-    mailbox = db.relationship("Mailbox")
+    mailbox = db.relationship("Mailbox", lazy="joined")
 
     @property
     def mailboxes(self):

From aba0a534c0f4d443f2f9ff7cf71a15ffd5b91d2e Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Fri, 15 May 2020 16:47:55 +0200
Subject: [PATCH 30/33] When a mailbox is deleted, only put alias that has this
 mailbox as single mailbox to global trash

---
 app/models.py        | 12 ++++++++++--
 tests/test_models.py | 29 ++++++++++++++++++++++++++++-
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/app/models.py b/app/models.py
index 2a6fc2f3..ba353c74 100644
--- a/app/models.py
+++ b/app/models.py
@@ -1208,8 +1208,16 @@ class Mailbox(db.Model, ModelMixin):
         # Put all aliases belonging to this mailbox to global trash
         try:
             for alias in Alias.query.filter_by(mailbox_id=obj_id):
-                DeletedAlias.create(email=alias.email)
-            db.session.commit()
+                # special handling for alias that has several mailboxes and has mailbox_id=obj_id
+                if len(alias.mailboxes) > 1:
+                    # use the first mailbox found in alias._mailboxes
+                    first_mb = alias._mailboxes[0]
+                    alias.mailbox_id = first_mb.id
+                    alias._mailboxes.remove(first_mb)
+                else:
+                    # only put aliases that have mailbox as a single mailbox into trash
+                    DeletedAlias.create(email=alias.email)
+                db.session.commit()
         # this can happen when a previously deleted alias is re-created via catch-all or directory feature
         except IntegrityError:
             LOG.error("Some aliases have been added before to DeletedAlias")
diff --git a/tests/test_models.py b/tests/test_models.py
index 95c58de3..be796f75 100644
--- a/tests/test_models.py
+++ b/tests/test_models.py
@@ -5,7 +5,7 @@ import pytest
 from app.config import EMAIL_DOMAIN, MAX_NB_EMAIL_FREE_PLAN
 from app.email_utils import parseaddr_unicode
 from app.extensions import db
-from app.models import generate_email, User, Alias, Contact
+from app.models import generate_email, User, Alias, Contact, Mailbox, AliasMailbox
 
 
 def test_generate_email(flask_client):
@@ -133,3 +133,30 @@ def test_new_addr(flask_client):
         "Nhơn Nguyễn - abcd at example.com",
         "rep@sl",
     )
+
+
+def test_mailbox_delete(flask_client):
+    user = User.create(
+        email="a@b.c", password="password", name="Test User", activated=True
+    )
+    db.session.commit()
+
+    m1 = Mailbox.create(user_id=user.id, email="m1@example.com", verified=True)
+    m2 = Mailbox.create(user_id=user.id, email="m2@example.com", verified=True)
+    m3 = Mailbox.create(user_id=user.id, email="m3@example.com", verified=True)
+    db.session.commit()
+
+    # alias has 2 mailboxes
+    alias = Alias.create_new(user, "prefix", mailbox_id=m1.id)
+    db.session.commit()
+
+    alias._mailboxes.append(m2)
+    alias._mailboxes.append(m3)
+    db.session.commit()
+
+    assert len(alias.mailboxes) == 3
+
+    # delete m1, should not delete alias
+    Mailbox.delete(m1.id)
+    alias = Alias.get(alias.id)
+    assert len(alias.mailboxes) == 2

From f04caa3c358b68338e249ec581a6c097d85d9a1e Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Fri, 15 May 2020 16:48:42 +0200
Subject: [PATCH 31/33] move SQLALCHEMY_ECHO option to create_app(): useful
 when profiling

---
 server.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/server.py b/server.py
index 2d7b4da6..b15c3952 100644
--- a/server.py
+++ b/server.py
@@ -78,6 +78,9 @@ def create_app() -> Flask:
 
     app.config["SQLALCHEMY_DATABASE_URI"] = DB_URI
     app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
+    # enable to print all queries generated by sqlalchemy
+    # app.config["SQLALCHEMY_ECHO"] = True
+
     app.secret_key = FLASK_SECRET
 
     app.config["TEMPLATES_AUTO_RELOAD"] = True
@@ -168,7 +171,6 @@ def fake_data():
     for i in range(31):
         if i % 2 == 0:
             a = Alias.create_new(user, f"e{i}@", mailbox_id=m1.id)
-
         else:
             a = Alias.create_new(user, f"e{i}@")
         db.session.commit()
@@ -546,8 +548,7 @@ if __name__ == "__main__":
     #
     # toolbar = DebugToolbarExtension(app)
 
-    # enable to print all queries generated by sqlalchemy
-    # app.config["SQLALCHEMY_ECHO"] = True
+
 
     # warning: only used in local
     if RESET_DB:

From 6fb85c81fca91a570985a8ab31eb9e5ab51dfb23 Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Fri, 15 May 2020 16:50:14 +0200
Subject: [PATCH 32/33] fix format

---
 server.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/server.py b/server.py
index b15c3952..1508a42e 100644
--- a/server.py
+++ b/server.py
@@ -548,8 +548,6 @@ if __name__ == "__main__":
     #
     # toolbar = DebugToolbarExtension(app)
 
-
-
     # warning: only used in local
     if RESET_DB:
         LOG.warning("reset db, add fake data")

From a4d17e7afcb180bde1e30a233481579681937ccf Mon Sep 17 00:00:00 2001
From: Son NK <>
Date: Sat, 16 May 2020 12:17:26 +0200
Subject: [PATCH 33/33] use multiple-select instead of bootstrap-select

---
 app/dashboard/templates/dashboard/custom_alias.html |  5 ++++-
 app/dashboard/templates/dashboard/index.html        |  6 ++++--
 static/package-lock.json                            | 10 +++++-----
 static/package.json                                 |  2 +-
 templates/base.html                                 |  6 +++---
 5 files changed, 17 insertions(+), 12 deletions(-)

diff --git a/app/dashboard/templates/dashboard/custom_alias.html b/app/dashboard/templates/dashboard/custom_alias.html
index f30a7a26..790fc61f 100644
--- a/app/dashboard/templates/dashboard/custom_alias.html
+++ b/app/dashboard/templates/dashboard/custom_alias.html
@@ -58,7 +58,8 @@
 
         <div class="row mb-2">
           <div class="col p-1">
-            <select class="form-control custom-select selectpicker" id="mailboxes" multiple name="mailboxes">
+            <select data-width="100%"
+                    class="mailbox-select" id="mailboxes" multiple name="mailboxes">
               {% for mailbox in mailboxes %}
                 <option value="{{ mailbox.id }}" {% if mailbox.id == current_user.default_mailbox_id %}
                         selected {% endif %}>
@@ -94,6 +95,8 @@
 
 {% block script %}
   <script>
+    $('.mailbox-select').multipleSelect();
+
     $("#submit").on("click", async function () {
       let that = $(this);
       let mailbox_ids = $(`#mailboxes`).val();
diff --git a/app/dashboard/templates/dashboard/index.html b/app/dashboard/templates/dashboard/index.html
index 7e286c52..c90ba35c 100644
--- a/app/dashboard/templates/dashboard/index.html
+++ b/app/dashboard/templates/dashboard/index.html
@@ -306,9 +306,10 @@
             {% if mailboxes|length > 1 %}
               <div class="small-text">Current mailbox</div>
               <div class="d-flex">
-                <div class="flex-grow-1 mr-2" style="overflow-y: auto">
+                <div class="flex-grow-1 mr-2">
                   <select required id="mailbox-{{ alias.id }}"
-                          class="form-control form-control-sm custom-select selectpicker" multiple name="mailbox">
+                          data-width="100%"
+                          class="mailbox-select" multiple name="mailbox">
                     {% for mailbox in mailboxes %}
                       <option value="{{ mailbox.id }}" {% if alias_info.contain_mailbox(mailbox.id) %}
                               selected {% endif %}>
@@ -488,6 +489,7 @@
 
 {% block script %}
   <script>
+    $('.mailbox-select').multipleSelect();
 
     {% if show_intro %}
       // only show intro when screen is big enough to show "developer" tab
diff --git a/static/package-lock.json b/static/package-lock.json
index 8f35e45a..98f3d1d8 100644
--- a/static/package-lock.json
+++ b/static/package-lock.json
@@ -76,11 +76,6 @@
       "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.4.1.tgz",
       "integrity": "sha512-tbx5cHubwE6e2ZG7nqM3g/FZ5PQEDMWmMGNrCUBVRPHXTJaH7CBDdsLeu3eCh3B1tzAxTnAbtmrzvWEvT2NNEA=="
     },
-    "bootstrap-select": {
-      "version": "1.13.16",
-      "resolved": "https://registry.npmjs.org/bootstrap-select/-/bootstrap-select-1.13.16.tgz",
-      "integrity": "sha512-59hUIrW/ldENJDNmliRH3Mzbbrn+XHH5bK0yAy/743Thf8nXA9afNjgr+j1j6tg7NYexEqtE2N8NodHfwMQ0+Q=="
-    },
     "font-awesome": {
       "version": "4.7.0",
       "resolved": "https://registry.npmjs.org/font-awesome/-/font-awesome-4.7.0.tgz",
@@ -96,6 +91,11 @@
       "resolved": "https://registry.npmjs.org/jquery/-/jquery-3.4.1.tgz",
       "integrity": "sha512-36+AdBzCL+y6qjw5Tx7HgzeGCzC81MDDgaUP8ld2zhx58HdqXGoBd+tHdrBMiyjGQs0Hxs/MLZTu/eHNJJuWPw=="
     },
+    "multiple-select": {
+      "version": "1.5.2",
+      "resolved": "https://registry.npmjs.org/multiple-select/-/multiple-select-1.5.2.tgz",
+      "integrity": "sha512-sTNNRrjnTtB1b1+HTKcjQ/mjWY7Gvigo9F3C/3oTQCTFEpYzwaRYFPRAOu2SogfA1hEfyJTXjyS1VAbanJMsmA=="
+    },
     "popper.js": {
       "version": "1.16.1",
       "resolved": "https://registry.npmjs.org/popper.js/-/popper.js-1.16.1.tgz",
diff --git a/static/package.json b/static/package.json
index 3122bf2d..e3bd4842 100644
--- a/static/package.json
+++ b/static/package.json
@@ -18,9 +18,9 @@
   "dependencies": {
     "@sentry/browser": "^5.12.0",
     "bootbox": "^5.4.0",
-    "bootstrap-select": "^1.13.16",
     "font-awesome": "^4.7.0",
     "intro.js": "^2.9.3",
+    "multiple-select": "^1.5.2",
     "qrious": "^4.0.2",
     "toastr": "^2.1.4",
     "vue": "^2.6.11"
diff --git a/templates/base.html b/templates/base.html
index 18dbb0f9..68ebb811 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -60,11 +60,11 @@
 
   <script src="{{ url_for('static', filename='node_modules/bootbox/dist/bootbox.min.js') }}"></script>
 
-  <!-- Bootstrap-select library -->
+  <!-- Multiple-select library -->
   <link rel="stylesheet"
-        href="{{ url_for('static', filename='node_modules/bootstrap-select/dist/css/bootstrap-select.min.css') }}">
+        href="{{ url_for('static', filename='node_modules/multiple-select/dist/multiple-select.min.css') }}">
   <script
-      src="{{ url_for('static', filename='node_modules/bootstrap-select/dist/js/bootstrap-select.min.js') }}"></script>
+      src="{{ url_for('static', filename='node_modules/multiple-select/dist/multiple-select.min.js') }}"></script>
 
 
   <link rel="stylesheet" type="text/css" href="/static/style.css?v={{ VERSION }}">