wiki:doc/TorifyHOWTO/EMail

Read first!!!

New Advice (October 2012)

Read TorifyHOWTO/EMail/Thunderbird.

Old Advice (March 2012)

Do not use any e-mail client unless you are absolutely sure what you are doing. Many points listed under Web-browser also apply here. It is unknown which mail clients are safe to use with Tor. In the meantime, stick to webmail through a web browser. Deactivate HTML and pictures in your webmail settings: plain-text mails are safer and stop web bugs. Prefer an encrypted connection to your webmail server (either SSL or a hidden service). It is also recommended to encrypt your mails end-to-end using GPG.

Torifying e-mail clients is definitely harder than "just use socks4a". The first possible leak could be the Flash plugin. Many things mentioned in The Design and Implementation of the Tor Browser [DRAFT] also apply. Until there is an officially supported Tor mail client, you unfortunately should stick with webmail. There is some progress on Torbutton for Thunderbird (torbutton-birdy); see Thunderbird.

Old Advice (outdated)

Warning!

Better use the new advice above!

getmail

getmail is an alternative to fdm or fetchmail that is written in Python. One can use proxychains to run getmail over Tor. It works perfectly, with no DNS leaks.

Configure proxychains with this /etc/proxychains.conf:

strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 9050

Run getmail as follows:

proxychains getmail

fdm

fdm fetches and delivers mail like fetchmail does, but unlike fetchmail it has built-in SOCKS/HTTP proxy support.

Example configuration file using Privoxy as HTTP proxy:

set proxy "http://127.0.0.1:8123/"

account "foo" imaps server "imap-ssl.mail.yahoo.com"
        user "foo@yahoo.com" pass "bar"

action "foo"  maildir "%h/Mail/inbox"

match string "%a" to "foo" action "foo"

Fetchmail

This isn't the most elegant solution, but it works. Rename your /etc/init.d/fetchmail file to fetchmail-orig, for example, then save the script below as /etc/init.d/fetchmail and restart fetchmail with /etc/init.d/fetchmail restart. Your mail will now be fetched through the Tor network.

#!/bin/sh
#
# Fetchmail+Tor init script
#
set -e
# Defaults
DAEMON=/usr/bin/tsocks
FMINIT=/etc/init.d/fetchmail-orig
PATH=/sbin:/bin:/usr/sbin:/usr/bin
test -f $DAEMON || exit 0
case "$1" in
        start)
                $DAEMON $FMINIT start
                ;;
        stop)
                $DAEMON $FMINIT stop
                ;;
        force-reload|restart)
                $DAEMON $FMINIT restart
                ;;
        try-restart)
                $DAEMON $FMINIT try-restart
                ;;
        awaken)
                $DAEMON $FMINIT awaken
                ;;
        debug-run)
                $DAEMON $FMINIT debug-run
                ;;
        *)
                echo "Usage: /etc/init.d/fetchmail {start|stop|restart|force-reload|try-restart|awaken|debug-run}"
                echo "  start - starts system-wide fetchmail service"
                echo "  stop  - stops system-wide fetchmail service"
                echo "  restart, force-reload - starts a new system-wide fetchmail service"
                echo "  awaken - tell system-wide fetchmail to start a poll cycle immediately"
                echo "  debug-run [strace [strace options...]] - start a debug run of the"
                echo "    system-wide fetchmail service, optionally running it under strace"
                exit 1
                ;;
esac
exit 0

An alternative configuration for fetchmail, for those who prefer to start it on a per-user basis. Add the following to the user's .bashrc:

CONF_FILE="$HOME/.fetchmailrc"
PID_FILE="$HOME/.fetchmail.pid"
FETCHMAIL="/usr/bin/fetchmail"
TSOCKS="/usr/bin/tsocks"

# Start fetchmail through tsocks unless a daemon is already running.
FetchMailAlive () {
  if test -f "$CONF_FILE" && test -f "$FETCHMAIL"; then
    if test -f "$PID_FILE"; then
      # The first field of the pid file is the daemon's pid; kill -0 only checks that it is alive.
      if ! kill -0 "$(cut -d ' ' -f1 "$PID_FILE")" 2>/dev/null; then
        # Run fetchmail directly; its output is not shell code, so it must not be passed to eval.
        "$TSOCKS" "$FETCHMAIL"
        echo "New FetchMail started." >&2
      fi
    else
      "$TSOCKS" "$FETCHMAIL"
      echo "New FetchMail started." >&2
    fi
  else
    echo "Fetchmail not installed or configured properly." >&2
  fi
}
# Call it
FetchMailAlive

The function then checks for a running fetchmail daemon every time a new shell is opened and starts one if needed.

You may want to look up your mail server's IP with tor-resolve and use that IP in place of the hostname; see the note on tsocks and DNS above.

If you are lazy, you can also just call torify fetchmail or torify fetchmail -d 900.

Fetchmail using the plugin option

Beware: with this approach a DNS lookup of the server name may happen before the plugin is started (made by fetchmail itself, outside socat?), and socat is only invoked afterwards to download the messages.

Fetchmail can start a plugin program on a per-host basis (the plugin option in fetchmailrc) and talk to the server through it; with socat this gives a SOCKS connection:

plugin "socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050"

Fetchmail will substitute the %h and %p tokens with the actual host and port to be polled.

In the full context:

set no spambounce
set no bouncemail
poll pop.example.com
    plugin "socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050"
    protocol pop3
    user foo
    password bar
    mda "/usr/bin/procmail -d localuser"

It is recommended to use direct delivery here (the mda option) to prevent information leakage through uncontrolled bounces that might occur after the message is injected into a local MTA.

If the remote host offers SSL, it is strongly advisable not only to use SSL but also to verify the authenticity of the server's SSL certificate.

We'll assume that the certificate is stored in /etc/ssl/certs (any other path will do) and that c_rehash /etc/ssl/certs has been executed. In order to actually use SSL and verify the server certificate, we extend fetchmailrc as follows:

set no spambounce
set no bouncemail
poll pop.example.com
    plugin "socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050"
    protocol pop3
    user foo
    password bar
    ssl
    sslcertck
    sslcertpath /etc/ssl/certs
    mda "/usr/bin/procmail -d localuser"

This way the connection is resilient not only to password sniffing but also to man-in-the-middle attacks using spoofed SSL certificates.

Mozilla Thunderbird

Moved to TorifyHOWTO/EMail/Thunderbird.

3proxy as a POP3 proxy

Download and install (may need compiling) the 3proxy proxy server.

Let's say you have a POP3 account with settings below:

  E-mail: testaccount@…
  POP3 server: pop.gmail.com
  Account name: testaccount@…
  Password:

First, you need to configure and start 3proxy as a pop3 proxy with redirection to tor. Create a configuration file (plain text) like this:

# put 3proxy in background mode. For Windows replace with "service"
daemon
# set archiver to compress log files. Remove or replace for Windows.
archiver gz /bin/gzip %F
# we'll have 2 log files
rotate 2
# format of log record
logformat "- +_L%d.%m %H:%M:%S srv=%N:%p err=%E src=%C:%c dst=%R:%r out=%O in=%I %T"
# path to log file (CHANGE IT BECAUSE IT'S NOT SECURE!), rotate it monthly
log /tmp/3proxy.log M
# set timeouts above defaults, because tor may be a bit slow
timeouts 30 30 60 60 180 1800 60 120
# this is required to use ACLs and redirections
auth iponly
# preventing DNS requests leak
fakeresolve
# redirect all traffic
allow *
# redirect traffic to Tor
parent 1000 socks4+ 127.0.0.1 9050
# now, start pop3 proxy on port 127.0.0.1:110
# you can run it on alternative port, if port 110 is in use or not accessible
pop3p -i127.0.0.1 -p110

(you should edit at least the log path) and start 3proxy, giving the configuration file name on the command line. On Linux this may look like ./3proxy ./3proxyrc.

Now configure your e-mail agent (any with POP3 support: Eudora, Outlook Express, Outlook, Apple Mail). Specify the 3proxy server (localhost in this example) as the POP3 server and append the address of the real POP3 server to the account login name after an '@' character. That is, the e-mail agent settings are now:

  E-mail: testaccount@…
  POP3 server: 127.0.0.1
  Account name: testaccount@…@pop.gmail.com
  Password:

If the POP3 proxy listens on a port other than 110, you should also change the POP3 port setting in your mail agent.

SMTP with "Submission" protocol and 3proxy portmapping

As a measure against spammers, the default Tor exit policy rejects outgoing SMTP connections to TCP port 25, but many mail servers can still be reached on alternative ports. The most commonly used one is TCP/587 (submission). "Submission" is the SMTP protocol with client authentication. smtp.gmail.com, smtp.aol.com, smtp.yandex.ru and many others are known to support the submission protocol. You can use e.g. portmapping (see General TCP below) to map a port on the local host to port 587 of your preferred mail server.

Gmail example: for any 3proxy configuration above, like POP3, add a line

tcppm -i127.0.0.1 2525 smtp.gmail.com 587

This maps local port 2525 to the submission port of smtp.gmail.com.

Now set SMTP host 127.0.0.1 and SMTP port 2525 in your mail agent and configure SMTP authentication. Currently there is no SMTP proxy server support. If you need a second submission server, add a second portmapping with a different local port (e.g. 2526) to the configuration.

Note: some mail agents, including Microsoft Outlook and Outlook Express, are known to leak sensitive information, including the local IP address, through mail headers.

Sending mail using SMTP (the normal way) over SSH

If you have an SSH account that allows connection forwarding, you can send e-mail messages through a tunnel created with Tor and SSH. Add lines like the following to your ssh configuration file (e.g. ~/.ssh/config). Note that ssh_config does not accept a comment at the end of an option line, so comments go on their own lines:

Host your_ssh_server
    # the User line may be omitted
    User your_username
    LocalForward 7025 your_first_email_server:25
    LocalForward 7026 your_second_email_server:25
    LocalForward 7027 your_third_email_server:25

Then execute ssh -f -N -q your_ssh_server. Use netstat -aptun to check whether ssh is really listening on the specified ports. If everything seems to be working, change your e-mail program settings to use "127.0.0.1" port 7025 instead of "your_first_email_server" port 25. The same goes for the rest.

Popular Online Email Services

A few popular online email service providers are Hotmail, Yahoo Mail and Google Mail (GMail). Along with email, many of these also provide instant text, voice and video messaging and other services.

Warning: email handled by any online email service provider is neither secure nor safe, because these servers (or data centres) send and receive email between each other in plain, non-encrypted (open MIME standard) format over the SMTP protocol on TCP port 25. Even when a user views, receives or sends email over an HTTPS (SSL/TLS, TCP port 443) secured and encrypted connection in a web browser, or exchanges email with their own email server over secured IMAP (IMAPS, TCP port 993), secured POP3 (POP3S, TCP port 995) or secured SMTP (SMTPS, TCP port 465, or port 587) using Thunderbird or other email client software, the message still travels non-encrypted when it goes from that server to a different destination email server.

Employees of such an email service provider, and other (affiliated, diagnosing, servicing, etc.) groups and entities with access to the email servers, can easily view and monitor any email: they can show advertisements, offers, etc. based on the email's content, keep a side database of email addresses and words obtained from your email's content, and so on. So you must use end-to-end GPG based (or other) encryption techniques, and delete emails from such an email server (including emptying the Trash folder) right after downloading them to your personal email client software.

Some email server software can be configured further to exchange email securely, with encryption and with a verified destination (not a possible MITM), when these techniques are combined: DNS records obtained via DNSSEC are used to obtain accurate destination information, the destination is verified with DNSSEC and FCrDNS methods, and certificates and keys (obtained via the DNSSEC resolving process) are used for the secured and encrypted connections. More info here.

  • Hotmail / LiveMail
    Warning: do not connect directly to these unless you have completed the anonymization (or torification) process for your email client software.
    Email receiving settings:
      Server Type:  POP Mail Server.
      Server Name:  pop3.live.com
      Port:  995
      User Name:  user-name@hotmail.com or user-name@live.com
      Connection Security:  SSL/TLS
      Authentication Method:  Normal Password
    Email sending settings:
      Server Type:  SMTP Server.
      Server Name:  smtp.live.com
      Port:  587
      Connection Security:  STARTTLS
      Authentication Method:  Normal Password
      User Name:  user-name@hotmail.com or user-name@live.com
    
  • Yahoo Mail
    Warning: do not connect directly to these unless you have completed the anonymization (or torification) process for your email client software.
    Email receiving settings:
      Server Type:  IMAP Mail Server.
      Server Name:  imap.mail.yahoo.com
      Port:  993
      User Name:  user-name  (just user-name without the @yahoo.com portion)
      Connection Security:  SSL/TLS
      Authentication Method:  Normal Password
    Email sending settings:
      Server Type:  SMTP Server.
      Server Name:  smtp.mail.yahoo.com
      Port:  465
      Connection Security:  SSL/TLS
      Authentication Method:  Normal Password
      User Name:  user-name  (just user-name without the @yahoo.com portion)
    
  • Google Mail / GMail
    Warning: do not connect directly to these unless you have completed the anonymization (or torification) process for your email client software.
    Email receiving settings:
      Server Type:  IMAP Mail Server.
      Server Name:  imap.googlemail.com
      Port:  993
      User Name:  user-name  (just user-name without the @gmail.com portion)
      Connection Security:  SSL/TLS
      Authentication Method:  Normal Password
    Email sending settings:
      Server Type:  SMTP Server.
      Server Name:  smtp.googlemail.com
      Port:  587
      Connection Security:  STARTTLS
      Authentication Method:  Normal Password
      User Name:  user-name@gmail.com
    

*Experimental* Suggestions for possibly making thunderbird and/or claws stop leaking info *Experimental*

For Thunderbird, see also TorifyHOWTO/EMail/Thunderbird.

There are three goals:
1. Mail clients tend to leak your local hostname, so that should be stopped.
2. They tend to send their client and system name; the best option AFAICT is setting it to something innocuous.
3. Disable the reading and writing of HTML, since it can cause a lot of problems.

Thunderbird:

For reference, see this MozillaZine Knowledge Base article.

1. To stop hostname leaks in the HELO/EHLO headers, set mail.smtpserver.default.hello_argument to "localhost".
2. To stop DNS leaks, set network.proxy.socks_remote_dns to True. 
3. Set general.useragent.override to a value you are comfortable having in the headers.
4. To disable HTML when showing message bodies, set:
   a. mailnews.display.disallow_mime_handlers to 1
   b. mailnews.display.html_as to 1
   c. mailnews.display.prefer_plaintext to True
5. To disable HTML email composing, set:
   a. mail.html_compose to False
   b. mail.identity.default.compose_html to False
   c. mail.default_html_action to 1
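As an added example that is not part of the wiki page, the following shell script checks an existing Thunderbird prefs.js against the list above. The pref names and values are the ones listed; the prefs.js path and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a Thunderbird prefs.js against
# the leak-related settings listed above. Pref names and values come from that
# list; the sample prefs.js content below is constructed.
# Hardened values, one "name value" pair per line, written the way Thunderbird
# writes them in prefs.js (strings quoted, booleans lowercase).
TB_EXPECTED='mail.smtpserver.default.hello_argument "localhost"
network.proxy.socks_remote_dns true
mailnews.display.disallow_mime_handlers 1
mailnews.display.html_as 1
mailnews.display.prefer_plaintext true
mail.html_compose false
mail.identity.default.compose_html false
mail.default_html_action 1'
# Print the value of pref $2 in prefs.js $1 (last occurrence wins); empty if unset.
tb_pref_value() {
    name_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^user_pref(\"$name_re\", *\(.*\));\$/\1/p" "$1" | tail -n 1
}
# Print one line per pref that is missing or not at its hardened value and
# return the number of such findings (0 means prefs.js matches the list).
tb_audit_prefs() {
    findings=0
    while read -r name want; do
        have=$(tb_pref_value "$1" "$name")
        if [ -z "$have" ]; then
            echo "$name: not in prefs.js (built-in default in effect), want $want"
            findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "$name: found $have, want $want"
            findings=$((findings + 1))
        fi
    done <<EOF
$TB_EXPECTED
EOF
    return "$findings"
}
# Constructed sample prefs.js: remote DNS is on, but the HELO argument is
# still unset and HTML composing is still enabled.
SAMPLE_PREFS=$(mktemp)
cat > "$SAMPLE_PREFS" <<'EOF'
user_pref("network.proxy.socks_remote_dns", true);
user_pref("mailnews.display.disallow_mime_handlers", 1);
user_pref("mailnews.display.html_as", 1);
user_pref("mailnews.display.prefer_plaintext", true);
user_pref("mail.html_compose", true);
user_pref("mail.identity.default.compose_html", false);
user_pref("mail.default_html_action", 1);
EOF
tb_audit_prefs "$SAMPLE_PREFS" || echo "findings: $?"   # findings: 2
```

Run it against ~/.thunderbird/<profile>/prefs.js while Thunderbird is closed; a pref that is absent from the file is at its built-in default, which is why absence is reported too.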

Warning:
Each time your plugins (such as Flash) are updated automatically in the background (on Windows yes, on Linux untested), the plugin is also activated again in Thunderbird. You somehow have to get rid of this, as plugins can also leak your real IP.

Claws:

1) In ~/.claws_mail, for each account change two prefs: set_domain=1 and domain=localhost. This should stop Claws from leaking your hostname.

2) For each account, go to the current account's prefs -> Send. Choose 'Add Custom Header'. Add any of the following three headers, depending on what type of account it is: X-Mailer, X-UserAgent, X-Newsreader, and set them to whatever you feel comfortable with.

3) *Don't* install the HTML plugin.
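As an added example that is not part of the wiki page, this shell script audits the raw source of a message you have sent to yourself for the leaks described in the goals above and in the Outlook note earlier on this page: local hostname or private IP address in trace headers, client-identifying headers, and HTML. The hostname laptop.lan, the header set and the sample message are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit the raw source of a message you
# mailed to yourself for the leaks named above: local hostname and private IP in
# trace headers, client identification headers, HTML. Sample data is constructed.
LEAK_HEADERS='Received|X-Originating-IP|Message-ID'         # where a host or IP leak shows up
CLIENT_HEADERS='User-Agent|X-Mailer|X-Newsreader|X-MimeOLE' # name the client and OS (goal 2)
# RFC 1918 ranges: the address a NATed client reveals when it writes its own IP into a header.
PRIVATE_IP='(10\.[0-9]+\.[0-9]+\.[0-9]+|172\.(1[6-9]|2[0-9]|3[01])\.[0-9]+\.[0-9]+|192\.168\.[0-9]+\.[0-9]+)'
# Print the header block of message file $1, one header per line (folded
# continuation lines joined), stopping at the empty line before the body.
mail_headers() {
    awk 'NF == 0 { exit } /^[ \t]/ { h = h " " $0; next }
         { if (h != "") print h; h = $0 } END { if (h != "") print h }' "$1"
}
# report DESCRIPTION LINES: print a finding when LINES is non-empty and count it.
report() {
    [ -n "$2" ] || return 0
    printf '%s:\n%s\n' "$1" "$2"
    n=$((n + 1))
}
# Audit message $1 against local hostname $2; prints the findings and
# returns their number (0 means none of the four leak classes was seen).
audit_mail_leaks() {
    n=0
    hdrs=$(mail_headers "$1")
    trace=$(printf '%s\n' "$hdrs" | grep -E "^($LEAK_HEADERS):")
    report "local hostname $2 in trace headers (goal 1)" \
        "$(printf '%s\n' "$trace" | grep -F -i -- "$2")"
    report "private IPv4 address in trace headers (Outlook note)" \
        "$(printf '%s\n' "$trace" | grep -E "$PRIVATE_IP")"
    report "client identification headers (goal 2)" \
        "$(printf '%s\n' "$hdrs" | grep -E -i "^($CLIENT_HEADERS):")"
    report "HTML part in message (goal 3)" \
        "$(grep -E -i '^Content-Type:[[:space:]]*text/html' "$1")"
    return "$n"
}
# Constructed sample: what a misconfigured client on host laptop.lan behind NAT might emit.
SAMPLE_MSG=$(mktemp)
cat > "$SAMPLE_MSG" <<'EOF'
Received: from laptop.lan (unknown [192.168.1.23])
  by mail.example.org with ESMTPSA; Fri, 05 Oct 2012 14:00:00 +0000
Message-ID: <20121005140000.0001@laptop.lan>
X-Mailer: SomeMailClient 1.0 (Linux x86_64)
Subject: test
Content-Type: text/html; charset=utf-8

<p>hello</p>
EOF
audit_mail_leaks "$SAMPLE_MSG" laptop.lan || echo "findings: $?"   # findings: 4
```

With the HELO argument set to localhost and the client headers removed as described above, the same message would show only the receiving server's own trace data and the audit returns 0.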
Last modified on Oct 5, 2012 2:27:51 PM