
Mail(pile) TORified

Jagveer Loky edited this page Oct 18, 2018 · 2 revisions

Installing Packages

Install the current versions of the packages DNSMASQ, IPTables-Persistent and TOR on your Linux distribution.

Configuring

TOR

/etc/tor/torrc

# Configure TOR Hidden-Service for mail
# See https://www.torproject.org/docs/tor-hidden-service.html.en
HiddenServiceDir /var/lib/tor/mail/

# SMTPD
HiddenServicePort 25 127.0.0.1:25
HiddenServicePort 25 [::1]:25

# Webmail
HiddenServicePort 80 127.0.0.1:80
HiddenServicePort 80 [::1]:80

# Configure transparent proxying
# See https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
VirtualAddrNetworkIPv4 10.192.0.0/10
VirtualAddrNetworkIPv6 [FC00::0]/7
TransPort 127.0.0.1:9040
TransPort [::1]:9040
DNSPort 127.0.0.1:54
DNSPort [::1]:54
AutomapHostsSuffixes .
AutomapHostsOnResolve 1

IPTables transparent proxying via TOR

# See https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
iptables -t filter -A INPUT -p tcp --dport 9040 -j ACCEPT
ip6tables -t filter -A INPUT -p tcp --dport 9040 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040
ip6tables -t nat -A PREROUTING -p tcp -d fc00::/7 -j REDIRECT --to-port 9040
iptables -t nat -A OUTPUT -p tcp -d 10.192.0.0/10 -j REDIRECT --to-port 9040
ip6tables -t nat -A OUTPUT -p tcp -d fc00::/7 -j REDIRECT --to-port 9040
iptables-save > /etc/iptables/rules.v4
ip6tables-save > /etc/iptables/rules.v6

DNSMASQ

# See http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html

/etc/dnsmasq.d/tor

# Map TOR specific Top-Level-Domains to TOR DNS resolver
server=/exit/127.0.0.1#54
server=/onion/127.0.0.1#54

/etc/dnsmasq.d/dnssec

# Enable DNSSEC validation
dnssec
trust-anchor=.,20326,8,2,E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D
dnssec-check-unsigned

Mail-Transport-Agent

Mailpile

Configure Mailpile to listen on 127.0.0.1:25 and [::1]:25 with the hostname from /var/lib/tor/mail/hostname. Disable TLS (Transport-Layer-Security) on those ports. Mailpile MUST use DNSMASQ for DNS-queries. Mailpile MUST ignore every MX-record whose data field is not a .onion hostname, so that outgoing mail is only ever transported via TOR.

Primary DNS-Server of mail-domain

Configure the Hidden-Service hostname from /var/lib/tor/mail/hostname as Primary MX-record of the mail-domain.

@ 3600 IN MX 10 <hidden-service>.onion.
@ 3600 IN MX 20 <hidden-service>
<hidden-service> 3600 IN AAAA <IPv6-address of clearnet2TOR gateway>
<hidden-service> 3600 IN A <IPv4-address of clearnet2TOR gateway>
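The MX rule above (only .onion hosts may be used as next hop, everything else is ignored) as an added example in Python; this is not Mailpile's own code, and the zone lines and onion name are constructed placeholders:

```python
import re
from typing import List, Tuple

# Constructed sample zone, modelled on the MX layout of the mail-domain above.
# The .onion label is a placeholder, not a real hidden service.
SAMPLE_ZONE = """\
@ 3600 IN MX 10 abcdefghijklmnop.onion.
@ 3600 IN MX 20 mail.example.com.
@ 3600 IN MX 5  MAIL.EXAMPLE.COM.
"""

# Onion address labels are base32 (a-z, 2-7): 16 chars for v2, 56 chars for v3.
_ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")


def parse_mx(zone_text: str) -> List[Tuple[int, str]]:
    """Return (preference, host) pairs from zone-file style MX lines."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[2].upper() == "IN" and fields[3].upper() == "MX":
            # Normalise: strip the trailing root dot, compare case-insensitively.
            records.append((int(fields[4]), fields[5].rstrip(".").lower()))
    return records


def is_onion_host(host: str) -> bool:
    """True if host is a syntactically valid .onion name (v2 or v3 label)."""
    labels = host.rstrip(".").lower().split(".")
    return len(labels) >= 2 and labels[-1] == "onion" and bool(_ONION_LABEL.match(labels[-2]))


def select_onion_mx(records: List[Tuple[int, str]]) -> List[str]:
    """Keep only .onion MX hosts, ordered by preference. Clearnet MX hosts are
    dropped entirely so delivery can never fall back to a route outside TOR."""
    onion = [(pref, host) for pref, host in records if is_onion_host(host)]
    return [host for _, host in sorted(onion)]


def next_hop(zone_text: str) -> str:
    """Pick the preferred .onion MX; refuse delivery if the domain offers none."""
    hosts = select_onion_mx(parse_mx(zone_text))
    if not hosts:
        raise ValueError("no .onion MX record; refusing clearnet delivery")
    return hosts[0]
```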

Safety

  • Protect the mail-domain zone with DNSSEC to prevent manipulation of DNS-records.
  • Backup the TOR Hidden-Service private key from /var/lib/tor/mail/private_key.
  • If the private key is lost, the Hidden-Service hostname is lost!
  • If the private key is compromised, someone else can set up a TOR Hidden-Service with your hostname!
  • DNSMASQ leaks DNS-queries!