TorCitadel - Network of homemade MAIL- and JABBER-servers with TOR transport encryption
When you send an email, your mail client or your browser hands it to your provider's mail server. Depending on the provider, that first hop may be encrypted or it may not, in which case anyone sniffing the line, intelligence agencies and hackers alike, can read it. Your provider has full access to the mail stored on its server, and so does anyone who can compel or compromise the provider. When your provider forwards the mail to the recipient's provider, that server-to-server connection is often unencrypted and can be sniffed again. The recipient's provider has access to the mail on its server as well. And when the recipient fetches the mail from that server, the connection is often unencrypted once more.
Are email and privacy mutually exclusive, or is there a solution?
What if you move the mail server to your home or office, where no third party has physical access to it, and use Tor hidden services, so that the hop between the two servers is encrypted end to end by Tor and the transport metadata (who mails whom, and from where) is hidden as well?
This is what TorCitadel does: it is YOUR personal, well-fortified mail server at YOUR home or YOUR office. Other TorCitadel users can send you mail at an address of the form user@<your-hidden-service-hostname>.onion.
Prerequisites
- RaspberryPi ~30,- €
- Power-supply ~5,- €
- SD-Card (e.g. Transcend TS8GSDHC10U1) ~10,- €
- Network cable or USB Wi-Fi adapter
- USB Keyboard for initial setup
- Current Raspbian OS (Debian Wheezy) 0,00 €
Installation
RaspberryPi
- Unzip 201X-XX-XX-wheezy-raspbian.zip
- Write the extracted image 201X-XX-XX-wheezy-raspbian.img to the SD-card
- Connect the RaspberryPi to your private network and your USB keyboard, and insert the SD-card
- Boot the RaspberryPi by connecting the power-supply
- RaspberryPI Configuration Tool (raspi-config)
- Expand file system to use maximum space on SD-card
- Change password of user "pi"
- Internationalisation Options
  1. Adjust "Locale" to your needs
  2. Adjust "Timezone" to your needs
  3. Adjust "Keyboard layout" to your needs
- Advanced options
  1. Change hostname to "mail"
  2. SSH -> Enable (so the box can be administered over the network once the keyboard is unplugged)
- Select <Finish> and answer the reboot question with <Yes> to reboot
Generic Debian/Ubuntu
- Become root
sudo -s
- Activate IPv6 (necessary for Citadel to work!)
echo "ipv6" >> /etc/modules && modprobe ipv6 && echo SUCCESS || echo ERROR
- Upgrade all packages to the most current version
apt-get update && apt-get upgrade && apt-get dist-upgrade
- Install Tor and iptables-persistent (the latter restores the firewall rules saved below on every boot)
apt-get install tor iptables-persistent
- Create the Tor transparent proxy and the hidden service. VirtualAddrNetwork is the range of fake addresses Tor hands out when a .onion name is resolved; it must not overlap a network you really use, so if your LAN lives in 10.x, pick another range here and use the same range in the iptables rules below. Every hidden-service port is mapped to both loopback addresses; Tor picks one of the two targets at random per connection, so the daemon behind it has to listen on both 127.0.0.1 and ::1.
echo "
### Tor transparent proxying
VirtualAddrNetwork 10.0.0.0/8
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 127.0.0.1
DNSPort 53
DNSListenAddress 127.0.0.1
### Citadel hidden service
# Every port listed here is reachable by anyone who knows your .onion address.
# Comment out the ports you do not need.
HiddenServiceDir /var/lib/tor/mail
HiddenServicePort 25 127.0.0.1:25 # Mail SMTP + optional StartTLS
HiddenServicePort 25 [::1]:25 # Mail SMTP + optional StartTLS
#HiddenServicePort 80 127.0.0.1:80 # Webif HTTP unencrypted + plain-text auth
#HiddenServicePort 80 [::1]:80 # Webif HTTP unencrypted + plain-text auth
#HiddenServicePort 110 127.0.0.1:110 # Mail POP3 unencrypted + plain-text auth
#HiddenServicePort 110 [::1]:110 # Mail POP3 unencrypted + plain-text auth
#HiddenServicePort 143 127.0.0.1:143 # Mail IMAP + opportunistic StartTLS
#HiddenServicePort 143 [::1]:143 # Mail IMAP + opportunistic StartTLS
#HiddenServicePort 443 127.0.0.1:443 # Webif HTTPS SSL
#HiddenServicePort 443 [::1]:443 # Webif HTTPS SSL
#HiddenServicePort 465 127.0.0.1:465 # Mail SMTPS SSL
#HiddenServicePort 465 [::1]:465 # Mail SMTPS SSL
#HiddenServicePort 504 127.0.0.1:504 # Decentralized Citadel nodes synchronisation
#HiddenServicePort 504 [::1]:504 # Decentralized Citadel nodes synchronisation
#HiddenServicePort 587 127.0.0.1:587 # Mail MSA + forced StartTLS
#HiddenServicePort 587 [::1]:587 # Mail MSA + forced StartTLS
#HiddenServicePort 993 127.0.0.1:993 # Mail IMAPS SSL
#HiddenServicePort 993 [::1]:993 # Mail IMAPS SSL
#HiddenServicePort 995 127.0.0.1:995 # Mail POP3S SSL
#HiddenServicePort 995 [::1]:995 # Mail POP3S SSL
HiddenServicePort 5222 127.0.0.1:5222 # Jabber
HiddenServicePort 5222 [::1]:5222 # Jabber
" >> /etc/tor/torrc && service tor restart
- **Back up the directory "/var/lib/tor/mail/"!**
  - "hostname" contains the .onion hostname of your Tor hidden service; it is also the mail domain of your TorCitadel addresses
  - "private_key" is the private key of your Tor hidden service. If you lose it, you lose your .onion domain. Anyone who obtains it can impersonate your .onion address and intercept or redirect connections to it, so protect the backup as carefully as the box itself
- iptables rules for transparent proxying (IPv4 only). The nat rule rewrites TCP connections to VirtualAddrNetwork addresses so they land on Tor's TransPort 9040 before the filter chain sees them; the second rule therefore only catches what is left, i.e. UDP and ICMP to that range, which Tor cannot carry, and rejects it so nothing leaks out of the box unencrypted. If you changed VirtualAddrNetwork above, use the same range in both rules.
iptables -t nat -A OUTPUT -p tcp -d 10.0.0.0/8 -j REDIRECT --to-ports 9040 -m comment --comment "TOR transparent proxying for .onion"
iptables -t filter -A OUTPUT -d 10.0.0.0/8 -j REJECT -m comment --comment "Reject non-TCP traffic to TOR"
service iptables-persistent save
- Use Tor as nameserver (necessary to resolve the .onion names of hidden services). dhclient puts 127.0.0.1, where Tor's DNSPort listens, first in /etc/resolv.conf the next time it obtains a lease, which is one reason for the reboot below.
echo 'prepend domain-name-servers 127.0.0.1;' >> /etc/dhcp/dhclient.conf
- Follow Ducky Pond's installation and configuration guide for Citadel
- At "Now we're going to go to Domain names and Internet mail configuration. Here you'll need to add the domains you want to receive mail for under the Local host aliases." enter your Tor hidden service hostname from "/var/lib/tor/mail/hostname"
- Reboot the RaspberryPi
- Read the Citadel documentation at http://citadel.org/
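A post-install check for the finished box, added here as an example; it is not part of TorCitadel or Citadel. It re-reads /etc/tor/torrc to list the virtual ports the hidden service actually exposes (the "comment out the ports you do not need" step above), validates the hostname Tor wrote to /var/lib/tor/mail/hostname, and checks that resolving that name through the system resolver yields an address inside VirtualAddrNetwork, which is the only way a connection reaches the REDIRECT rule for TransPort 9040. The paths, the 10.0.0.0/8 range and port 9040 are the values from this page; the file name torcitadel-check.sh and the TORRC/HS_DIR overrides are assumptions, and the CIDR helper also takes another range for boxes that moved VirtualAddrNetwork off 10.0.0.0/8.

```shell
#!/bin/sh
# torcitadel-check.sh (name assumed): post-install checks for a TorCitadel box.
# Added example, not part of the TorCitadel page or Citadel. Assumes the torrc
# from the page: VirtualAddrNetwork 10.0.0.0/8, TransPort 9040 and DNSPort 53 on
# 127.0.0.1, HiddenServiceDir /var/lib/tor/mail.

TORRC=${TORRC:-/etc/tor/torrc}
HS_DIR=${HS_DIR:-/var/lib/tor/mail}

# Virtual ports a torrc really exposes: uncommented HiddenServicePort lines,
# one port per line, de-duplicated (the page maps each port to 127.0.0.1 and [::1]).
exposed_ports() {
    sed -n 's/^[[:space:]]*HiddenServicePort[[:space:]][[:space:]]*\([0-9][0-9]*\)[[:space:]].*/\1/p' "$1" |
        sort -un
}

# Of those, the ports the page's torrc comments mark "unencrypted + plain-text auth".
# The Tor circuit is encrypted, but anyone who learns the .onion address can reach
# them, so they should stay commented out unless really needed.
plaintext_auth_ports() {
    for p in $(exposed_ports "$1"); do
        case $p in 80|110) echo "$p" ;; esac
    done
}

# A hostname as Tor writes it to $HS_DIR/hostname: 16 base32 characters (v2, what
# Tor on Wheezy generates) or 56 (v3) followed by ".onion".
valid_onion() {
    printf '%s\n' "$1" | grep -Eq '^([a-z2-7]{16}|[a-z2-7]{56})\.onion$'
}

# Dotted quad -> 32-bit integer; fails on malformed input.
ip2int() {
    IFS=. read -r a b c d rest <<EOF
$1
EOF
    [ -n "$d" ] && [ -z "$rest" ] || return 1
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True when IPv4 address $1 lies in CIDR range $2 (default: the page's
# VirtualAddrNetwork). Only such addresses hit the REDIRECT to TransPort 9040;
# anything else Tor's DNSPort returned would leave the box directly.
in_virtual_net() {
    net=${2:-10.0.0.0/8}
    ip=$(ip2int "$1") || return 1
    base=$(ip2int "${net%/*}") || return 1
    len=${net#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( base & mask )) ]
}

# Checks that need the real box; only run with --live.
live_checks() {
    [ -d /proc/sys/net/ipv6 ] || echo "WARN: IPv6 is disabled, Citadel needs it"
    pidof tor >/dev/null || echo "WARN: tor is not running"
    iptables -t nat -S OUTPUT | grep -q -- '--to-ports 9040' ||
        echo "WARN: no REDIRECT to TransPort 9040 in the nat OUTPUT chain"
    onion=$(cat "$HS_DIR/hostname" 2>/dev/null)
    if valid_onion "$onion"; then
        echo "hidden service: $onion"
        echo "exposed ports:  $(exposed_ports "$TORRC" | tr '\n' ' ')"
        for p in $(plaintext_auth_ports "$TORRC"); do
            echo "WARN: port $p (plain-text auth) is exposed"
        done
        # The system resolver (127.0.0.1 after the dhclient change) must map the
        # .onion name into VirtualAddrNetwork, otherwise DNS is not going via Tor.
        addr=$(getent hosts "$onion" | awk 'NR == 1 { print $1 }')
        in_virtual_net "$addr" ||
            echo "WARN: $onion resolved to '$addr', outside 10.0.0.0/8"
    else
        echo "WARN: $HS_DIR/hostname missing or malformed: '$onion'"
    fi
}

if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

Run it as root on the Pi with `sh torcitadel-check.sh --live` after the reboot; every line starting with WARN points at one of the steps above that did not take effect. Without `--live` the script only defines its functions, so they can be sourced and used on a copy of the torrc from another machine.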