Julian OliverOnce again Proton hand over data on an activist to authorities, this time to the FBI via the Swiss High Court.
Proton is unsafe for use by frontliners.
https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/
Group-wide selfhosted mail is so often the solution here, but it needs to be done right, and with strong operational security posture. This includes the jurisdictional layer relative to operating context.
And yet #selfhosted mail is famously hard. We dedicate much time to this, deploying a full blown high-reputation MTA with webmail frontend, in the Fortress sessions https://courses.nikau.io/fortress/
mike805@JulianOliver Has anyone considered replacing SMTP? People complain about mail all the time. The way to replace an obsolete protocol is to create a new one and use it in parallel with the old one until the old one goes away.
Miha Markič@mike805 @JulianOliver The few big email providers don't care.
@mihamarkic @JulianOliver That's why I am saying you need an "email 2" that you use in parallel for the time being. You ultimately want "email 2" to become the high value endpoint and gmail to be the junk box.
@mike805 @JulianOliver From what I remember you'd want to standardize the protocols and there it usually gets stuck.
@JulianOliver how does disk encryption on servers work? Where do you store the secret?
Howard Chu @ Symas@mihamarkic @JulianOliver use public key encryption, a server can encrypt all your non-encrypted incoming email with your public key, and only your client with your private key can decrypt it. Without your private key, nothing stored on the server can be decrypted.
This is pretty easy to implement yourself, using pgp, if you already run your own mail server.
@hyc @JulianOliver I was having disk encryption in mind, not the e-mail. Where even PGP is not a 100% solution.
@mihamarkic @JulianOliver ah. Yes, a good question, with, IMO, no good answers. On a laptop you can just prompt for a key or password on boot. On a server that must be able to reboot without human intervention, there is nowhere to store the key that's safe from snooping.
I've daydreamed about building a USB flash drive that only stays active for N seconds after a bus reset, then shuts itself off. Thus you could store a key on it that can be read at boot time, but not long after.
@hyc @JulianOliver That's not a solution though - what would prevent the attacker to read from your USB drive? I thought of something else - what if server asked you for a password (you'd have an app i.e. on your phone) instead? That would help if you knew server was stolen but not if somebody broke in.
@mihamarkic @JulianOliver if they're not physically present then they can only attempt to read it during a short time window at bootup, when nothing but the kernel has started.
If they're physically present, all bets are off.
@mihamarkic @JulianOliver I suppose if only your home/data disk is encrypted, the machine could bring up enough networking to talk to an app on your phone. But still, if the attacker has physical access to the machine, they can sniff traffic or scan memory to grab the key.
@hyc @JulianOliver Agreed and that's what I said. So I were to suspect physical access or something, I wouldn't enter password.
@hyc @JulianOliver Yep, I'm not concerned about remote scenarios, but physical. With remote scenarios encryption doesn't help anyway, as they would have access to an unencrypted disk.
Ronny Lam@JulianOliver with modern mailers like Mox, Stalwart, or even Mailcow, self-hosting mail is not hard anymore. And considering the profile I would advise against running such thing on a VPS, rather deploy this in your own premisse where they have no jurisdiction.
@ronnylam those turnkey solutions are good for very simple setups but can be awfully inflexible and easily outgrown. I believe also people invite risk running complex infra they don't understand. Mail is complex. The way it is.
For the longhaul, esp so far as adding new mailing domains and forwarding, aliasing and even hardening, it is hard to beat native Postfix/Dovecot/OpenDKIM for MTA with webmail frontend on separate host. No containerisation, all legible, fast, tunable and readily secured.
@JulianOliver from your answer I get the feeling that you have never looked at, let even tried Mox or Stalwart. Both are all-in-one single binary mail solutions, one written in Go, the other in Rust. Both are very easy to set up, flexible and secure. Maybe they can be outgrown, but not by families or small associations that want to run their own mail. No containerisation, all legible, fast, tunable and readily secured.
@ronnylam I have not tried Mox no. I have been meaning to setup a sandbox for this. Thank you.
@JulianOliver I am really interested in your findings.
Claudius Link@JulianOliver
https://riseup.net/ offers something like this.
Including onion/tor access.
I'm slightly surprised that they don't state what data they store
@realn2s Riseup have been around for ages and are an activist favourite, but still bound to local laws (California).
I agree, they remain too skinny on details, esp given how vulnerable they will be in the US right now.
It would be good to see them move out, say, to an Icelandic DC.