3

On my server, I installed tor and postfix. I can send an email via this simple shell command:

    echo "foo" | mail -s "example" testest@sigaint.org

No problem here, it works.

Now, I want to be able to send emails to .onion addresses. So when I execute this command:

    echo "foo" | mail -s "example" testest@sigaintdjfu3jveh.onion

The mail isn't received at my email address. Below are my mail.log entries:

    Nov 29 00:50:10 mycomputername postfix/pickup[6641]: 49B4F342961: uid=1001 from=myunixuser
    Nov 29 00:50:10 mycomputername postfix/cleanup[6974]: 49B4F342961: message-id=<20161128235010.49B4F342961@mycomputername>
    Nov 29 00:50:10 mycomputername postfix/qmgr[6642]: 49B4F342961: from=, size=297, nrcpt=1 (queue active)
    Nov 29 00:50:10 mycomputername postfix/smtp[6976]: 49B4F342961: to=, relay=none, delay=0.19, delays=0.12/0.01/0.05/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=sigaintevyh2rzvw.onion type=AAAA: Host not found)

I think I must configure my 'mail' command to use the Tor proxy, but I don't know how I can do that and I didn't find any doc/tutorial.. Thank you =)

spacecodeur
  • 91
  • 1
  • 5

1 Answer

3

The problem in your case consists of two parts, actually:

  • Sending mail from the command line to the MTA - Here you need to spool your message from the command line into the thing that will deliver it from this step forward. It can be either Postfix, or any other. I prefer QMail.
  • Delivering mail to dot-onion addresses - Here you need to handle all the steps as in the clearnet, but in the Darknet. And a proxy is a bad solution!

So - how to do it? Let's take a look:

  • First check this manual about mailer.conf and make sure that everything is pointed out correctly to your MTA. It usually looks like this:

    # $FreeBSD: head/en_US.ISO8859-1/books/handbook/mail/chapter.xml 48529 2016-04-03 18:57:15Z wblock $
    #
    # Execute the "real" sendmail program, named /usr/libexec/sendmail/sendmail
    #
    sendmail        /usr/libexec/sendmail/sendmail
    send-mail       /usr/libexec/sendmail/sendmail
    mailq           /usr/libexec/sendmail/sendmail
    newaliases      /usr/libexec/sendmail/sendmail
    hoststat        /usr/libexec/sendmail/sendmail
    purgestat       /usr/libexec/sendmail/sendmail
    

Check that every line is pointing to your MTA's corresponding tools, not just sendmail and send-mail! It's a common problem in "fast howtos"...

  • Second, in your Tor installation, you don't need any proxy stuff for mail processing, inbound or outbound. You will need two features of Tor to implement proper handling of the "email stuff": host mapping and the DNS backend. In your torrc you should enable them like this:

    VirtualAddrNetworkIPv4 10.192.0.0/10
    AutomapHostsOnResolve 1
    DNSPort 53
    DNSListenAddress 127.0.0.2
    TransPort 9040
    TransListenAddress 127.0.0.1
    

    So all the dot-onion addresses will be mapped to the desired network range. Pay attention: you should not interfere with your ISP's local subnets (if there are any) or your home/LAN ones! You should use a range big enough to map lots of hosts, so the 10.0.0.0/8 subnet is a good choice for that.

  • Third, you will need a properly installed full local DNS server, no "tiny stubs" or "fast-but-truncated-in-functionality DNS systems". And here is why: mail processing involves lots of DNS-heavy techniques, like RBL checking, hostname resolution, etc. Set up a full-featured BIND and point the dot-onion names to Tor listening on 127.0.0.2 like this:

    // Forward every query under .onion to Tor's DNSPort on 127.0.0.2
    zone "onion" {
        type forward;
        forward only;
        forwarders {
            127.0.0.2;
        };
    };
    

    In your MTA settings explicitly disable reverse DNS checks on incoming SMTP connections (for receiving inbound mail), and in SMTP use STARTTLS first, i.e. do not accept plaintext SMTP; it's a bit risky spam-wise. But you can use it if you wish; it's just a warning. SMTPS is the best way, In My Humble Opinion =)

  • Fourth, use a firewall to divert all the traffic to your Tor mapping zone (specified in torrc by the VirtualAddrNetworkIPv4 xxx option) to your TransPort: because once resolved, the packets must go to the packet trap, not via the routing table! In iptables it is done like this:

    iptables -t nat -A PREROUTING -i $_int_if -p tcp --syn -j REDIRECT --to-ports $_trans_port
    

All the variables are self-explanatory, but _int_if is another loopback device with an address like 127.0.0.3; bind everything for your MTA to use that address as the source address, the binding address and the interface bind. The config depends on the MTA, so check your MTA's docs ;)

And that's it! Of course there are many optional tweaks that can be done, but they do depend on the MTA, the mail server setup and the task specifics. All the steps above will give you the full power of darknet mail =) Feel free to ask questions if you have any!

Alexey Vesnin
  • 6,385
  • 3
  • 15
  • 36
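The four steps in the answer only work if they agree with each other: the BIND forward zone must point at Tor's DNSListenAddress, the firewall REDIRECT must catch exactly the VirtualAddrNetworkIPv4 range, and that range must not collide with any real subnet the server uses. The script below is an added example (not the answerer's or the asker's code) that checks those relationships from a torrc fragment and a BIND zone fragment, shows where a resolved address would end up (TransPort versus the normal routing table), and scans Postfix log lines for the exact symptom in the question (a .onion recipient bounced with dsn=5.4.4). All inputs are constructed inline; the queue ids, hostnames and the `lo1` interface name are made-up placeholders, and the generated iptables rule adds a `-d <automap range>` match to the answer's rule so that only automapped destinations are redirected.

```python
"""Consistency checks for the Tor automap + BIND + iptables mail setup.
Added example; every input below is constructed for illustration."""
import ipaddress
import re

# Constructed torrc fragment mirroring the answer's settings.
TORRC = """
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
DNSPort 53
DNSListenAddress 127.0.0.2
TransPort 9040
TransListenAddress 127.0.0.1
"""

# Constructed BIND forward-zone fragment for .onion names.
BIND_ZONE = """
zone "onion" {
    type forward;
    forward only;
    forwarders {
        127.0.0.2;
    };
};
"""

# Constructed mail.log lines modelled on the question (queue ids are made up).
MAIL_LOG = """
Nov 29 00:50:10 host postfix/smtp[6976]: 49B4F342961: to=<test@example.onion>, relay=none, delay=0.19, delays=0.12/0.01/0.05/0, dsn=5.4.4, status=bounced (Host or domain name not found. Name service error for name=example.onion type=AAAA: Host not found)
Nov 29 00:51:00 host postfix/smtp[6980]: 1234567890A: to=<a@example.org>, relay=mail.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.5/0.6, dsn=2.0.0, status=sent (250 OK)
"""


def parse_torrc(text):
    """Return a dict of torrc keys to values (first occurrence wins, comments stripped)."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key, value.strip())
    return conf


def automap_network(conf):
    """The range Tor hands out for automapped .onion names."""
    return ipaddress.ip_network(conf["VirtualAddrNetworkIPv4"], strict=False)


def overlapping_subnets(conf, local_subnets):
    """Local/ISP subnets that collide with the automap range (the answer's warning)."""
    net = automap_network(conf)
    return [s for s in local_subnets
            if net.overlaps(ipaddress.ip_network(s, strict=False))]


def bind_forwarder_matches_tor(zone_text, conf):
    """True if the 'onion' forward zone sends queries to Tor's DNSListenAddress."""
    m = re.search(r"forwarders\s*\{([^}]*)\}", zone_text)
    if not m:
        return False
    forwarders = [f.strip() for f in m.group(1).split(";") if f.strip()]
    return conf["DNSListenAddress"] in forwarders


def destination_for(ip_text, conf):
    """Where a connection to a resolved address ends up: the Tor TransPort
    (automapped range, caught by the REDIRECT rule) or the routing table."""
    ip = ipaddress.ip_address(ip_text)
    if ip in automap_network(conf):
        return ("transport", int(conf["TransPort"]))
    return ("routing-table", None)


def redirect_rule(int_if, conf):
    """The answer's iptables REDIRECT, narrowed to the automap range with -d."""
    net = automap_network(conf)
    return (f"iptables -t nat -A PREROUTING -i {int_if} -d {net} -p tcp --syn "
            f"-j REDIRECT --to-ports {conf['TransPort']}")


BOUNCE_RE = re.compile(
    r"(?P<qid>[0-9A-F]+): to=<[^>]*@(?P<domain>[^>]+)>.*dsn=(?P<dsn>[\d.]+), status=(?P<status>\w+)")


def onion_resolution_failures(log_text):
    """Queue ids of .onion deliveries bounced with dsn 5.4.4 (unresolvable host),
    i.e. the symptom seen in the question before Tor's DNS backend is wired in."""
    hits = []
    for line in log_text.splitlines():
        m = BOUNCE_RE.search(line)
        if m and m.group("domain").endswith(".onion") and m.group("dsn") == "5.4.4":
            hits.append(m.group("qid"))
    return hits


if __name__ == "__main__":
    conf = parse_torrc(TORRC)
    print("overlaps:", overlapping_subnets(conf, ["192.168.1.0/24", "10.200.0.0/16"]))
    print("bind forwards to tor:", bind_forwarder_matches_tor(BIND_ZONE, conf))
    print(destination_for("10.200.1.1", conf), destination_for("192.0.2.10", conf))
    print(redirect_rule("lo1", conf))
    print("onion bounces:", onion_resolution_failures(MAIL_LOG))
```

Run it as-is to see the checks on the constructed inputs; to use it on a real box, replace the three constants with the contents of your torrc, the named zone file and a slice of mail.log. A non-empty `overlapping_subnets` result means the VirtualAddrNetworkIPv4 range must be moved before the REDIRECT rule goes in, since the rule would otherwise swallow traffic to a real subnet.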