
Set up an email server in two hours - steveklabnik
http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
======
brown9-2
_If you are still using GMail (or Yahoo, or arbitrary US-based email company)
in August, your right to complain about the NSA spying on you is revoked. If
you’re complaining about government spying on the Internet, or in a gathering
of programmers, and you won’t take basic steps to do anything about it, then
you’re a hypocrite, full-stop._

I don't understand this point of view. Your opinion on how fair or legal or
morally right a law is has nothing to do with the steps you've taken to avoid
that law.

Why do the "basic steps to do anything about it" stop at protections that the
technically-skilled can take, rather than contacting and complaining to your
Congressperson or otherwise actual attempts to have the law changed?

And how useful is it to run your own encrypted email server if the email
message itself isn't encrypted in transit?

~~~
cabalamat
> And how useful is it to run your own encrypted email server if the email
> message itself isn't encrypted in transit?

It isn't, of course.

The proportion of mail that is encrypted is the square of the proportion of
email users who have encryption set up (assuming all email users are equally
likely to mail any other user). So if 1% use encryption, only 0.01% of emails
will be encrypted. If we want most mail to be encrypted we need 70% of people
to use encryption. This means it has to be REALLY EASY TO SET UP AND USE.

Ideally, when someone buys a PC/phone/tablet, and uses it to communicate with
others, it should do strong encryption out of the box, so that the user would
have to take explicit steps to not encrypt.

Most of these devices run software controlled by Microsoft, Apple or Google,
all of which are deeply implicated with the NSA. So it's futile to expect that
they will willingly protect their users' privacy. Therefore the next best
thing is to write software that once installed will be really easy to use,
that is to say in normal operation it will take no effort at all to use (zero
user interface).

~~~
pjungwir
Just why isn't key distribution an SMTP extension? I'd expect there to be an
RFC for it, but I couldn't find anything. (I'm not talking about DomainKeys.
I'm asking why an SMTP client can't ask for a recipient's public key, and if
it exists do the encryption.) Here is a blog post about it:

[http://www.illuminatedcomputing.com/posts/2013/07/public-keys-via-smtp/](http://www.illuminatedcomputing.com/posts/2013/07/public-keys-via-smtp/)

~~~
cabalamat
I'm currently writing software that essentially does this. It doesn't put the
key in the SMTP protocol, but in the mail header, e.g.

    X-Purrcat-Key: ...public key goes here....

~~~
pjungwir
Well I commend you for moving things forward! Have you talked with any
security professionals about possible pitfalls of using mail headers? I was
sort of hoping tptacek would come on and tell me why my idea is no good. :-)

~~~
cabalamat
Not yet, though the project will be open sourced, which will hopefully enable
other people to catch any security holes I've left in it.
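
The header-carried key cabalamat describes, and the pitfall pjungwir asks about, can be made concrete. The following is an added example, not code from the Purrcat project or from anyone in this thread: it pulls an `X-Purrcat-Key` header out of a message, pins the first key seen per sender (trust on first use), flags a later message from that sender whose key differs, and checks whether the header is at least listed in a DKIM-Signature `h=` tag, since a header that no signature covers can be rewritten by any relay on the path. The base64 value format, the DKIM check (tag parsing only, no signature verification), the `KeyPinStore` class and the sample messages are assumptions of this example.

```python
import base64
import binascii
import hashlib
from email import message_from_string

# Header name taken from the thread; the value format (base64 of the raw public
# key bytes) and everything else in this file is an assumption of the example.
HEADER = "X-Purrcat-Key"


def build_message(sender, key_bytes, signed_headers=None):
    """Build a minimal RFC 5322 message carrying the key header (constructed sample data).

    If signed_headers is given, a DKIM-Signature header whose h= tag lists them is
    added. The bh= and b= values are placeholders; no real signature is produced."""
    lines = [f"From: {sender}", "To: bob@example.org", "Subject: hello"]
    if signed_headers is not None:
        h_tag = ":".join(signed_headers)
        lines.append("DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=sel; "
                     f"h={h_tag}; bh=CONSTRUCTED; b=CONSTRUCTED")
    lines.append(f"{HEADER}: {base64.b64encode(key_bytes).decode('ascii')}")
    return "\n".join(lines) + "\n\nhi\n"


def extract_key(raw):
    """Return (sender, key bytes), or (sender, None) when the header is absent or malformed."""
    msg = message_from_string(raw)
    sender = msg.get("From", "").strip()
    value = msg.get(HEADER)
    if value is None:
        return sender, None
    try:
        # header folding may insert whitespace; strip it before strict decoding
        return sender, base64.b64decode("".join(value.split()), validate=True)
    except (binascii.Error, ValueError):
        return sender, None


def header_is_signed(raw):
    """True if some DKIM-Signature header's h= tag covers the key header.

    Only the h= tag is parsed; the signature itself is not verified here."""
    msg = message_from_string(raw)
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in sig.split(";"):
            name, _, value = tag.strip().partition("=")
            if name.strip().lower() == "h":
                covered = {h.strip().lower() for h in value.split(":")}
                if HEADER.lower() in covered:
                    return True
    return False


class KeyPinStore:
    """Trust-on-first-use store: the first key seen for a sender is pinned, and
    any later message from that sender carrying a different key is flagged."""

    def __init__(self):
        self._pins = {}

    def check(self, sender, key_bytes):
        fingerprint = hashlib.sha256(key_bytes).hexdigest()
        pinned = self._pins.get(sender)
        if pinned is None:
            self._pins[sender] = fingerprint
            return "pinned"
        return "match" if pinned == fingerprint else "mismatch"


def evaluate(store, raw):
    """Classify a message: no-key; pinned (first contact, header covered by a
    signature); pinned-unsigned (first contact, header not covered, so a relay
    could have substituted it); match; or mismatch."""
    sender, key = extract_key(raw)
    if key is None:
        return "no-key"
    verdict = store.check(sender, key)
    if verdict == "pinned" and not header_is_signed(raw):
        return "pinned-unsigned"
    return verdict


if __name__ == "__main__":
    store = KeyPinStore()
    first = build_message("alice@example.net", b"alice-public-key-v1")
    swapped = build_message("alice@example.net", b"key-inserted-by-a-relay")
    for label, raw in [("first contact", first), ("same key again", first),
                       ("swapped key", swapped)]:
        print(f"{label}: {evaluate(store, raw)}")
```

The point the verdicts make is the one pjungwir is circling: on first contact a receiver has nothing to compare the header against, so whatever arrives gets pinned, and unless the header is inside the signed set a relay can replace it without the recipient noticing until a later mismatch.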

------
jgrahamc
Odd blog post.

Talks about "NSA-proofing email" and doesn't mention PGP, GPG or S/MIME.

Should be titled "How to set up a mail server with SMTP and IMAP". Seems only
peripherally connected with protecting email from snooping in any way.

~~~
namank
It's defence against legal compliance with the NSA.

Emphasis is privacy and compliance, not security.

~~~
richardwhiuk
No it isn't. The email passes through the server unencrypted (between Postfix
and Dovecot), so it's still a potential tap point. In fact, running encryption
to the server simply says to the NSA: Ask Linode for access to this disk.

~~~
varikin
He used an encrypted FS I believe, but the NSA could just ask to monitor all
mail to and from his instance at Linode (or any ISP) since he didn't encrypt
the mail.

~~~
cenhyperion
And they probably have most of the mail anyways because odds are he's mostly
communicating with people using google, yahoo, microsoft, etc.

------
route66
I do not want to NSA-proof my email or phone conversations. I do not want to
wear a mask to avoid face recognition and what more propositions are yet to
come how we should adapt to the situation given.

While we are far from the ideal world where this behaviour would be without
consequences, the matter asks for a change of the situation we are finding
ourselves in.

Get loud, get political. Don't dream that you are holding a weapon in your
hand because you can half-assedly encrypt peer to peer communication. This is
only confirming the status quo. Like an umbrella might confirm it's raining.

As a side thought: the same technical reflex might have occurred to those
institutions in the first place: let's record everything and we will be more
safe.

~~~
gnosis
_"Get loud, get political."_

A major problem with this is that advanced surveillance technology and the
increased sharing and cooperation between the various spy agencies and ever
more militarized police force is being used to target, spy on, and repress
political activists and protestors.

If you seriously, but peacefully and non-violently, try to oppose the
surveillance state apparatus and are deemed to be a threat to the huge sums of
money they are getting to fight the good fight or a threat to the power
they're amassing, you can expect to be spied upon and harassed at the bare
minimum. The more of a threat they consider you to be, the more you're likely
to find yourself in jail or worse.

Of course, this has been par for the course for political activists ever since
Spartacus led a slave rebellion, and it will not stop the minority truly
dedicated and idealistic activists. But the tools of state surveillance and
repression have advanced so much that it's much harder for ordinary people to
participate in the political process beyond voting for two mostly the same
parties, writing emails, or making phone calls without suffering serious
consequences.

This is scaring a lot of people off from even trying to make a difference. In
many ways, many of us already are living in a dystopia.

That said, trying to raise the political consciousness, technological
literacy, and privacy awareness of the average individual is still a very
worthwhile and usually safe thing to do (depending on how radical and
confrontational your tactics are), and we'd all be much better off if more
people did this instead of throwing up their hands and giving up or pretending
it's not happening.

------
venomsnake
Well it is good that NSA have never heard about zero day exploits. Otherwise
think of all the nasty stuff they could do to a machine.

Stop with the proofing stuff already. Security is hard and relative. Having a
very hardened system can only take you so far. Also it makes you visible - a
lot of encrypted traffic is a red flag for these kinds of agencies. By claiming
something is "Villain of the month" proof you just may put someone that really
needs security in hot water. In some parts of the world literally.

~~~
Derbasti
I always thought that if the NSA really wanted to target my data, they would

a) Hand me a letter signed by a judge.

b) Delay my luggage at the next convenient airport and have a look.

c) Have someone break into my house.

d) Have someone rob me personally.

For all these, a self-hosted mail server offers no protection whatsoever. And
for none of them, any zero day exploits are needed either.

------
KaiserPro
Nope. This is not NSA proof.

This is PRISM proof. i.e. it is not trivial for the NSA to request records
from your $emailhost.

However it does not prevent your emails from being read by the NSA.

Firstly, your emails still have destinations outside your Linode bubble. So you
email your friends who are on Gmail? Well, that's in the NSA database now.

Secondly, your Linode machine is entirely virtual, so there is no way to see if
your data has been tapped at the datastore level. How do you know that Linode
is not in bed with the NSA? Are there any backdoors in the provisioning
system? What about the random number generator?

Thirdly, and most importantly, most network connections are tapped by either
the British, Germans, French, Australians or the US. So any network traffic is
considered to be entering hostile territory as soon as it leaves your LAN.

So your options are:

Encrypt[1] or not use the internet.

Tor is largely pointless, as who do you think puts all that money and time
into operating large exit points? Also, having the ability to interrogate
packets at carrier level makes it much easier to do timing attacks.

[1] assuming your machine isn't compromised, or the encryption is "NSA proof"

~~~
marcosdumay
> so any network traffic is considered to be entering hostile territory as
> soon as it leaves your LAN.

I wouldn't trust the routers and modems either... And there are some problems
with trusting the actual computers. At a minimum, USB devices shouldn't be
trusted.

NSA proofing your data isn't easy.

------
k2enemy
Great article about setting up a mail server, but the privacy claims seem a
little dubious. Private email takes two. Running your own server won't do much
good if all of your email exchanges are with people on gmail, hotmail, yahoo,
etc.

------
vilda
Please please don't use greylisting. It's not cool. There are too many broken
mail servers around and you'll lose emails. I was unfortunate enough that I
had to use a mail server with greylisting enabled. As a result I regularly lost
booking confirmations.

Spammers know greylisting. Workaround is cheap for them. That's why you are
receiving some spams twice.

~~~
jrabone
Not in my experience. I'm using greylistd with Exim and a custom config which
uses geolocation to do greylisting by subnet country code. I've only needed to
whitelist a handful of broken MTAs which don't retry.

My spammers clearly haven't caught on yet...

    
    
          zgrep grey /var/log/exim4/rejectlog* | rev | cut -c 2-3 | rev | sort | uniq -c | sort -rn | head
          8 CA
          7 IT
          5 ES
          4 BR
          4 AR
          2 TR
          2 RO
          2 IR
          2 EC
          1 PT
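
Greylisting as vilda and jrabone describe it comes down to a small state machine over the (client, sender, recipient) triplet. What follows is an added example, not jrabone's greylistd/Exim configuration: it keys on the client's /24 (or /64) network rather than on country code, defers an unknown triplet with a temporary failure, accepts a retry that arrives after a minimum delay, remembers accepted triplets, and carries an operator whitelist for the non-retrying MTAs that cost vilda his booking confirmations. The timings, reply strings, `Greylist` class and sample delivery attempts are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, field

# SMTP replies a greylisting MTA would send (wording is an assumption of this example)
TEMP_FAIL = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"


@dataclass
class Greylist:
    """Greylisting decisions keyed on (client network, envelope sender, recipient).

    An unknown triplet gets a temporary failure; a compliant MTA retries after a
    delay and is then accepted and remembered. Timestamps are passed in so the
    logic is deterministic; a real MTA would use the wall clock."""
    min_delay: int = 300               # seconds the client must wait before retrying
    retry_window: int = 4 * 3600       # a first attempt is forgotten if not retried within this
    pass_ttl: int = 36 * 24 * 3600     # how long an accepted triplet stays accepted
    whitelist: set = field(default_factory=set)  # MTAs known not to retry, kept by the operator
    _pending: dict = field(default_factory=dict)  # triplet -> time of first attempt
    _passed: dict = field(default_factory=dict)   # triplet -> time last accepted

    @staticmethod
    def _key(ip, sender, recipient):
        # Key on the /24 (or /64 for IPv6) so a sending pool that retries from a
        # neighbouring address still passes. A per-country key as in the thread
        # would need a geolocation database, which this example does not assume.
        addr = ipaddress.ip_address(ip)
        prefix = 24 if addr.version == 4 else 64
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        return (str(net), sender.lower(), recipient.lower())

    def decide(self, now, ip, sender, recipient):
        if ip in self.whitelist:
            return ACCEPT
        key = self._key(ip, sender, recipient)
        passed_at = self._passed.get(key)
        if passed_at is not None and now - passed_at < self.pass_ttl:
            self._passed[key] = now            # refresh on use
            return ACCEPT
        first_seen = self._pending.get(key)
        if first_seen is None or now - first_seen > self.retry_window:
            self._pending[key] = now           # new (or stale) triplet: defer
            return TEMP_FAIL
        if now - first_seen < self.min_delay:
            return TEMP_FAIL                   # retried too soon; keep the original timestamp
        del self._pending[key]
        self._passed[key] = now
        return ACCEPT


def replay(attempts, **kwargs):
    """Feed (time, ip, sender, recipient) tuples through one Greylist; return the decisions."""
    g = Greylist(**kwargs)
    return [g.decide(*a) for a in attempts]


if __name__ == "__main__":
    # constructed delivery attempts: a compliant MTA retrying from a pool,
    # a sender that never retries, and a whitelisted transactional sender
    sample = [
        (0, "203.0.113.5", "alice@example.net", "me@example.org"),
        (60, "203.0.113.5", "alice@example.net", "me@example.org"),
        (900, "203.0.113.9", "alice@example.net", "me@example.org"),
        (0, "192.0.2.44", "bulk@example.com", "me@example.org"),
        (0, "198.51.100.7", "booking@example.com", "me@example.org"),
    ]
    for attempt, verdict in zip(sample, replay(sample, whitelist={"198.51.100.7"})):
        print(attempt, "->", verdict)
```

The `retry_window` and `pass_ttl` values are where the two positions in the thread meet: a long pass TTL keeps legitimate correspondents from being deferred again, while the whitelist is the only remedy for an MTA that never retries, because the greylist itself cannot tell that sender apart from one that has simply not come back yet.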

------
mseebach
So, this is nice, but it's not going to "NSA proof" your email in any
meaningful sense. You're still going to be exchanging plain text email with
most counterparties, and unless you require TLS (as is mentioned in the end,
and which will lose you quite a bit of email), you can trivially be MITM'd.
Also, the author appears to run it on Linode, i.e. a VPS in the US. In other
words, the encrypted filesystem is only marginally more complicated to get at
than a non-encrypted one.

But that doesn't mean it isn't an extremely useful guide. What would be even
cooler is if it were productized, e.g. by packaging a VM image or as
Puppet/Chef recipes - this would make leaving GMail a much simpler proposition
to a much larger audience (and make large scale collection of emails, if not
impossible, then significantly more complicated) - just get a cheap VPS, do a
git clone on the recipe and invoke puppet.

~~~
dmix
There is an email service that offers what the article explains:
[https://countermail.com](https://countermail.com)

~~~
eli
Is it safe from the Feds compelling them to insert a backdoor?

[http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/](http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/)

~~~
dmix
No but neither is the setup of the article mentioned. PRISM is all signal
intelligence. That is what SSL/PGP effectively solves.

Wiretapping (rootkits or backdoors) is almost impossible to stop. The
endpoint is always the weakest point. And I'm sure the NSA spends millions on
the latest exploits. No 3rd party hosting service is capable of preventing
that.

> _Encryption works. Properly implemented strong crypto systems are one of the
> few things that you can rely on. Unfortunately, endpoint security is so
> terrifically weak that NSA can frequently find ways around it._

------
joewee
Patch management and zero-day protection are pretty important, but
unfortunately not covered in this. It is also hard to maintain over the long
term.

This is why I stopped hosting my own email.

~~~
zachlatta
That's also the reason why I stopped hosting my own email. I don't trust
myself with not losing any emails while properly configuring spam blockers,
keeping the system up to date, and staying on top of vulnerabilities.

------
greyman
IMHO, it's a bit irresponsible to call something XXX-proof when we don't
even know the full range of capabilities of XXX.

~~~
SG-
Could the NSA use some random hidden exploit and break into the machine if
they really wanted to? Probably. But this is about all your emails not being
easily indexed by Google/NSA and whoever else the NSA works with.

Obviously emails you've sent out to other servers/domains will be in the clear
and will then be indexed.

~~~
greyman
> Obviously emails you've sent out to other servers/domains will be in the
> clear and will then be indexed.

Yes, that's what I meant. And - aren't those the majority of the emails? If
so, it's incorrect to call it NSA-proof.

------
efdee
Too bad this does not mention two-factor authentication. I've grown so
accustomed to it that I feel naked without it.

~~~
theboywho
Why would you need two-factor authentication if the server is yours? You
can always reset everything, you are your own Google.

~~~
efdee
I'm not sure what you mean. I use two-factor authentication to ensure that
people can't log in to my mail from 'new' locations without needing my
cellphone. Having root access to the server and being able to reset everything
doesn't fix this, unless I'm misunderstanding you.

------
LordAragorn
How is this really NSA-proof? If your family/friends/colleagues are using
GMail/Outlook/Yahoo/etc. to send you emails, the security of those emails is
anyway compromised.

~~~
SG-
But if your family/friends all have their email hosted on your server then
it's "safe".

------
schrodingersCat
That was a great tutorial! Would a raspberry pi have enough power to tackle
this setup? I only ask because I have seen similar self-hosting projects on a
pi, but nothing quite this complex.

~~~
lloeki
Full-text indexing via Solr would certainly kill it (if it runs at all —
what's the JVM landscape like on ARM?) but many of us have been running a
similar setup on a vastly less powerful NSLU2.

------
hnriot
What I have increasingly seen (not because of the NSA - most of my friends
just assume the government are watching - they grew up on 24 and Jason Bourne)
- is that email is just not something they use much. I'm told that email is
all "spam", by which they mean followups to services they signed up with, not
really spam, but not personal communications either. For them, personal
communications are increasingly switching to txt/iMessages. The interactivity,
the ability to be in a conversation is more natural than email where you write
something, toss it over the fence at some MTA. The NSA might just be watching
the wrong channel.

Obviously they are no doubt snooping iMessages, but if someone wanted to NSA
proof their "email", maybe instead they should just forget email altogether
and think about mobile, point to point solutions. I used to use bbm before
they gave up on releasing new phones (something they have since done, but too
late for me) - they used to have a device PIN you could use to make point to
point encrypted messaging - it was easy to use and I assume reasonably secure.
Maybe something like that is far better than even bothering with email.

------
yuvadam
I'd like to see this setup coded into a proper server provisioning tool like
Chef/Puppet/Ansible.

------
pron
OK, a general question. I understand why it's really bad that the government
is spying on us. They shouldn't do it. But that's a civic and political issue
(a very important one!) much more than a personal issue. As a private e-mail
(and internet) user, I'm 100 times more concerned about Google reading my
e-mail than the US government. I don't think the government cares much about
my correspondence, but I know for a fact that not only is Google interested,
they're actually sifting through my e-mails, extracting information and
actively using that information against me every day.

Government sponsored invasion of privacy is infuriating, but corporate
invasion of privacy is constant, on a far larger scale, not subject to almost
any kind of oversight and scrutiny -- however slim --, and is much harder to
stop (partly because it has less sinister connotations in people's minds, and
people have the illusion that they're submitting voluntarily). In addition --
and this may be beside the point and a matter of personal taste -- corporate
surveillance is used for far more egregious ends.

Why would you want to NSA-proof your e-mail but not Google-proof it (though
that would probably be far harder to do)?

~~~
tlrobinson
"I don't think the government cares much about my correspondence"

That sounds a lot like the "I don't have anything to hide" argument.

~~~
pron
The "I don't have anything to hide" argument is irrelevant when it applies to
the political sphere. But when an article says, "this is how to hide your
stuff" that argument becomes very relevant. If it's not about politics and
society anymore but about your own actual privacy, why try to hide your stuff
from the government when Google not only keeps a copy of your house keys but
makes it a habit to snoop around and then show off about how well it knows
you.

------
abbot2
If I were from the NSA:

1. Go to Linode (or your favourite hosting provider).
2. Make a snapshot of memory of a running VM.
3. Extract encryption keys from that snapshot.
4. Decrypt.

The message here is: it does not matter which server setup you use, be it own
hardware, cloud hosting or gmail. If data is seen unencrypted in any place
which is not under exclusive control of yourself or your peers, it can (and
eventually will) be intercepted.

~~~
jlgaddis
I'm suddenly really happy that we decided to build our own facility to house
our gear and even happier that there's only a couple of us with physical
access to that particular facility (and that I'm notified almost immediately
if/when the door opens).

------
nivla
Good tutorial but it does not make it fully secure. SMTP is an insecure
protocol, so if your host decides or is compelled to sniff the traffic, all
emails received or sent could be recorded in plain text. Not to mention emails
from senders using 3rd party services are already compromised even before they
get to you.

How is it that we still don't have proper support for secure SMTP among most
email providers?

------
stonemetal
How? Stop sending email? That takes a lot less than two hours. As soon as I
email someone who uses gmail nothing you have done prevents the NSA from
seeing it. Without heroic measures to run my own private email system and
force every person or company that I might email to use it, there is no way to
keep the NSA completely out.

~~~
mhurron
When the NSA can (is) watching the actual traffic through the internet
backbone, NOTHING you do that is not encrypting is doing anything.

I sit and laugh at people who say they're switching to Linux or moving their
mail to their own mail server because of the recent NSA revelations. They're
not logging into your desktop directly. They weren't logging directly into
your GMail, they're just quietly letting it accumulate as it passes something
they do monitor.

------
saosebastiao
Sure would be lovely if some of our German hacker brethren would start a
strong gmail competitor. It wouldn't even need to be "NSA-proof", but just
something with a large userbase and an order of magnitude harder to spy on,
with no jurisdiction for NSL shenanigans.

~~~
jlgaddis
Are you listening, Germany? =)

Many of us would pay a fair amount for such a product!

------
danielsamuels
I wish people would stop calling "#" a "hashtag" outside of social networks.

~~~
RexM
I agree. Everyone should call it an octothorpe because that's an awesome word
to say.

------
JonFish85
Well that's cool. Except, as others here have noted: what assurances do you
have on the other end (destination)? You can have all the encryption you want,
but ultimately "they" (NSA, FBI, CIA, whoever) have a thousand ways to get at
the information they want: keyloggers, 0-days to get into your machine, 0-days
to get into your email server, etc. Sure it's a fun exercise, but don't kid
yourself into thinking that you're bulletproof. Whether you agree with it or
not, the NSA can more than likely get around any protection you try to
implement, if they have enough reason to put the effort into it.

~~~
jlgaddis
Interestingly enough, one of the best tools that many of us "techies" have to
help prevent this was developed (at least in part and initially) by the NSA
itself: SELinux.

------
smokinjoe
NSA-proofing is (in my opinion) a very temporary and actually kind of a
selfish way of solving this problem. This is a situation where everyone is
affected by legislation, cutting yourself out of the situation doesn't help
anyone around you (and those you may communicate with, bringing you back into
the 'grid') and really just delays the inevitable.

Everyone has some responsibility, and for any sort of permanent or at the very
least long-lasting effect, people need to motivate and bombard their
representatives with letters and phone calls.

~~~
MarcParadise
Conversely - if significant numbers of people DID leave hosted services for
this kind of solution, wouldn't that prompt the big providers (with deeper
pockets and far more lobbying capability) to push back in order to ensure their
business is not negatively affected?

------
glogla
More than a few things in the article made me go "wait a minute", like saying
"Dovecot is LDA, so it runs IMAP", the chained IV and the warning that some
programs might not work (and if mutt won't work, how do you know Dovecot
will?), or the use of mysql ... but the glibc bcrypt story is especially sad.

------
mstrem
I have been wanting to set up my own mail for quite a while (I don't really
care about it being encrypted etc. at the moment). Ideally this is going to
give me the right push to do so. I do have a dedicated server so that makes
things easy, hopefully the fact I am running CentOS will not make a
difference.

------
jaynos
>Better SPAM detection. Yes, you can beat the Big G.

I never had a spam problem with gmail. V!AGRA and other spam emails are always
in my spam filter. I'd say current detection is around 98% effective with the
remaining 2% due to the fact that I haven't tried to correct miscategorization
of some newsletters.

------
dhotson
Is this really going to protect you? I get the feeling it'll just give you a
false sense of security.

They will still know who you are sending email to and receiving from.

The recipient metadata is unencrypted correct? As we've seen recently—the
metadata often reveals more than the message content.

~~~
SG-
Not if you're sending important emails to other people hosted on your own
server.

------
future_grad
Should be titled "How to make yourself feel secure with a mail server that
isn't".

------
excitom
It has been pointed out elsewhere that if you encrypt your data, you give the
NSA reason to hold it indefinitely since you might be hiding something. In
other words, the act of attempting to ensure your privacy makes you more
suspect. This sucks.

------
mrt0mat0
This is akin to having to put all of your snail mail in a lock box and set up
your own post offices just to get mail to where you want it to, hoping it
won't get intercepted along the way. I think the government needs to change,
not us.

~~~
dllthomas
The costs look _radically_ different. Which isn't to say the government
_doesn't_ need to change, of course.

------
runn1ng
The problem with this approach is - I know how dangerous it is to run an
un-updated system, and I am too lazy to check updates on yet another system,
and correct stuff when the updates break something.

And updates always break something.

------
Korban
I think the author missed one requirement: you need to have your own
(sub)domain. Since it costs money most people do not have it.

~~~
jlgaddis
You can get third-level domain names for free from various dynamic DNS
providers.

------
luke-stanley
Surely there should be a Bash script or Debian package for this kinda thing?

------
jafaku
Nice try, NSA. This won't protect us at all.

------
MrBra
OK, I don't want to set up a whole system or even a virtual OS for reading
email. Any lighter, less-invasive alternatives?

------
coldcode
If you are in the US, you are not NSL proof.

~~~
schrodingersCat
Yes, the NSA could still get your metadata, content from your ISP with an NSL,
but this would eliminate the possibility of getting your email directly from
the g00g.

~~~
mpyne
Given that 'the g00g' is delivering email in accordance with the very same
NSLs I'm not sure how that's really better though. I would certainly place
more faith in Google to properly maintain the security and configuration of an
email server than myself.

The one advantage I see is that someone has to write the NSL in the first
place so if you use a hosting provider that is very small you'd probably avoid
attention just due to prioritization of resources. But that would only last
until enough other people become aware of that refuge for it to become visible
on the NSA's radar...

~~~
schrodingersCat
Yep, you are absolutely correct. This approach is only for the truly paranoid.
But if you host accounts for your friends, family, and s/o, then your messages
/ metadata will never go out onto the web in any readable form. Yes, emails
from businesses and other people will be visible but it is certainly a better
setup if you care about your privacy.

------
timbrooke
> NSA-proof your email in two hours

Or just get used to using decentralized and encrypted p2p communication
solutions. No server to set-up, just the client to install.

~~~
schrodingersCat
Have recommendations?

~~~
conductor
RetroShare

~~~
mark_l_watson
Thanks, that looks useful. Quick questions: would non-tech friends and family
be able to use this? Problems being behind a NAT?

~~~
conductor
You should just exchange your public keys with your friends. The software
makes this easy: it can create an email with your public key and open your
default MTA for sending it to your friends. Then they can easily import the
received email (with your public key attached). Then, of course, they should
send their public keys to you.

There is no problem being behind a NAT, it supports UPnP / NAT-PMP port
forwarding.

------
hannibal5
Instructions for how to secure your email even faster with the same level of
security.

1. Have a Gmail account.

2. Use disk encryption on your desktop/laptop.

3. Have your own email client.

4. Use IMAP to download mail from your Gmail account and to delete mails in
Gmail.

The NSA can still snoop on your email like it does when you use your own server, but
you don't keep the archive of your emails accessible to them.
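
hannibal5's step 4, as an added example rather than anything from the thread: the function below copies every message of a mailbox into a local Maildir (the standard library's `mailbox` module), reads each copy back, and only then asks the server to delete, so a failed or truncated download never costs the message. `FakeIMAP` is a constructed stand-in for an `imaplib.IMAP4_SSL` connection that returns the same `(status, data)` shapes, so the example runs offline; the sample messages are constructed too. What the provider does with an expunged message afterwards is outside the client's control, which is the part Ziomislaw raises below.

```python
import mailbox
import os
import tempfile

# Real use would be: imap = imaplib.IMAP4_SSL("imap.gmail.com"); imap.login(user, password)
# FakeIMAP below stands in for that connection so the example runs offline.


class FakeIMAP:
    """Constructed stand-in for an imaplib connection holding a few messages.
    Methods return the same (status, data) shapes imaplib uses."""

    def __init__(self, messages):
        self.messages = dict(enumerate(messages, start=1))   # sequence number -> raw bytes
        self.flagged = set()

    def select(self, mailbox_name="INBOX"):
        return "OK", [str(len(self.messages)).encode()]

    def search(self, charset, criterion):
        return "OK", [b" ".join(str(n).encode() for n in sorted(self.messages))]

    def fetch(self, num, parts):
        raw = self.messages[int(num)]
        return "OK", [(f"{int(num)} (RFC822 {{{len(raw)}}})".encode(), raw), b")"]

    def store(self, num, op, flags):
        if op == "+FLAGS" and "\\Deleted" in flags:
            self.flagged.add(int(num))
        return "OK", [b""]

    def expunge(self):
        for n in self.flagged:
            self.messages.pop(n, None)
        self.flagged.clear()
        return "OK", [b""]


def pull_and_delete(imap, store_path, mailbox_name="INBOX"):
    """Copy every message in mailbox_name into a local Maildir, then ask the
    server to delete only those whose local copy reads back byte-for-byte.
    Returns the number of messages archived and deleted."""
    box = mailbox.Maildir(store_path, create=True)
    status, _ = imap.select(mailbox_name)
    if status != "OK":
        raise RuntimeError(f"cannot select {mailbox_name}")
    status, data = imap.search(None, "ALL")
    if status != "OK":
        raise RuntimeError("search failed")
    to_delete = []
    for num in data[0].split():
        status, parts = imap.fetch(num, "(RFC822)")
        if status != "OK":
            continue                                   # leave it on the server; retry next run
        raw = next(p[1] for p in parts if isinstance(p, tuple))
        key = box.add(raw)
        if box.get_bytes(key) != raw:
            box.discard(key)                           # bad local copy: do not delete remotely
            continue
        to_delete.append(num)
    for num in to_delete:                              # flag only after every copy is verified
        imap.store(num, "+FLAGS", "\\Deleted")
    if to_delete:
        imap.expunge()
    return len(to_delete)


def demo():
    """Run the procedure on constructed messages; returns
    (archived, left on server, messages in the local Maildir)."""
    sample = [
        b"From: alice@example.net\r\nSubject: one\r\n\r\nfirst body\r\n",
        b"From: bob@example.org\r\nSubject: two\r\n\r\nsecond body\r\n",
    ]
    imap = FakeIMAP(sample)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "archive")
        archived = pull_and_delete(imap, path)
        local = len(mailbox.Maildir(path))
    return archived, len(imap.messages), local


if __name__ == "__main__":
    print(demo())
```

Deleting is deliberately a second pass: flags are set only once every fetched message has been written and verified locally, and `expunge` is sent once, so a connection dropping mid-run leaves unarchived mail on the server rather than in neither place.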

~~~
Ziomislaw
You do realize that 'delete' does not actually delete your messages?

~~~
hannibal5
Yes, but the messages stay only six months. Probably roughly the same time as
NSA would store intercepted mails.

