Email service (📧) is another excellent example of something that can be accessed safely
over Tor Onion services. This is particularly useful in places where the people in
power do not like their citizens accessing privacy-focused email providers. I
know, you must be thinking about your own country, but no worries, we are all
in the same place :)
In this post, I will explain how one can access their emails via IMAP, and send
them using SMTP, over Onion services. I am taking Riseup as an
example because they provide this option to their users, and also because I
personally use their service. This document assumes that you already have the
Tor service running on your system.
Riseup Tor Onion services address
Riseup has a page listing
all the Onion service addresses they provide. You can also verify the
addresses against the signed file on the same page. For the rest of this post, we
will use the address 5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion for both the
IMAP and SMTP services. In the normal Internet, those
Getting the service's SSL certificate for verification
Riseup uses Let's Encrypt for its SSL certificates. We have to pin the certificate served at the above-mentioned onion address so that our mail tools can verify the connection against it.
mkdir -p ~/.cert
torify openssl s_client -connect 5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion:993 -showcerts 2>&1 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sed -ne '1,/-END CERTIFICATE-/p' > ~/.cert/riseuponion.pem
openssl x509 -in ~/.cert/riseuponion.pem -noout -sha256 -fingerprint
The first command fetches the SSL certificate from the given onion address over
Tor (keeping only the first, i.e. the server's own, certificate from the chain)
and stores it in the ~/.cert/riseuponion.pem file. The second command prints
its SHA-256 fingerprint. You can verify these values by running the same
commands against imap.riseup.net:993 on the normal Internet and comparing the
fingerprints.
By the way, remember that these values will change every 3 months (like any
other Let's Encrypt certificate), so the pinned file has to be refreshed then.
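Because the pinned certificate rotates, the comparison described above is worth repeating whenever mail sync starts failing. The following script is an added example and not part of the original post: it fetches the leaf certificate from the onion address under torify and from imap.riseup.net directly, compares the two SHA-256 fingerprints, and warns when the pinned ~/.cert/riseuponion.pem no longer matches the live certificate or is within 14 days of expiry. It assumes a running local Tor daemon (for torify) and the openssl command-line tool; the 14-day threshold is an arbitrary choice.

```shell
#!/bin/sh
# Added example, not from the original post: fetch the leaf certificate the
# Riseup onion service presents over Tor and the one imap.riseup.net presents
# on the normal Internet, compare their SHA-256 fingerprints, and warn when the
# pinned copy from the post (~/.cert/riseuponion.pem) is stale or about to
# expire. Assumes a running Tor daemon (for torify) and the openssl CLI; the
# 14-day expiry warning threshold is an arbitrary choice.
set -eu

ONION=5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion
CLEARNET=imap.riseup.net
PORT=993
PIN_FILE="${HOME}/.cert/riseuponion.pem"

# Keep only the first (leaf) certificate of the PEM text read from stdin;
# "openssl s_client -showcerts" prints the intermediates after it.
extract_first_cert() {
    sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
        sed -ne '1,/-END CERTIFICATE-/p'
}

# Print the leaf certificate of HOST:PORT. The optional third argument is a
# command prefix such as "torify" that routes the connection through Tor.
fetch_leaf_cert() {
    host=$1; port=$2; wrapper=${3:-}
    $wrapper openssl s_client -connect "$host:$port" -showcerts 2>&1 </dev/null |
        extract_first_cert
}

# SHA-256 fingerprint of a PEM file in openssl's AB:CD:... form.
fingerprint_of_pem() {
    openssl x509 -in "$1" -noout -sha256 -fingerprint | cut -d= -f2
}

# Compare two fingerprints, ignoring case and surrounding whitespace; an
# empty fingerprint (e.g. from a failed fetch) never matches anything.
pins_match() {
    a=$(printf '%s' "$1" | tr 'a-f' 'A-F' | tr -d ' \t\n')
    b=$(printf '%s' "$2" | tr 'a-f' 'A-F' | tr -d ' \t\n')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed if the certificate in FILE is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null
}

verify() {
    tmp=$(mktemp -d)
    fetch_leaf_cert "$ONION" "$PORT" torify > "$tmp/onion.pem"
    fetch_leaf_cert "$CLEARNET" "$PORT" > "$tmp/clearnet.pem"
    onion_fp=$(fingerprint_of_pem "$tmp/onion.pem")
    clear_fp=$(fingerprint_of_pem "$tmp/clearnet.pem")
    if pins_match "$onion_fp" "$clear_fp"; then
        echo "OK: onion and clearnet present the same certificate: $onion_fp"
    else
        echo "MISMATCH: onion=$onion_fp clearnet=$clear_fp" >&2
        rm -rf "$tmp"
        return 1
    fi
    if [ -f "$PIN_FILE" ]; then
        if ! pins_match "$(fingerprint_of_pem "$PIN_FILE")" "$onion_fp"; then
            echo "WARNING: $PIN_FILE differs from the live certificate; refresh it" >&2
        elif ! valid_for_days "$PIN_FILE" 14; then
            echo "WARNING: $PIN_FILE expires within 14 days; refresh it soon" >&2
        fi
    fi
    rm -rf "$tmp"
}

# Usage: sh verify-riseup-pin.sh verify
case "${1:-}" in
    verify) verify ;;
esac
```

The two sed invocations in extract_first_cert are the same ones as in the post's one-liner; they matter because -showcerts also prints the intermediate certificates, and pinning the wrong block would make the fingerprint comparison meaningless. A mismatch between the onion and clearnet routes is the signal that something other than a routine renewal is going on, and the sensible response is to leave mail sync off until it is understood.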
Setting up mbsync for IMAP access of the emails
I prefer to use the
mbsync command from the isync package. The following is the
configuration for the same.
# Address to connect to
User <my full email address without angle brackets>
PassCmd "/usr/bin/pass riseup"
# Use SSL
SSLVersions TLSv1 TLSv1.1 TLSv1.2
# The trailing "/" is important
# Exclude certain things
# Or include everything
# Automatically create missing mailboxes, both locally and on the server
# Save the synchronization state files in the relevant directory
You can notice that I am using the CertificateFile key to point to the
certificate we downloaded previously.
Now, I can sync the emails by running the regular mbsync command under
torify:
torify mbsync -a riseup
Setting up msmtp to send emails
The following is my msmtp configuration:
user <my full email address without angle brackets>
passwordeval "/usr/bin/pass riseup"
from <my full email address without angle brackets>
One thing to notice is that
msmtp allows us to directly mention the
Tor SOCKS proxy details in the configuration file. And then in my mail
client's configuration (the line below is mutt syntax), I mentioned:
set sendmail="/usr/bin/msmtp -a riseup"
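Both configuration listings above have lost most of their keys in this copy of the post. As an added example, not the author's actual files, the following script writes a complete ~/.mbsyncrc and ~/.msmtprc that match the setup described in the mbsync and msmtp sections: the onion address on port 993 for IMAP, the pinned certificate file, pass(1) for the password, and the Tor SOCKS proxy for msmtp. The Maildir path ~/Mail/riseup/, SMTP port 465 with implicit TLS, the proxy at 127.0.0.1:9050 and the isync 1.3 key names (Master/Slave, SSLVersions) are assumptions, not taken from the post; the fingerprint passed as the third argument is the one printed by the openssl x509 command earlier.

```shell
#!/bin/sh
# Added example, not the post's own configuration: write a complete
# ~/.mbsyncrc and ~/.msmtprc for the Riseup onion setup described above and
# make them readable only by their owner. Assumed (not stated in the post):
# the Maildir path ~/Mail/riseup/, SMTP on port 465 with implicit TLS, Tor's
# SOCKS proxy on 127.0.0.1:9050, and isync 1.3 key names (Master/Slave,
# SSLVersions).
set -eu

ONION=5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion

# write_configs DIR EMAIL FINGERPRINT
#   DIR          directory that receives .mbsyncrc and .msmtprc (normally $HOME)
#   EMAIL        full Riseup address, without angle brackets
#   FINGERPRINT  SHA-256 fingerprint as printed by "openssl x509 -fingerprint -sha256"
write_configs() {
    dir=$1; email=$2; fp=$3

    cat > "$dir/.mbsyncrc" <<EOF
IMAPAccount riseup
# Address to connect to
Host $ONION
Port 993
User $email
PassCmd "/usr/bin/pass riseup"
# Use SSL (the post also allowed TLSv1 and TLSv1.1; TLSv1.2 alone is enough)
SSLType IMAPS
SSLVersions TLSv1.2
# Trust only the certificate pinned earlier
CertificateFile ~/.cert/riseuponion.pem

IMAPStore riseup-remote
Account riseup

MaildirStore riseup-local
# The trailing "/" is important
Path ~/Mail/riseup/
Inbox ~/Mail/riseup/INBOX

Channel riseup
Master :riseup-remote:
Slave :riseup-local:
# Include everything (e.g. "Patterns * !Spam" would exclude one folder)
Patterns *
# Automatically create missing mailboxes, both locally and on the server
Create Both
# Save the synchronization state files in the relevant directory
SyncState *
EOF

    cat > "$dir/.msmtprc" <<EOF
defaults
auth on
tls on
logfile ~/.msmtp.log

account riseup
host $ONION
# Port 465 with implicit TLS is an assumption; use 587 with "tls_starttls on"
# if that is what the service offers
port 465
tls_starttls off
# Pin the server certificate by SHA-256 fingerprint rather than by CA chain:
# the Let's Encrypt certificate is not issued for the .onion name, so a
# hostname check against a trust file would fail
tls_fingerprint $fp
# Route the connection through the local Tor SOCKS proxy
proxy_host 127.0.0.1
proxy_port 9050
user $email
passwordeval "/usr/bin/pass riseup"
from $email

account default : riseup
EOF

    # Both files name the secret store entry; keep them private to the owner.
    chmod 600 "$dir/.mbsyncrc" "$dir/.msmtprc"
}

# Permission string of a file as "ls -l" shows it, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage: sh riseup-configs.sh install you@riseup.net 'AB:CD:...'
case "${1:-}" in
    install) write_configs "$HOME" "$2" "$3" ;;
esac
```

Two design choices differ from the fragments in the post. mbsync is given only TLSv1.2 rather than TLSv1 through TLSv1.2, since a pinned certificate does nothing against a downgrade to a weak protocol version. msmtp pins by tls_fingerprint instead of pointing a trust file at the leaf certificate, because the certificate is issued for riseup.net names and not for the .onion address, so fingerprint pinning is the check that actually ties the connection to the certificate fetched earlier; the fingerprint, like the mbsync CertificateFile, has to be refreshed at every Let's Encrypt renewal.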