[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: Update to default exit policy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
anonym wrote:
>> I have a *lot* of experience with email administration on a very large
>> scale, I know what I'm talking about.
> 
> I'm sure you do. I'd love to have email work flawlessly and securly with
> Tor, so opening ports 465 and 587 would be great (currently I do have
> problems since there's few exit nodes which do that). But as I
> understand it, email clients + Tor might be a very bad idea ATM. Email
> clients leak tons of information, the most critical I know of being your
> IP address and/or host in the EHLO/HELO in the beginning of the SMTP(S)
> transaction.
Lots of protocols that can be used over Tor are potentially leaky. There
are tonnes of exit nodes that allow IRC traffic for example, which can
easily leak your username/hostname if you don't configure it correctly.
I'm not sure what makes SMTP submission special when it comes to the
exit policy.
> Really, this isn't an argument countering your in any way, but rather a
> plea that the issues of using email clients with Tor are researched and
> resolved before that combination gets promoted (IMHO opening ports 465
> and 587 is a step towards promoting it). It's very likely your average
> user will screw up given the current state of things.
As you said, the main issue is your hostname being leaked along with the
EHLO, or your client loading remote images without using Tor.
Personally, I use Thunderbird inside a virtual machine which can only
access the Internet via Tor and has no personally identifiable
information, including a random hostname and username etc.
- --
Dawn
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFIrAfrcoR2aV1igfIRAsyuAJ9JTHIuRJQ12qS3j2G1P5QTjHxqJACgkAQT
E8DK8FuClOfL7Wuvd9A2zSQ=
=oHrD
-----END PGP SIGNATURE-----