cross-posted from: https://sopuli.xyz/post/12515826

I’m looking for an email service that issues email addresses with an onion variant. E.g. so users can send a message with headers like this:

From: replyIfYouCan@hi3ftg6fgasaquw6c3itzif4lc2upj5fanccoctd5p7xrgrsq7wjnoqd.onion  
To: someoneElse@clearnet_addy.com

I wonder if any servers in the onionmail.info pool of providers can do this. Many of them have VMAT, which converts onion email addresses to clearnet addresses (not what I want). The docs are vague. They say how to enable VMAT (which is enabled by default anyway), and neglect to mention how to disable VMAT. Is it even possible to disable VMAT? Or is there a server which does not implement VMAT, which would send msgs to clearnet users that have onion FROM addresses?

  • freedomPusherOP
    link
    fedilink
    arrow-up
    1
    arrow-down
    2
    ·
    7 months ago

    How do you expect to receive replies from clearnet users, or are you okay not receiving replies?

    Indeed that’s the idea. If you’ve ever received a message where the sender’s address is “noreply@corp.xyz”, it’s similar. But in fact the onion address is slightly more useful than a “noreply” address because the responder would at least have the option of registering with an onion-capable email server to reply.

    Imagine you want to email a gmail user. You can ensure that the message contains nothing you don’t mind sharing with a surveillance advertiser, but you cannot generally control what gets shared in the response. An onion address ensures that replies will be outside of Google’s walled garden, for example. That’s just one of several use cases.

    Also most mail hosts these days toss emails that dont match dmarc/dkim/spf, which would be especially hard to do for an onion email

    Those are server to server authentication protocols, not something that validates the functionality of a sender’s disclosed email address. Otherwise how would a bank send an announcement from a “noreply” address?

    • mark@infosec.pub
      link
      fedilink
      arrow-up
      1
      ·
      7 months ago

      Because dmarc, DKIM, and SPF validate the domain against the sending server, not the address.

      When i send from noreply@ at work, it passes dmarc, DKIM, and SPF, because the recipient mail server validates the message came from an authorized mail server for the domain (mosty based on dns entries).

      Without that validation, you can certainly still send emails, but most clearnet mail hosts will drop your messages. Google, Microsoft, and yahoo at the bare minimum will

      • freedomPusherOP
        link
        fedilink
        arrow-up
        1
        arrow-down
        2
        ·
        7 months ago

        The server is checking that the EHLO domain matches that of the IP of the sending server. Whatever is in the FROM: field is entirely irrelevant to that. The RFC even allows multiple email addresses in the FROM field. It’s rarely practiced, but it’s compliant. So if you have FROM: bob@abc.com, bob@xyz.onion, bob@xyz.org, are you saying the receiving server would expect the domain of all FROM addresses to match that of the sending server? What happens when a sender has a gmail account but uses a vanity address? Instead of bob@gmail.com, he has bobswidgets@expertcorp.com. Are you saying expertcorp.comgmail.com, so the receiving server will reject it? I think not. Google offers the ability of their users to use an external address last time I checked.

        • mark@infosec.pub
          link
          fedilink
          arrow-up
          1
          ·
          7 months ago

          That is 100% what im saying, yes. The sending server needs to sign all messages with a private DKIM key where the public key is in a dns text entry. Then the reverse dns lookup for the mailserver needs to match the SPF txt record. Then your DMARC record has to match the dkim and spf settings.

          Ive set this up for exchange at work as well as my own personal mailserver, which is just a debian server running postfix and dovecot.

          When you want to use gmail as a mailserver for your own domain, you set these three things up so that your messages arent all blocked.

          Keep in mind, you do not need these to simply send and recieve messages, but if you want to interact with the rest of the world you do. Email is too easy to spoof, so everyone has agreed on these protocols for authenticity.

          • freedomPusherOP
            link
            fedilink
            arrow-up
            1
            arrow-down
            2
            ·
            edit-2
            7 months ago

            That is 100% what im saying, yes.

            Okay, so AFAICT you’ve not said anything that prevents individual users from using an onion FROM address, so long as the sending server is authorized via all the shitty spf, dkim, dmarc, dane hoops. This is what I’m after. In fact, I’m even less demanding. I don’t care if a service provider doesn’t bother with dkim and gets rejected by some servers. Email is in such a broken state anyway… I just need the option to set the FROM field to an onion address. The reason my own server is insufficient is the residential IP is very widely rejected.

            • mark@infosec.pub
              link
              fedilink
              arrow-up
              2
              ·
              7 months ago

              No you can totally modify mail headers anytime you want to, just be prepared to get mail rejection if you’re not following current mail security best practices.

              I’d recommend just renting a cheap vps from vultr or something, then you can setup your mailserver to send from anything you like. That’s how my mailserver works. I pay like $3 a month, and its plenty of space for a single user mailserver (i have like 3 mailboxes)

              I did go through the work to setup dkim/dmarc/spf. Took a weekend, but wasnt too bad. My mail is received by gmail yahoo and Microsoft. I imagine doing the same with onion addressing would be complicated.

        • mark@infosec.pub
          link
          fedilink
          arrow-up
          1
          ·
          7 months ago

          Maybe i need to further clarify that none of this is in the email RFC. Email is very old. These are new standards that everyone has agreed to on top of the RFC

          • freedomPusherOP
            link
            fedilink
            arrow-up
            1
            arrow-down
            2
            ·
            7 months ago

            I’m not surprised. Google took an anti-RFC posture when they broke email and brought in their own rules under the guise of anti-spam (the real reason is domination). The whole point of RFCs existence is interoperability. That was broken when servers reject RFC-compliant messages.

            I’m not interested in bending over backwards to accommodate. Satisfying Google’s dkim reqs requires the server admin to solve a CAPTCHA. That’s a line I personally will not cross. So at the moment I simply do not email gmail users (or MS Outlook users, same problem).