Email service (📧) is another excellent example of a service that can be accessed safely over Tor Onion services. This is particularly useful in places where the people in power do not like their citizens using privacy-focused email providers. I know, you must be thinking about your own country, but no worries, we are all in the same place :)
In this post, I will explain how one can access their emails via IMAP, and send
them using SMTP, over onion services. I am taking Riseup as an
example because they provide this option to their users, and also because I
personally use their service. This document assumes that you already have the Tor
service running on your system.
Riseup Tor Onion service addresses
Riseup has a page listing
all the Onion service addresses they provide. You can also verify the
addresses against the signed file on the same page. For the rest of this post, we
will use the address 5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion for both the IMAP and
SMTP services. In the normal Internet, those
Getting the SSL certificate for the service for verification
Riseup uses Let's Encrypt for the SSL certificates. Let's Encrypt does not issue certificates for .onion names, so the certificate served on the onion address is the regular one Riseup uses for its clearnet hostnames (the same one you get from imap.riseup.net), and a client that connects to the .onion host cannot validate it by hostname. We therefore pin the certificate for the above-mentioned onion address, so that our mail clients can verify the server against the saved copy instead.
mkdir -p ~/.cert

torify openssl s_client -connect 5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion:993 -showcerts 2>&1 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | sed -ne '1,/-END CERTIFICATE-/p' > ~/.cert/riseuponion.pem

openssl x509 -in ~/.cert/riseuponion.pem -noout -sha256 -fingerprint
SHA256 Fingerprint=C6:BB:7B:04:97:54:05:65:76:81:4D:56:22:CE:50:6C:91:53:D3:3E:27:95:CC:C9:B8:B7:19:A5:E9:31:7D:15
The s_client command fetches the certificate chain from the given onion address
through Tor, keeps only the first (leaf) certificate, and stores it in the
~/.cert/riseuponion.pem file. The openssl x509 command prints
the SHA-256 fingerprint of that certificate. You can check that nothing on the Tor
path is tampering with the connection by running the same commands over the normal Internet (without torify) against
imap.riseup.net:993 and comparing the fingerprints; they should be identical.
By the way, remember that Let's Encrypt certificates are valid for 90 days, so these values will change at every renewal (at most every 3 months) and you will have to repeat the steps above. When mbsync or msmtp suddenly starts failing the TLS check, a renewal is the likely cause, but verify the new fingerprint against the clearnet host again rather than blindly re-pinning whatever the onion service presents.
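The following POSIX shell script is an added example (not code from the original post or from Riseup) that automates the pinning procedure above and the re-pinning needed after each renewal: it fetches the leaf certificate from the onion service through torsocks and from imap.riseup.net directly, refuses to pin if the two paths disagree, writes ~/.cert/riseuponion.pem, prints the SHA-256 fingerprint in the colon-separated form msmtp's tls_fingerprint option takes, and warns when the pin is within two weeks of expiry. It assumes torsocks is installed with Tor listening on 127.0.0.1:9050, and that openssl, awk and mktemp are available; the script name, function names and the STARTTLS variable are my own.

```shell
#!/bin/sh
# check_pin.sh: fetch, cross-check and (re)pin Riseup's onion certificate.
# Added example, not part of the original post. Assumptions: torsocks is
# installed and Tor listens on 127.0.0.1:9050; openssl, awk and mktemp exist.
set -eu

ONION_HOST=5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion
CLEARNET_HOST=imap.riseup.net
PIN_FILE="${HOME}/.cert/riseuponion.pem"

# Keep only the first PEM block from "openssl s_client -showcerts" output on
# stdin. Servers send the chain leaf-first, so this is the certificate to pin.
first_cert() {
    awk '/-BEGIN CERTIFICATE-/ { p = 1 } p { print } /-END CERTIFICATE-/ { if (p) exit }'
}

# fetch_leaf HOST PORT WRAPPER: print the leaf certificate served at HOST:PORT.
# WRAPPER is "torsocks" to go through Tor or "" for a direct connection. For a
# STARTTLS port such as 587, export STARTTLS=smtp before calling (hypothetical
# variable of this script, not an openssl option).
fetch_leaf() {
    host=$1 port=$2 via=$3
    $via openssl s_client -connect "$host:$port" -showcerts \
        ${STARTTLS:+-starttls "$STARTTLS"} </dev/null 2>/dev/null | first_cert
}

# fingerprint FILE: SHA-256 fingerprint as colon-separated upper-case hex,
# the exact form msmtp's tls_fingerprint option expects.
fingerprint() {
    openssl x509 -in "$1" -noout -sha256 -fingerprint | sed 's/^.*=//'
}

# same_fingerprint A B: compare two fingerprints ignoring case and colons;
# an empty fingerprint never matches anything.
same_fingerprint() {
    a=$(printf '%s' "$1" | tr -d ':' | tr 'abcdef' 'ABCDEF')
    b=$(printf '%s' "$2" | tr -d ':' | tr 'abcdef' 'ABCDEF')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# valid_for_days FILE DAYS: succeed if the certificate in FILE is still valid
# DAYS days from now (openssl -checkend counts seconds).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

main() {
    onion=$(mktemp); clear=$(mktemp)
    trap 'rm -f "$onion" "$clear"' EXIT
    # Two independent network paths: Tor to the onion service, direct to the
    # clearnet host. A MITM on one path shows up as a fingerprint mismatch.
    fetch_leaf "$ONION_HOST" 993 torsocks > "$onion"
    fetch_leaf "$CLEARNET_HOST" 993 "" > "$clear"
    [ -s "$onion" ] && [ -s "$clear" ] || {
        echo "could not fetch both certificates" >&2; return 2; }
    onion_fp=$(fingerprint "$onion"); clear_fp=$(fingerprint "$clear")
    if ! same_fingerprint "$onion_fp" "$clear_fp"; then
        echo "MISMATCH: onion presents $onion_fp, $CLEARNET_HOST presents $clear_fp; not pinning" >&2
        return 1
    fi
    if [ -f "$PIN_FILE" ] && ! same_fingerprint "$(fingerprint "$PIN_FILE")" "$onion_fp"; then
        echo "pinned certificate has rotated; replacing $PIN_FILE (update tls_fingerprint in msmtp too)"
    fi
    mkdir -p "$(dirname "$PIN_FILE")" && cp "$onion" "$PIN_FILE"
    echo "pinned $onion_fp"
    valid_for_days "$PIN_FILE" 14 ||
        echo "warning: pinned certificate expires within 14 days" >&2
}

# Only connect anywhere when explicitly asked: sh check_pin.sh run
case "${1:-}" in run) main ;; esac
```

Running `sh check_pin.sh run` before a sync makes a silent re-pin impossible: the script only overwrites the pin when Tor and the clearnet host agree, and it tells you when the msmtp fingerprint needs updating. The explicit `run` argument keeps the functions sourceable from other scripts without triggering any network access.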
Setting up mbsync for IMAP access to the emails
I prefer to use the
mbsync command from the isync package. The following is the
configuration for the same.
IMAPAccount riseup
# Address to connect to
Host 5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion
Port 993
User <my full email address without angle brackets>
PassCmd "/usr/bin/pass riseup"
# Use SSL
AuthMechs PLAIN
SSLType IMAPS
# TLSv1 and TLSv1.1 are deprecated; do not list them here
SSLVersions TLSv1.2
CertificateFile /home/kdas/.cert/riseuponion.pem

IMAPStore riseup-remote
Account riseup

MaildirStore riseup-local
# The trailing "/" is important
Path ~/.imap-mail/riseup/
Inbox ~/.imap-mail/riseup/Inbox

Channel riseup
Master :riseup-remote:
Slave :riseup-local:
# Exclude certain things
# Or include everything
Patterns *
# Automatically create missing mailboxes, both locally and on the server
Create Both
# Save the synchronization state files in the relevant directory
SyncState *
Notice that the CertificateFile key points to the certificate we downloaded previously. mbsync always trusts a server certificate that directly matches one listed in CertificateFile, regardless of the hostname it was issued for, which is what lets the .onion Host work with a certificate issued for Riseup's clearnet name.
Now I can sync the emails by running
torify along with the regular mbsync command:

torify mbsync -a riseup
Setting up msmtp to send emails
The following is my msmtp configuration:
# riseup
account riseup
host 5gdvpfoh6kb2iqbizb37lzk2ddzrwa47m6rpdueg2m656fovmbhoptqd.onion
port 587
auth on
proxy_host 127.0.0.1
proxy_port 9050
tls on
tls_fingerprint C6:BB:7B:04:97:54:05:65:76:81:4D:56:22:CE:50:6C:91:53:D3:3E:27:95:CC:C9:B8:B7:19:A5:E9:31:7D:15
user <my full email address without angle brackets>
passwordeval "/usr/bin/pass riseup"
maildomain riseup.net
from <my full email address without angle brackets>
One thing to notice is that
msmtp allows us to put the Tor SOCKS proxy details directly in the
configuration file (proxy_host and proxy_port), so no torify wrapper is needed for sending;
the tls_fingerprint line pins the same certificate we fetched above, and it has to be
updated whenever that certificate is renewed. And then in my mail client's
configuration, I set
set sendmail="/usr/bin/msmtp -a riseup"