Encrypted Email - TLS/SSL
Overview
The purpose of this page is to provide Windows based remailer users with
information on how to connect directly to a mail service offering TLS/SSL
support. TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are
methods of encrypting traffic between Internet nodes. The two primary Windows
remailer clients (Quicksilver and Jack B. Nymble) don't support TLS/SSL
natively, so a third-party application called Stunnel has to be used. This page focuses on
the configuration of Stunnel for that purpose.
Benefits
Without TLS, the content of a message (the payload) is only encrypted using the
remailer's key. If the message is snooped during transit and retained, then it
could be decrypted at a later date if the remailer key is compromised.
Remailers often retain the same key for long periods of time, making this a
realistic threat. TLS can provide a solution to this problem by using
ephemeral keying. This means a temporary symmetric key is generated during
negotiation between the sender and the mail server. After transmission, the
key is destroyed, making it impossible to decrypt the message at a future time.
This is known as Perfect Forward Secrecy.
Beware: Not all remailer mail servers with TLS capability are
configured to support ephemeral keying. The TLS capabilities of a
mailserver can be checked at noreply.org. On this page, the TLS
column provides this information as a cipher string similar to this example:
EDH-RSA-DES-CBC3-SHA
Each mnemonic in the string relates to one capability of the TLS cipher. MTAs
that support ephemeral Diffie-Hellman key agreement will show a cipher string
beginning with DHE or EDH, such as one of the following:
DHE-RSA-AES256-SHA
EDH-RSA-DES-CBC3-SHA
For those who prefer to query the mailserver directly, the following openssl
command can be used to obtain the cipher string:
openssl s_client -starttls smtp -connect hostname:port
Replace hostname and port with the relevant entries for the
server being queried.
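As an added example (not part of the original page), the following Python splits an OpenSSL cipher string like the ones above into its key exchange, authentication, bulk cipher and MAC parts, and flags whether the key exchange is ephemeral. It also performs the same STARTTLS probe as the openssl command using only the standard library; the host and port are whatever server you want to query.

```python
import smtplib
import ssl

# Key-exchange mnemonics: ephemeral ones give a fresh key per session
# (forward secrecy); static ones reuse the server's long-term key.
EPHEMERAL_KX = {"DHE", "EDH", "ECDHE", "EECDH"}
STATIC_KX = {"RSA", "DH", "ECDH", "ADH", "AECDH", "PSK", "SRP"}
AUTH = {"RSA", "DSS", "ECDSA", "PSK", "ANON"}
MACS = {"MD5", "SHA", "SHA256", "SHA384"}

def parse_cipher(name):
    """Split an OpenSSL cipher name (e.g. EDH-RSA-DES-CBC3-SHA) into its parts
    and report whether the key exchange is ephemeral."""
    parts = name.upper().split("-")
    kx = parts.pop(0) if parts[0] in EPHEMERAL_KX | STATIC_KX else "RSA"
    if parts and parts[0] in AUTH:
        auth = parts.pop(0)
    else:  # bare AES256-SHA means RSA key transport; ADH/AECDH are anonymous
        auth = "ANON" if kx in {"ADH", "AECDH"} else kx
    # last token is the MAC (or the PRF hash on GCM suites); none means AEAD
    mac = parts.pop() if parts and parts[-1] in MACS else "AEAD"
    return {"kx": kx, "auth": auth, "bulk": "-".join(parts), "mac": mac,
            "forward_secrecy": kx in EPHEMERAL_KX}

def negotiated_cipher(host, port, timeout=10):
    """Connect over SMTP, issue STARTTLS and return the cipher name the server
    negotiated, the same string 'openssl s_client -starttls smtp' prints.
    create_default_context() verifies the certificate; a self-signed remailer
    certificate must first be added with ctx.load_verify_locations()."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        name, _version, _bits = smtp.sock.cipher()
    return name

def has_forward_secrecy(host, port):
    """True when the server picked an ephemeral key exchange. Caveat: the
    server chooses from what this client offers, so a server that supports
    DHE but prefers another suite will still show as False here."""
    return parse_cipher(negotiated_cipher(host, port))["forward_secrecy"]
```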
The certificate for the Banana mail server can be validated against the
following:
Please take the time to verify the supplied signatures against the
certificates; it's a good habit to get into.
Downsides
SMTP was designed when the Internet was a young and friendly place to be. As a
result, mail servers had the capability to relay messages that were not
intended for local recipients. Unfortunately sub-lifeforms, such as spammers,
soon found ways to exploit this to their advantage, and so today most mail
servers no longer provide relaying.
In the context of this page, the result of mail servers not relaying is that
messages can only be sent to the location where the remailer resides. If the
first hop in a remailer chain is lcs, then the message must be sent to the mail
server responsible for lcs. In practical terms, this means you must hard code
the first hop in a remailer chain if you wish to use TLS/SSL between your email
client and the remailer.
Stunnel
Stunnel can be obtained from www.stunnel.org. Also required are the
OpenSSL libraries and application that can be obtained from the same
source.
Once Stunnel has been installed, create a config file in the same directory
called remailer_name-smtp.cfg
Replace remailer_name with the name of the remailer this configuration
applies to. In this manner, you will need a separate configuration file for
each remailer you wish to use as a first hop. The example given below uses the
locally hosted banana remailer.
Once you have created the banana-smtp.cfg file, paste the following lines into
it.
RNDbytes = 2048
RNDfile = bananarand.bin
RNDoverwrite = yes
client = yes
options = ALL
#
[BANANA_SMTP]
protocol = smtp
accept = 25
connect = snorky.mixmin.net:2525
delay = no
The 'accept' instruction defines the port on the local machine that will listen
for incoming Email. The 'connect' instruction defines the address and port
that the chosen remailer's mail server is listening on. In the instance of
banana, it listens on port 2525 as well as the default 25 for Email. This
circumvents the blocks that some ISPs implement to stop users from directly
receiving and sending Email. Port 2525 is supported by a number of remailer
nodes.
Configurations for multiple remailers can exist within the same configuration
file. To do this, duplicate the [BANANA_SMTP] section, changing the name to
something suitable for a different remailer. The port that Stunnel listens on
must be different within each section. The following example demonstrates this
with a configuration for the banana, frell and dizum remailers.
RNDbytes = 2048
RNDfile = bananarand.bin
RNDoverwrite = yes
client = yes
options = ALL
#
[BANANA_SMTP]
protocol = smtp
accept = 2525
connect = snorky.mixmin.net:2525
delay = no
#
[FRELL_SMTP]
protocol = smtp
accept = 2526
connect = mail2.frell.eu.org:2525
delay = no
#
[DIZUM_SMTP]
protocol = smtp
accept = 2527
connect = mail.dizum.com:25
delay = no
Once the configuration file has been created, Stunnel can be loaded with the following command:
drive:\path\stunnel remailer_name-smtp.cfg
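A small checker for the configuration layout described above, added here as an example and not part of Stunnel or the original page. It parses stunnel's INI-like file and reports the mistakes this page warns about: a missing client = yes, a section without protocol = smtp, and two sections listening on the same local port. The sample config is constructed in the page's layout with a deliberate duplicate port.

```python
import re

def parse_stunnel_cfg(text):
    """Parse stunnel's INI-like config into (global options, {service: options}). '#' lines are comments."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            services[current] = {}
            continue
        key, _, value = line.partition("=")
        # pairs before the first [section] header are global options
        (global_opts if current is None else services[current])[key.strip().lower()] = value.strip()
    return global_opts, services

def check_stunnel_cfg(text):
    """Return problems found: stunnel must run in client mode, every service must speak SMTP (so STARTTLS is used) and own a distinct local accept port."""
    global_opts, services = parse_stunnel_cfg(text)
    problems = []
    if global_opts.get("client") != "yes":
        problems.append("global 'client' must be 'yes'")
    owner = {}  # accept port -> section that already uses it
    for name, opts in services.items():
        if opts.get("protocol") != "smtp":
            problems.append(f"[{name}] needs 'protocol = smtp'")
        port = opts.get("accept", "")
        if not port.isdigit():
            problems.append(f"[{name}] has no numeric 'accept' port")
        elif port in owner:
            problems.append(f"[{name}] reuses accept port {port} of [{owner[port]}]")
        else:
            owner[port] = name
    return problems

# Constructed sample in the page's layout; [FRELL_SMTP] deliberately reuses
# port 2525 so the duplicate-port check fires.
SAMPLE_CFG = """\
client = yes
[BANANA_SMTP]
protocol = smtp
accept = 2525
connect = snorky.mixmin.net:2525
[FRELL_SMTP]
protocol = smtp
accept = 2525
connect = mail2.frell.eu.org:2525
"""
```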
Quicksilver Configuration
Once a Stunnel session has been established, it will be necessary to use a template in Quicksilver that takes advantage of it. The following example will send anonymous messages through Stunnel on port 2525:
Fcc: outbox
Host: localhost:2525
From: myname@mydomain.com
Chain: banana,*,*
To:
Subject:
~~
This example assumes that stunnel is accepting connections on port 2525 and will forward them to the banana remailer, as that's the one defined as the first hop.
Jack B. Nymble
To set up JBN2 to communicate through Stunnel, you must create a Send
Profile for it:
- From the menu, click on Window/Send Profiles
- Choose any unused tab (from 1 to 15)
- Click the checkbox for "Enable"
- For "Profile Nickname", choose any name you wish, such as "Banana TLS"
- For "SMTP Server", specify "localhost" plus the port that Stunnel will be accepting the connection on. For example, this might be localhost:2525
- For "From Header", fill in anything, such as "none@none.none". This has no relation to the From: header in the actual message you are sending.
- All other fields are optional. For simplicity's sake, make sure they are
all clear.
- Click the "Okay" button at the bottom.
To now send a message via Stunnel:
- Make sure that Stunnel is running, and accepting the connection on the appropriate port
- From the JBN2 menu, click Message/Queue via
- Choose the TLS profile you've just created, making sure it is also the first remailer that you are sending to (e.g., choose the "Banana TLS" profile when Banana is the first remailer in the chain, or choose another profile such as "Frell TLS" when Frell is the first remailer.)
Some smtp servers require a real domain in the From: address, or else JBN will report a confusing error such as, "Mailbox is invalid or unavailable".
IMPORTANT NOTE on the JBN2 to Stunnel connection: if you specify too high a port, JBN2
will NOT connect to Stunnel. I don't know where exactly the dividing line
is, but 50025 will not work.