September 19, 2020

OpenBSD: riseup + mutt + tor

I have changed my research position quite a few times over the last two decades of my life. One thing that has annoyed me is the change of e-mail address. This, combined with the fact that (1) I want to use mutt and (2) I want my e-mails to be read by me and only by me, the same way that I like paper letters addressed to me to be read only by me, has kept me looking for options. The usual answer I get from friends is “use gmail” and, when I mention privacy, they reply that they do not have anything to hide. Well… what *if* you needed it? Such a tool would have been a game changer during certain (nasty) periods of time in the history of mankind. In any case, the most radical thing you would find in an e-mail of mine would be a mathematical equation (and that one would stand a chance of being wrong!).

An alternative is protonmail, but then, you cannot download your e-mails to your laptop unless you pay for it, and using tor seemingly requires a verification via SMS “to avoid spam” (?).

In any case, while there are a few options in the deepweb, I do not feel at ease with them because my guess is that they are receiving their funding via dubious sponsors. There is however a very interesting alternative, which is riseup. That, combined with tor, should allow you to have a permanent e-mail address which you can trust to be private… At least within reason, see the “canary issue”. As explained in Wikipedia, “the canary has since been updated, but no longer states the absence of gag orders”. This was, as explained by riseup, “due to two sealed warrants from the FBI concerning a public contact of an international distributed denial-of-service attack extortion ring and an account using ransomware to extort people financially” (from the Wikipedia entry). This has been criticised. But, on the other hand, it is their policy, and ransom is extortion.

A conclusion is that, unless you want to extort people (and I do not), riseup with tor and OpenBSD as your OS with an encrypted /home might at least convey the impression that things are more than ok-ish; in any case, better than they would be over gmail.

Install required packages

As usual, # stands for the root prompt and $ for the user one.

# pkg_add tor dsocks obfs4proxy py-dpkt

Configure muttrc for internet connection

# General
set realname = "Your Name"
set from = "xxx@riseup.net"
set use_from = yes

# IMAP
set imap_user = xxx@riseup.net
set imap_pass = 'yyy'
set folder = imaps://xxx@mail.riseup.net/
set imap_check_subscribed
set imap_keepalive = 300 # poll intermittently to keep alive (in seconds)
set spoolfile = +INBOX

# SMTP
set smtp_url = smtps://$imap_user@mail.riseup.net/
set smtp_pass = $imap_pass

# Connection
set ssl_starttls = yes
set ssl_force_tls = yes

This configuration will allow you to read and send e-mails with mutt via your riseup account.

Configure muttrc for onion connection

# General
set realname = "Your Name"
set from = "xxx@riseup.net"
set use_from = yes

# IMAP
set imap_user = xxx@riseup.net
set imap_pass = 'yyy'
set folder = imap://xxx@5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion/
set imap_check_subscribed
set imap_keepalive = 300 # poll intermittently to keep alive (in seconds)
set spoolfile = +INBOX

# SMTP
set smtp_url = smtp://$imap_user@5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion:587/
set smtp_pass = $imap_pass

# Connection
set ssl_starttls = yes
set ssl_force_tls = yes
set ssl_verify_host = no

Note that, by the reasoning below, the first two lines of the Connection block (ssl_starttls and ssl_force_tls) should have been set to “no”, however. Why?

If you try to make a TLS encrypted connection over an onion connection, part of verifying that the certificate is the correct one is that the cert name is checked against the host you are connecting to. Since you are connecting to “something”.onion, and the certificate is only for *.riseup.net, there is a mismatch, and verification fails. When you connect over an onion address, the connection is already encrypted and verified by the onion transport. This means that, in order to avoid this verification problem, you should connect to the unencrypted port instead of the TLS encrypted one. For mail, which port that is depends on whether you are using IMAP or POP. For IMAP, as in this setup, you would use port 143; for POP, 110. The bottom line is that although the port is unencrypted, you do not need to be concerned, because the onion transport is encrypted.

But there’s a problem:

riseup does not offer a way to authenticate on the non-TLS SMTP connection. You have to authenticate to send mail, but authentication is not allowed on the unencrypted connection. This means that connecting via IMAP on the plain port will not complain, for the reason explained above… but you will not be able to send e-mail via SMTP.

The fix, which is ugly, as all fixes are, is to tell mutt not to verify the host name in the certificate. This way we avoid the IMAP mismatch problem and we are able to send e-mails via SMTP.

Note that this does not pose a security risk, since we’re connecting via onion, which is anyway encrypted.

This means that this work-around should be ok: as long as you are using the tor hidden service, not checking the certificate is fine. If you use tor without the hidden service, then you definitely need to check the certificate and must not use this; but as long as you have the onion address configured there, you should be good.

Start and enable tor

# rcctl enable tor
# rcctl start tor

Launch mutt for deepweb with dsocks

dsocks-torify.sh mutt -F muttrc 2>/dev/null

Use two different muttrc files for the internet and onion connections

It is important that you keep the two configurations in different files, so that you make no mistake when launching mutt.
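The two points above (disabling certificate host verification is only acceptable when every server in the file is an onion address, and the two muttrc files must never be mixed up) can be checked mechanically before mutt starts. The following POSIX shell script is an added example written for this post, not code from the original; it reads the folder and smtp_url hosts out of a muttrc and rejects the file if ssl_verify_host is "no" while any of those hosts is not a .onion address. It assumes only the setting names shown in the configurations above; the sample files it writes in demo mode use a constructed placeholder onion address, not riseup's.

```shell
#!/bin/sh
# Added example, not part of the original post: lint a muttrc before mutt is
# launched. Rule enforced: "set ssl_verify_host = no" is acceptable only when
# every server in the file is a Tor hidden service (.onion), because the onion
# address itself authenticates the endpoint. With a clearnet riseup.net host
# the certificate host check must stay on.

# Host part of a mutt URL: imaps://user@mail.riseup.net/  -> mail.riseup.net
# or smtp://$imap_user@xxx.onion:587/ -> xxx.onion (user@ and :port stripped).
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[a-z]*://||' -e 's|/.*$||' \
                             -e 's|^.*@||' -e 's|:[0-9]*$||'
}

# Value of "set NAME = VALUE" in a muttrc (quotes and trailing comment
# removed); prints nothing when the variable is not set in that file.
muttrc_get() {
    sed -n "s/^[[:space:]]*set[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
      | sed -e 's/[[:space:]]*#.*$//' -e "s/^['\"]//" -e "s/['\"]\$//" | head -n 1
}

# 0 if the host is a Tor hidden service, 1 otherwise.
is_onion() {
    case "$1" in
        *.onion) return 0 ;;
        *)       return 1 ;;
    esac
}

# Returns 0 when the file is consistent, 1 when ssl_verify_host is disabled
# while folder or smtp_url points at a host that is not an onion service.
check_muttrc() {
    rc=$1
    verify=$(muttrc_get "$rc" ssl_verify_host)
    status=0
    for url in "$(muttrc_get "$rc" folder)" "$(muttrc_get "$rc" smtp_url)"; do
        [ -n "$url" ] || continue
        host=$(url_host "$url")
        if [ "$verify" = "no" ] && ! is_onion "$host"; then
            echo "$rc: ssl_verify_host=no but $host is not a .onion address" >&2
            status=1
        fi
    done
    return $status
}

# Demo on two constructed files (placeholder onion address, not riseup's)
# when run without arguments; otherwise check the muttrc files given.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/onion.muttrc" <<'EOF'
set folder = imap://xxx@exampleonionaddressplaceholder.onion/
set smtp_url = smtp://$imap_user@exampleonionaddressplaceholder.onion:587/
set ssl_verify_host = no
EOF
    cat > "$dir/wrong.muttrc" <<'EOF'
set folder = imaps://xxx@mail.riseup.net/
set smtp_url = smtps://$imap_user@mail.riseup.net/
set ssl_verify_host = no   # mistake: clearnet host with verification off
EOF
    for f in "$dir/onion.muttrc" "$dir/wrong.muttrc"; do
        if check_muttrc "$f"; then echo "OK:   $f"; else echo "FAIL: $f"; fi
    done
    rm -rf "$dir"
}

if [ $# -eq 0 ]; then
    demo
else
    for f in "$@"; do check_muttrc "$f" && echo "OK: $f"; done
fi
```

Running it as `sh check_muttrc.sh riseuponion.muttrc riseup.muttrc` from the launcher scripts below, before mutt is started, means a copy-and-paste of `set ssl_verify_host = no` into the internet configuration is caught instead of silently weakening the clearnet TLS connection.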

Launching mutt + onion from cwm

Since I am using cwm, I have mapped win+o to launch mutt reading the onion muttrc configuration file. This is the cwmrc line:

# Launch mutt with riseup account via tor and onion, win-o
bind-key 4-o $HOME/bin/Xtm_MuttRiseupOnion.sh

and this is the shell script:

#!/bin/sh

# ******************** Define mutt ******************* #

MyMutt='/usr/local/bin/mutt'

# ******************** Define muttrc ******************* #

MuttRC=$HOME/path/to/riseuponion.muttrc

# ******************** Needed for utf-8 encoding ******************* #

export LC_CTYPE=ca_ES.UTF-8

# ******************** Launch it ******************* #

xterm -fa "Ubuntu Mono" +sb -fs 16 \
      -cc 46:48,47:48,63:48,37:48,38:48,35:48,58:48,45:48,126:48,43:48,61:48,64:48,36:48 \
      -bg "#2f3238" -fg white -class "mutt riseup onion" \
      -e "doas rcctl stop tor && doas rcctl start tor && dsocks-torify.sh $MyMutt -F $MuttRC 2>/dev/null"
# Note that the doas calls above require
# the following line in "/etc/doas.conf":
# permit nopass :pau cmd rcctl

Launching mutt + internet from cwm

This is the cwmrc line:

# Launch mutt with riseup account via internet, win-r
bind-key 4-r $HOME/bin/Xtm_MuttRiseup.sh

and this is the shell script:

#!/bin/sh

# ******************** Define mutt ******************* #

MyMutt='/usr/local/bin/mutt'

# ******************** Define muttrc ******************* #

MuttRC=$HOME/path/to/riseup.muttrc

# ******************** Needed for utf-8 encoding ******************* #

export LC_CTYPE=ca_ES.UTF-8

# ******************** Launch it ******************* #

xterm -fa "Ubuntu Mono" +sb -fs 16 \
      -cc 46:48,47:48,63:48,37:48,38:48,35:48,58:48,45:48,126:48,43:48,61:48,64:48,36:48 \
      -bg "#2f3238" -fg white -class "mutt riseup onion" \
      -e "$MyMutt -F $MuttRC"

Last note: China

Unfortunately riseup seems to be blocked in China in some way. This means that your correspondents there will get your e-mail, but their reply to you will not make its way through the Chinese firewall. This is unfortunate, because I have a lot of good friends and collaborators there. There is a fix for this.

In your muttrc add these lines:

send-hook . 'my_hdr Reply-To: Pau Amaro Seoane <usual@mail.com>'
send-hook "~t @*\.cn" 'my_hdr Reply-To: Pau Amaro Seoane <alternative-china@kkk.xyz>'

When doing so, you will set the Reply-To address to another e-mail address of yours which does not have problems with the firewall. The nice thing is that the Reply-To: Pau Amaro Seoane <alternative-china@kkk.xyz> header will only appear if the recipient address has a .cn domain. Of course, this second address is set up in such a way that it forwards all of the e-mails to the riseup account.