this post was submitted on 12 May 2024
5 points (100.0% liked)

Privacy

22 readers
1 users here now

Privacy is the ability for an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively.

Rules

  1. Don't do unto others what you don't want done unto you.
  2. No Porn, Gore, or NSFW content. Instant Ban.
  3. No Spamming, Trolling or Unsolicited Ads. Instant Ban.
  4. Stay on topic in a community. Please reach out to an admin to create a new community.

founded 2 years ago
MODERATORS
 

cross-posted from: https://sopuli.xyz/post/12515826

I’m looking for an email service that issues email addresses with an onion variant. E.g. so users can send a message with headers like this:

From: replyIfYouCan@hi3ftg6fgasaquw6c3itzif4lc2upj5fanccoctd5p7xrgrsq7wjnoqd.onion  
To: someoneElse@clearnet_addy.com

I wonder if any servers in the onionmail.info pool of providers can do this. Many of them have VMAT, which converts onion email addresses to clearnet addresses (not what I want). The docs are vague. They say how to enable VMAT (which is enabled by default anyway), and neglect to mention how to disable VMAT. Is it even possible to disable VMAT? Or is there a server which does not implement VMAT, which would send msgs to clearnet users that have onion FROM addresses?

you are viewing a single comment's thread
view the rest of the comments
[–] mark@infosec.pub 1 points 6 months ago (1 children)

Because dmarc, DKIM, and SPF validate the domain against the sending server, not the address.

When i send from noreply@ at work, it passes dmarc, DKIM, and SPF, because the recipient mail server validates the message came from an authorized mail server for the domain (mosty based on dns entries).

Without that validation, you can certainly still send emails, but most clearnet mail hosts will drop your messages. Google, Microsoft, and yahoo at the bare minimum will

[–] freedomPusher@sopuli.xyz 1 points 6 months ago (2 children)

The server is checking that the EHLO domain matches that of the IP of the sending server. Whatever is in the FROM: field is entirely irrelevant to that. The RFC even allows multiple email addresses in the FROM field. It’s rarely practiced, but it’s compliant. So if you have FROM: bob@abc.com, bob@xyz.onion, bob@xyz.org, are you saying the receiving server would expect the domain of all FROM addresses to match that of the sending server? What happens when a sender has a gmail account but uses a vanity address? Instead of bob@gmail.com, he has bobswidgets@expertcorp.com. Are you saying expertcorp.com ≠ gmail.com, so the receiving server will reject it? I think not. Google offers the ability of their users to use an external address last time I checked.

[–] mark@infosec.pub 1 points 6 months ago (1 children)

Maybe i need to further clarify that none of this is in the email RFC. Email is very old. These are new standards that everyone has agreed to on top of the RFC

[–] freedomPusher@sopuli.xyz 1 points 6 months ago

I’m not surprised. Google took an anti-RFC posture when they broke email and brought in their own rules under the guise of anti-spam (the real reason is domination). The whole point of RFCs existence is interoperability. That was broken when servers reject RFC-compliant messages.

I’m not interested in bending over backwards to accommodate. Satisfying Google’s dkim reqs requires the server admin to solve a CAPTCHA. That’s a line I personally will not cross. So at the moment I simply do not email gmail users (or MS Outlook users, same problem).

[–] mark@infosec.pub 1 points 6 months ago (1 children)

That is 100% what im saying, yes. The sending server needs to sign all messages with a private DKIM key where the public key is in a dns text entry. Then the reverse dns lookup for the mailserver needs to match the SPF txt record. Then your DMARC record has to match the dkim and spf settings.

Ive set this up for exchange at work as well as my own personal mailserver, which is just a debian server running postfix and dovecot.

When you want to use gmail as a mailserver for your own domain, you set these three things up so that your messages arent all blocked.

Keep in mind, you do not need these to simply send and recieve messages, but if you want to interact with the rest of the world you do. Email is too easy to spoof, so everyone has agreed on these protocols for authenticity.

[–] freedomPusher@sopuli.xyz 1 points 6 months ago* (last edited 6 months ago) (1 children)

That is 100% what im saying, yes.

Okay, so AFAICT you’ve not said anything that prevents individual users from using an onion FROM address, so long as the sending server is authorized via all the shitty spf, dkim, dmarc, dane hoops. This is what I’m after. In fact, I’m even less demanding. I don’t care if a service provider doesn’t bother with dkim and gets rejected by some servers. Email is in such a broken state anyway.. I just need the option to set the FROM field to an onion address. The reason my own server is insufficient is the residential IP is very widely rejected.

[–] mark@infosec.pub 2 points 6 months ago

No you can totally modify mail headers anytime you want to, just be prepared to get mail rejection if you're not following current mail security best practices.

I'd recommend just renting a cheap vps from vultr or something, then you can setup your mailserver to send from anything you like. That's how my mailserver works. I pay like $3 a month, and its plenty of space for a single user mailserver (i have like 3 mailboxes)

I did go through the work to setup dkim/dmarc/spf. Took a weekend, but wasnt too bad. My mail is received by gmail yahoo and Microsoft. I imagine doing the same with onion addressing would be complicated.