TorCitadel - Network of homemade MAIL- and JABBER-servers with TOR transport encryption

If you use email, your SMTP client or your browser sends the email to an email server. Depending on your mail provider this can be encrypted - or not and be free to sniff for intelligence agencies and hackers. Your mail provider has full access to your mails on his server - intelligence agencies, too. When your mail provider sends your mail to the recipients mail provider the connection is often unencrypted - and can be sniffed again. The remote mail provider - and intelligence agencies - have access to your mail on the remote mail server - again. When the recipient pulls your mail from his provider's mail server the connection often isn't encrypted - again.

Email and privacy are mutual exclusive. Or is there a solution?

What if you move the mail server to your home or office (no physical access for third parties) and use TOR as end-to-end encryption of content and to anonymize the transport meta data?

This is what TorCitadel does. It's YOUR personal well-fortified mail server at YOUR home or YOUR office. Other TorCitadel users can send you mail to your "<user>@<hidden-service ID>.onion" mail address.




  1. Unzip
  2. Write the extracted image 201X-XX-XX-wheezy-raspbian.img to the SD-card
  3. Connect the RaspberryPi to your private network, your USB keyboard and plug in the SD-card
  4. Boot the RaspberryPi by connecting the power-supply
  5. RaspberryPI Configuration Tool (raspi-config)
    1. Expand file system to use maximum space on SD-card
    2. Change password of user "pi"
    3. Internationalisation Options
      1. Adjust "Locale" to your needs
      2. Adjust "Timezone" to your needs
      3. Adjust "Keyboard layout" to your needs
    4. Advanced options
      1. Change hostname to "mail"
      2. SSH -> <Enable>
    5. Select <Finish> and answer the reboot question with <Yes> to reboot

Generic Debian/Ubuntu

  1. Become root
    sudo -s
  2. Activate IPv6 (necessary for Citadel to work!)
    echo "ipv6" >> /etc/modules && modprobe ipv6 && echo SUCCESS || echo ERROR
  3. Upgrade all packages to the most current version
    apt-get update && apt-get upgrade && apt-get dist-upgrade
  4. Install TOR and IPtables
    apt-get install tor iptables-persistent
  5. Create the TOR transparent proxying and the hidden service
    echo "
    ### Tor transparent proxying
    AutomapHostsSuffixes .onion,.exit
    AutomapHostsOnResolve 1
    TransPort 9040
    DNSPort 53
    ### Citadel hidden service
    # These ports are publicly accessible via TOR!!!
    # Comment out ports you do not need!!!
    HiddenServiceDir /var/lib/tor/mail
     HiddenServicePort   25    # Mail  SMTP + optional StartTLS
     HiddenServicePort   25     [::1]:25    # Mail  SMTP + optional StartTLS
    #HiddenServicePort   80    # Webif HTTP unencrypted + plain-text auth
    #HiddenServicePort   80     [::1]:80    # Webif HTTP unencrypted + plain-text auth
    #HiddenServicePort  110   # Mail  POP3 unencrypted + plain-text auth
    #HiddenServicePort  110     [::1]:110   # Mail  POP3 unencrypted + plain-text auth
    #HiddenServicePort  143   # Mail  IMAP + opportunistic StartTLS
    #HiddenServicePort  143     [::1]:143   # Mail  IMAP + opportunistic StartTLS
    #HiddenServicePort  443   # Webif HTTPS SSL
    #HiddenServicePort  443     [::1]:443   # Webif HTTPS SSL
    #HiddenServicePort  465   # Mail  SMTPS SSL
    #HiddenServicePort  465     [::1]:465   # Mail  SMTPS SSL
    #HiddenServicePort  504   # Decentralized Citadel nodes synchronisation
    #HiddenServicePort  504     [::1]:504   # Decentralized Citadel nodes synchronisation
    #HiddenServicePort  587   # Mail  MSA + forced StartTLS
    #HiddenServicePort  587     [::1]:587   # Mail  MSA + forced StartTLS
    #HiddenServicePort  993   # Mail  IMAPS SSL
    #HiddenServicePort  993     [::1]:993   # Mail  IMAPS SSL
    #HiddenServicePort  995   # Mail  POP3S SSL
    #HiddenServicePort  995     [::1]:995   # Mail  POP3S SSL
     HiddenServicePort 5222  # Jabber
     HiddenServicePort 5222     [::1]:5222  # Jabber
    " >> /etc/tor/torrc && service tor restart
  6. Backup the directory "/var/lib/tor/mail/"!
    1. "hostname" contains the fully-qualified hostname/email domain of your TOR hidden service
    2. "private_key" contains the private key of your TOR hidden service. If you loose the it, you loose your .onion-domain. If anyone gets the private key he can manipulate your .onion-domain and connections to it!
  7. IPTables rules for transparent proxying
    iptables -t nat    -A OUTPUT -p tcp -d -j REDIRECT --to-ports 9040  -m comment --comment "TOR transparent proxying for .onion"
    iptables -t filter -A OUTPUT        -d -j REJECT                    -m comment --comment "Reject non-TCP traffic to TOR"
    service iptables-persistent save
  8. Use Tor as nameserver (necessary for .onion domains of hidden services)
    echo 'prepend domain-name-servers;' >> /etc/dhcp/dhclient.conf
  9. Follow Ducky Ponds installation and configuration guide for Citadel
  10. At "Now we're going to go to Domain names and Internet mail configuration. Here you'll need to add the domains you want to receive mail for under the Local host aliases." enter your TOR hidden service hostame from "/var/lib/tor/mail/hostname"
  11. Reboot the RaspberryPi
  12. Read the Citadel documentation at
Last modified 12 months ago Last modified on Sep 27, 2016, 3:45:09 PM