- magnet:?xt=urn:btih:eb0506f42860ee5605f62fa0adb83f10230a1bd5
- ## 02.03.2014 (Sunday)
- ## Version 0.2
- ## updated: 05.03.2014 (Wednesday)
- ## for questions / additions goto: http://zw3crggtadila2sg.onion security
- ## board: subject @onion email (clear abuse but maybe it will go down in history as the
- ## birthplace of individual omail and the demise of gmail, hotmail, ymail, etc.)
- ## mailto: dopey1@ff6d7yz7hdw5xoav.onion
- [start]howto: make a @onion "e"mail -aka- omail!
- This is a howto for Linux.openSUSE (12.3) to make an "e"mail address with a .onion domain name.
- It lets you send to other @onion "e"mail addresses and receive "e"mails at a @onion
- domain DIRECTLY! To any computer on the planet connected to the internet and running tor!
- No registration, monies, paper work required. Plug-in and start omailing!
- Requirements are two computers (or two virtualmachines).
- One computer will run "postfix" and the other will run "tor".
- Both computers need a network card/access *duh*.
- I'm sure it can be "mined" for relevant information for other distros : )
- Lines with a ">" are considered command-line.
- Everything here should be executed as root (or lots of "sudo").
- Don't forget to logout after you're finished.
- Maybe read it once before?
- DISCLAIMER? none. well one: make this howto better/easier not worse, else: copy away!
- ===
- tor.system
- ===
- Use "yast > network > network devices" to configure the system:
- ip:192.168.0.2/24
- hostname: torserver
- site:site
- default gateway: 192.168.0.1 (real default gateway / ip of router!)
- dns server: 127.0.0.1
- Also check and edit file "/etc/resolv.conf" to:
- nameserver 127.0.0.1
- ===
- tor.system: tor.configuration
- ===
- link: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
- Use "yast > software > software management" to search/install "tor".
- Make a directory for "tor":
- >mkdir /tor
- And another one for the hidden "postfix" service:
- >mkdir /tor/hidden_service_postfix
- Change owner to "tor":
- >chown -R tor:users /tor
- And:
- >chmod -R 0700 /tor
- Edit file "/etc/tor/torrc" to:
- NickName Somenickname
- ContactInfo surprise@inter.net *Can be changed later to the created @onion "e"mail*
- ORport 192.168.0.2:8080
- BandwidthRate 30 KB
- SOCKSport 192.168.0.2:11111
- SOCKSpolicy accept 192.168.0.0/24
- SOCKSpolicy accept 127.0.0.1
- SOCKSpolicy reject *
- DNSport 192.168.0.2:5300
- DNSport 127.0.0.1:53
- ExitPolicy reject *:*
- ServerDNSresolvConffile /etc/tor/resolv.conf.tor
- TRANSport 192.168.0.2:8081
- VirtualAddrNetwork 10.192.0.0/10
- AutomapHostsOnResolve 1
- HiddenServiceDir /tor/hidden_service_postfix
- HiddenServicePort 25 192.168.0.25:25
- Next edit file "/etc/tor/resolv.conf.tor" to some
- DNS servers you trust (example link: http://www.opennicproject.org/):
- nameserver 106.186.17.181
- nameserver 118.88.20.195
- Next edit file "/etc/sysconfig/SuSEfirewall2". Look for a line that starts
- with "FW_REDIRECT=" and change it to:
- FW_REDIRECT="192.168.0.0/24,192.168.0.2/24,udp,53,5300 192.168.0.25/24,10.192.0.0/10,tcp,25,8081"
- Open firewall ports for "tcp:8080, tcp:8081, tcp:11111 udp:5300" in:
- "yast > security and users > firewall" in "Allowed services". Click on "Advanced".
- to recap:
- tcp:8080 is "ORport" (OnionRoutingPort) of tor
- tcp:8081 is "TRANSport" of tor (used for programs that don't know SOCKS)
- tcp:11111 is "SOCKSport" of tor (used by SOCKS enabled programs)
- udp:5300 is "DNSport" of tor-resolver
- Don't forget to portforward the ORport (tcp:8080) from the internet facing
- device / router to 192.168.0.2.
- Next start "tor": "YAST > SYSTEM > System Services (Runlevel)". Select the "tor" service
- and enable it (Remember this step: It can be used to start all further required servers in this how-to).
- Execute "torctl log" in a terminal to see what's going on:
- >torctl log
- If tor has logged in successfully to the tor-network then check the
- directory "/tor/hidden_service_postfix" for a file called "hostname".
- Open it to find your @onion name.
- Example: 1234567890abcdef.onion (16 characters before ".onion"). This will be used as a
- placeholder in the rest of this how-to. Wherever you see it, replace it with what you really (randomly) got : )
- ===
- postfix.system (with dovecot, lighttpd + php5 + squirrelmail).
- ===
- ip:192.168.0.25/24
- default gateway: 192.168.0.2 (the ip of the "tor" running computer).
- ***note: maybe a "route add -net 10.192.0.0 netmask 255.192.0.0 gw 192.168.0.2 dev eth0" will
- work instead? (255.192.0.0 is the netmask of the /10 VirtualAddrNetwork.) Might leak away if "route add" is used wrong?***
- hostname = 1234567890abcdef (see file mentioned above on the tor.system:"/tor/hidden_service_postfix/hostname")
- site/domain = onion
- dns server = 192.168.0.2 (tor-server ip)
- Also check and edit (if required) file "/etc/resolv.conf" to:
- nameserver 192.168.0.2
- ===
- postfix.system: postfix.configuration
- ===
- link: http://www.postfix.org/
- Use "yast > software > software management" to search/install "postfix".
- Use "yast > security and users > users and group management" to create a (omail) user.
- The name you create here will be the name before the "@"sign.
- Example: creating a user "bob" will then give an omail address of "bob@1234567890abcdef.onion"
- Next we edit *sigh* file "/etc/postfix/main.cf" to include:
- inet_protocols = ipv4
- inet_interfaces = 127.0.0.1 192.168.0.25
- ***note: above sayz where postfix will bind to and listen for incoming mail.***
- mynetworks_style = host
- ***note: above allows only local users on the postfix system itself to send mail.***
- smtp_host_lookup = native (IMPORTANT!)
- ***note: above disables the #$%& dns-resolver included in postfix and lets it use "/etc/
- resolv.conf" and "/etc/hosts".***
- ignore_mx_lookup_error = yes (tor-resolve only returns A records .. or something)
- myhostname = 1234567890abcdef.onion (see file mentioned above: "/tor/hidden_service_postfix/hostname")
- mydomain = onion
- Now check that there are not TWO directives with the same name, like this example:
- mynetworks_style = host
- mynetworks_style = subnet
- The later one silently overrides the earlier one : (
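A small audit script for the two checks above (duplicate directives, and the relay-related "mynetworks_style = host" the Q&A later depends on). This is an added example, not part of the original howto; the main.cf it works on is constructed inline, and the .onion name is the howto's placeholder.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit a Postfix main.cf for
# duplicated directives and for the effective value of mynetworks_style.
# The main.cf below is constructed for the demo; the .onion name is the
# howto's placeholder.
set -u

SAMPLE_MAINCF="$(mktemp)"
trap 'rm -f "$SAMPLE_MAINCF"' EXIT
cat > "$SAMPLE_MAINCF" <<'EOF'
inet_protocols = ipv4
inet_interfaces = 127.0.0.1 192.168.0.25
mynetworks_style = host
smtp_host_lookup = native
ignore_mx_lookup_error = yes
myhostname = 1234567890abcdef.onion
mydomain = onion
# a stray second copy, pasted in later; Postfix takes the LAST one
mynetworks_style = subnet
EOF

# Print every directive name that occurs more than once (comments and blank
# lines are skipped; whitespace around the "=" is tolerated).
dup_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' "$1" |
        sort | uniq -d
}

# Print the value Postfix will actually use for a directive: last occurrence wins.
effective_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Relay check from the Q&A: only "host" limits mynetworks to the box itself.
relay_is_local_only() {
    [ "$(effective_value "$1" mynetworks_style)" = "host" ]
}

audit() {
    dups="$(dup_keys "$1")"
    [ -n "$dups" ] && printf 'duplicate directive(s): %s\n' "$dups"
    relay_is_local_only "$1" || printf 'WARNING: effective mynetworks_style is "%s", not "host"\n' \
        "$(effective_value "$1" mynetworks_style)"
    return 0
}

audit "$SAMPLE_MAINCF"
```

Point it at the real file with `audit /etc/postfix/main.cf`; "postconf -n" shows the same effective values once postfix is installed.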
- Open firewall ports for "tcp:25" in "yast > security and users > firewall" in "Allowed services".
- Click on "Advanced".
- Next start "postfix": "YAST > SYSTEM > System Services (Runlevel)". Select the "postfix" service
- and enable it.
- ===
- postfix.system: LIGHTTPD and PHP5
- ===
- "YAST > Software > Software Manager" and search/install:
- +lighttpd
- +FastCGI
- +PHP5 / PHP5-fastcgi / PHP5-gettext / php5-iconv / PHP5-mbstring / PHP5-xml-reader / PHP5-xml-writer
- optional:
- +wget
- +mc
- +telnet
- To enable PHP5 with lighttpd:
- Edit file "/etc/lighttpd/modules.conf" and un-comment line:
- include "conf.d/fastcgi.conf"
- Edit file "/etc/lighttpd/conf.d/fastcgi.conf":
- server.modules += ( "mod_fastcgi" )
- fastcgi.server = ( ".php" => ((
- "bin-path" => "/srv/www/cgi-bin/php",
- "socket" => "/srv/www/socket/sqmail.socket"
- )))
- "/srv/www/socket/sqmail.socket" is a directory and owned by user "lighttpd".
- Create the "socket" directory and give ownership to user lighttpd and group lighttpd:
- >mkdir /srv/www/socket
- >mkdir /srv/www/socket/sqmail.socket
- >chown -R lighttpd:lighttpd /srv/www/socket
- Another directory is needed for "php" and "squirrelmail" to work:
- Create directory "/srv/www/php.cookies":
- >mkdir /srv/www/php.cookies
- >chown -R lighttpd:lighttpd /srv/www/php.cookies
- Also adjust the listening port and ip.address in "/etc/lighttpd/lighttpd.conf" that
- "lighttpd" should use. In this example it is port:80 and ip.address: 192.168.0.25.
- Edit/add following lines:
- server.port = 80
- server.bind = "192.168.0.25"
- Edit file "/etc/php5/fastcgi/php.ini", find / un-comment / change these three lines to read:
- cgi.fix_pathinfo = 1
- session.save_path = "/srv/www/php.cookies"
- sendmail_path = /usr/sbin/sendmail
- ==========
- postfix.system: SQUIRRELMAIL (SQmail)
- ==========
- link: http://squirrelmail.org/
- squirrelmail PHP5 requirements: http://squirrelmail.org/docs/admin/admin-1.html#ss1.1
- Fetch "Squirrelmail": http://squirrelmail.org/download.php (don't do this at home kids!):
- >wget http://prdownloads.sourceforge.net/squirrelmail/squirrelmail-webmail-1.4.22.tar.gz
- use "mc" (MidnightCommander) or command-line to extract all to:
- /srv/www/htdocs
- note: The location of the file "index.php" that comes from the unpacked
- "squirrelmail...tar.gz" should be here:
- /srv/www/htdocs/index.php
- Do not make a sub-directory structure like this:
- /srv/www/htdocs/squirrelmail
- Assuming "mc" was used to unpack the downloaded file "squirrelmail..tar.gz" to
- directory "/root/squirrelmail-webmail-1.4.22" then you can do this:
- >cp -R /root/squirrelmail-webmail-1.4.22/* /srv/www/htdocs
- Give ownership to user/group "lighttpd":
- >chown -R lighttpd:lighttpd /srv/www/htdocs
- Create a "data" directory and an "attach" directory for squirrelmail:
- >mkdir /srv/www/sqmail
- >mkdir /srv/www/sqmail/data
- >mkdir /srv/www/sqmail/attach
- Give ownership to lighttpd, because it runs the php scripts of squirrelmail and wants
- to write to those directories:
- >chown -R lighttpd:lighttpd /srv/www/sqmail
- To configure squirrelmail there are two options:
- 1) Run "conf.pl" in directory "/srv/www/htdocs/config":
- >/srv/www/htdocs/config/conf.pl
- 2) Run "configure" in directory "/srv/www/htdocs":
- >/srv/www/htdocs/configure
- Select "d" and choose/type:
- dovecot
- Go back (r-keyboard) to main squirrelmail configuration menu and select "4" for
- "General options" and enter the directories created above.
- For "data" directory:
- /srv/www/sqmail/data
- For "attach" directory:
- /srv/www/sqmail/attach
- *IMPORTANT* To set the "sender domain", that is the stuff after the "@"sign, select "2" for
- "Server Settings" from the main menu and then enter the domain:
- 1234567890abcdef.onion (see file mentioned above: "/tor/hidden_service_postfix/hostname")
- This will report to the receiver where the omail came from so that the "reply"
- button works for them : )
- We can start lighttpd now:
- Open firewall ports for "tcp:80" in "yast > security and users > firewall" in "Allowed services".
- Click on "Advanced".
- Next start "lighttpd": "YAST > SYSTEM > System Services (Runlevel)". Select the "lighttpd"
- service and enable it.
- To see what "Squirrelmail" thinks about the setup, (after starting "lighttpd") goto
- "http://192.168.0.25/src/configtest.php" with a browser.
- =======
- postfix.system: DOVECOT
- =======
- link: http://www.dovecot.org/
- "YAST > Software > Software Management" search/install
- +dovecot21
- +dovecot21-backend-sqlite
- +SQLite
- +mailx
- Edit file "/etc/dovecot/conf.d/10-mail.conf" and uncomment/add:
- mail_location = mbox:~/mail:INBOX=/var/mail/%u
- Edit file "/etc/dovecot/users" and add users. The format is:
- username:password:user.id:group.id::/homedirectory
- link: http://wiki2.dovecot.org/BasicConfiguration
- Example: There is a user "bob" with a dovecot-password "1234bob". His user.id
- is "1000" and group.id is "100". The "homedirectory" is "/home/bob".
- This would yield the following line in file "/etc/dovecot/users":
- bob:1234bob:1000:100::/home/bob
- Note: "dovecot-password" indicates the password that bob wants to use to login
- to the dovecot-server. This is not(!) the system login password! Don't make it same : )
- Note: The user.id and group.id can be checked with
- "YAST > Security and Users > User and Group Management" for each user.
- Edit file "/etc/dovecot/conf.d/10-auth.conf". Then un-comment:
- disable_plaintext_auth = no
- auth_mechanisms = plain
- !include auth-passwdfile.conf.ext
- And then edit file "/etc/dovecot/conf.d/auth-passwdfile.conf.ext" to something like this:
- passdb {
- driver = passwd_file
- args = scheme=plain username_format=%u /etc/dovecot/users
- }
- userdb {
- driver = passwd_file
- args = username_format=%u /etc/dovecot/users
- }
- Next edit file "/etc/dovecot/conf.d/10-master.conf" and enable the IMAP service
- by uncommenting:
- default_internal_user = dovecot
- service imap_login {
- inet_listener imap {
- port = 143
- }
- inet_listener imaps {
- port = 993
- ssl = yes
- }
- }
- Note: Check that opening and closing brackets match up in numbers!
- The important part is to un-comment and thus enable the directives.
- At last edit "/etc/dovecot/dovecot.conf", uncomment lines:
- protocols = imap
- listen = 127.0.0.1
- base_dir = /var/run/dovecot/
- instance_name = dovecot
- login_greeting = Dovecot ready
- The last thing to do now is start the "dovecot" service:
- "YAST > SYSTEM > System Services (Runlevel)". Select the "dovecot" service
- and enable it.
- Note: A firewall port needs not be opened because "dovecot" is only listening
- on 127.0.0.1 -aka localhost.
- The interface to send and receive omails is now available on the ip and port configured
- for lighttpd. In this howto it would be: http://192.168.0.25
- [end]
- Q&A
- How does it work?
- Squirrelmail is the "user interface". It is easy to use and works
- in a browser. Just type "192.168.0.25" as an address into a browser (on the local LAN).
- The sending part goes via squirrelmail > php5.sendmail > postfix > (tor-resolve) > tor
- The receiving part goes via tor-hidden-service > postfix > dovecot > squirrelmail
- How does postfix work with tor?
- postfix sees as receiver address (example) "cindy@123.onion". It contacts the configured DNS
- server. This is the tor-resolver listening on port 5300.
- The tor-resolver sees that a *onion is requested and *cheats* by answering with an ip.address
- from the 10.192.0.0/10 range, example 10.192.0.1.
- postfix now contacts the server 10.192.0.1 via the default gateway it has configured, that
- is 192.168.0.2, which also happens to be the ip address of the tor running computer.
- Because the tor-running computer has a firewall/nat rule (the FW_REDIRECT entry above) that says that all
- tcp:25 requests coming to itself for 10.192.0.0/10 get redirected to 192.168.0.2:8081 it can now *intercept* the
- *onion request and transparently route the data ... simple : )
- If however postfix is receiving omails they will come from 192.168.0.2, that is through tor,
- and tor is running on 192.168.0.2.
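A way to check the "cheating" step described above before trusting it: the address the tor-resolver hands back for a .onion name must fall inside VirtualAddrNetwork 10.192.0.0/10, otherwise postfix will try a real connection and the firewall rule never sees it. This is an added example, not part of the original howto; the names and addresses it classifies are constructed, and the dig command in the comment is only the suggested way to obtain a real answer.

```shell
#!/bin/sh
# Added example, not part of the original howto: check that an answer the
# tor-resolver gave for a .onion name is a Tor "automap" address inside
# VirtualAddrNetwork 10.192.0.0/10, so traffic to it hits the FW_REDIRECT
# rule and the TRANSport instead of leaving the box as a real connection.
# Sample names/addresses below are constructed; a real answer comes from e.g.
#   dig +short @192.168.0.2 -p 5300 1234567890abcdef.onion
set -u

VIRTUAL_NET=10.192.0.0     # VirtualAddrNetwork from torrc
VIRTUAL_PREFIX=10

# dotted quad -> 32-bit integer (plain POSIX sh arithmetic)
ip_to_int() {
    ip=$1
    set -- $(printf '%s' "$ip" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix length -> netmask; /10 is 255.192.0.0, which is what a static
# "route add -net 10.192.0.0 netmask ..." on the postfix.system would need
prefix_to_mask() {
    m=$(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# exit status 0 when $1 lies inside VirtualAddrNetwork
in_virtual_net() {
    mask=$(( (0xFFFFFFFF << (32 - VIRTUAL_PREFIX)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$VIRTUAL_NET") & mask )) ]
}

# classify one resolver answer: automap (will be redirected), leak (a real
# address came back, so tor is not the one resolving it), or not a .onion query
classify_answer() {
    case "$1" in
        *.onion) ;;
        *) echo "not-onion"; return 0 ;;
    esac
    if in_virtual_net "$2"; then
        echo "automap"
    else
        echo "leak"
    fi
}

classify_answer 1234567890abcdef.onion 10.192.0.1    # automap
classify_answer 1234567890abcdef.onion 192.0.2.10    # leak
```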
- Can people using the tor network access my squirrelmail login page?
- Not with this how-to. Squirrelmail can only be accessed by computers that are on the 192.168.0.0/24
- network (local-lan). Even if tor is also on the local-lan there is no hidden-service defined
- for port 80, which is what lighttpd+squirrelmail is listening on.
- A hidden-service might be added to torrc configuration file for port 80 however.
- The only thing standing between you and people wanting to read your omail is then just
- the login password because they would see the squirrelmail login page.
- There is the possibility to have the squirrelmail login page available via an onion address that
- is different from the @onion omail address domain however : )
- A safer solution would be to setup a local VPN server. One would then tunnel/connect to this local
- VPN server into the local-lan and then access the only locally accessible squirrelmail instead.
- Can people abuse my postfix as a spamming relay?
- Not with this how-to... I think.
- This setup only allows local users (with a real account) on the postfix.system to use postfix
- to SEND omail. The relevant entry in "main.cf" is "mynetworks_style = host".
- Why is DOVECOT using plain-text passwords?
- I'm a n00b : )
- DOVECOT is only listening on 127.0.0.1. If you don't share your computer with
- other users this shouldn't be a problem. Please feel free to make it "more" secure.
- "Quick-quick-make-it-easy-to-setup" is the motto here.
- Can I make my postfix system even more secure?
- One could disable ARP on the postfix.system and statically map the MAC address and
- ip address of the tor running server in "/etc/ethers" (needs an entry on the tor running server also).
- This way the postfix computer only knows about one other computer on the local-lan: the tor running server.
- Of course lighttpd+squirrelmail would only be accessible from a browser running on the postfix.system (unless
- also statically mapped via "/etc/ethers").
- It would need root to re-enable ARP broadcasts.
- A word of warning: If configuring a system via ssh DO NOT mess with ARP. You might lock yourself out!
- ...
- sorry for typos : ) happy omailing! and thx to all the nice people who bring you
- free open-source GNU/Linux!
- dopey1