= WARNING: THIS PAGE IS *HEAVILY* DEPRECIATED. IT ONLY REMAINS FOR HISTORICAL VALUE - DO NOT FOLLOW THE INSTRUCTIONS PROVIDED HERE! =
== Remailing ==
# WARNING: THIS PAGE IS *HEAVILY* DEPRECIATED. IT ONLY REMAINS FOR HISTORICAL VALUE - DO NOT FOLLOW THE INSTRUCTIONS PROVIDED HERE!
## Remailing
This How-To is intended to increase the security and anonymity of remailing with SMTP, M2N, HHTP/S Stats Updates and NNTP/S to the *highest* possible level.
...
...
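Review bot: The rewritten top-level heading still carries the misspelling "DEPRECIATED". Since the line is being replaced anyway, change it to "DEPRECATED" so the warning reads correctly. In the `#` form `*HEAVILY*` will also render as emphasis rather than with literal asterisks; confirm that is the intended look for the banner.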
@@ -26,7 +26,7 @@ This How-To is written in laymen's language; but it's not "dumbed down".
These instructions should work fine for any OS, but I have only tested them on Windows XPHome and 98se (don't worry, I'm not an average Windoze user ;-).
=== Tor, TLS, SMTP, M2N & NNTP/S ===
### Tor, TLS, SMTP, M2N & NNTP/S
If you use remailers you can also use TLS and Tor to add additional layers of encryption and anonymity. There are only a few remailers that accept TLS connections and offer non-standard SMTP ports; my favorite is mail.bananasplit.info, another good one is panta-rhei.dyndns.org.
...
...
@@ -48,7 +48,7 @@ The following traffic will be completly hidden from an adversary:
* Downloading on-topic NNTP/S NG messages (like a.a.m)
==== QS FTP Component Downloads ====
#### QS FTP Component Downloads
After you first install QS.exe (current release) you should use QS "Update Wizard" to download QS plugins (POP, PGP, NNTP, etc) and MixMaster.
...
...
@@ -66,13 +66,13 @@ Socks Level: 4a
Click "Next" to access the QS FTP page.
}}}
{{{
```
Highlight the .exe, .sig or .txt files you want to download via. QS > Tor > QS FTP and click "Next".
}}}
```
After you download a file re-access the QS FTP as per above and choose your next download.
You can configure QS to access remailer Stats Pages via. SSL (HTTPS) and Tor. In this example I use Banana's HTTPS Stats Page; Panta also offers an SSL (HTTPS) Stats Page. These Stats Pages are accessed via. QS > Stunnel > Tor > Stats Page.
...
...
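Review bot: The `}}}` directly after `Click "Next" to access the QS FTP page.` has no three-backtick replacement in this hunk, although the block that follows it is converted. That leaves the preceding block closed with the old delimiter, and a Markdown renderer will show a literal `}}}` and may mis-pair the fences around it. Convert that closer, and check the matching opener above the visible context.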
@@ -104,15 +104,15 @@ After you click "OK" QS will bring up the "Statistics & Keyrings" window. Ensur
In the "Statistics & Keyrings" window check the following boxes:
The box Type2.list should be unavailable; Type2.list isn't necessary with QS, Richard created Type1.list to better serve QS's preferred use of Type II !MixMaster remailers. Type1.list is a bit easier to read and allows QS to seamlessly use !MixMaster remailers.
The box Type2.list should be unavailable; Type2.list isn't necessary with QS, Richard created Type1.list to better serve QS's preferred use of Type II MixMaster remailers. Type1.list is a bit easier to read and allows QS to seamlessly use MixMaster remailers.
The boxes "Pubring.txt" and "Pubring.asc" don't need to checked as QS automaticaly updates these Stats with the first Stat Update each day.
...
...
@@ -121,11 +121,11 @@ You can also download Statistics Updates via. Hidden Services offered by Panta;
I have noticed when I Update Stats via. Panta's Hidden Services there is a conciderable difference in the rlist and mlist Stats vs. Banana's TLS echolot Stats Pages.
For example, there are more remailer and config keys when Updating !CypherPunk (Type I; rlist.txt) Stats via. Panta's Hidden Services then Updating CypherPunk Stats via. Bananan's TLS echolot Stats Pages.
For example, there are more remailer and config keys when Updating CypherPunk (Type I; rlist.txt) Stats via. Panta's Hidden Services then Updating CypherPunk Stats via. Bananan's TLS echolot Stats Pages.
Also, when Updating MixMaster (Type II; mlist.txt) Stats via. Panta's Hidden Services the "Broken type-I remailer chains:" and "Broken type-II remailer chains:" sections are missing. Only the "Last update: mixmaster history latency uptime" section is available.
===== Type I DSS and RSA Issues =====
##### Type I DSS and RSA Issues
This section isn't directly related to TLS or Tor; but this is an important remailing security issue and I didn't think it was too far off-topic.
...
...
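Review bot: The replacement line for the CypherPunk Stats sentence only drops the `!` escapes and keeps "Bananan's" and "then Updating". As the line is already being touched, correct these to "Banana's" and "than Updating" so the comparison between the two Stats sources reads unambiguously.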
@@ -138,7 +138,7 @@ If you use hard coded or random remailers in your header 'Chain:' QS will by def
QS will not use CypherPunk remailers in the header 'Chain:' unless specified.
====== DSS and RSA ======
###### DSS and RSA
You can create your PGP NymKey with the DSS algorythm and select DSS capable Type I NymServers and DSS capable Type I ESUB remailers for use in your reply block.
...
...
@@ -147,48 +147,48 @@ Type II remailers (MixMaster) offer DSS keys which will be automatically selecte
Note:
It is possible to create and remail with a PGP NymKey using the DSS algorythm and an 'encryption key' bit size of 4096, 'signing key' bit size of 1024.
====== 'Disable Key' DSS & RSA Type I Keys ======
###### 'Disable Key' DSS & RSA Type I Keys
Another option that can increase your security is to use the "Disable Key" option on certain !CypherPunk remailer keys.
Another option that can increase your security is to use the "Disable Key" option on certain CypherPunk remailer keys.
If you created your PGP !NymKey with the DSS algorythm then select Type I !NymServers and Type I reply block ESUB remailers that offer DSS keys.
If you created your PGP NymKey with the DSS algorythm then select Type I NymServers and Type I reply block ESUB remailers that offer DSS keys.
You can then use the 'Disable Key' option on all RSA remailer keys in the !CypherPunk Keyring to ensure QS only uses DSS CypherPunk remailers.
You can then use the 'Disable Key' option on all RSA remailer keys in the CypherPunk Keyring to ensure QS only uses DSS CypherPunk remailers.
Or, if you prefer RSA you can use the 'Disable Key' option on all DSS keys to achieve !CypherPunk RSA algorythm use.
Or, if you prefer RSA you can use the 'Disable Key' option on all DSS keys to achieve CypherPunk RSA algorythm use.
====== Type II Exit Remailer ======
###### Type II Exit Remailer
For increased reliability and control you can select a Type II remailer to use as a hard coded Exit remailer in your header 'Chain:'.
When choosing your hard coded Exit remailer read the "cap codes" of each remailer listed in the MixMaster keyring.
Attempt to choose a Type II remailer with the following capabilities:
{{{
```
N = Posting to news
C = Compression
m = posting via. M2N gatway
p = posting via. local inews
}}}
```
Try to choose a remailer without this capability:
{{{
```
M = Middleman Only
}}}
```
Also, read the "mlist.txt" to enusure your choosing a remailer with very good "uptime" (100%) and quality "history".
{{{
```
Mlist.txt is located under View > mlist.txt.
}}}
```
Here is a sample message header with a Type II remailer hard coded as the Exit remailer in the header 'Chain:':
{{{
```
Chain: banana,*,*,starwars; copies=6
}}}
```
====== Reply Block, ESUB and A.A.M. Issues ======
###### Reply Block, ESUB and A.A.M. Issues
I highly recommend the use of ESUB and a.a.m. in your reply block.
...
...
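Review bot: The rewritten lines in the 'Disable Key' section ("If you created your PGP NymKey with the DSS algorythm..." and "...to achieve CypherPunk RSA algorythm use.") still spell "algorythm". Fix the spelling to "algorithm" in the same change rather than carrying it into the Markdown version. The cap-code block in this hunk also has "gatway" on the `m =` line, which could be corrected in the same pass.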
@@ -199,9 +199,9 @@ To use 'Encrypt-Subject:' (ESUB) a single Type I ESUB capable remailer is requir
Type I remailers are located on the Cypherpunks keyring; Type I remailers are only used for reply block ESUB messages and NymServer (config) Keys.
Your reply block route will look like this:
{{{
```
Message Origin > Your NymServer > ESUB Type I remailer > M2N > a.a.m. (ESUB message).
}}}
```
When chooseing your hard coded reply block ESUB remailers read the "cap strings" of each remailer listed in the CypherPunks keyring by accessing "rlist.txt".
...
...
@@ -213,23 +213,23 @@ Rlist.txt is located under View > rlist.txt.
Attempt to choose Type I remailers with the following capabilities:
{{{
```
pgp
mix
cpunk
esub
ek
latent
}}}
```
Try to choose a remailer without this capability:
{{{
```
middle
}}}
```
Here is a sample reply block with an ESUB remailer to a.a.m.; don't use these Encrypt-Key: and Encrypt-Subject: passcodes.
{{{
```
Reply-Block:
Anon-To: austria
Encrypt-Key: cvxbdsfgasfbg
...
...
@@ -240,49 +240,49 @@ austria
Newsgroups: alt.anonymous.messages
Subject: What you want
mail2news_munge@bananasplit.info
}}}
```
==== QS New Message Window Proxy & TLS Settings ====
#### QS New Message Window Proxy & TLS Settings
This section of the How-To describes the configuration of QS new message headers, templates and proxies.
===== QS New Message Proxy Settings =====
##### QS New Message Proxy Settings
When you are in the window where you encrypt your message and create the message headers there is a box in the upper right; disable it.
QS > Stunnel (via. Sockscap) > Tor (via. port 2525) > Tor Entry Node > Tor Middleman Node > Tor Exit Node > mail.bananasplit.info (Entry Remailer & Host) > Random Middleman Remailer > Ramdom Middleman Remailer > itlay (Exit Remailer) > reciepent.
}}}
```
This route completly anonymizes your use of the remailer network; an advasary will have no idea your using SMTP, M2N, NNTPS, MixMaster, CypherPunk, etc.
Copy and paste this into the headers section of the send mail window:
{{{
```
Host: 127.0.0.1:2525
From: your nym here@your.nym.server.here
From: your nym here
Chain: banana,*,*,italy; copies=6
To:
Subject:
}}}
```
You need to hard code Banana as the first remailer in your chain if your going to use the Banana TLS Host.
===== QS New Message TLS SMTP, M2N Template =====
##### QS New Message TLS SMTP, M2N Template
This template will route traffic to Usenet via. the route described above then on though Banana's M2N gateways.
Copy and paste this into the headers section of the send mail window:
{{{
```
Host: 127.0.0.1:2525
From: your nym here@your.nym.server.here
From: your nym here
...
...
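Review bot: Both header templates in this hunk change `From: your nym here@your.nym.server.here` to `From: your nym here`, which is a content change in what otherwise looks like a markup-only conversion. The dropped `@your.nym.server.here` is the part that tells the reader a full nym address is expected, so a reader copying the new template would set an incomplete From header. Restore the original value unless the removal is deliberate, in which case it belongs in its own commit with an explanation.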
@@ -293,7 +293,7 @@ X-No-Archive: Yes
Newsgroups:
References:
Subject:
}}}
```
Note:
Make sure to un-wrap the header "To: mail2news_munge@bananasplit..., mail2news@bananasplit..., mail2news@anon...".
...
...
@@ -302,7 +302,7 @@ You need to hard code Banana as the first remailer in your chain if your going t
You need to add a Banana HashCash Token to use Banana M2N; get HashCash here: http://www.panta-rhei.dyndns.org/downloads/
==== Configure Stunnel ====
#### Configure Stunnel
This template will accecpt QS traffic via. LocalHost (127.0.0.1) on Port 2525 (SMTP & M2N), Port 119 (NNTPS) or Port 4430 (HHTPS) and uses Zax's bananasplit.info as the TLS host.
...
...
@@ -318,7 +318,7 @@ D. Downloading NNTPS on-topic NG messages via. TLS.
Copy and paste this into your Stunnel .conf file:
{{{
```
debug = 7
CAfile = banana.pem
output = log.txt
...
...
@@ -343,13 +343,13 @@ delay = no
accept = 4430
connect = pinger.bananasplit.info:443
delay = no
}}}
```
==== Configure SocksCap ====
#### Configure SocksCap
!SocksCap will route traffic from Stunnel into Tor using Socks5.
SocksCap will route traffic from Stunnel into Tor using Socks5.
Import the address of Stunnel.exe shortcut into !SocksCap; then when you want to use Stunnel click "Run Socksified".
Import the address of Stunnel.exe shortcut into SocksCap; then when you want to use Stunnel click "Run Socksified".
{{{
Start SocksCap > File > Setup >
...
...
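Review bot: The `{{{` that opens the block starting `Start SocksCap > File > Setup >` is not followed by a three-backtick line, unlike the converted stunnel block just above it. The SocksCap settings will therefore render with a literal `{{{` instead of as a preformatted block. Convert this opener and its matching closer so the Stunnel and SocksCap sections use the same fence style.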
@@ -360,35 +360,35 @@ Protocol: Socks5
Name Resolution: Resolve all names remotely
}}}
==== Configure Tor ====
#### Configure Tor
Upgrade to current stable (or test) release; default setup.
==== Downloading NNTPS NG Messages ====
#### Downloading NNTPS NG Messages
You can also setup QS to download on-topic messages from news.bananasplit.info (NNTPS) via. QS > Stunnel > Tor > NNTPS.
All the settings that are requred you have already configured; all you need to do is configure the QSNews Plugin (NNTP).
===== QS NNTP Account Manager Setup =====
##### QS NNTP Account Manager Setup
{{{
```
Start QS > Tools > News Accounts >
New > News Server > 127.0.0.1
News Groups and Subjects > On-topic groups; use Esub for a.a.m
You can configure QS to access remailer Stats Pages via. Panta's Hidden Services. These Stats Pages are accessed via. QS > Tor > Hidden Services > Stats Page.
...
...
@@ -439,13 +439,13 @@ After you click "OK" QS will bring up the "Statistics & Keyrings" window. Ensur
In the "Statistics & Keyrings" window check the following boxes:
The box Type2.list should be unavailable; Type2.list isn't necessary with QS, Richard created Type1.list to better serve QS's preferred use of Type II MixMaster remailers. Type1.list is a bit easier to read and allows QS to seamlessly use MixMaster remailers.
...
...
@@ -454,15 +454,15 @@ The boxes "Pubring.txt" and "Pubring.asc" don't need to checked as QS automatica
Note:
I have noticed when I Update Stats via. Panta's Hidden Services there is a considerable difference in the rlist and mlist Stats vs. Banana's TLS echolot Stats Pages.
For example, there are more remailer and config keys when Updating !CypherPunk (Type I; rlist.txt) Stats via. Panta's Hidden Services then Updating !CypherPunk Stats via. Bananan's TLS echolot Stats Pages.
For example, there are more remailer and config keys when Updating CypherPunk (Type I; rlist.txt) Stats via. Panta's Hidden Services then Updating CypherPunk Stats via. Bananan's TLS echolot Stats Pages.
Also, when Updating MixMaster (Type II; mlist.txt) Stats via. Panta's Hidden Services the "Broken type-I remailer chains:" and "Broken type-II remailer chains:" sections are missing. Only the "Last update: mixmaster history latency uptime" section is available.
==== QS New Message Window Hidden Services Settings ====
#### QS New Message Window Hidden Services Settings
This section detials the configuration of QS so you can send SMTP, M2N and download on-topic NNTP NG messages through Tor Hidden Services.
===== QS New Message Header Proxy Settings =====
##### QS New Message Header Proxy Settings
When you are in the window where you encrypt your message and create the message headers there is a box in the upper right; enable it.
...
...
@@ -475,33 +475,33 @@ Socks Level: 4a
Check the use Tor box
}}}
===== QS New Message SMTP Hidden Services Template =====
##### QS New Message SMTP Hidden Services Template
This template will route SMTP traffic through Panta's Hidden Services then on to your reciepent.
Copy and paste this into the headers section of the send mail window:
You need to hard code Panta as the first remailer in your chain if your going to use the Panta Hidden Services.
Note:
I have noticed when sending SMTP via. Panta's Hidden Services my recipients receive 2 or more duplicate messages. I'm not sure why this happens; you may want to lower your "copies=" paramiter from "copies=6" to "copies=3".
===== QS New Message SMTP M2N Hidden Services Template =====
##### QS New Message SMTP M2N Hidden Services Template
This template will route traffic to Usenet (NNTP) via. the route described above then on though Panta's M2N gateways.
Copy and paste this into the headers section of the send mail window:
Make sure to un-wrap the header "To: mail2news-hashcash@panta..., mail2news-hashcash_nospam@panta, mail2news@anon...".
...
...
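Review bot: The `}}}` after `Check the use Tor box` is left in the old syntax while the headings around it are converted. Replace it with a three-backtick fence, along with the opener of that proxy-settings block, so the Socks settings render as a block rather than as stray braces ahead of the "QS New Message SMTP Hidden Services Template" heading.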
@@ -521,39 +521,39 @@ You need to hard code Panta as the first remailer in your chain if your going to
You need to add a Panta HashCash Token to use Panta M2N; get HashCash here: http://www.panta-rhei.dyndns.org/downloads/
==== Configure Tor ====
#### Configure Tor
Upgrade to current test release (at present 0.1.0.7-rc); default setup.
Note:
If you don't plan on using Tor Hidden Services for SMTP, M2N, HHTP Stats Updates or NNTP NG's downloads you can use the latest stable Tor release. If you want to use Hidden Services you should upgrade to Tor 0.1.0.7-rc (current test release as of 05-18-05); this test relese allows QS the best access Hidden Services.
==== Downloading Hidden Services NNTP NG Messages ====
#### Downloading Hidden Services NNTP NG Messages
You can also setup QS to download on-topic NNTP NG messages from Panta's Hidden Services NNTP protal: rjgcfnw4sd2jaqfu.onion via. QS > Tor > Hidden Services > NNTP NG's.
All the settings that are requred you have already configured; all you need to do is configure the QSNews Plugin (NNTP Account Manager).
===== QSNews NNTP Account Manager Setup =====
##### QSNews NNTP Account Manager Setup
{{{
```
Start QS > Tools > News Accounts >
New > News Server > rjgcfnw4sd2jaqfu.onion
News Groups and Subjects > On-topic groups; use Esub for a.a.m
Check the box "Download All"
}}}
```
{{{
```
Start QS > Tools > News Accounts > Proxy >
Proxy Server: 127.0.0.1
Proxy Port: 9050
Socks Level: 4a
}}}
```
==== Hidden Services End Notes ====
#### Hidden Services End Notes
A. Banana also offers SMTP, M2N and NNTP via. Tor Hidden Services. ZAX's Hidden Services are down right now but he's getting them up soon.
...
...
@@ -561,9 +561,9 @@ As far as I understand you can post and download though Banana'a Hidden Services
B. Don't have Stunnel running in system tray when your using Hidden Services and QS; this causes QS to lock and give me "unable to wipe" error message; requiring hard restart of QS.
#### Onion Routing and Hidden Services Security & Anonymity Issues
===== Multiple Calls =====
##### Multiple Calls
At the present time Tor *does not* support multiple calls on different Onion Routes.
...
...
@@ -581,7 +581,7 @@ Example B:
If you are surfing (HHTP/S) with your browser's "muti-tab" function; both tab's HTTP/S calls will use the same Onion Route.
===== Tor Rendezvous Node =====
##### Tor Rendezvous Node
The rendezvous node of the Tor network is where you and the Panta or Banana Hidden Services meet, I believe the rendezvous node should be verified; by default it is unverified.
...
...
@@ -603,17 +603,17 @@ Rendezvous node tweak:
Now the rendezvous node must have it's PGP sig and Tor fingerprint w/valid email on file with the Tor network (DirPort).
===== EHLO Answer =====
##### EHLO Answer
There is a *large* anonymity hole in the use of remailers and Tor Hidden Services. When you use SMTP and M2N on Tor's Hidden Services your real Host and IP can be leaked via. the EHLO answer to the Tor Introduction Points server, OR and Rendezvous Point node.
QS spoofs the EHLO answer (as does JBN2 Panta mod) so your Host and IP are secure.
=== Everyday Use ===
### Everyday Use
Your done! Now to use the monster you created...
==== Tor and TLS Stats Page ====
#### Tor and TLS Stats Page
A. Start QS
...
...
@@ -627,7 +627,7 @@ E. Select Banana's TLS echolot Stats Page URL's in QS URL Manager
F. QS > Tools > Remailers > Update
==== Tor, TLS, SMTP and M2N ====
#### Tor, TLS, SMTP and M2N
A. Start QS
...
...
@@ -639,7 +639,7 @@ D. Start Stunnel via. SockCap
E. Use either template for TLS SMTP or M2N
==== Tor, TLS and NNTPS NG Downloads ====
#### Tor, TLS and NNTPS NG Downloads
A. Start QS
...
...
@@ -655,7 +655,7 @@ F. Select News Account for "127.0.0.1"
G. Start downloading messages
==== Tor Hidden Services Stats Page ====
#### Tor Hidden Services Stats Page
A. Start QS
...
...
@@ -665,7 +665,7 @@ C. Select Panta's Hidden Services Stats Page URL's in QS URL Manager
D. QS > Tools > Remailers > Update
==== Tor Hidden Services SMTP and M2N ====
#### Tor Hidden Services SMTP and M2N
A. Start QS
...
...
@@ -673,7 +673,7 @@ B. Start Tor
C. Use either template for Hidden Service SMTP or M2N
==== Tor Hidden Services NNTP NG Downloads ====
#### Tor Hidden Services NNTP NG Downloads
A. Start QS
...
...
@@ -685,7 +685,7 @@ D. Select News Account for "rjgcfnw4sd2jaqfu.onion"
E. Start downloading messages
=== Further Reading ===
### Further Reading
Panta Hidden Services info & JBN/Tor:
...
...
@@ -719,7 +719,7 @@ QS website:
http://www.quicksilvermail.net/
=== In A Perfect World... ===
### In A Perfect World...
...SocksCap speaks Socks4a, both Panta and Banana offer NNTPS and SMTP/M2N(TLS) via. Tor Hidden Services on port 563 & 2525 (or other ports).
...
...
@@ -729,35 +729,35 @@ Thus, having an encrypted Ephemeral TLS route through Tor Hidden Services withou
I don't know if this is possible as Hidden Services may not allow a Stunnel (TLS) forward:
{{{
```
#[PANTA_TLS_SMTP_HIDDEN_SERVICES]
#accept = 2525
#connect = rjgcfnw4sd2jaqfu.onion:2525
#delay = no
}}}
```
Or something of that nature...
== Credits ==
## Credits
=== Contributing Authors ===
### Contributing Authors
* HereHere
* Steve Crook
* PeterPalfrader
=== Thanks and Respect ===
### Thanks and Respect
Thanks to all those past and present who have taught, created, tested and used open-source privacy related software.
Without your help and time none of this would be possible...