what about SMTPS over Tor?

anonym anonym at lavabit.com
Wed Jan 2 18:27:16 UTC 2008


On 02/01/08 09:16, anon ymous wrote:
> 
> On 12/25/07, anonym <anonym at lavabit.com> wrote:
>> So I'm investigating the possibility of using SMTPS (i.e. SMTP over SSL)
>> on Thunderbird with Torbutton. In fact, this email should have been sent
>> over Tor. But as we know, there are several issues with using a mail
>> client and SMTP with Tor.
> 
> One way to go would be to offer your SMTPS-server as a hidden service
> and publish its .onion-name to your users.
> That works around any exit-policy-issues.

Yes, there are some interesting things with this, and i2p already has a
nice service for this with some cool features (e.g. hash cash for
sending more than a set daily threshold of messages to prevent spam).
But I'm more interested in smtp on the "open" Internet currently as I
don't want to push too many new concepts on the people I try to help,
_and_ I need a solution fast (+ I don't have any resources for putting
up the required setup for a hidden service email).

I would like that smtps got a similar status with Tor as http(s) has.
IMHO the issues with http(s) (e.g. javascript, cookies) seem to be far
worse than smtp unless I've missed something, so I don't understand
why it's not focused on more. At least until all the issues with
anonymous remailers have been sorted out (like that you can't reply to
messages).

>> Standard SMTP seems to be completely blocked. BTW, is it possible to do
>> queries over all exit nodes to see which of them that allow certain
>> services?
> 
> Yes, there is a dns-service that you can use to query if
> a given ip is an exit-node and allows connection to a given port(+ip).
> (Not perfect yet.)

Yes, but I want to query over _all_ servers. Or rather, what I'm really
interested in is statistics over exit policies. How is the Tor client
determining which exit nodes it can choose from?

>> * The mail header might contain identifying information
>> - From my experiments, I've seen fields like User-Agent, x-mozilla-status,
>>  x-enigmail-version and openpgp (key ID and key URL) which are not
> 
> Your smtp-server can send mails through scripts and thus remove/rewrite
> these lines. This can also be done on a local sendmail that the client uses
> (thus no need to trust the server) instead.
> Rewriting all the ".onion" in the headers also helps with servers that
> check these to be valid dns-names.
> 



More information about the tor-talk mailing list
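
The header-stripping step discussed in the thread (removing User-Agent, x-mozilla-status, x-enigmail-version and openpgp on a local relay before the message leaves the machine), as an added example that is not part of the original message or of any Tor or Thunderbird code. It assumes CRLF line endings as used on the wire in SMTP; the prefix rule and the sample message are constructed for illustration.

```python
# Headers named in the thread; header names are case-insensitive.
IDENTIFYING = {"user-agent", "x-mozilla-status", "x-enigmail-version", "openpgp"}
# Assumption (not from the thread): also drop siblings that share these prefixes.
IDENTIFYING_PREFIXES = ("x-mozilla-", "x-enigmail-")


def scrub_headers(raw: bytes):
    """Drop identifying headers; return (scrubbed_message, removed_names).

    Only the header block is touched. The body is passed through
    byte-for-byte, so an inline PGP signature over the body stays valid.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    kept, removed = [], []
    drop = False
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t"):
            # Folded continuation line: shares the fate of the header it continues.
            if not drop:
                kept.append(line)
            continue
        name = line.split(b":", 1)[0].strip().decode("ascii", "replace")
        low = name.lower()
        drop = low in IDENTIFYING or low.startswith(IDENTIFYING_PREFIXES)
        if drop:
            removed.append(name)
        else:
            kept.append(line)
    return b"\r\n".join(kept) + sep + body, removed


# Constructed sample message (addresses, versions and key ID are made up).
SAMPLE = (
    b"From: user@example.org\r\n"
    b"To: friend@example.net\r\n"
    b"Subject: test\r\n"
    b"User-Agent: Thunderbird 2.0.0.9 (X11/20071031)\r\n"
    b"X-Mozilla-Status: 0001\r\n"
    b"X-Enigmail-Version: 0.95.5\r\n"
    b"OpenPGP: id=DEADBEEF;\r\n"
    b"\turl=http://keys.example.org/DEADBEEF.asc\r\n"
    b"\r\n"
    b"User-Agent: this line is body text and must survive\r\n"
)

if __name__ == "__main__":
    cleaned, removed = scrub_headers(SAMPLE)
    print("removed:", removed)
    print(cleaned.decode("ascii"))
```
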