Raw import from Trac using Trac markup language. Authored by Alexander Hansen Færøy.
[[TOC]]
= TorCitadel - Network of homemade MAIL- and JABBER-servers with TOR transport encryption =
If you use email, your SMTP client or your browser sends the email to an email server. Depending on your mail provider this connection may be encrypted, or it may not be, leaving the mail free to sniff for intelligence agencies and hackers. Your mail provider has full access to your mails on its server; intelligence agencies do, too. When your mail provider sends your mail on to the recipient's mail provider, the connection is often unencrypted and can be sniffed again. The remote mail provider, and intelligence agencies, have access to your mail on the remote mail server, again. When the recipient pulls your mail from his provider's mail server, the connection often isn't encrypted either.
Email and privacy are mutually exclusive. Or is there a solution?
What if you move the mail server to your home or office (no physical access for third parties) and use TOR as end-to-end encryption of the content and to anonymize the transport metadata?
This is what TorCitadel does. It's YOUR personal well-fortified mail server at YOUR home or YOUR office. Other TorCitadel users can send you mail at your "<user>@<hidden-service ID>.onion" mail address.
== Prerequisites ==
* [http://elinux.org/RPi_Hardware RaspberryPi] ~30,- €
* [http://elinux.org/RPi_Hardware#Power Power-supply] ~5,- €
* [http://elinux.org/RPi_SD_cards SD-Card] (e.g. Transcend TS8GSDHC10U1) ~10,- €
* Network cable or [http://elinux.org/RPi_USB_Wi-Fi_Adapters USB Wi-Fi Adapters]
* USB Keyboard for initial setup
* [http://downloads.raspberrypi.org/raspbian_latest Current Raspbian OS (Debian Wheezy) 0,00 €]
== Installation ==
=== !RaspberryPi ===
1. Unzip 201X-XX-XX-wheezy-raspbian.zip
1. [http://www.raspberrypi.org/documentation/installation/installing-images/README.md Write the extracted image 201X-XX-XX-wheezy-raspbian.img to the SD-card]
1. Connect the RaspberryPi to your private network, your USB keyboard and plug in the SD-card
1. Boot the RaspberryPi by connecting the power-supply
1. RaspberryPI Configuration Tool (raspi-config)
   1. Expand file system to use maximum space on SD-card
   1. Change password of user "pi"
   1. Internationalisation Options
      1. Adjust "Locale" to your needs
      1. Adjust "Timezone" to your needs
      1. Adjust "Keyboard layout" to your needs
   1. Advanced options
      1. Change hostname to "mail"
      1. SSH -> <Enable>
   1. Select <Finish> and answer the reboot question with <Yes> to reboot
=== Generic Debian/Ubuntu ===
1. Become root
{{{
sudo -s
}}}
1. Activate IPv6 (necessary for Citadel to work!)[[BR]]
{{{
echo "ipv6" >> /etc/modules && modprobe ipv6 && echo SUCCESS || echo ERROR
}}}
1. Upgrade all packages to the most current version [[BR]]
{{{
apt-get update && apt-get upgrade && apt-get dist-upgrade
}}}
1. Install TOR and IPtables[[BR]]
{{{
apt-get install tor iptables-persistent
}}}
1. Create the TOR transparent proxying and the hidden service
{{{
echo "
### Tor transparent proxying
VirtualAddrNetwork 10.0.0.0/8
AutomapHostsSuffixes .onion,.exit
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 127.0.0.1
DNSPort 53
DNSListenAddress 127.0.0.1
### Citadel hidden service
# These ports are publicly accessible via TOR!!!
# Comment out ports you do not need!!!
HiddenServiceDir /var/lib/tor/mail
HiddenServicePort 25 127.0.0.1:25 # Mail SMTP + optional StartTLS
HiddenServicePort 25 [::1]:25 # Mail SMTP + optional StartTLS
#HiddenServicePort 80 127.0.0.1:80 # Webif HTTP unencrypted + plain-text auth
#HiddenServicePort 80 [::1]:80 # Webif HTTP unencrypted + plain-text auth
#HiddenServicePort 110 127.0.0.1:110 # Mail POP3 unencrypted + plain-text auth
#HiddenServicePort 110 [::1]:110 # Mail POP3 unencrypted + plain-text auth
#HiddenServicePort 143 127.0.0.1:143 # Mail IMAP + opportunistic StartTLS
#HiddenServicePort 143 [::1]:143 # Mail IMAP + opportunistic StartTLS
#HiddenServicePort 443 127.0.0.1:443 # Webif HTTPS SSL
#HiddenServicePort 443 [::1]:443 # Webif HTTPS SSL
#HiddenServicePort 465 127.0.0.1:465 # Mail SMTPS SSL
#HiddenServicePort 465 [::1]:465 # Mail SMTPS SSL
#HiddenServicePort 504 127.0.0.1:504 # Decentralized Citadel nodes synchronisation
#HiddenServicePort 504 [::1]:504 # Decentralized Citadel nodes synchronisation
#HiddenServicePort 587 127.0.0.1:587 # Mail MSA + forced StartTLS
#HiddenServicePort 587 [::1]:587 # Mail MSA + forced StartTLS
#HiddenServicePort 993 127.0.0.1:993 # Mail IMAPS SSL
#HiddenServicePort 993 [::1]:993 # Mail IMAPS SSL
#HiddenServicePort 995 127.0.0.1:995 # Mail POP3S SSL
#HiddenServicePort 995 [::1]:995 # Mail POP3S SSL
HiddenServicePort 5222 127.0.0.1:5222 # Jabber
HiddenServicePort 5222 [::1]:5222 # Jabber
" >> /etc/tor/torrc && service tor restart
}}}
1. '''Backup the directory "/var/lib/tor/mail/"!'''
   1. "hostname" contains the fully-qualified hostname/email domain of your TOR hidden service
   1. "private_key" contains the private key of your TOR hidden service. If you lose it, you lose your .onion domain. Anyone who gets the private key can take over your .onion domain and the connections to it!
1. IPTables rules for transparent proxying[[BR]]
{{{
iptables -t nat -A OUTPUT -p tcp -d 10.0.0.0/8 -j REDIRECT --to-ports 9040 -m comment --comment "TOR transparent proxying for .onion"
iptables -t filter -A OUTPUT -d 10.0.0.0/8 -j REJECT -m comment --comment "Reject non-TCP traffic to TOR"
service iptables-persistent save
}}}
1. Use Tor as nameserver (necessary for .onion domains of hidden services)
{{{
echo 'prepend domain-name-servers 127.0.0.1;' >> /etc/dhcp/dhclient.conf
}}}
1. Follow [http://www.ducky-pond.com/posts/2012/Jul/installing-citadel-on-rpi/ Ducky Pond's installation and configuration guide] for Citadel
   1. At "Now we're going to go to '''Domain names and Internet mail configuration'''. Here you'll need to add the domains you want to receive mail for under the '''Local host aliases'''." enter your TOR hidden service hostname from "/var/lib/tor/mail/hostname"
1. Reboot the !RaspberryPi
1. Read the Citadel documentation at !http://citadel.org/
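The torrc step above exposes every uncommented HiddenServicePort line to the whole Tor network, which is why the comment in that block tells you to comment out the ports you do not need. The POSIX shell functions below are an added example, not part of the TorCitadel page or of Tor itself: they audit a torrc text for the virtual ports actually exposed and flag 80 and 110, the two the torrc block labels as unencrypted with plain-text authentication. The SAMPLE_TORRC fragment is constructed for this example (it deliberately leaves port 110 enabled), and the function names and the PLAINTEXT_PORTS list are my own choices.

```shell
# Added example (not from the TorCitadel page): audit a torrc for the
# hidden-service ports it exposes over the Tor network.

# Constructed sample torrc fragment in the layout the page appends with echo.
# Port 110 is intentionally left uncommented so the audit has something to flag.
SAMPLE_TORRC='### Citadel hidden service
HiddenServiceDir /var/lib/tor/mail
HiddenServicePort 25 127.0.0.1:25 # Mail SMTP + optional StartTLS
HiddenServicePort 25 [::1]:25 # Mail SMTP + optional StartTLS
#HiddenServicePort 80 127.0.0.1:80 # Webif HTTP unencrypted + plain-text auth
HiddenServicePort 110 127.0.0.1:110 # Mail POP3 unencrypted + plain-text auth
HiddenServicePort 5222 127.0.0.1:5222 # Jabber
'

# Ports the torrc block describes as unencrypted with plain-text authentication
# (hypothetical policy list for this example; extend it to match your own risk view).
PLAINTEXT_PORTS="80 110"

# exposed_ports TORRC_TEXT
# Prints the distinct virtual ports from uncommented HiddenServicePort lines,
# sorted numerically, space separated (commented lines start with '#' and so
# never match the first field).
exposed_ports() {
    printf '%s\n' "$1" \
        | awk '$1 == "HiddenServicePort" { print $2 }' \
        | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# risky_ports TORRC_TEXT
# Prints the exposed ports that are on PLAINTEXT_PORTS; empty output if none.
risky_ports() {
    for p in $(exposed_ports "$1"); do
        for r in $PLAINTEXT_PORTS; do
            [ "$p" = "$r" ] && printf '%s ' "$p"
        done
    done | sed 's/ $//'
}

# audit_torrc TORRC_TEXT
# Returns 1 (and warns on stderr) if any plain-text port is reachable through
# the hidden service, 0 otherwise.
audit_torrc() {
    risky=$(risky_ports "$1")
    if [ -n "$risky" ]; then
        echo "WARNING: plain-text ports exposed via hidden service: $risky" >&2
        return 1
    fi
    echo "OK: exposed hidden-service ports: $(exposed_ports "$1")"
    return 0
}
```

On the real box, run `audit_torrc "$(cat /etc/tor/torrc)"` after the echo step and again after every edit of the torrc; a non-zero exit means a port that carries credentials in the clear is still reachable from anywhere on the Tor network. The check only reads the configuration text, so it can also run on a copy of the file before it is deployed.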