How to protect your email using Tor

From The Uncensored Hidden Wiki

Considerations

We are going to explain a working solution that uses "normal programs" to protect email communications with Tor. This process is also known as "Torification".

Our solution is based on a Linux distribution (Debian unstable), but we think it is possible to adapt it to other Linux distributions and also to different Unix flavours. Where possible we will use packages from the standard distribution, but some programs (the first being 3proxy) are not yet packaged.

For our example we will use a "normal" provider, Gmail ("the definitive provider"?), but the same setup is usable with other providers.

We also assume that a local Tor client is already configured.

The local user will be called userlocal.

MUA - mutt

We chose the mutt email client because we think it is the most customizable one; we are going to use Mutt 1.5.18-4.

The most important things to configure properly in mutt are the Message-ID and User-Agent headers: other headers and fields matter too, but these two matter most.

For these settings we put in .muttrc:

 # don't add the hostname to the From header
 unset use_domain
 # don't generate a From header
 unset use_from
 
 # Message-ID
 set hostname=gmail.com
 set use_domain=no
 
 # User-agent
 set user_agent=no

Don't forget to also set the correct From and real name settings.

 set from="user@gmail.com"
 set realname="Gmail User"
 my_hdr From: Gmail User <user@gmail.com>

Finally, configure mutt to use the msmtp MTA with

 set sendmail="/usr/bin/msmtp"

MTA - msmtp

We need an MTA to send the mail messages; we chose msmtp because it permits some interesting configuration: for example, msmtp uses localhost as the host name in HELO/EHLO messages.

In this configuration we use port 2525 to contact the "local SMTP server" (provided by 3proxy or Socat), to avoid conflicts with any other SMTP server. If you have no local SMTP server you can change that port to 25, both in .msmtprc (or in the .msmtprc without certificate check) and in .3proxyrc (or on the Socat command line).

In this configuration we check the SSL certificate coming from Gmail with the procedure explained in "Certificates checking" below. For this to work we need to modify the /etc/hosts file, so we need root access to the computer in use (or must ask the administrator for it).

This will be the .msmtprc file:

 defaults
 keepbcc on
 syslog on
 
 account gmail
     # must be the real name: /etc/hosts points it at the local proxy and
     # the certificate check compares it with the server certificate
     host smtp.gmail.com
     port 2525
     from user@gmail.com
     user user@gmail.com
     auth on
     password password
     tls on
     tls_starttls on
     tls_certcheck on
     # the CA directory created in "Check of smtp certificate" below
     tls_trust_file ~/CA/Thawte_Premium_Server_CA.pem
     tls_force_sslv3 off

If you cannot modify any system file, or your administrator will not do it for you, you cannot check the certificates; the .msmtprc will then look like this:

 defaults
 keepbcc on
 syslog on
 
 account gmail
     host localhost
     port 2525
     from user@gmail.com
     user user@gmail.com
     auth on
     password password
     tls on
     tls_starttls on
     tls_certcheck off
     tls_force_sslv3 off

MFA - fetchmail

We need fetchmail to fetch the mail. To pass through the Tor proxy we use Socat and fetchmail's "plugin" option. This is .fetchmailrc:

 set no spambounce
 set no bouncemail
 poll imap.gmail.com
     plugin "socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050"
     protocol imap
     user user with password password, ssl
     mda "/usr/bin/procmail -d userlocal"

Proxy

We have two different ways to chain msmtp to Tor: 3proxy, or again Socat.

Important: using Socat and 3proxy for SMTP is mutually exclusive, since both would listen on port 2525. You cannot use them together!

3proxy

3proxy is the proxy program we chain to Tor. There is not yet a Debian package for it, so we need to compile it from source.

We have to start the program before sending email, with the command:

 3proxy ./.3proxyrc

This is .3proxyrc:

 daemon
 logformat "- +_L%d.%m %H:%M:%S srv=%N:%p err=%E src=%C:%c dst=%R:%r out=%O in=%I"
 log /tmp/3proxy.log M
 timeouts 30 30 60 60 180 1800 60 120
 auth iponly
 # do not resolve names locally: pass them to the SOCKS4a parent (tor)
 fakeresolve
 allow *
 parent 1000 socks4+ 127.0.0.1 9050
 # local 127.0.0.1:2525 -> smtp.gmail.com:587 through tor
 tcppm -i127.0.0.1 2525 smtp.gmail.com 587

Socat for smtp

Another way to chain msmtp to Tor is Socat: this is available as a Debian package, so it is not necessary to compile it as with 3proxy.

Socat does not use any configuration file, so every option must be given on the command line; run it before sending your email messages, like in this example:

 socat -d -d -d -lu TCP4-LISTEN:2525,fork SOCKS4A:localhost:smtp.gmail.com:587,socksport=9050

(the -d options give more logging on the console).
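As an added illustration (not part of the original page) of what the socat SOCKS4A address and 3proxy's socks4+ parent with fakeresolve do on the wire, the following Python builds the SOCKS4a CONNECT request, checks Tor's reply and returns the tunnelled socket; 127.0.0.1:9050 and smtp.gmail.com:587 are the page's own values, the function names are ours.

```python
import select
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)   # the local tor client assumed on the page

def build_socks4a_connect(hostname, port, userid=b""):
    """SOCKS4a CONNECT request: VN=4, CD=1, DSTPORT, DSTIP=0.0.0.1,
    USERID NUL, hostname NUL. A 0.0.0.x address tells the proxy to
    resolve the name itself (what socat's SOCKS4A and 3proxy's socks4+
    with fakeresolve do), so no local DNS lookup can leak the target."""
    return (struct.pack("!BBH4s", 4, 1, port, b"\x00\x00\x00\x01")
            + userid + b"\x00" + hostname.encode("ascii") + b"\x00")

def parse_socks4_reply(reply):
    """8-byte reply: VN=0, CD (0x5a = granted, 0x5b..0x5d = rejected),
    DSTPORT, DSTIP. Returns True when the request was granted."""
    if len(reply) != 8 or reply[0] != 0:
        raise ValueError("malformed SOCKS4 reply: %r" % (reply,))
    return reply[1] == 0x5A

def open_via_tor(hostname, port, proxy=TOR_SOCKS):
    """Return a socket connected to hostname:port through the SOCKS proxy.
    msmtp would then talk SMTP (and STARTTLS) on the returned socket."""
    s = socket.create_connection(proxy)
    s.sendall(build_socks4a_connect(hostname, port))
    reply = b""
    while len(reply) < 8:
        chunk = s.recv(8 - len(reply))
        if not chunk:
            break
        reply += chunk
    if not parse_socks4_reply(reply):
        s.close()
        raise ConnectionError("SOCKS request rejected, code 0x%02x" % reply[1])
    return s

def relay(a, b):
    """Copy bytes in both directions until either side closes; with a
    listener on 127.0.0.1:2525 this reproduces the socat line above."""
    while True:
        for r in select.select([a, b], [], [])[0]:
            data = r.recv(4096)
            if not data:
                a.close()
                b.close()
                return
            (b if r is a else a).sendall(data)
```

Accepting on 127.0.0.1:2525 and calling relay(client, open_via_tor("smtp.gmail.com", 587)) for each connection gives the same local forwarder as the socat or 3proxy tcppm line.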

Tor

On Debian, Tor runs as a daemon under the system user debian-tor and its configuration files are owned by the superuser: to modify them you must be the superuser or ask them.

GPG

We use GnuPG to protect (and optionally sign) the body of the messages.

We must not mix the "normal" gpg configuration with the one dedicated to the anonymous address, so we put all of this configuration in a different directory using gpg's --homedir option.

We assume we will use ~/.gnupg-alt/ as the directory.

In the .muttrc we will write:

 # GnuPG configuration
 set pgp_decode_command="gpg --homedir ~/.gnupg-alt/ --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
 set pgp_verify_command="gpg --homedir ~/.gnupg-alt/ --status-fd=2 --no-verbose --quiet --batch --output - --verify %s %f"
 set pgp_decrypt_command="gpg --homedir ~/.gnupg-alt/ --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
 set pgp_sign_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"
 set pgp_clearsign_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f"
 set pgp_encrypt_only_command="/usr/lib/mutt/pgpewrap gpg --homedir ~/.gnupg-alt/ --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust %r %?a?--encrypt-to %a -- -r -- %f"
 set pgp_encrypt_sign_command="/usr/lib/mutt/pgpewrap gpg --homedir ~/.gnupg-alt/ %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor %r %?a?--hidden-encrypt-to %a --always-trust -- -r -- %f"
 set pgp_import_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --import %f"
 set pgp_export_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --export --armor %r"
 set pgp_verify_key_command="gpg --homedir ~/.gnupg-alt/ --verbose --batch --fingerprint --check-sigs %r"
 set pgp_list_pubring_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --batch --quiet --with-colons --list-keys %r"
 set pgp_list_secring_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --batch --quiet --with-colons --list-secret-keys %r"
 set pgp_good_sign="^\\[GNUPG:\\] GOODSIG"

And, if we always want to sign:

 set pgp_autosign=yes

In the same .gnupg-alt/ directory we use a gpg.conf configuration file with these options:

 keyserver x-hkp://yod73zr3y6wnm2sw.onion.market
 keyserver-options honor-http-proxy broken-http-proxy

where x-hkp://yod73zr3y6wnm2sw.onion.market is the address of a keyserver reachable as a Tor "hidden service". Before every operation with gpg we also need to set the environment variable http_proxy to point at our Tor client through Privoxy:

 export http_proxy=http://127.0.0.1:8118/

Other adjustments

Log

Our machine is a personal computer used only as a client, so we do not need to keep logs for many days. We also want to leave as few traces of our actions as possible, so we use a RAM disk as storage for logs, in this way.

We modified /etc/fstab adding a line like this:

 tmpfs		/var/log	tmpfs	noatime		0	0

Tmp directory

We make the same adjustment for the tmp directory with this line in /etc/fstab, and by linking /var/tmp to /tmp:

 tmpfs		/var/tmp	tmpfs	noatime		0	0

Certificates checking

With these steps we check the SSL certificates coming from our email provider, to be sure we connect to the right service and avoid a "man in the middle" attack.

We need to install the ssl-cert and openssl packages.

Check of smtp certificate

To inspect the SMTP certificate presented by Gmail we give this command:

 $ openssl s_client -starttls smtp -showcerts -connect smtp.gmail.com:587

Type QUIT to stop the SMTP session.

Looking at the certificate in the output we can see that the signing CA is Thawte; this is a well known certification authority, and we have the corresponding certificate in the repository that comes with ssl-cert: /etc/ssl/certs/Thawte_Premium_Server_CA.pem.

To verify this:

 $ cd ~
 $ mkdir -m0700 CA && cd CA
 $ cp /etc/ssl/certs/Thawte_Premium_Server_CA.pem .
 $ chmod 0400 Thawte_Premium_Server_CA.pem
 $ c_rehash . && cd ..

Download the smtp certificate:

 $ openssl s_client -connect smtp.gmail.com:587 -starttls smtp -showcerts \
     | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > google_smtp.pem

Type QUIT to stop the SMTP session.

Check of the certificate:

 $ openssl verify -CApath ./CA google_smtp.pem
 google_smtp.pem: OK

With this result we can be sure that the certificate chains to the expected CA and that we are talking to the right server.

For the msmtp configuration with certificate checking to work, you need to modify the file /etc/hosts by adding this line (do this after downloading the certificate above, because once the line is in place the name also resolves to 127.0.0.1 for openssl):

 127.0.0.1 smtp.gmail.com

UTC variable

To avoid revealing your time zone, set the TZ variable to UTC, for example in your .bashrc:

 export TZ=UTC
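As an added check (not from the original page) covering the Message-ID and User-Agent settings in the .muttrc above and the TZ=UTC tip, this Python script inspects an outgoing message for headers that give away the client software, the local hostname or the time zone; the sample messages are constructed and the function names are ours.

```python
import email
from datetime import timedelta
from email.utils import parsedate_to_datetime

EXPECTED_FROM = "user@gmail.com"      # the address set in .muttrc
EXPECTED_MSGID_DOMAIN = "gmail.com"   # 'set hostname=gmail.com' in .muttrc
# Headers naming the client software or the local machine; .muttrc above
# turns off user_agent and no local MTA should add Received lines.
LEAKY_HEADERS = ("User-Agent", "X-Mailer", "X-Originating-IP", "Received")

def audit_message(raw):
    """Return a list of findings; an empty list means nothing obvious leaks."""
    msg = email.message_from_bytes(raw)
    findings = []
    for h in LEAKY_HEADERS:
        if h in msg:
            findings.append("%s header present: %s" % (h, msg[h]))
    # The Message-ID must carry the provider's domain, not the local hostname.
    msgid = msg.get("Message-ID", "").strip()
    domain = msgid.rsplit("@", 1)[-1].rstrip(">") if "@" in msgid else ""
    if domain != EXPECTED_MSGID_DOMAIN:
        findings.append("Message-ID domain %r is not %s" % (domain, EXPECTED_MSGID_DOMAIN))
    if EXPECTED_FROM not in msg.get("From", ""):
        findings.append("From does not carry %s" % EXPECTED_FROM)
    # With TZ=UTC the Date ends in +0000; another offset gives away the zone
    # (-0000 or a missing Date reveals nothing, so it is accepted).
    try:
        offset = parsedate_to_datetime(msg.get("Date", "")).utcoffset()
    except (TypeError, ValueError):
        offset = None
    if offset not in (None, timedelta(0)):
        findings.append("Date reveals a non-UTC zone: %s" % msg["Date"])
    return findings

# Constructed samples: a stock mutt message and one from the setup above.
LEAKY_MESSAGE = b"""\
From: Gmail User <user@gmail.com>
Date: Sat, 25 Oct 2008 14:00:00 +0200
Message-ID: <20081025120000.GA1234@mybox.lan>
User-Agent: Mutt/1.5.18 (2008-05-17)

hello
"""
CLEAN_MESSAGE = b"""\
From: Gmail User <user@gmail.com>
Date: Sat, 25 Oct 2008 12:00:00 +0000
Message-ID: <20081025120000.GA1234@gmail.com>

hello
"""
```

Running audit_message on a message saved from mutt before it is handed to msmtp shows whether the configuration above actually removed the identifying headers.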

Last edited <10/25/2008>


Alternative Torification paths

Thunderbird and Torbirdy

Seems well tested.

SimpleMail JS firefox add-on

This method has not yet (afaik) been tested and found to be 100% anonymous. [CAUTION]

The motivation for this is that SM is indeed very simple to handle and keeps all mail in a subdirectory of the browser, so as not to break the portability of the TBB.

A completely different path to torify e-mail is to use the SimpleMail [Clearnet link!] Firefox add-on in the Tor Browser Bundle. Download the .xpi file and just unzip the JS source code contents.

SM uses the Firefox proxy settings, thereby using onion routing. My first guess [CAUTION] is that this method should be safe.

Since JS is inherently a risk to anonymity, one has to be cautious of course.

Using this method in Tails should be pretty safe though.
