IMAP access over TOR

It seems like nobody has figured it out yet: how to use your email client (like Thunderbird) over TOR to access a “private” email provider. Almost all “private” email providers like Proton Mail only allow you to read your mail via a web service, either via the clearweb or via a TOR hidden service. But you might like to access your mail account via your own email client like Thunderbird, to get a notification when you have new mail, to keep the mail on your own system and to access it offline. Yes, it is possible to do this completely safely and privately, but it looks like until now nobody has figured out how to do it. Well here it is (don't skip the donate button!).

I tested this with Thunderbird, but it will most likely work with any email client. No plugins are necessary.

What we are doing is setting up a few SSH-tunnels via TOR into the email-server. The SSH-tunnel will provide a few alternate ports and all you have to do in your email client is to change the port numbers. In this example we just added 8000 to the standard ports.

Prerequisites

On the server

First we create a new user “mailtunnel” without a home directory, without logging, and without shell access: useradd mailtunnel -s /bin/false -l -M

Even though we didn't set a password, we still need to delete the password provision from the user (if you don't understand this exactly, don't care about it, I don't understand it either and don't care about it as long as it stops the unnecessary password prompt): passwd -d mailtunnel

Now we need to change /etc/ssh/sshd_config to allow (but restrict) this passwordless user. Append the following to /etc/ssh/sshd_config: nano /etc/ssh/sshd_config

Match User mailtunnel
	AllowTcpForwarding yes
	X11Forwarding no
	AllowAgentForwarding no
	PermitTunnel no
	GatewayPorts no
	ForceCommand /bin/false
	PasswordAuthentication yes
	PermitEmptyPasswords yes
	PermitOpen 127.0.0.1:143 127.0.0.1:993 127.0.0.1:587

This allows the user “mailtunnel” to log in without a password but also without any privileges, except for forwarding to the ports in the “PermitOpen” list. This is not insecure: these are exactly the ports that would be open to the public anyway if you had a normal clearnet mail server. Once someone connects to one of these ports the mail server takes it from there and proceeds through its normal login procedure with password, TLS encryption, etc.

If you want to use POP3 as well, add its ports (110 and 995) to the “PermitOpen” list too.
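To see what the Match block actually grants, here is an added example (not code from the original post) that parses sshd_config the way sshd scopes it, works out the effective settings for the tunnel user, and reports anything that would give that user more than loopback forwarding to the mail ports. The sample config embedded below is constructed: a short, deliberately permissive global section followed by the Match block above, so you can watch the block override the global “PermitOpen any”.

```python
"""Audit the sshd_config Match block of a tunnel-only user.

Added example, not code from the original post. It parses sshd_config text,
resolves the effective settings for a user (global settings overridden by
that user's Match block, as sshd does) and checks that the user gets nothing
beyond loopback forwarding to the mail ports: no shell, agent, X11 or
tunnel-device access. Against the real file:
audit_tunnel_user(open("/etc/ssh/sshd_config").read(), "mailtunnel")
"""

# Keyword -> value the Match block is expected to enforce (keywords are
# case-insensitive in sshd_config, so everything is compared lower-cased).
EXPECTED = {
    "forcecommand": "/bin/false",
    "allowtcpforwarding": "yes",
    "x11forwarding": "no",
    "allowagentforwarding": "no",
    "permittunnel": "no",
    "gatewayports": "no",
}
# The only forwarding targets the tunnel user needs: IMAP, IMAPS, submission.
ALLOWED_DESTS = {"127.0.0.1:143", "127.0.0.1:993", "127.0.0.1:587"}


def parse_sshd_config(text):
    """Return (global_settings, match_settings_by_user).

    Each line is 'Keyword arg [arg ...]'. A 'Match' line opens a block that
    runs until the next Match line or end of file; every keyword after it
    belongs to that block, which is why Match blocks go at the end of the file.
    """
    global_settings, matches = {}, {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            # Criteria come in pairs, e.g. "User mailtunnel Address 10.0.0.0/8".
            crit = {k.lower(): v for k, v in zip(args[0::2], args[1::2])}
            current = matches.setdefault(crit.get("user"), {})
            continue
        current[key] = args
    return global_settings, matches


def audit_tunnel_user(text, user):
    """Return a list of findings; an empty list means the user is locked down."""
    global_settings, matches = parse_sshd_config(text)
    if user not in matches:
        return [f"no Match block for user {user}"]
    # For a connection by this user, Match settings override the global ones.
    effective = {**global_settings, **matches[user]}
    findings = []
    for key, want in EXPECTED.items():
        got = effective.get(key)
        if got is None or got[0].lower() != want:
            findings.append(f"{key} should be {want}, found {got}")
    permitopen = effective.get("permitopen")
    if permitopen is None or "any" in [d.lower() for d in permitopen]:
        findings.append("PermitOpen missing or 'any': user may forward anywhere")
    else:
        for dest in permitopen:
            if dest not in ALLOWED_DESTS:
                findings.append(f"PermitOpen allows unexpected destination {dest}")
    # Empty-password login is only tolerable because no command can ever run.
    if (effective.get("permitemptypasswords", ["no"])[0].lower() == "yes"
            and effective.get("forcecommand", [""])[0] != "/bin/false"):
        findings.append("PermitEmptyPasswords yes without ForceCommand /bin/false")
    return findings


# Constructed sample: a short global section (deliberately permissive) followed
# by the Match block from the post, which must override it for mailtunnel.
GLOBAL_PART = """\
Port 22
PermitOpen any
PasswordAuthentication no
"""
MATCH_BLOCK = """\
Match User mailtunnel
    AllowTcpForwarding yes
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
    GatewayPorts no
    ForceCommand /bin/false
    PasswordAuthentication yes
    PermitEmptyPasswords yes
    PermitOpen 127.0.0.1:143 127.0.0.1:993 127.0.0.1:587
"""
SAMPLE_CONFIG = GLOBAL_PART + MATCH_BLOCK
# Same block with the PermitOpen line dropped: the global "any" then applies.
WEAK_CONFIG = GLOBAL_PART + MATCH_BLOCK.replace(
    "    PermitOpen 127.0.0.1:143 127.0.0.1:993 127.0.0.1:587\n", "")

if __name__ == "__main__":
    print("hardened:", audit_tunnel_user(SAMPLE_CONFIG, "mailtunnel") or "OK")
    print("weakened:", audit_tunnel_user(WEAK_CONFIG, "mailtunnel"))
```

The weakened variant shows the failure mode worth remembering: if the PermitOpen line is missing from the Match block, the user inherits whatever the global section says (sshd's default is “any”), and a passwordless account could then forward to arbitrary hosts through your server.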

On the laptop

Add the following to root's SSH config file (create the file if it does not exist yet): sudo nano /root/.ssh/config

add:

Host *.onion
        Compression Yes
        ProxyCommand /bin/nc -x10.8.0.1:9050 -X5 %h %p

Host mail.madwizards.onion
        Hostname 7tduhhyhyo9urniduppnedul6ebqovs2kwmyen5d7o4bqjfyd.onion
        User mailtunnel
        ForwardAgent no
        ServerAliveInterval 30
        ServerAliveCountMax 3
        LocalForward 8143 127.0.0.1:143
        LocalForward 8993 127.0.0.1:993
        LocalForward 8587 127.0.0.1:587

A few notes:

You can now test to see if it is working with the command ssh mailtunnel@mail.madwizards.onion

It should not ask for a password but reply with a simple “connection closed”. It means that it successfully logged in and was thrown out immediately after executing the /bin/false command, which is exactly what we want.

If you want to test it with your email client, run the same command with the -N parameter added: ssh -N mailtunnel@mail.madwizards.onion. Allow some 10 seconds or so to set up the initial connection.

While this is running you should be able to use your email client.
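As an added example (not code from the original post), here is a small probe for the local end of the tunnel that does not need the email client at all: it connects to the forwarded IMAP port, reads the greeting, asks for the server's CAPABILITY list and reports whether STARTTLS is offered, without ever sending credentials. When the tunnel (or TOR) is down, the connect simply fails, which is the “no insecure fallback” behaviour the post relies on. The fake IMAP server in the block is a constructed stand-in so the check can be run offline; against the real setup, call check_imap_tunnel() with ssh -N running.

```python
"""Probe the local end of the mail tunnel without sending credentials.

Added example, not code from the original post. check_imap_tunnel() connects
to the forwarded IMAP port (127.0.0.1:8143 by default, i.e. the post's
143 + 8000), reads the greeting, asks the server for its CAPABILITY list and
reports whether STARTTLS is offered. If the SSH tunnel is down the connect
simply fails: there is nothing to fall back to. start_fake_imap_server() is a
constructed stand-in for the real mail server so the check can run offline.
"""
import socket
import threading


def read_line(sock):
    """Read one CRLF-terminated line; IMAP responses are line based."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(1)
        if not chunk:  # peer closed the connection
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")


def check_imap_tunnel(host="127.0.0.1", port=8143, timeout=10.0):
    """Return {'ok', 'greeting', 'starttls'} for the server behind the tunnel.

    Raises OSError (e.g. ConnectionRefusedError) when nothing is listening,
    which is what you see when ssh/autossh or TOR is not running.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = read_line(sock)
        if not greeting.startswith("* OK"):
            return {"ok": False, "greeting": greeting, "starttls": False}
        sock.sendall(b"a1 CAPABILITY\r\n")
        caps = []
        while True:
            line = read_line(sock)
            if line.startswith("* CAPABILITY"):
                caps = [c.upper() for c in line.split()[2:]]
            elif line.startswith("a1 ") or not line:
                break  # tagged response ends the command (or peer went away)
        sock.sendall(b"a2 LOGOUT\r\n")
        while (line := read_line(sock)) and not line.startswith("a2 "):
            pass  # drain "* BYE" until the tagged LOGOUT reply
    return {"ok": True, "greeting": greeting, "starttls": "STARTTLS" in caps}


def start_fake_imap_server(starttls=True):
    """Constructed test double: answers one client's CAPABILITY/LOGOUT.

    Returns the port it listens on (127.0.0.1, chosen by the OS).
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    caps = "IMAP4rev1 " + ("STARTTLS " if starttls else "") + "LOGINDISABLED"

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as lines:
            conn.sendall(b"* OK IMAP4rev1 ready\r\n")
            for raw in lines:
                tag, _, cmd = raw.decode("ascii", "replace").strip().partition(" ")
                if cmd.upper() == "CAPABILITY":
                    conn.sendall(f"* CAPABILITY {caps}\r\n{tag} OK done\r\n".encode())
                elif cmd.upper() == "LOGOUT":
                    conn.sendall(f"* BYE\r\n{tag} OK bye\r\n".encode())
                    break
                else:
                    conn.sendall(f"{tag} BAD unknown command\r\n".encode())

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Against the real tunnel (expects "ssh -N mailtunnel@..." to be running).
    print(check_imap_tunnel())
```

The “starttls” flag is the thing to look at before choosing port 8143 without encryption in the email client: the plaintext leg only exists on your own loopback interface and inside the SSH tunnel, but knowing whether the server offers STARTTLS tells you what you are giving up by not using 8993.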

Setup the email client

In the email client (like Thunderbird) you normally have to enter the mail server domain and its port. As the server name, it is best to enter the real mail server domain, provided you have pointed it at 127.0.0.1 in your /etc/hosts file (see my previous post). If for some reason you choose not to, you will have to enter 127.0.0.1 as the server name; in that case you may run into the problem that the mail server's security certificate does not match the server name, so use port 143 (8143) without encryption instead. For the port, enter the default port plus 8000. So port 143 becomes 8143, port 993 becomes 8993 and port 587 becomes 8587.

Since the connection is over TOR, it will run a bit slower than normal.

Make the connection permanent

So far so good. We now need to make this tunnel permanent and automatic. The test command given above works but we would lose this connection at every temporary disconnect from the wifi, internet backbone, tor, closing the lid of the laptop, or whatever. Luckily, there is a program that can reconnect the SSH connection automatically after a disconnect: autossh. This is a small program with no dependencies.

To install autossh go to the terminal and execute: sudo apt install autossh

While we are at it, let's turn it into a system service. Create a new service file: sudo nano /etc/systemd/system/mailtunnel.service

And paste the following into the file:

[Unit]
Description=AutoSSH tunnel "mailtunnel"
# After= only orders the unit; Wants= actually pulls the target in.
Wants=network-online.target
After=network-online.target

[Service]
# GATETIME=0: keep retrying even if the very first connection attempt fails
# (e.g. TOR not ready yet at boot). -M 0 relies on the ServerAliveInterval
# set in /root/.ssh/config to detect dead connections.
Environment="AUTOSSH_GATETIME=0"
ExecStart=/usr/bin/autossh -M 0 -N mailtunnel@mail.madwizards.onion
# Belt and braces: restart autossh itself if it ever exits.
Restart=always
RestartSec=10

[Install]
WantedBy=multi-user.target

To start this service, execute: sudo systemctl start mailtunnel

To allow this service to start up automatically, execute: sudo systemctl enable mailtunnel

Conclusion

You now have an anonymous email server which you can operate with your standard email client. You will receive new mail popups, and you can receive and send emails without having to think about security. All the communication between your email client and the email server goes into TOR straight from your laptop and arrives at your VPS without ever leaving the TOR network.

If for some reason TOR stops, the email client will not fall back to insecure connections but just fail to connect altogether, exactly what we want.

Franz (administrator) Fediverse (“Mastodon”) handle: @franz@madwizards.net