[Freedombox-discuss] Idea for cross freedombox email system not leaking metadata

Jonathan Wilkes jancsika at yahoo.com
Sun Oct 12 00:05:10 UTC 2014

Hi Petter,

You should look at something like Cables in Linux Liberte.

But the only reason Cables theoretically* works is that everything is delivered over Tor, and it typically runs on a machine where Tor is being leveraged for everything.  That at least gives the user some protection if the email client happens to be doing something screwy that the author of Cables didn't know about.

With your proposal, you have to trust that both exim and whatever email client not only don't have bugs.  But more importantly, you must know that your rules for when to send/receive over Tor are perfect, _and_ that your documentation is effective enough to teach your users not to mix, forward, leak, or otherwise undermine all the work you are trying to do to hide their metadata.  Oh, and keep in mind that most clients do a fine job of hiding nearly all of the ugly metadata from the user, so they're often not even aware it's there in the first place.

In short, if you let your users send unencrypted messages in the same client/system as covert messages, your users won't be safe.  And if you force encryption for everything, you defeat the purpose of using email and should instead choose a protocol/system designed specifically to hide metadata.


* I've never used Cables, and it looks to be abandoned.  But its features and design are the most comprehensive I've seen for the kind of messaging you're interested in doing.

On Saturday, October 11, 2014 6:02 AM, Petter Reinholdtsen <pere at hungry.com> wrote:


I got this idea for how to set up a system to exchange emails between
freedombox boxes without having to develop much ourself.  Is this
already done by someone else?  Anyone here know enough about the
involved systems to make a proof of concept quickly?

The idea is based on the fact that a Tor hidden service is just a
process listening on some port somewhere, and the fact that exim can
be told to use any transport to send email.  If we set up exim to send
all addresses of a given format (say
<user>@<hidden-service-id>.freedomboxmail or similar) via a transport
delivering the mail via SMTP over Tor to the address given in
<hidden-service-id>, and set up SMTP on each freedombox to listen as a
Tor hidden service.  This would allow emails to be injected into the
freedombox using normal mail clients (to the local SMTP port), and
forwarded via Tor to any online freedombox without leaking metadata
about the mail exchange to anyone listening on the network segments
between the freedombox machines.

For additional protection against spammers, one can add a check in
exim to require all email to be GPG encrypted, or perhaps only accept
GPG signed emails.  But that is mostly to reduce the amount of
unwanted email, and not to be able to send email without leaking
metadata to prying eyes.

What do the rest of you think about this idea?  Possible to implement?
Something to put in the FreedomBox?

Happy hacking
Petter Reinholdtsen
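A sketch of the two pieces the proposal rests on, added here as an illustration and not code from the list, from exim or from FreedomBox: classifying an address of the form <user>@<hidden-service-id>.freedomboxmail so that only those are sent over Tor (and malformed ones are rejected rather than falling through to plain SMTP, the mixing risk Jonathan describes), and building the SOCKS5 CONNECT request that hands the .onion name to Tor unresolved. The .freedomboxmail suffix, port 25 on the hidden service, the accepted onion-id lengths and the sample id are assumptions.

```python
"""Routing helper for the proposed <user>@<hidden-service-id>.freedomboxmail
scheme (constructed example; suffix, port and id lengths are assumptions)."""
import re
import struct

ONION_SUFFIX = ".freedomboxmail"   # assumed pseudo-TLD from the proposal
TOR_SMTP_PORT = 25                 # assumed port the hidden service exposes

# 16-char (v2) onion ids were current in 2014; 56-char v3 ids are accepted too.
_ONION_ID = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def route(address):
    """Return ("tor", "<id>.onion") for covert addresses, ("local", domain)
    for everything else.  A domain that wears the covert suffix but carries a
    malformed id raises ValueError, so it is never delivered over ordinary
    (metadata-leaking) SMTP by mistake."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail address: %r" % address)
    domain = domain.lower()
    if not domain.endswith(ONION_SUFFIX):
        return ("local", domain)
    hs_id = domain[: -len(ONION_SUFFIX)]
    if not _ONION_ID.match(hs_id):
        raise ValueError("bad hidden-service id in %r" % address)
    return ("tor", hs_id + ".onion")


def socks5_connect_request(hostname, port=TOR_SMTP_PORT):
    """SOCKS5 CONNECT (RFC 1928) using ATYP=0x03, the domain-name form.  Tor
    maps the .onion name itself; resolving it locally would fail and would
    leak the destination to whoever watches the resolver traffic."""
    name = hostname.encode("ascii")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname length not representable in SOCKS5")
    return (b"\x05\x01\x00\x03" + bytes([len(name)]) + name
            + struct.pack("!H", port))


if __name__ == "__main__":
    # "exampleonionid2a" is a constructed 16-character id, not a real service.
    kind, target = route("alice@exampleonionid2a.freedomboxmail")
    print(kind, target, socks5_connect_request(target).hex())
```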
