Once again Proton hand over data on an activist to authorities, this time to the FBI via the Swiss High Court.

Proton is unsafe for use by frontliners.

https://www.404media.co/proton-mail-helped-fbi-unmask-anonymous-stop-cop-city-protestor/

#infosec #opsec

Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester

A court record reviewed by 404 Media shows privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.

Group-wide selfhosted mail is so often the solution here, but it needs to be done right, and with strong operational security posture. This includes the jurisdictional layer relative to operating context.

And yet #selfhosted mail is famously hard. We dedicate much time to this, deploying a full blown high-reputation MTA with webmail frontend, in the Fortress sessions https://courses.nikau.io/fortress/

#selfhosting

@JulianOliver Has anyone considered replacing SMTP? People complain about mail all the time. The way to replace an obsolete protocol is to create a new one and use it in parallel with the old one until the old one goes away.
@mike805 @JulianOliver The few big email providers don't care.
@mihamarkic @JulianOliver That's why I am saying you need an "email 2" that you use in parallel for the time being. You ultimately want "email 2" to become the high value endpoint and gmail to be the junk box.
@mike805 @JulianOliver From what I remember you'd want to standardize the protocols and there it usually gets stuck.
@JulianOliver how does disk encryption on servers work? Where do you store the secret?

@mihamarkic @JulianOliver use public key encryption, a server can encrypt all your non-encrypted incoming email with your public key, and only your client with your private key can decrypt it. Without your private key, nothing stored on the server can be decrypted.

This is pretty easy to implement yourself, using pgp, if you already run your own mail server.
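An added example of the scheme described above (not code from this thread or from any mail project): a stdin-to-stdout filter, meant to be hooked in as a Postfix content filter or a delivery-time hook (both assumptions), that rewraps each incoming plaintext message as PGP/MIME (RFC 3156) encrypted to the recipient's public key, and passes already-encrypted mail through untouched so nothing gets wrapped twice. The key ID, the gpg invocation and the hook point are assumptions.

```python
import subprocess
import sys
from email import encoders, message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

RECIPIENT_KEY = "user@example.org"   # assumption: key sits in the filter user's gpg keyring
PGP_MARKER = b"-----BEGIN PGP MESSAGE-----"


def is_already_encrypted(msg) -> bool:
    """PGP/MIME (multipart/encrypted) and inline-PGP mail pass through untouched."""
    if msg.get_content_type() == "multipart/encrypted":
        return True
    if msg.is_multipart():
        return False
    return PGP_MARKER in (msg.get_payload(decode=True) or b"")


def gpg_encrypt(plaintext: bytes, key_id: str = RECIPIENT_KEY) -> bytes:
    """Encrypt to the recipient's public key with the local gpg binary (assumed installed)."""
    cmd = ["gpg", "--batch", "--armor", "--trust-model", "always", "--encrypt", "-r", key_id]
    return subprocess.run(cmd, input=plaintext, check=True, capture_output=True).stdout


def wrap_in_pgp_mime(raw: bytes, encrypt_fn=gpg_encrypt) -> bytes:
    """Rewrap one message as multipart/encrypted, or return it unchanged if already
    encrypted. The whole MIME body (attachments included) becomes ciphertext."""
    msg = message_from_bytes(raw)
    if is_already_encrypted(msg):
        return raw
    # Plaintext = original entity minus routing headers; the Content-* headers stay
    # inside so the client can decode the body after decrypting it.
    inner = message_from_bytes(raw)
    for name in list(inner.keys()):
        if not name.lower().startswith("content-"):
            del inner[name]
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name, value in msg.items():                 # keep From/To/Subject/Date/Received
        if not name.lower().startswith("content-") and name.lower() != "mime-version":
            outer[name] = value
    control = MIMEApplication("Version: 1\n", "pgp-encrypted", encoders.encode_7or8bit)
    control.add_header("Content-Description", "PGP/MIME version identification")
    body = MIMEApplication(encrypt_fn(inner.as_bytes()), "octet-stream",
                           encoders.encode_7or8bit, name="encrypted.asc")
    body.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    outer.attach(control)
    outer.attach(body)
    return outer.as_bytes()


if __name__ == "__main__":   # filter mode: message on stdin, encrypted message on stdout
    sys.stdout.buffer.write(wrap_in_pgp_mime(sys.stdin.buffer.read()))
```

Only the envelope headers (From, To, Subject, Date, Received) remain readable on disk; the filter does not touch mail that a sender already encrypted end to end.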

@hyc @JulianOliver I had disk encryption in mind, not the e-mail. Where even PGP is not a 100% solution.

@mihamarkic @JulianOliver ah. Yes, a good question, with, IMO, no good answers. On a laptop you can just prompt for a key or password on boot. On a server that must be able to reboot without human intervention, there is nowhere to store the key that's safe from snooping.

I've daydreamed about building a USB flash drive that only stays active for N seconds after a bus reset, then shuts itself off. Thus you could store a key on it that can be read at boot time, but not long after.

@hyc @JulianOliver That's not a solution though - what would prevent the attacker from reading your USB drive? I thought of something else - what if the server asked you for a password (you'd have an app, i.e. on your phone) instead? That would help if you knew the server was stolen but not if somebody broke in.

@mihamarkic @JulianOliver if they're not physically present then they can only attempt to read it during a short time window at bootup, when nothing but the kernel has started.

If they're physically present, all bets are off.

@mihamarkic @JulianOliver I suppose if only your home/data disk is encrypted, the machine could bring up enough networking to talk to an app on your phone. But still, if the attacker has physical access to the machine, they can sniff traffic or scan memory to grab the key.
@hyc @JulianOliver Agreed and that's what I said. So if I were to suspect physical access or something, I wouldn't enter the password.
@hyc @JulianOliver Yep, I'm not concerned about remote scenarios, but physical. With remote scenarios encryption doesn't help anyway, as they would have access to an unencrypted disk.
@JulianOliver with modern mailers like Mox, Stalwart, or even Mailcow, self-hosting mail is not hard anymore. And considering the profile I would advise against running such a thing on a VPS, rather deploy this on your own premises where they have no jurisdiction.

@ronnylam those turnkey solutions are good for very simple setups but can be awfully inflexible and easily outgrown. I believe also people invite risk running complex infra they don't understand. Mail is complex. The way it is.

For the long haul, esp so far as adding new mailing domains and forwarding, aliasing and even hardening, it is hard to beat native Postfix/Dovecot/OpenDKIM for MTA with webmail frontend on a separate host. No containerisation, all legible, fast, tunable and readily secured.

@JulianOliver from your answer I get the feeling that you have never looked at, let alone tried, Mox or Stalwart. Both are all-in-one single binary mail solutions, one written in Go, the other in Rust. Both are very easy to set up, flexible and secure. Maybe they can be outgrown, but not by families or small associations that want to run their own mail. No containerisation, all legible, fast, tunable and readily secured.
@ronnylam I have not tried Mox, no. I have been meaning to set up a sandbox for this. Thank you.
@JulianOliver I am really interested in your findings.

@JulianOliver
https://riseup.net/ offers something like this.
Including onion/tor access.

I'm slightly surprised that they don't state what data they store

@realn2s Riseup have been around for ages and are an activist favourite, but still bound to local laws (California).

I agree, they remain too skinny on details, esp given how vulnerable they will be in the US right now.

It would be good to see them move out, say, to an Icelandic DC.

@JulianOliver
don't give Proton your personal details and they can't give it to anyone else when compelled by law.
stupidity is unsafe for frontliners.

@DonChacale When they sold out the French anti-gentrification and climate activist it was to trace the originating IP of emails sent and received. So an onion layer would also be required in that case that sends a fake user-agent string. The Tor browser, for instance.

Regardless, even with such provisions in place, I would not consider Proton safe.

@JulianOliver
fair enough.
I'm not sure I would consider almost any email service safe if I was "front line".
@DonChacale @JulianOliver any commercial entity selling their services has to abide by the laws of the country they reside in. But a company like Proton that advertises themselves as private & secure should have had a policy to not keep any personally identifiable info on its customers. That also precludes accepting credit cards for payment. And again, any frontliner stupid enough to use a credit card there was going to get tracked sooner or later. They should have used Monero.
@hyc @JulianOliver
they should have a "we will defy any country's legal orders to obtain your identity though you have given it freely, of your own accord, to us, even though we have not asked you for it" policy?
@DonChacale @JulianOliver if they don't ask for it, there should be no way for you to give it to them, and no database to record such info.
@JulianOliver @DonChacale they traced and gave away IPs? In that case, Proton isn't safe even for journalists. Are there even any zero-trust (or close enough to it) providers left?
@me @JulianOliver
i am a total layperson when it comes to cybersecurity.
and i am deeply uncertain it (absolute anonymity) actually exists on a deep level. isn't the internet inherently traceable? is/was the internet supposed to be an insoluble puzzle and an impenetrable mask behind which to obscure one's identity?
@DonChacale @JulianOliver not inherently, but email and/or chat is one of those things no-one can live without. And journalist is one of the most dangerous jobs in the world, and their enemies would rather kill them before they publish. When the USA is turning into a corrupt bully state, like Russia, it absolutely matters who gets data, and when.

@me @JulianOliver

journalism is an entirely different conversation. being half Mexican I'm horrified by the routine murders of journalists in that country. for me, again, as an absolute layperson with no computer skills, a group which did arson and vandalism paid for their email with a credit card with their name on it. smfh stupid. good people with mad computer skills may have a solution.

@me @JulianOliver
another thing i failed to mention... is the murder of journalists by the israeli state in gaza... sickening