How to use a and which mailclient in QUBES (via TOR)?


pix...@mail2tor.com

Feb 22, 2017, 2:47:16 PM
to qubes...@googlegroups.com
Hello group,

I'm (somewhat proudly) running Qubes OS on my Thinkpad and new to this group.
Installation was straightforward, thanks to the excellent documentation.
I'm currently migrating all my data into Qubes OS to use it as my primary OS.

Using TOR via the builtin anon-whonix is super easy and I have
successfully created a new email address via mail2tor.com /
http://mail2tor2zyjdctd.onion/.

I would like to use a mailclient with IMAP/SMTP to access my mail2tor
mailbox. Within the Anon-Whonix I haven't found a mailclient.

Question: Which mail client do you suggest to use?

- Thunderbird
- Claws
- ...

I would like to use GnuPG and maybe S/MIME with my mail2tor mail address
via Whonix/TOR, so the mailclient should support this or offer plugins
to do so.
Are there any security concerns storing my GnuPG keys (for the
mail2tor address) within the Whonix VM?

Kind regards

Pixr

Andrew David Wong

Feb 23, 2017, 12:06:08 AM
to pix...@mail2tor.com, qubes...@googlegroups.com
One option is to use Thunderbird with TorBirdy and Split GPG. This is
what I used to do, though I did run into compatibility issues, which
*might* now be solved. Using Split GPG would help to mitigate the
concern about exposing your PGP keys to the Whonix Workstation VM:

https://www.qubes-os.org/doc/split-gpg/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

Tim W

Feb 23, 2017, 1:25:10 AM
to qubes-users, pix...@mail2tor.com

Something you might consider as you are already moving to a new system (Qubes):

I have switched to a cmd line email client (mail user agent) using a MTA MTR. There is qubes doc on how to set it up with MUTT, Postfix and fetchmail or whatever combo you wish. When I look at the security risks with emails, going to text only client removes 99% and it's fast, slick and powerful. Combine with split GPG and it gives a complete package along with sticking to light powerful programs that each is dedicated to one goal (Unix doctrine).

Unman

Feb 23, 2017, 8:08:42 AM
to Tim W, qubes-users, pix...@mail2tor.com
Yes, mutt is a great client. I run it in a minimal template.
Make sure that you have mailcap entries to open attachments
in dispVMs - and have the spawned dispVM with no network connection.
Highly recommend this route.
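
The mailcap advice above, as an added example that is not part of the original post: a small audit that lists the attachment types a mail qube would still open locally instead of handing them to a DisposableVM. The sample mailcap is constructed and the function names are hypothetical; `qvm-open-in-dvm` is the Qubes tool that opens a file in a DisposableVM. Whether the spawned DisposableVM has a network connection is set on the Qubes side and is not checked here.

```shell
#!/bin/sh
# Added example: audit a mailcap file for attachment types that would be
# opened inside the mail qube instead of being handed to a DisposableVM.

# Constructed sample mailcap (not from the thread).
write_sample_mailcap() {
    cat > "$1" <<'EOF'
# attachments handed to a DisposableVM
application/pdf; qvm-open-in-dvm %s
image/*; qvm-open-in-dvm %s
# attachments still handled locally in the mail qube
text/html; w3m -I %{charset} -T text/html -dump %s; copiousoutput
application/msword; libreoffice %s
EOF
}

# Print the MIME type of every entry whose view command is not
# qvm-open-in-dvm. Comments and blank lines are skipped.
# Assumes one entry per line (no backslash continuations).
audit_mailcap() {
    awk -F';' '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            type = $1; cmd = $2
            gsub(/^[ \t]+|[ \t]+$/, "", type)
            gsub(/^[ \t]+|[ \t]+$/, "", cmd)
            split(cmd, words, /[ \t]+/)
            if (words[1] != "qvm-open-in-dvm") print type
        }
    ' "$1"
}

# Demo on the constructed sample.
sample=$(mktemp)
write_sample_mailcap "$sample"
echo "Opened locally (not in a DisposableVM):"
audit_mailcap "$sample"
rm -f "$sample"
```

Run it against the real file with `audit_mailcap ~/.mailcap`; an empty result means every listed type is routed through `qvm-open-in-dvm`.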

pix...@mail2tor.com

Feb 23, 2017, 3:34:50 PM
to qubes-users, Tim W
Hello Tim,

> On Wed, Feb 22, 2017 at 10:25:10PM -0800, Tim W wrote:
>> [...]
>> I have switched to a cmd line email client (mail user agent) using a MTA
>> MTR. There is qubes doc on how to set it up with MUTT, Postfix and
>> fetchmail or whatever combo you wish. When I look at the security
>> risks with emails, going to text only client removes 99% and it's fast,
>> slick and powerful. Combine with split GPG and it gives a complete
>> package along with sticking to light powerful programs that each is
>> dedicated to one goal (Unix doctrine).
>> [...]

Thank you for the suggestions, I'll try to follow this path.
From what I have understood, using mutt will result in the following "recipe":

1) Install a MRA (Mail Retrieval Agent) to receive Email via IMAP/POP
=> Fetchmail
Install Howto: https://www.qubes-os.org/doc/fetchmail/

2) Install a MTA (Mail Transfer Agent) to send Email via SMTP
=> Postfix
Install Howto: https://www.qubes-os.org/doc/postfix/

3) Install Textmail-Client
=> MUTT
Install Howto: https://www.qubes-os.org/doc/mutt/

4) Optional: SplitGPG
Install Howto: https://www.qubes-os.org/doc/split-gpg/


Unfortunately the documentation for steps 1-3 is very short, I'll try to
make it work with one of my Googlemail-Accounts

I have problems understanding what to do at the step "Postfix: Lookup
Tables":

I need to edit: /usr/local/etc/postfix/sender_relay.

your...@exmaple.com [mail.example.com]:submission
your....@mail.com [smtp.mail.com]:smtp

What is meant with :submission and :smtp?
Do I need to enter this?

Can someone post example files with their configuration for ex. googlemail?
(of course without the personal mail addresses)

Pixr

pix...@mail2tor.com

Feb 23, 2017, 3:57:29 PM
to qubes-users, Tim W
Hello,

I tried to install the first parts to get MUTT running, but ran into an
error when launching the make command at the end of the guide.

> I need to edit: /usr/local/etc/postfix/sender_relay.
> your...@exmaple.com [mail.example.com]:submission
> your....@mail.com [smtp.mail.com]:smtp

I have understood that :smtp and :submission are just placeholders for ports.
As such I have the following entry in my /usr/local/etc/postfix/saslpass:

[smtp.gmail.com]:587 MYUSE...@gmail.com:MYPASSWORD

Strangely I ran into an error at the end of the postfix guide
(https://www.qubes-os.org/doc/postfix/):

I have copied and pasted the content for the
"usr/local/etc/postfix/Makefile", but when I enter "sudo make" in
/usr/local/etc/postfix
I get the following error message:

[user@mail postfix]$ make
Makefile:2: *** missing separator. Stop.

Any idea where to start troubleshooting from this point on?

I'm running all these commands in my App-VM, which is based on the fedora-23
Template which I have cloned and installed the additional packages as
suggested in the Qubes Postfix docu.

Pixr


Unman

Feb 23, 2017, 7:59:44 PM
to pix...@mail2tor.com, qubes-users, Tim W
This generally indicates that you have a syntax error in the Makefile.
Spaces not tabs would be an obvious error, particularly if you have
just done a cut and paste job. Try replacing indent spaces with tabs.

I don't know what the Fedora package is like, but installing postfix
using a Debian package is absolutely straightforward to get up and
running.

Incidentally, mutt itself does have support for pop and imap, and so
your use case may enable you to use a much more straightforward set up
than that described in the docs.

You say you'll be trying it with a googlemail account, and you should be
able to find MANY guides online to configuring mutt to work with gmail,
without struggling with postfix and fetchmail. (There is a clear one on
the mutt wiki.)

unman


Tim W

Feb 23, 2017, 11:05:21 PM
to qubes-users, pix...@mail2tor.com, timw...@gmail.com, un...@thirdeyesecurity.org

I would say if he wants only pop3 then sure using MUTT built in capabilities is ok but for IMAP it's far from ideal unless using only a very basic setup.

As he mentioned IMAP I thought the full setup gave a more robust setup. But then again no need to make something more complex than you need so........

Tim W

Feb 26, 2017, 4:26:50 AM
to qubes-users, timw...@gmail.com, pix...@mail2tor.com

Did you get this to work and configured properly?

pix...@mail2tor.com

Mar 4, 2017, 6:30:40 PM
to qubes...@googlegroups.com
Hi Tim,

>On Thu, Feb 23, 2017, pix...@mail2tor.com wrote:
>> [user@mail postfix]$ make
>> Makefile:2: *** missing separator. Stop.
>>
>> Any idea where to start troubleshooting from this point on?

>On Thu, Feb 24, 2017, timw...@gmail.com wrote:
>This generally indicates that you have a syntax error in the Makefile.
>Spaces not tabs would be an obvious error, particularly if you have
>just done a cut and paste job. Try replacing indent spaces with tabs.

Exactly this was the problem (no spaces allowed).
I followed all 3 howtos to install fetchmail + postfix + mutt.

1) Install a MRA (Mail Retrieval Agent) to receive Email via IMAP/POP
=> Fetchmail
Install Howto: https://www.qubes-os.org/doc/fetchmail/

2) Install a MTA (Mail Transfer Agent) to send Email via SMTP
=> Postfix
Install Howto: https://www.qubes-os.org/doc/postfix/

3) Install Textmail-Client
=> MUTT
Install Howto: https://www.qubes-os.org/doc/mutt/

In the end I was unable to receive emails with this setup and honestly I
didn't understand why I need to set up fetchmail+postfix to receive emails
which can just be pulled via IMAP, which seems to work fine with mutt.

>Incidentally, mutt itself does have support for pop and imap, and so
>your use case may enable you to use a much more straightforward set up
>than that described in the docs.


Reading some example configurations I was able to set up MUTT to connect to
googlemail for a test.

QUESTION:
In case I have created a mail account somewhere via a WebGUI and I have
used my anon-whonix App-VM nobody should know who these emails belong to,
as I am hidden behind tor.
What do I need to do, so that all IMAP traffic is now also running via TOR
as I want to keep my identity protected, even when I use IMAP to get my
emails?
What needs to be done that IMAP goes over TOR? can this be done and if so
how should I set it up in Qubes?


To complete the information within this topic, my /home/user/.mutt/muttrc
looks like this (maybe helpful for others searching the archives)


# accounts
#
set from = "Name <USER...@googlemail.com>"

# Setup to get emails from Googlemail per IMAP
set imap_user = 'USER...@gmail.com'
set imap_pass = 'SUPER-SECRET-PASSWORD'
set folder = imaps://imap.gmail.com/
set spoolfile = +INBOX
set record = "+[Gmail]/Sent Mail"
set postponed = "+[Gmail]/Drafts"

# IMAP Tweaks
# https://gist.github.com/bnagy/8914f712f689cc01c267
#set imap_keepalive=60
#set imap_passive=no
#set imap_check_subscribed=yes
#set imap_idle=yes
#set mail_check=60

#Setup a Sidebar
# https://vigasdeep.com/2014/05/07/install-config-mutt-sidebar/
#change width accordingly
set sidebar_width=30
#Visible at first, then change its value to yes
set sidebar_visible=no
#set sidebar_delim='|'
#set sidebar_sort=yes
mailboxes =inbox =ml
bind index CP sidebar-prev
bind index CN sidebar-next
bind index CO sidebar-open
bind pager CP sidebar-prev
bind pager CN sidebar-next
bind pager CO sidebar-open
macro index b '<enter-command>toggle sidebar_visible<enter>'
macro pager b '<enter-command>toggle sidebar_visible<enter>'
bind index B bounce-message


Unman

Mar 4, 2017, 10:09:17 PM
to pix...@mail2tor.com, qubes...@googlegroups.com
On Sat, Mar 04, 2017 at 11:30:35PM -0000, pix...@mail2tor.com wrote:

> What needs to be done that IMAP goes over TOR? can this be done and if so
> how should I set it up in Qubes?
>

Just put your mail qubes downstream from a TorVM, so that the traffic is
routed through Tor.
Or look at implementing this on a whonix workstation.

sm8ax1

Mar 5, 2017, 8:26:07 AM
to qubes...@googlegroups.com
Unman:
New to this thread (and list) so sorry if I missed something, but
Icedove (Thunderbird) with TorBirdy is preinstalled in Whonix which is
included with Qubes. All you have to do is configure it with your email
account. It only took me a couple of minutes and it works well. I think
I had to manually add a shortcut via the Qubes VM manager.

As for which client to use, I think Claws is the only client officially
deemed safe. Thunderbird+TorBirdy seems pretty safe to me, at least
there are no critical outstanding bugs, but it's still considered
experimental. Beyond that, it's a matter of personal preference, but be
aware of both exploitation and fingerprinting matters especially in
clients not designed for Tor.


Unman

Mar 5, 2017, 4:11:54 PM
to sm8ax1, qubes...@googlegroups.com
On Sun, Mar 05, 2017 at 01:25:19PM +0000, sm8ax1 wrote:
> Unman:
> > On Sat, Mar 04, 2017 at 11:30:35PM -0000, pix...@mail2tor.com wrote:
> >
> >> What needs to be done that IMAP goes over TOR? can this be done and if so
> >> how should I set it up in Qubes?
> >>
> >
> > Just put your mail qubes downstream from a TorVM, so that the traffic is
> > routed through Tor.
> > Or look at implementing this on a whonix workstation.
> >
>
> New to this thread (and list) so sorry if I missed something, but
> Icedove (Thunderbird) with TorBirdy is preinstalled in Whonix which is
> included with Qubes. All you have to do is configure it with your email
> account. It only took me a couple of minutes and it works well. I think
> I had to manually add a shortcut via the Qubes VM manager.
>
> As for which client to use, I think Claws is the only client officially
> deemed safe. Thunderbird+TorBirdy seems pretty safe to me, at least
> there are no critical outstanding bugs, but it's still considered
> experimental. Beyond that, it's a matter of personal preference, but be
> aware of both exploitation and fingerprinting matters especially in
> clients not designed for Tor.
>

You did miss something - this was the first response.

But Tim suggested trying mutt, and I endorsed that, which is how the
thread progressed.

