Email service (📧) is another excellent example that can be accessed safely
over Tor Onion services. This is in particular useful in places where people in
power do not like their citizens accessing privacy-focused email providers. I
know, you must be thinking about your own country, but no worries, we all are
in the same place :)
In this post, I will explain how one can access their emails via IMAP, and send
using SMTP over onion services. I am taking Riseup as an
example because they provide this option to the users, and also because I
personally use their service. This document assumes that you already have tor
service running on your system.
Riseup Tor Onion services address
Riseup has a page listing
all the Onion service addresses they provide. You can also verify the signed
address from the signed file in the same page. For the rest of this post, we
will use 5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion as
the address for both IMAP and SMTP services. In the normal Internet, those
are imap.riseup.net and smtp.riseup.net.
Getting the SSL certificate for the service for verification
Riseup uses Let's Encrypt for the SSL certificates. We have to pin them for the above-mentioned onion address so that we can use them in our system.
mkdir -p ~/.cert
torify openssl s_client -connect 5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion:993 -showcerts 2>&1 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sed -ne '1,/-END CERTIFICATE-/p' > ~/.cert/riseuponion.pem
openssl x509 -in .cert/riseuponion.pem -noout -sha256 -fingerprint
SHA256 Fingerprint=C6:BB:7B:04:97:54:05:65:76:81:4D:56:22:CE:50:6C:91:53:D3:3E:27:95:CC:C9:B8:B7:19:A5:E9:31:7D:15
The first command fetches the SSL certification from the given onion addresses,
and stores it in the ~/.cert/riseuponion.pem file. The second command gives
us the fingerprint for the same. You can verify these values by running the
command against imap.riseup.net:993 and comparing the values.
By the way, remember that these values will change every 3 months (like any
other Let's Encrypt certificate).
Setting up mbsync for IMAP access of the emails
I prefer to use the mbsync command from the imap package. The following the
configuration for the same.
IMAPAccount riseup
# Address to connect to
Host 5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion
Port 993
User <my full email address without angle brakets>
PassCmd "/usr/bin/pass riseup"
# Use SSL
AuthMechs PLAIN
SSLType IMAPS
SSLVersions TLSv1 TLSv1.1 TLSv1.2
CertificateFile /home/kdas/.cert/riseuponion.pem
IMAPStore riseup-remote
Account riseup
MaildirStore riseup-local
# The trailing "/" is important
Path ~/.imap-mail/riseup/
Inbox ~/.imap-mail/riseup/Inbox
Channel riseup
Master :riseup-remote:
Slave :riseup-local:
# Exclude certain things
# Or include everything
Patterns *
# Automatically create missing mailboxes, both locally and on the server
Create Both
# Save the synchronization state files in the relevant directory
SyncState *
You can notice that I am using the CertificateFile key to point to the
certificate we downloaded previously.
Now, I can sync the emails using the torify along with the regular mbsync
command.
torify mbsync -a riseup
Setting up msmtp to send emails
The following is my msmtp configuration
# riseup
account riseup
host 5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion
port 587
auth on
proxy_host 127.0.0.1
proxy_port 9050
tls on
tls_fingerprint C6:BB:7B:04:97:54:05:65:76:81:4D:56:22:CE:50:6C:91:53:D3:3E:27:95:CC:C9:B8:B7:19:A5:E9:31:7D:15
user <my full email address without angle brakets>
passwordeval "/usr/bin/pass riseup"
maildomain riseup.net
from <my full email address without angle brakets>
One thing to notice that msmtp actually allows us to directly mention the
tor socks proxy details in the configuration file. And then in my mutt
configuration, I mentioned
set sendmail="/usr/bin/msmtp -a riseup"
