
Ping Zax - snorky.mixmin.net:2525


Jack Ryan

Mar 13, 2015, 4:19:11 PM
Is snorky.mixmin.net/2525/TLS just a virtual host that does some
checking to see that what it has received is a valid remailer
message and then sends it on to its first destination?

Anonymous

Mar 13, 2015, 5:01:43 PM
It checks for a valid destination To: address - any of the remailers it knows about.

The message content isn't checked - it will accept anything.

Anonymous

Mar 13, 2015, 6:04:12 PM
Thanks, Stray Zax

Jack Ryan

Mar 14, 2015, 7:11:47 PM
> Is snorky.mixmin.net/2525/TLS just a virtual host that does some
> checking to see that what it has received is a valid remailer
> message and then sends it on to its first destination?

Anyone know what kind of server he is using to retrieve the input?

Anonymous

Mar 14, 2015, 7:22:49 PM
220 snorky.mixmin.net ESMTP Postfix (Debian/GNU)

Postfix on Debian.

Jack Ryan

Mar 14, 2015, 8:01:51 PM
> Is snorky.mixmin.net/2525/TLS just a virtual host that does some
> checking to see that what it has received is a valid remailer
> message and then sends it on to its first destination?

Since QSL's 'SMTP Server' points to only 'snorky.mixmin.net' port
2525, how does snorky.mixmin.net receive the mix input? There is
no user@ prefix. I am trying to understand how this TLS service
works.

Anonymous

Mar 14, 2015, 8:35:49 PM
snorky.mixmin.net is a mail server. It has been set to allow relaying mail to other known remailer domains in addition to the remailers
run by the operator. That's all there is to it, there is nothing unusual about it.



Zax

Mar 15, 2015, 6:40:05 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sat, 14 Mar 2015 23:35:57 -0400, Bergman Admin wrote in
Message-Id: <U67Nw.189041$807....@fx01.am1>:

> snorky.mixmin.net will accept delivery and will proceed to send it to
> rema...@dizum.com, much the same way that your ISP would accept delivery and
> send it.

Yes, that's exactly how it works. Snorky also supports TLS so messages
from a suitable client (like QSL) have an additional layer of encryption
wrapped around them.


--
pub 1024D/228761E7 2003-06-04 Steven Crook <st...@mixmin.net>
Key fingerprint = 1CD9 95E1 E9CE 80D6 C885 B7EB B471 80D5 2287 61E7
sub 4096R/BE3EFAA7 created: 2014-11-14 expires: 2016-11-13 usage: S

Nomen Nescio

Mar 15, 2015, 7:55:40 AM
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Sat, 14 Mar 2015 23:35:57 -0400, Bergman Admin wrote in
> Message-Id: <U67Nw.189041$807....@fx01.am1>:
>
>
>> snorky.mixmin.net will accept delivery and will proceed to send it to
>> rema...@dizum.com, much the same way that your ISP would accept delivery and
>> send it.
>
> Yes, that's exactly how it works. Snorky also supports TLS so messages
> from a suitable client (like QSL) have an additional layer of encryption
> wrapped around them.

Does iptables just preroute 2525 to 25? I am not getting how or
if stunnel input to snorky is routed to postfix.

Jack Ryan

Mar 15, 2015, 8:12:30 AM
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On Sat, 14 Mar 2015 23:35:57 -0400, Bergman Admin wrote in
> Message-Id: <U67Nw.189041$807....@fx01.am1>:
>
>
>> snorky.mixmin.net will accept delivery and will proceed to send it to
>> rema...@dizum.com, much the same way that your ISP would accept delivery and
>> send it.
>
> Yes, that's exactly how it works. Snorky also supports TLS so messages
> from a suitable client (like QSL) have an additional layer of encryption
> wrapped around them.

Then it is just a virtual server with all the remailer's
addresses therein?

virtual file:

@dizum.com dizum.com
@mixmaster.mixmin.net mixmaster.mixmin.net
@remailer.frell.eu.org remailer.frell.eu.org
...

Anonymous Remailer (austria)

Mar 15, 2015, 8:45:21 AM
I think Zax's stunnel is pointing 2525 input to port 25 on his
machine. You wouldn't need to mess with prerouting.

Anonymous

Mar 15, 2015, 9:58:24 AM
Among other services provided, snorky.mixmin.net listens on ports 25, 2525, and 587 for email service.

As far as connecting clients are concerned, it doesn't matter how this is accomplished. But the most straightforward way is to just
configure Postfix to listen on multiple ports.

Anonymous

Mar 15, 2015, 10:03:11 AM
It's not an stunnel listening on port 25 because you can telnet directly to it and submit mail messages that way in the clear, if
desired. Submitting a STARTTLS command will tell the server you wish to continue the conversation encrypted, but naked telnet is not
capable of that.

The point is it's Postfix that can handle all of this directly, no intermediate shims like stunnel are required.

Anonymous

Mar 15, 2015, 10:06:55 AM
Doubtful he's handling it that way as he isn't receiving and _holding_ mail for those domains. He's only allowing Postfix to be a relay
host for the other remailer domains and this can be done via relay_domains= in main.cf.

Jack Ryan

Mar 15, 2015, 10:12:36 AM
It is probably stunnel that is taking care of the routing. His
config file probably is like this.

[BANANA_NNTP]
accept = snorky.mixmin.net:2525
connect = 127.0.0.1:25

Anonymous

Mar 15, 2015, 10:14:40 AM
Wrong. Telnet to that host and port and see why.

Nomen Nescio

Mar 15, 2015, 12:59:29 PM
> accept = snorky.mixmin.net:2525
> connect = 127.0.0.1:25

You are thinking too deeply, too analytically about this. QSL (I
assume that is what you are using) is connecting to
snorky.mixmin.net port 2525 and that is all that you need to be
concerned with. When you select tls, QSL and snorky.mixmin.net
make the encrypted connection transparently in the background.

Anonymous

Mar 15, 2015, 1:09:33 PM
Not to argue, but if you don't have user names setup on your
server for the virtual host entries, then nothing is being held for
that user on the VH machine. It is just being forwarded, just like
below.

> host for the other remailer domains and this can be done via relay_domains= in main.cf.

This is something I didn't know about - relay_domains=. Still
not clear on how his stunnel connection connects to postfix.

Anonymous

Mar 15, 2015, 1:16:44 PM
On Sun, 15 Mar 2015 17:09:32 +0000 (UTC), Anonymous <nob...@remailer.paranoici.org> wrote:

>This is something I didn't know about - relay_domains=. Still
>not clear on how his stunnel connection connects to postfix.

What makes you think there is an stunnel on snorky?

Anonymous

Mar 15, 2015, 1:18:16 PM
On Sun, 15 Mar 2015 17:09:32 +0000 (UTC), Anonymous <nob...@remailer.paranoici.org> wrote:

>Not to argue, but if you don't have user names setup on your
>server for the virtual host entries, then nothing is being held for
>that user on the VH machine. It is just being forwarded, just like
>below.

Forwarded? I think the messages bounce.

Anonymous

Mar 15, 2015, 2:10:02 PM
Apparently this entails my lack of understanding how stunnel is
operating here. Upon looking at a packet sniffer, it looks like
the initial connection to snorky.mixmin.net:2525 is not encrypted,
as I thought the initial connection would be. Only after the
snorky.mixmin.net:2525 connection does stunnel become involved,
encrypting the connection while the data is being transferred. I am
still not understanding how postfix then is able to receive the
data. It would seem that stunnel would have to point to postfix
somehow. Possibly QSL and snorky.mixmin.net magically connect the
data to postfix 2525.

Anonymous

Mar 15, 2015, 2:32:46 PM
On Sun, 15 Mar 2015 18:10:00 +0000 (UTC), Anonymous <nob...@remailer.paranoici.org> wrote:

> Apparently this entails my lack of understanding how stunnel is
>operating here. Upon looking at a packet sniffer, it looks like
>the initial connection to snorky.mixmin.net:2525 is not encrypted,
>as I thought the initial connection would be. Only after the
>snorky.mixmin.net:2525 connection does stunnel become involved,
>encrypting the connection while the data is being transferred. I am
>still not understanding how postfix then is able to receive the
>data. It would seem that stunnel would have to point to postfix
>somehow. Possibly QSL and snorky.mixmin.net magically connect the
>data to postfix 2525.

What you are missing is that there is no stunnel involved when connecting to any of the snorky.mixmin.net mail ports (25, 2525, 587),
period.

The connection to Postfix is in the clear until the client sends a STARTTLS command, then the client and Postfix begin speaking TLS to
each other. If the client can't or won't speak TLS at this point, the connection is dropped.


Jack Ryan

Mar 15, 2015, 2:42:54 PM
Dang! I hate being wrong every time. I checked and yes, the
server has to have the user in place to do a vh forward. The mail
seems to just disappear however, if the user doesn't have a mailbox
in /var/mail/. I guess this would not be necessary with
relay_domains = dizum.com, mixmin.net, ...

Anonymous

Mar 15, 2015, 2:53:31 PM
Hard to say what's being done, but mail for arbitrary known to be good usernames is not being relayed, just that for the published
remailer addresses, so it's not blanket relay for the entire domains. And there are probably at least two ways to do that. Zax knows for
sure :)

Jeremy Bentham

Mar 15, 2015, 3:55:28 PM
That does clear it up. I thought tls had to do only with the
high level server to server communication.

Anonymous Remailer (austria)

Mar 15, 2015, 4:57:32 PM
Yes, but he's not talking. And they don't even have the 5th in
Great Britain. And the only way you can exercise your right to
remain silent is to answer 'no comment' to every question.

Anonymous

Mar 15, 2015, 5:46:33 PM
On Sun, 15 Mar 2015 21:57:31 +0100 (CET), "Anonymous Remailer (austria)" <mixm...@remailer.privacy.at> wrote:

>Yes, but he's not talking. And they don't even have the 5th in
>Great Britain. And the only way you can exercise your right to
>remain silent is to answer 'no comment' to every question.

Oh please...... He would gladly answer if asked directly. Try it.

Anonymous

Mar 15, 2015, 7:45:07 PM
Re read subject line.

Jack Ryan

Mar 15, 2015, 8:03:15 PM
Re read subject line.

Anonymous

Mar 15, 2015, 10:27:43 PM
In article <83d96df95544a7ad...@remailer.privacy.at>
"Anonymous Remailer (austria)" <mixm...@remailer.privacy.at>
wrote:
>
>
> > On Sun, 15 Mar 2015 14:42:53 -0400 (EDT), Jack Ryan <nor...@remailer.cpunk.us> wrote:
> >
> >
> >>> On Sun, 15 Mar 2015 17:09:32 +0000 (UTC), Anonymous <nob...@remailer.paranoici.org> wrote:
> >>>
> >>>
> >>>> Not to argue, but if you don't have user names setup on your
> >>>> server for the virtual host entries, then nothing is being held for
> >>>> that user on the VH machine. It is just being forwarded, just like
> >>>> below.
> >>>
> >>> Forwarded? I think the messages bounce.
> >>
> >> Dang! I hate being wrong every time. I checked and yes, the
> >> server has to have the user in place to do a vh forward. The mail
> >> seems to just disappear however, if the user doesn't have a mailbox
> >> in /var/mail/. I guess this would not be necessary with
> >> relay_domains = dizum.com, mixmin.net, ...
> >
> > Hard to say what's being done, but mail for arbitrary known to be good usernames is not being relayed, just that for the published
> > remailer addresses, so it's not blanket relay for the entire domains. And there are probably at least two ways to do that. Zax knows for
> > sure

Yes it is. If you know anything at all how SMTP works you can
figure it out in short order.

> Yes, but he's not talking. And they don't even have the 5th in
> Great Britain. And the only way you can exercise your right to
> remain silent is to answer 'no comment' to every question.

Maybe you should ask questions instead of bitching.

Zax

Mar 16, 2015, 5:10:59 AM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On Sun, 15 Mar 2015 14:53:30 -0400, Anonymous wrote in
Message-Id: <63lbgalum7grqcpqv...@news.stray.cat.edu>:

> Hard to say what's being done, but mail for arbitrary known to be good
> usernames is not being relayed, just that for the published remailer
> addresses, so it's not blanket relay for the entire domains. And there
> are probably at least two ways to do that. Zax knows for sure :)

Amazing how much interest there seems to be in this topic! Here are all
the details. :)

In postfix main.cf:

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    check_recipient_access hash:/etc/postfix/remailer_access,
    reject_unauth_destination

The remailer_access file has lots of lines, like this:

an...@anonusa.net OK

The list of remailers is produced using this script:

#!/bin/bash
# Take the address between < and > on each $remailer line of the
# file given as $1 and print it as an access table entry: "address OK".

grep \$remailer "$1" \
  | cut -f 2 -d \< \
  | cut -f 1 -d \> \
  | xargs printf "%-60s OK\n"

That script is called from cron.daily by this script:

#!/bin/bash
# Rebuild the access table from the Echolot results, then compile it
# into the hash: map that main.cf refers to.

SCRIPT=/usr/local/bin/remailer-relays
DEST=/etc/postfix/remailer_access

MLIST=/home/echolot4/echolot/results/mlist2.txt

"$SCRIPT" "$MLIST" > "$DEST"
/usr/sbin/postmap "$DEST"

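The access map in the post above is the only thing that separates the published remailer addresses from reject_unauth_destination, so the job that regenerates it is worth making fail-safe. The following is an added example, not Zax's script: it assumes stats lines of the form `$remailer{"name"} = "<address> ...";` (the shape the posted grep/cut pipeline implies), and the function names and sample data are hypothetical.

```shell
#!/bin/bash
# Added example, not Zax's script. Function names are hypothetical.

# Constructed sample in the shape the posted grep/cut pipeline implies.
sample_mlist() {
cat <<'EOF'
$remailer{"alpha"} = "<mix@alpha.example> cpunk mix middle";
$remailer{"beta"} = "<remailer@beta.example> cpunk mix";
$remailer{"bad"} = "<not an address> cpunk";
$remailer{"dup"} = "<mix@alpha.example> cpunk";
alpha    mix@alpha.example    ************    1:23   99.9%
EOF
}

# Print one access(5) line per well-formed address found on $remailer lines.
build_access_list() {
    grep -F '$remailer' "$1" \
        | sed -n 's/^[^<]*<\([^<>]*\)>.*$/\1/p' \
        | grep -E '^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$' \
        | sort -u \
        | awk '{ printf "%-60s OK\n", $0 }'
}

# Replace the map only when the new list has at least $3 entries (default 1).
# Writing to a temp file and renaming keeps a failed run from truncating it.
publish_access_list() {
    local mlist="$1" dest="$2" min="${3:-1}" tmp count
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    build_access_list "$mlist" > "$tmp"
    count=$(wc -l < "$tmp" | tr -d ' ')
    if [ "$count" -lt "$min" ]; then
        rm -f "$tmp"
        echo "refusing to publish: only $count entries" >&2
        return 1
    fi
    chmod 644 "$tmp"
    mv "$tmp" "$dest"
    # On the mail host, follow with: /usr/sbin/postmap "$dest"
}
```

A missing or empty stats file leaves the previous map in place, so relaying to the known remailers keeps working until the next good run.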

Anonymous Remailer (austria)

Mar 16, 2015, 10:23:23 AM
This kind of response doesn't ever bother me because it always
comes from someone who was born out of wedlock.

Anonymous

Mar 16, 2015, 11:07:51 AM
See all the questions in the above threads - ASSHOLE!

Anonymous

Mar 16, 2015, 5:31:23 PM
<snip>

> Amazing how much interest there seems to be in this topic! Here are all
> the details.
>
> In postfix main.cf:
>
> smtpd_relay_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> check_recipient_access hash:/etc/postfix/remailer_access,
> reject_unauth_destination
>
> The remailer_access file has lots of lines, like this:
> an...@anonusa.net OK
> The list of remailers is produced using this script:
>
> #!/bin/bash
>
> grep \$remailer $1 \
> | cut -f 2 -d \< \
> | cut -f 1 -d \> \
> | xargs printf "%-60s OK\n"
>
> That script is called from cron.daily by this script:
> #!/bin/bash
>
> SCRIPT=/usr/local/bin/remailer-relays
> DEST=/etc/postfix/remailer_access
>
> MLIST=/home/echolot4/echolot/results/mlist2.txt
>
> $SCRIPT $MLIST > $DEST
> /usr/sbin/postmap $DEST

Works ok except smtpd_relay_restrictions works only on postfix
v3.0+.
Use smtpd_recipient_restrictions on current Debian postfix 2.9.6.

Nomen Nescio

Mar 16, 2015, 7:54:11 PM
In article <268174dcb085dfcf...@remailer.privacy.at>
That's an even dumber response because Obama was born out of
wedlock and he's president. You're just some jerk playing with
kid toys.

Anonymous Remailer (austria)

Mar 16, 2015, 8:01:54 PM

In article
<da3e6d74e7012541...@foto.nl1.torservers.net>
Look at the emphasis on ASSHOLE. You just outed yourself gayboi.
