onion-mail v.0.2

magnet:?xt=urn:btih:eb0506f42860ee5605f62fa0adb83f10230a1bd5

## 02.03.2014 (Sunday)
## Version 0.2
## updated: 05.03.2014 (Wednesday)
## for questions / additions goto: http://zw3crggtadila2sg.onion security
## board: subject @onion email (clear abuse but maybe it will go down in history as the
## birthplace of individual omail and the demise of gmail, hotmail, ymail, etc.)
## mailto: dopey1@ff6d7yz7hdw5xoav.onion

[start]howto: make a @onion "e"mail -aka- omail!

This is a howto for Linux.openSUSE (12.3) to make a "e"mail address with a onion domain name.
It will allow to send to other @onion "e"mail address and receive "e"mails at a @onion
domain DIRECTLY! To any computer on th planet connected to the internet and running tor!
No registration, monies, paper work required. Plug-in and start omailing!

Requirements are two computers (or two virtualmachines).
One computer will run "postfix" and the other will run "tor".
Both computers need a network card/access *duh*.
I'm sure it can be "mined" for relevant information for other distros : )

Lines with a ">" are considered command-line.
Everything here should be executed as root (or lots of "sudo").
Don't forget to logout after you're finished.
Maybe read it once before?

DISCLAIMER? none. well one: make this howto better/easier not worse, else: copy away!

===
tor.system
===
Use "yast > network > network devices" to configure the system:
ip:192.168.0.2/24
hostname: torserver
site:site
default gateway: 192.168.0.1 (real default gateway / ip of router!)
dns server: 127.0.0.1

Also check and edit file "/etc/resolv.conf" to:
nameserver 127.0.0.1

===
tor.system: tor.configuration
===
link: https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
Use "yast > software > software management" to search/install "tor".

Make a directory for "tor":
>mkdir /tor

And another one for the hidden "postfix" service:
>mkdir /tor/hidden_service_postfix

Change owner to "tor":
>chown -R tor:users /tor
And:
>chmod -R 0700 /tor

Edit file "/etc/tor/torrc" to:
NickName Somenickname
ContactInfo surprise@inter.net *Can be changed later to the created @onion "e"mail*
ORport 192.168.0.2:8080
BandwidthRate 30 KB

SOCKSport 192.168.0.2:11111
SOCKSpolicy accept 192.168.0.0/24
SOCKSpolicy accept 127.0.0.1
SOCKSpolicy reject *

DNSport 192.168.0.2:5300
DNSport 127.0.0.1:53

ExitPolicy reject *:*

ServerDNSresolvConffile /etc/tor/resolv.conf.tor

TRANSport 192.168.0.2:8081
VirtualAddrNetwork 10.192.0.0/10
AutoMapHostOnResolve 1

HiddenServiceDir /tor/hidden_service_postfix
HiddenServicePort 25 192.168.0.25:25

Next edit file "/etc/tor/resolv.conf.tor" to some
DNS servers you thrust (example link: http://www.opennicproject.org/):
nameserver 106.186.17.181
nameserver 118.88.20.195

Next edit file "/etc/sysconfig/SuSEfirewall2". Look for a line that starts
with "FW_REDIRECT=" and change it to:
FW_REDIRECT="192.168.0.0/24,192.168.0.2/24,udp,53,5300 192.168.0.25/24,10.192.0.0/10,tcp,25,8081"

Open firewall ports for "tcp:8080, tcp:8081, tcp:11111 udp:5300" in:
"yast > security and users > firewall" in "Allowed services". Click on "Advanced".
to recap:
tcp:8080 is "ORport" (OnionRoutingPort) of tor
tcp:8081 is "TRANSport" of tor (used for programs that don't know SOCKS)
tcp:11111 is "SOCKSport" of tor (used by SOCKS enabled programs)
udp:5300 is "DNSport" of tor-resolver

Don't forget to portforward the ORport (tcp:8080) from the internet facing
device / router to 192.168.0.2.

Next start "tor": "YAST > SYSTEM > System Services (Runlevel)". Select the "tor" service
and enable it (Remember this step: It can be used to start all further required servers in this how-to).

Execute "torctl log" in a terminal to see what's going on:
>torctl log

If tor has logged in successfully to the tor-network then check the
directory "/tor/hidden_service_postfix" for a file called "hostname".
Open it to find your @onion name.

Example: 1234567890abcdef.onion (16 characters before ".onion"). This will be used as a
placeholder in the further how-to. If you see it, rplace it with what you really (randomly) got : )

===
postfix.system (with dovecot, lighttpd + php5 + squirrelmail).
===
ip:192.168.0.25/24
default gateway: 192.168.0.2 (the ip of the "tor" running computer).

***note: maybe a "route add -net 10.192.0.0 netmask 255.255.255.0 gw 192.168.0.2 dev eth0" will
work instead? Might leak away if "route add" used wrong?***

hostname = 1234567890abcdef (see file mentioned above on the tor.system:"/tor/hidden_service_postfix/hostname")
site/domain = onion
dns server = 192.168.0.2 (tor-server ip)

Also check and edit (if required) file "/etc/resolv.conf" to:
nameserver 192.168.0.2

===
postfix.system: postfix.configuration
===
link: http://www.postfix.org/

Use "yast > software > software management" to search/install "postfix".

Use "yast > security and users > users and group management" to create a (omail) user.
The name you create here will be the name before the "@"sign.
Example: creating a user "bob" will then give a omail address of "bob@1234567890abcdef.onion"

Next we edit *sigh* file "/etc/postfix/main.cf" to include:
inet_protocols = ipv4
inet_interfaces = 127.0.0.1 192.168.0.25

***note: above sayz where postfix will bind to and listen for incoming mail.***

mynetworkstyle = host

***note: above allows only local users on the postfix system itself to send mail.***

smtp_host_lookup = native (IMPORTANT!)

***note: above disables the #$%& dns-resolver included in postfix and enables to use "/etc/
resolv.conf" and "/etc/hosts".***

ignore_mx_lookup_error = yes (tor-resolve only returns A records .. or something)
myhostname = 1234567890abcdef.onion (see file mentioned above: "/tor/hidden_service_postfix/hostname")
mydomain = onion

Now check that there are not TWO directives with the same name, like this example:
mynetworkstyle = host
mynetworkstyle = subnet

One might override the other : (

Open firewall ports for "tcp:25" in "yast > security and users > firewall" in "Allowed services".
Click on "Advanced".

Next start "postfix": "YAST > SYSTEM > System Services (Runlevel)". Select the "postfix" service
and enable it.

===
postfix.system: LIGHTTPD and PHP5
====
"YAST > Software > Software Manager" and search/install:
+lighttpd
+FastCGI
+PHP5 / PHP5-fastcgi / PHP5-gettext / php5-iconv / PHP5-mbstring / PHP5-xml-reader / PHP5-xml-writer
optional:
+wget
+mc
+telnet

To enable PHP5 with lighttpd:

Edit file "/etc/lighttpd/modules.conf" and un-comment line:
include "conf.d/fastcgi.conf"

Edit file "/etc/lighttpd/conf.d/fastcgi.conf":
server.modules += ( "mod_fastcgi" )
fastcgi.server => ( ".php" => ((
"bin-path" => "/srv/www/cgi-bin/php",
"socket" => "/srv/www/socket/sqmail.socket"
)))

"/srv/www/socket/sqmail.socket" is a directory and owned by user "lighttpd".
Create the "socket" directory and give ownership to user lighttpd and group lighttpd:
>mkdir /srv/www/socket
>mkdir /srv/www/socket/sqmail.socket
>chown -R lighttpd:lighttpd /srv/www/socket

Some other directory for "php" and "squirrelmail to work":
Create directory "/srv/www/php.cookies":
>mkdir /srv/www/php.cookies
>chown -R lighttpd:lighttpd /srv/www/php.cookies

Also adjust the listening port and ip.address in "/etc/lighttpd/lighttpd.conf" that
"lighttpd" should use. In this example it is port:80 and ip.address: 192.168.0.25.
Edit/add following lines:
server.port = 80
server.bind = "192.16.0.25"

Edit file "/etc/php5/fastcgi/php.ini", find / un-comment / change these three lines to read:
cgi.fix_pathinfo = 1
session.save_path = "/srv/www/php.cookies"
sendmail_path = /usr/sbin/sendmail

==========
postfix.system: SQUIRRELMAIL (SQmail)
==========
link: http://squirrelmail.org/
squirrelmail PHP5 requirements: http://squirrelmail.org/docs/admin/admin-1.html#ss1.1

Fetch "Squirrelmail": http://squirrelmail.org/download.php (don't do this at home kids!):
>wget http://prdownloads/sourceforge.net/squirrelmail/squirrelmail-webmail-1.4.22.tar.gz

use "mc" (MidnightCommander) or command-line to extract all to:
/srv/www/htdocs

note: The location of the file "index.php" that comes from the unpacked
"squirrelmail...tar.gz" should be here:
/srv/www/htdocs/index.php

Do not make a sub-directory structure like this:
/srv/www/htdocs/squirrelmail

Assuming "mc" was used to unpack the downloaded file "squirrelmail..tar.gz" to
directory"/root/squirrelamil-webmail1.42" then you can do this:
>cp -R /root/squirrelmail-webmail-1.42/* /srv/www/htdocs

Give ownership to user/group "lighttpd":
>chown -R lighttpd:lighttpd /srv/www/htdocs

create a "data" directory and a "attach" directory for squirrelmail:
>mkdir /srv/www/sqmail
>mkdir /srv/www/sqmail/data
>mkdir /srv/www/sqmail/attach

Give ownership to lighttpd, because it runs the php scripts of squirrelmail and wants
to write to those directories:
>chown -R lighttpd:lighttpd /srv/www/sqmail

To configure squirrelmail there are two options:
1) Run "conf.pl" in directory "/srv/www/htdocs/config":
>/srv/www/htdocs/config/conf.pl

2) Run "configure" in directory "/srv/www/htdocs":
>/srv/www/htdocs/configure

Select "d" and chose/type:
dovecot
Go back (r-keyboard) to main squirrelmail configuration menu and select "4" for
"General options" and enter the directories created above.
For "data" directory:
/srv/www/sqmail/data
For "attach" directory:
/srv/www/sqmail/attach

*IMPORTANT* To set the "sender domain", that is the stuff after the "@"sign, select "2" for
"Server Settings" from the main menu and then enter the domain:
1234567890abcdef.onion (see file mentioned above: "/tor/hidden_service_postfix/hostname")
This will report to the receiver where the omail came from so that the "reply"
button works for them : )

We can start lighttpd now:
Open firewall ports for "tcp:80" in "yast > security and users > firewall" in "Allowed services".
Click on "Advanced".

Next start "lighttpd": "YAST > SYSTEM > System Services (Runlevel)". Select the "lighttpd"
service and enable it.

To see what "Squirrelmail" thinks about the setup, (after starting "lighttpd") goto
"http://192.168.0.25/src/configtest.php" with a browser.


=======
postfix.system: DOVECOT
=======
link: http://www.dovecot.org/
"YAST > Software > Software Management" search/install
+dovecot21
+dovecot21-backend-sqlite
+SQLite
+mailx

Edit file "/etc/dovecot/conf.d/10-mail.conf" and uncomment/add:
mail_location = mbox:~/mail:INBOX=/var/mail/%u

Edit file "/etc/dovecot/users" and add users. The format is:
username:password:user.id:group.id::/homedirectory
link: http://wiki2.dovecot.org/BasicConfiguration

Example: There is a user "bob" with a dovecot-password "1234bob". His user.id
is "1000" and group.id is "100". The "homedirectory" is "/home/bob".
This would yield the following line in file "/etc/dovecot/users":
bob:1234bob:1000:100::/home/bob

Note: "dovecot-password" indicates the password that bob wants to use to login
to the dovecot-server. This is not(!) the system login password! Don't make it same : )

Note: The user.id and group.id can be checked with
"YAST > Security and Users > User and Group Management" for each user.

Edit file "/etc/dovecot/conf.d/10-auth.conf". Then un-comment:
disable_plaintext_auth = no
auth_mechanisms = plain
!include auth-passwdfile.conf.ext

And then edit file "/etc/dovecot/conf.d/auth_passwdfile.conf.ext" to something like this:
passwd {
driver = passwd_file
args = scheme=plain username_format=%u /etc/dovecot/users
}
userdb {
driver = passwd_file
args = username_format=%u /etc/dovecot/users
}

Next edit file "/etc/dovecot/conf.d/10-master.conf" and enable the IMAP service
by uncommenting:
default_internal_user = dovecot
service imap_login {
inet_listener imap {
port = 143
}
inet_listener imaps {
port = 993
ssl = yes
}

Note: Check that opening and closing brackets match up in numbers!
The important part is to un-comment and thus enabling the directives.

At last edit "/etc/dovecot/dovecot.conf", uncomment lines:
protocols = imap
listen = 127.0.0.1
base_dir = /var/run/dovecot/
instance_name = dovecot
login_greeting = Dovecot ready

The last thing to do now is start the "dovecot" service:
"YAST > SYSTEM > System Services (Runlevel)". Select the "dovecot" service
and enable it.

Note: A firewall port needs not be opened because "dovecot" is only listening
on 127.0.0.1 -aka localhost.

The interface to send and receive omails is no available on the ip and port configured
for lighttpd. In this howto it would be: http://192.168.0.25

[end]


Q&A

How does it works?
Squirrelmail is the "user interface". It is easy to use and works
in a browsers. Just type "192.168.0.25" as a address into a browser (on the local LAN).
The sending part goes via squirrelmail > php5.sendmail > postfix > (tor-resolve) > tor
The receiving part goes via tor-hidden-service > postfix > dovecot > squirrelmail

How does postfix work with tor?
postfix sees as receiver address (example) "cindy@123.onion". It contacts the configured DNS
server. This is tor-resolver listening on port 5300.
The tor-resolver sees that a *onion is requested and *cheats* by answering with a ip.address
from the 10.192.0.0/10 range, example 10.192.0.1.
postfix now contacts the server 10.192.0.1 via the default gateway it has configured, that
is 192.168.0.2, which also happens to be the ip address of the tor running computer.
Because the tor-running computer has a firewall/nat rule that says that all request coming
to itself for 10.192.0.0/10 get redirected to 192.168.0.2:8081 it can now *intercept* the
*onion request and transparently route the data ... simple : )
If however postfix is receiving omails they will come from 192.168.0.2, that is through tor
and tor is running on 192.168.0.2.

Can people using the tor network access my squirrelmail login page?
Not with this how-to. Squirrelmail can only be accessed by computers that are on the 192.168.0.0/24
network (local-lan). Even if tor is also on the local-lan there is no hidden-service defined
for port 80, which is what lighttpd+squirrelmail is listening on.
A hidden-service might be added to torrc configuration file for port 80 however.
The only thing standing between you and people wanting to read your omail is then just
the login password because they would see the squirrelmail login page.
There is the possibility to have the squirrelmail login page avaialbe via a onion address that
is different from the @onion omail address domain however: )
A safer solution would be to setup a local VPN server. One would then tunnel/connect to this local
VPN server into the local-lan and then access the only locally accessible squirrelmail instead.

Can people abuse my postfix as a spamming relay?
Not with this how-to...i think.
This setup only allows local users (with a real account) on the postfix.system to use postfix
to SEND omail. The relevant entry in "main.cf" is "mynetworkstyle = host".

Why is DOVECOT using plain-text passwords?
I'm a n00b : )
DOVECOT is only listening on 127.0.0.1. If you don't share your computer with
other users this shouldn't be a problem. Please feel free to make it "more" secure.
"Quick-quick-make-it-easy-to-setup" is the motto here.

Can I make my postfix system even more secure?
One could disable ARP on the postfix.system and statically map the MAC address and
ip address of the tor running server in "/etc/ethers" (needs a entry on the tor running server also).
this way the postfix computer only knows about one other computer on the local-lan: the tor running server.
of course lighttpd+squirrelmail would only be accessible from a browser running on the postfix.system (unless
also statically mapped via "/etc/ethers")
It would need root to re-enable ARP broadcasts.
A word of warning: If configuring a system via ssh DO NOT mess with ARP. you might lock yourself out!

...
sorry for typos : ) happy omailing! and thx to all the nice people who bring you
free open-source GNU/Linux!

dopey1