ehloonion / onionmx
Onion delivery, so delicious
Suddenly you speak of postdns.ini???? Where is this file, where does it come from?
Do you assume postfix, tor and mailserver are all on one machine?
I have these three services in 3 separate VMs.
Hey folks
Host authentication via onionmx, from what I understand, hinges on the SRV record that points to the hidden service, with no TLS/PKI or DNSSEC. That's not a huge issue compared to typical regular SMTP, given that most hosts don't validate TLS certificates either, and connections can be trivially downgraded.
However, this does become an issue for hosts that use MTA-STS, which offers reliable PKI host authentication via strict verification policies, and some measure of downgrade resistance.
So on a host that respects onionmx and MTA-STS for outgoing e-mails, the onionmx SRV record suddenly becomes the weakest link for authentication of recipient hosts. For example, if some host already knows via MTA-STS that gmail.com can be strictly authenticated by PKI certificate, an attacker could spoof an onionmx SRV record, and circumvent the host authentication that would have happened otherwise.
Any thoughts on this? Perhaps there is a simple fix, or my analysis is wrong?
(context: I considered adding onionmx support to keys.openpgp.org)
A couple things I thought of about the output of map2postfix-transport.rb:
```
.onion smtptor:
```
We had used this in the past to cover any MX records that pointed to onion addresses directly. I don't know if this is common at all, or if it should be encouraged/discouraged. Opinions?
You assume I cloned the project.
You assume I have Ruby installed.
You assume I made a pull request with the changed map.yaml.
This documentation needs rewriting.
Thought you might be interested. The following Exim macro+router allows me to route to systems with _onion-mx srv records without having to use an external script:
```exim
ONIONMX = ${map{\
${filter\
{${lookup dnsdb{srv=_onion-mx._tcp.$domain}}}\
{match{$item}{ 25 \\S+}}\
}\
}{\
${sg{$item}{.+ }{}}\
}}

onionmx:
  driver = manualroute
  transport = remote_smtp
  route_data = ONIONMX
```
Of course, it relies on the system that it is running on to be set up with transparent Tor routing.
I can't get this to work for postfix. All I see in the log is:
```
postfix/master[197567]: warning: process /usr/lib/postfix/sbin/smtp_tor pid 197606 exit status 134
postfix/master[197567]: warning: /usr/lib/postfix/sbin/smtp_tor: bad command startup -- throttling
```
I've found one person who seems to have had a similar problem: https://endchan.net/os/res/2.html#240
Is this still working for anyone else?
I ran strace and got:
```
1656582307 WARNING torsocks[1946690]: [syscall] Unsupported syscall number 39. Denying the call (in tsocks_syscall() at syscall.c:604)
1656582307 WARNING torsocks[1946690]: [syscall] Unsupported syscall number 39. Denying the call (in tsocks_syscall() at syscall.c:604)
1656582307 WARNING torsocks[1946690]: [syscall] Unsupported syscall number 39. Denying the call (in tsocks_syscall() at syscall.c:604)
...
Assertion 'fclose_nointr(f) != -EBADF' failed at src/basic/fd-util.c:126, function safe_fclose(). Aborting.
Aborted (core dumped)
```
Currently it uses `#!/bin/env ruby`, which doesn't exist in newer distro releases. I think it should just call the interpreter directly, `#!/usr/bin/ruby`, but if there is a good reason I suppose `#!/usr/bin/env ruby` might be acceptable.
I realized the static postfix map we were using locally hadn't been updated in a while, so I generated a new one from git and compared them and discovered that we had made some updates that weren't in the upstream map. I will list them below, but first I think we should consider if there are reasons to still maintain this file over using the SRV method.
If these domains want to keep doing onion-mx, make sure you are on v3 and publishing SRV records. Then we can either update the records in the map, or just drop them in the move to SRV only.
I had to manually add these to the tor_transport file:
```
tt3j2x4k5ycaa5zt.onion smtptor:[tt3j2x4k5ycaa5zt.onion]
danwin1210.me smtptor:[tt3j2x4k5ycaa5zt.onion]
wc2eyfmw7wrwomf4.onion smtptor:[wc2eyfmw7wrwomf4.onion]
onionmail.info smtptor:[wc2eyfmw7wrwomf4.onion]
bitmailendavkbec.onion smtptor:[bitmailendavkbec.onion]
bitmessage.ch smtptor:[bitmailendavkbec.onion]
eludemaillhqfkh5.onion smtptor:[eludemaillhqfkh5.onion]
elude.in smtptor:[eludemaillhqfkh5.onion]
```
Note as well that I added `<onion host> smtptor:[<onion host>]` for each of them as well as for all the existing ones. Not sure why those were not generated, but they are needed when the recipient is addressed using the .onion form.
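As an added example (not the project's own map2postfix-transport.rb, and not code from the comment above), the following Ruby generates Postfix transport(5) lines from a domain-to-onion mapping, emits the `<onion host> smtptor:[<onion host>]` self-entries the comment says were missing, and reports which lines of a hand-maintained transport file the map does not produce. The map entries are the ones listed above; the local transport file, the `handadded.example` domain and the `placeholderonionhost.onion` host are constructed for the example. The `catch_all:` option adds the `.onion smtptor:` line discussed earlier in the thread.

```ruby
# Constructed map in the shape of the project's map.yml (clearnet domain => onion host),
# using the entries listed in the comment above.
LOCAL_MAP = {
  'danwin1210.me'  => 'tt3j2x4k5ycaa5zt.onion',
  'onionmail.info' => 'wc2eyfmw7wrwomf4.onion',
  'bitmessage.ch'  => 'bitmailendavkbec.onion',
  'elude.in'       => 'eludemaillhqfkh5.onion',
}

# Build Postfix transport(5) lines. Every clearnet domain is routed through the
# Tor transport, and each onion host gets a self-entry so that mail addressed as
# user@<onion host> also goes via Tor instead of a direct (failing) SMTP attempt.
def transport_lines(map, transport: 'smtptor', catch_all: false)
  lines = []
  # Optional catch-all for MX hosts that are .onion names not present in the map.
  lines << ".onion #{transport}:" if catch_all
  map.each do |domain, onion|
    lines << "#{domain} #{transport}:[#{onion}]"
    lines << "#{onion} #{transport}:[#{onion}]"
  end
  lines.uniq # two domains sharing one onion host need only one self-entry
end

# Parse an existing transport file into its non-comment, non-blank lines,
# normalising whitespace so files edited by hand compare cleanly.
def parse_transport(text)
  text.each_line.map(&:strip)
      .reject { |l| l.empty? || l.start_with?('#') }
      .map { |l| l.split(/\s+/, 2).join(' ') }
end

# Lines present in the local file but not produced from the map: these are the
# local additions that should go upstream (or be dropped in a move to SRV only).
def local_only(local_text, map)
  parse_transport(local_text) - transport_lines(map)
end

# Constructed local transport file: entries from the map plus one hand-added
# pair the map does not know about (placeholder onion host, not a real service).
LOCAL_TRANSPORT = <<~FILE
  # tor transport map, maintained by hand
  danwin1210.me smtptor:[tt3j2x4k5ycaa5zt.onion]
  tt3j2x4k5ycaa5zt.onion smtptor:[tt3j2x4k5ycaa5zt.onion]
  handadded.example smtptor:[placeholderonionhost.onion]
  placeholderonionhost.onion  smtptor:[placeholderonionhost.onion]
FILE

if __FILE__ == $0
  puts transport_lines(LOCAL_MAP, catch_all: true)
  puts '--- local-only entries ---'
  puts local_only(LOCAL_TRANSPORT, LOCAL_MAP)
end
```

Run `postmap` on the generated file as usual; the `local_only` list is what the comment above found by comparing the regenerated map against the file that had been maintained by hand.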
With the support of onion v3 landing in stable Tor, it is time to take advantage of the better crypto and security properties of next generation of onion. I'm not sure what's the best way to coordinate the effort with all the maintainers of the servers included on the static map, but it would be great to nudge them to upgrade to onion v3 if they haven't already. And also to include the ones who already have. I know Riseup has, for example.
What is the reason for using SRV records instead of simply having .onion MX records?
Also, none of the docs seem to mention dnssec as a way to verify the .onion addresses as being genuine?
I did not find a policy on how to get a domain added or removed from the project's map.yml file. It seems like a nice possibility for MitM attacks.
I propose to require proof of ownership by the non-onion domain owner. This can be done simply by requiring the presence of a SRV record pointing to the provided onion domain.
In #25 I created a simple script to check for the SRV records. This or something similar could be used for regular checking of currently present records and those to be added.
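The check proposed in the comment above, written out as an added Ruby example (not the script from #25 and not project code): for each domain => onion pair in a map, fetch the `_onion-mx._tcp.<domain>` SRV records and report whether one of them points to the claimed onion host on port 25, and whether that host is a v3 address. `lookup_onion_mx` uses Ruby's standard `Resolv::DNS`, which does not validate DNSSEC, so the check establishes that the map and DNS agree, not that the DNS answer is authentic; the domains, onion hosts and SRV answers below are constructed (the one v2 address is taken from the static map above) so the check runs offline.

```ruby
require 'resolv'

V3_ONION = /\A[a-z2-7]{56}\.onion\z/   # 56 base32 chars: next-generation onion service
V2_ONION = /\A[a-z2-7]{16}\.onion\z/   # 16 base32 chars: legacy v2 onion service

# Look up the _onion-mx._tcp SRV records for a clearnet domain and return them
# as [priority, weight, port, target] rows (target lower-cased, no trailing dot).
def lookup_onion_mx(domain)
  Resolv::DNS.open do |dns|
    dns.getresources("_onion-mx._tcp.#{domain}", Resolv::DNS::Resource::IN::SRV).map do |r|
      [r.priority, r.weight, r.port, r.target.to_s.downcase.chomp('.')]
    end
  end
end

# Compare the SRV answer for a domain with the onion host a map entry claims.
#   :ok        an SRV record on port 25 points to the claimed host and it is v3
#   :v2        the record agrees but the host is a legacy v2 address
#   :not_v3    the record agrees but the host is neither v2 nor v3 in form
#   :mismatch  SRV records exist but none names the claimed host on port 25
#   :no_record the domain publishes no _onion-mx SRV record at all
def verify_srv(records, claimed_onion)
  claimed = claimed_onion.downcase.chomp('.')
  return :no_record if records.empty?
  matching = records.select { |(_prio, _weight, port, target)| port == 25 && target == claimed }
  return :mismatch if matching.empty?
  return :ok if claimed =~ V3_ONION
  return :v2 if claimed =~ V2_ONION
  :not_v3
end

# Check every domain => onion pair of a map. `resolver` is any callable taking a
# domain and returning SRV rows, so the same code runs against live DNS or test data.
def check_map(map, resolver = method(:lookup_onion_mx))
  map.each_with_object({}) do |(domain, onion), result|
    result[domain] = verify_srv(resolver.call(domain), onion)
  end
end

# Constructed data: placeholder v3 hosts (not real services) and a v2 host from the
# static map above; the SRV answers mimic what the resolver would return.
V3_EXAMPLE = ('a' * 55) + 'd' + '.onion'
SAMPLE_MAP = {
  'good.example'    => V3_EXAMPLE,
  'old.example'     => 'tt3j2x4k5ycaa5zt.onion',
  'spoofed.example' => V3_EXAMPLE,
  'silent.example'  => V3_EXAMPLE,
}
SAMPLE_SRV = {
  'good.example'    => [[0, 0, 25, V3_EXAMPLE]],
  'old.example'     => [[0, 0, 25, 'tt3j2x4k5ycaa5zt.onion']],
  'spoofed.example' => [[0, 0, 25, ('b' * 55) + 'd' + '.onion']],   # DNS names a different host
  'silent.example'  => [],
}
OFFLINE_RESOLVER = ->(domain) { SAMPLE_SRV.fetch(domain, []) }

if __FILE__ == $0
  check_map(SAMPLE_MAP, OFFLINE_RESOLVER).each { |domain, status| puts "#{domain}: #{status}" }
end
```

Anything other than `:ok` is a candidate for removal from (or rejection into) the map: `:mismatch` and `:no_record` mean the domain owner has not published the record that would prove the onion host is theirs, and `:v2` flags entries that still need the v3 upgrade discussed earlier.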
Why don't you verify the smtp server's onion service with the tls certificate they offer on direct connect? This would make trolling etc harder
get with the program