
How to protect your email using tor (by EmailTor)

Protecting email using tor for a shell/unix oriented user



Considerations
We are going to explain a working solution that uses "normal programs" to protect email communications with tor. Our solution is based on a Linux distribution (Debian unstable), but we think it can be adapted to other Linux distributions and to other Unix flavours. Where possible we will use packages from the distribution, but some programs (the first will be 3proxy) are not yet packaged. Our example uses a "normal" provider, gmail ("the definitive provider"?), but the same setup is usable with other providers. We also assume that a local tor client is already configured. The local user will be called userlocal.

MUA - mutt
We chose the mutt email client because we think it is the most customizable client: we are going to use Mutt 1.5.18-4. The most important things to configure properly in mutt are the Message-ID and User-Agent headers: other headers and fields matter too, but these two are the most important. For these settings we use in .muttrc:

    # don't add the hostname to the From header
    unset use_domain
    # don't generate a From header
    unset use_from
    #Message-ID
    set hostname=gmail.com
    set use_domain=no
    #User-agent
    set user_agent=no

Don't forget to also set the correct From and real name settings.

    set from="user@gmail.com"
    set realname="Gmail User"
    my_hdr From: Gmail User <user@gmail.com>

Finally, configure mutt to use the msmtp MTA with:

    set sendmail="/usr/bin/msmtp"

MTA - msmtp
We need an MTA to send the mail messages, so we chose msmtp because it permits some interesting configuration: for example, msmtp uses localhost as the host name in HELO/EHLO messages. In this configuration we use port 2525 to contact the "local smtp server" (provided via 3proxy or Socat) to avoid conflicts with any other SMTP server on the machine. If you do not have a local SMTP server you can change that port to 25 in msmtprc (or in the msmtprc without check) and also in 3proxyrc (or on the Socat command line). In this configuration we check the SSL certificate coming from gmail with the procedure explained in checking smtp certificate. For this to work we need to modify the /etc/hosts file, so we need root access to the computer in use (or to ask the administrator for the change). This will be the .msmtprc file:

    defaults
    keepbcc on
    syslog on
    account gmail
    host smtp.gmail.com
    port 2525
    from user@gmail.com
    user user@gmail.com
    auth on
    password password
    tls on
    tls_starttls on
    tls_certcheck on
    tls_trust_file ./CA/Thawte_Premium_Server_CA.pem
    tls_force_sslv3 off

If you cannot modify any system file, or your administrator does not want to modify it, you cannot check the certificates, so the msmtprc will be like this:

    defaults
    keepbcc on
    syslog on
    account gmail
    host localhost
    port 2525
    from user@gmail.com
    user user@gmail.com
    auth on
    password password
    tls on
    tls_starttls on
    tls_certcheck off
    tls_force_sslv3 off
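The difference between the two msmtprc variants above can be checked mechanically. The following is an added example, not part of the original guide: a small audit function (the name audit_msmtprc and the FAIL messages are assumptions) that reads an msmtprc on stdin and reports when the server certificate is not being verified.

```sh
#!/bin/sh
# Added example (not from the original page): audit an msmtprc on stdin and
# report settings that leave the SMTP server certificate unverified.

audit_msmtprc() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {   # "keyword value" lines; a later setting overrides an earlier one
        key = tolower($1); $1 = ""; sub(/^[ \t]+/, ""); cfg[key] = $0
    }
    END {
        local_host = (cfg["host"] == "localhost" || cfg["host"] ~ /^127\./)
        if (cfg["tls"] != "on")
            print "FAIL tls is not on"
        if (cfg["tls_certcheck"] == "off")
            print "FAIL tls_certcheck off: server identity is never verified"
        else if (cfg["tls_trust_file"] == "")
            print "FAIL tls_certcheck is on but tls_trust_file is not set"
        else if (local_host)
            print "FAIL host " cfg["host"] " will not match the provider certificate"
    }'
}

# The two configurations from this page, reduced to the relevant lines.
checked_rc() { cat <<'EOF'
account gmail
host smtp.gmail.com
port 2525
tls on
tls_starttls on
tls_certcheck on
tls_trust_file ./CA/Thawte_Premium_Server_CA.pem
EOF
}
unchecked_rc() { cat <<'EOF'
account gmail
host localhost
port 2525
tls on
tls_starttls on
tls_certcheck off
EOF
}

checked_rc   | audit_msmtprc     # prints nothing
unchecked_rc | audit_msmtprc     # prints the tls_certcheck finding
```

The last branch covers the reason the guide edits /etc/hosts: with certificate checking on, the host line must carry the provider's name, not localhost, or the name in the certificate cannot match.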

MFA - fetchmail
We need fetchmail to fetch the mail. To pass through the tor proxy we use Socat and the "plugin" option of fetchmail. This is .fetchmailrc:

    set no spambounce
    set no bouncemail
    poll imap.gmail.com
    plugin "socat STDIO SOCKS4A:127.0.0.1:%h:%p,socksport=9050"
    protocol imap
    user user with password password, ssl
    mda "/usr/bin/procmail -d userlocal"

Proxy
We have two different ways to chain msmtp to tor: 3proxy and, again, Socat. Important: the use of Socat and of 3proxy for smtp are mutually exclusive. You cannot use them together!

3proxy
3proxy is the proxy program used to chain to tor. There is not yet a Debian package for this program, so we need to compile it from the sources. We have to run the program before sending email, with the command:

    3proxy ./.3proxyrc

This is .3proxyrc:

    daemon
    logformat "- +_L%d.%m %H:%M:%S srv=%N:%p err=%E src=%C:%c dst=%R:%r out=%O in=%I"
    log /tmp/3proxy.log M
    timeouts 30 30 60 60 180 1800 60 120
    auth iponly
    fakeresolve
    allow *
    parent 1000 socks4+ 127.0.0.1 9050
    tcppm -i127.0.0.1 2525 smtp.gmail.com 587

Socat for smtp
Another way to chain msmtp to tor is using Socat: this is also a Debian package, so it is not necessary to compile it as with 3proxy. Socat does not use any configuration file, so every option must be given on the command line, before you send your email messages, as in this example:

    socat -d -d -d -lu TCP4-LISTEN:2525,fork SOCKS4A:localhost:smtp.gmail.com:587,socksport=9050

(the -d options give more logging on the console).

Tor
On Debian, tor runs as a daemon under the system user debian-tor, and the configuration files are owned by the super user: to modify them you must be the super user or ask him.

GPG
We use GnuPG to protect (and optionally sign) the body of the messages. We do not want to mix the "normal" gpg configuration with the one dedicated to the anonymous address, so we put all this configuration in a different directory using the gpg homedir option. We assume ~/.gnupg-alt/ as the directory. In the .muttrc we will write:

    # GnuPG configuration
    set pgp_decode_command="gpg --homedir ~/.gnupg-alt/ --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
    set pgp_verify_command="gpg --homedir ~/.gnupg-alt/ --status-fd=2 --no-verbose --quiet --batch --output - --verify %s %f"
    set pgp_decrypt_command="gpg --homedir ~/.gnupg-alt/ --status-fd=2 %?p?--passphrase-fd 0? --no-verbose --quiet --batch --output - %f"
    set pgp_sign_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --detach-sign --textmode %?a?-u %a? %f"
    set pgp_clearsign_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --batch --quiet --output - %?p?--passphrase-fd 0? --armor --textmode --clearsign %?a?-u %a? %f"
    set pgp_encrypt_only_command="/usr/lib/mutt/pgpewrap gpg --homedir ~/.gnupg-alt/ --batch --quiet --no-verbose --output - --encrypt --textmode --armor --always-trust -- -r %r -- %f"
    set pgp_encrypt_sign_command="/usr/lib/mutt/pgpewrap gpg --homedir ~/.gnupg-alt/ %?p?--passphrase-fd 0? --batch --quiet --no-verbose --textmode --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
    set pgp_import_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --import %f"
    set pgp_export_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --export --armor %r"
    set pgp_verify_key_command="gpg --homedir ~/.gnupg-alt/ --verbose --batch --fingerprint --check-sigs %r"
    set pgp_list_pubring_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --batch --quiet --with-colons --list-keys %r"
    set pgp_list_secring_command="gpg --homedir ~/.gnupg-alt/ --no-verbose --batch --quiet --with-colons --list-secret-keys %r"
    set pgp_good_sign="^\\[GNUPG:\\] GOODSIG"

And also, if we always want to sign:

    set pgp_autosign=yes

In the same .gnupg-alt/ directory we use a configuration file gpg.conf with these options:

    keyserver x-hkp://yod73zr3y6wnm2sw.onion
    keyserver-options honor-http-proxy broken-http-proxy

where x-hkp://yod73zr3y6wnm2sw.onion is the address of a keyserver reachable as a tor "hidden service". Before every operation with gpg we also need to set the environment variable http_proxy to point to our tor server and privoxy:

    export http_proxy=http://127.0.0.1:8118/

Other adjustments
Log
Our machine is a personal computer used only as a client, so we do not need to keep logs for many days. We also want to leave as few traces of our actions as possible, so we use a RAM disk as storage for the logs. We modified /etc/fstab, adding a line like this:

    tmpfs /var/log tmpfs noatime 0 0

Tmp directory
We make the same adjustment for the tmp directory, with this line in /etc/fstab and linking /var/tmp to /tmp:

    tmpfs /var/tmp tmpfs noatime 0 0

Certificates checking
With these steps we check the SSL certificates coming from our email provider, to be sure we connect to the right services and avoid the "middle man" attack. We need to install the ssl-cert and openssl packages.
Check of smtp certificate

To check the smtp certificate issued by gmail we must give this command:

    $ openssl s_client -starttls smtp -showcerts -connect smtp.gmail.com:587

Type Quit to stop the smtp session. Looking at the certificate sent to the output, we can see that the CA that signed it is Thawte; this is a well-known certification authority and we have the corresponding certificate in the repository coming from ssl-cert: /etc/ssl/certs/Thawte_Premium_Server_CA.pem. To check if this is true:

    $ cd ~
    $ mkdir -m700 CA && cd CA
    $ cp /etc/ssl/certs/Thawte_Premium_Server_CA.pem .
    $ chmod 0400 Thawte_Premium_Server_CA.pem
    $ c_rehash . && cd ..

Download the smtp certificate:

    $ openssl s_client -connect smtp.gmail.com:587 -starttls smtp -showcerts \
      | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > google_smtp.pem

Type Quit to stop the smtp session. Check of the certificate:

    $ openssl verify -CApath ./CA google_smtp.pem
    google_smtp.pem: OK

With this result we can be sure we are using the right certificate. For this to work you need to modify the file /etc/hosts, adding this line:

    127.0.0.1 smtp.gmail.com

UTC variable
To avoid revealing your time zone you can set the TZ variable to UTC, for example in your .bashrc:

    export TZ=UTC
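The header settings from the MUA section and the TZ setting above can be verified on an actual outgoing message before it is trusted. The following is an added example, not part of the original guide; the function name audit_headers, the hostname workstation.example.lan and both sample messages are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): list headers of a message on
# stdin that identify the sender's machine. $1 is the local hostname.

audit_headers() {
    awk -v host="$1" '
    function check(h,    l) {
        l = tolower(h)
        if (l ~ /^(user-agent|x-mailer):/)
            print "LEAK mail client: " h
        if (l ~ /^(from|message-id):/ && index(l, tolower(host)))
            print "LEAK local hostname: " h
        if (l ~ /^date:/ && h !~ /[+-]0000( |$)/)
            print "LEAK time zone: " h
    }
    /^$/     { exit }                          # blank line: headers are over
    /^[ \t]/ { cur = cur " " $0; next }        # folded continuation line
             { if (cur != "") check(cur); cur = $0 }
    END      { if (cur != "") check(cur) }'
}

# Constructed samples; workstation.example.lan is a made-up hostname.
default_msg() { cat <<'EOF'
From: userlocal@workstation.example.lan
To: friend@example.org
Date: Sat, 25 Oct 2008 14:03:11 +0200
Message-ID: <20081025120311.GA4242@workstation.example.lan>
User-Agent: Mutt/1.5.18 (2008-05-17)

hello
EOF
}
hardened_msg() { cat <<'EOF'
From: Gmail User <user@gmail.com>
To: friend@example.org
Date: Sat, 25 Oct 2008 12:03:11 +0000
Message-ID: <20081025120311.GA4242@gmail.com>

User-Agent: body text after the blank line is not scanned
EOF
}

default_msg  | audit_headers workstation.example.lan   # four LEAK lines
hardened_msg | audit_headers workstation.example.lan   # no output
```

Run it against a copy of a test message saved from the sent folder, passing the output of hostname -f as the argument.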

Last edited <10/25/2008>
