diff --git a/website/EN/usage_email.html b/website/EN/usage_email.html new file mode 100644 index 00000000..80c13c47 --- /dev/null +++ b/website/EN/usage_email.html @@ -0,0 +1,1070 @@ + + + + + + + + + + + + + + + + + + + +
+ +
+
+
+ +
+




+ +. + + + + +++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Things to be aware of
A technical note about email transport security
Add a password to your GPG key
Publishing your GPG public key
Mutt email client
Thunderbird/Icedove
K9 Android client
Subscribing to mailing lists
Adding email addresses to a group/folder
Ignoring incoming emails
Your own mailing list
+ +
+

Things to be aware of

+
+

+Even though this system makes it easy to set up an email server, running your own email system is still not easy and this is mainly due to the huge amount of collatoral damage caused by spammers over a long period of time, which in turn is due to the inherent insecurity of email protocols which enabled spam to become a big problem. Email is still very popular though and most internet services require that you have an email address in order to register. +

+ +

+In using an email address hosted on your own system you will quite likely find that it is blocked and bounced by other popular email systems. Such blocking is almost never based upon any evidence that your system is actually producing spam and usually it's just because your IP address happens to be within a certain range. Rather arrogantly many of the anti-spam rule sets assume that if an email is sent from an IP address range which is "residential" (i.e. not a company or other organisation) then it must therefore be spam. +

+ +

+So if you want to use your own email address hosted on your own system you do need to be prepared to encounter some difficulties and annoyances. Sadly, often these annoyances will be unsolvable and are not a matter of using different software or configuring things differently. +

+
+
+
+

A technical note about email transport security

+
+

+Port 465 is used for SMTP and this is supposedly deprecated for secure email. However, using TLS from the start of the communications seems far more secure than starting off with insecure communications and then trying to upgrade it with a command to begin TLS, as happens with STARTTLS. There are possible attacks against STARTTLS in which the command to begin secure communications is removed or overwritten which could then result in email being transferred in plain text over the internet and be readable by third parties. +

+ +

+From http://motherboard.vice.com/read/email-encryption-is-broken: +

+ +
+

+The researchers also uncovered mass scale attacks of STARTTLS sessions being stripped of their encryption. That attack itself isn't new: internet service providers sometimes do it to monitor users; organizations may use it to keep an eye on employees; or it may come from a malicious actor +

+
+
+
+
+

Add a password to your GPG key

+
+

+If you didn't use existing GPG keys during the Freedombone installation then you'll need to add a password to your newly generated private key. This is highly recommended. Go through the following sequence of commands to ssh into the Freedombone and then change your GPG password. +

+ +
+ +
ssh username@domainname -p 2222
+gpg --edit-key username@domain
+passwd
+save
+quit
+exit
+
+
+ +

+Having a password on your GPG key will prevent someone from reading your email even if your server gets lost or stolen or if someone else has physical access to it. Make the password something long and unlikely to be guessable or vulnerable to a brute force dictionary attack. +

+
+
+ +
+

Publishing your GPG public key

+
+

+If you havn't already then you should publish your GPG public key so that others can find it. +

+ +
+ +
ssh username@domainname -p 2222
+gpg --send-keys username@domainname
+exit
+
+
+
+
+
+

Mutt email client

+
+

+Mutt is a terminal based email client which comes already installed onto the Freedombone. To access it you'll need to access it via ssh with: +

+ +
+ +
ssh username@domainname -p 2222
+
+
+ +

+If you're using Windows there is an ssh client called putty, on Linux just open a terminal and enter the above command with your username and domain name. On Android you can use the ConnectBot app with the hostname username@domain:2222 +

+ +

+Once you have logged in via ssh then just type mutt. Like most terminal programs mutt is quite easy once you've learned the main keys. +

+ +

+Some useful keys to know are: +

+ + + + +++ ++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
"/"Search for text within headers
*Move to the last message
TABMove to the next unread message
dDelete a message
uUndelete a mail which is pending deletion
$Delete all messages selected and check for new messages
aAdd to the address book
mSend a new mail
ESC-mMark all messages as having been read
SMark a message as spam
HMark a message as ham
CTRL-bToggle side bar on/off
CTRL-nNext mailbox (on side bar)
CTRL-pPrevious mailbox (on side bar)
CTRL-oOpen mailbox (on side bar)
rReply to an email
LReply to a mailing list email
]Expand or collapse all threads
[Expand of collapse the current thread
CTRL-kImport a PGP/GPG public key
qQuit
+ +

+To use the address book system open an email by pressing the enter key on it and then to add the sender to the address list press the A key. It will ask you for an alias which may be used the next time you want to send a mail. Alternatively you may just edit the ~/.mutt-alias file directly to add email addresses. +

+ +

+One of the most common things which you might wish to do is to send an email. To do this first press m to create a new message. Enter the address to send to and the subject, then after a few seconds the Emacs editor will appear with a blank document. Type your email then press CTRL-x CTRL-s to save it and CTRL-x CTRL-c to exit. You will then see a summary of the email to be sent out. Press y to send it and then enter your GPG key passphrase (the one you gave when creating a PGP/GPG key). The purpose of that is to add a signature which is a strong proof that the email was written by you and not by someone else. +

+ +

+When reading emails you will initially need to enter your GPG password. It will be retained in RAM for a while afterwards. +

+
+
+ +
+

Thunderbird/Icedove

+
+

+Another common way in which you may want to access email is via Thunderbird (also known as Icedove on Debian). This may be especially useful if you're trying to convert former Windows users who may previously have been using some version of Outlook. +

+ +

+The following instructions should be carried out on the client machines (laptop, etc), not on the BBB itself. +

+
+ +
+

Initial setup

+
+

+Install Thunderbird and Enigmail. How you do this just depends upon your distro and software manager or "app store". +

+ +

+Open Thinderbird +

+ +

+Select "Skip this and use existing email" +

+ +

+Enter your name, email address (myusername@mydomainname.com) and the password for your user. +

+ +

+You'll get a message saying "Thunderbird failed to find the settings" +

+ +

+The settings should be as follows, substituting mydomainname.com for your domain name and myusername for the username. +

+ +
    +
  • Incoming: IMAP, mydomainname.com, 993, SSL/TLS, Normal Password
  • +
  • Outgoing: SMTP, mydomainname.com, 465, SSL/TLS, Normal Password
  • +
  • Username: myusername
  • +
+ +

+Click Done. +

+ +

+Click Get Certificate and make sure "permanently store this exception" is selected", then click Store Security Exception. +

+ +

+From OpenPGP setup select "Yes, I would like the wizard to get me started". If the wizard doesn't start automatically then "setup wizard" can be selected from OpenPGP on the menu bar. +

+ +

+Select "Yes, I want to sign all of my email" +

+ +

+Select "No, I will create per-recipient rules" +

+ +

+Select "yes" to change default settings. +

+
+
+
+

Import your GPG keys

+
+

+On the Freedombone export your GPG public and private keys. +

+ +
+ +
ssh username@domainname -p 2222
+gpg --list-keys username@domainname
+gpg --output ~/public_key.gpg --armor --export KEY_ID
+gpg --output ~/private_key.gpg --armor --export-secret-key KEY_ID
+
+
+ +

+On your laptop or desktop you can import the keys with: +

+ +
+ +
scp -P 2222 username@domain:/home/username/*.gpg ~/
+
+
+ +

+Select "I have existing public and private keys". +

+ +

+Select your public and private GPG exported key files. +

+ +

+Select the account which you want to use and click Next, Next and Finish. +

+ +

+Remove your exported key files, both on your laptop/desktop and also on the Freedombone. +

+ +
+ +
shred -zu ~/public_key.gpg
+shred -zu ~/private_key.gpg
+
+
+
+
+ +
+

Using for the first time

+
+

+Click on the Thunderbird menu, which looks like three horizontal bars on the right hand side. +

+ +

+Hover over preferences and then Account settings. +

+ +

+Select OpenPGP Security and make sure that use PGP/MIME by default is ticked. This will enable you to sign/encrypt attachments, HTML bodies and UTF-8 without any problems. +

+ +

+Select Synchronization & Storage. +

+ +

+Make sure that Keep messages for this account on this computer is unticked, then click Ok. +

+ +

+Click on Inbox. Depending upon how much email you have it may take a while to import the subject lines. +

+ +

+Note that when sending an email for the first time you will also need to accept the SSL certificate. +

+ +

+Get into the habit of using email encryption and encourage others to do so. Remember that you may not think that your emails are very interesting but the Surveillance State is highly interested in them and will be actively trying to data mine your private life looking for "suspicious" patterns, regardless of whether you are guilty of any crime or not. +

+
+
+ +
+

Making folders visible

+
+

+By default you won't be able to see any folders which you may have created earlier using the mailinglistrule script. To make folders visible select: +

+ +

+Menu, hover over Preferences, select Account Settings, select Server Settings then click on the Advanced button. +

+ +

+Make sure that "show only subscribed folders" is not checked. Then click the ok buttons. Folders will be re-scanned, which may take some time depending upon how much email you have, but your folders will then appear. +

+
+
+
+ +
+

K9 Android client

+
+
+

A point about GPG on Android

+
+

+Before trying to set up email on Android you may want to consider whether you really need to do this. Android (and its variants) is not a particularly secure operating system and whether or not you wish to store GPG keys on it depends on your threat model and in what situations you'll be using your device. +

+ +

+If you are going to use email on an Android device then ensure that you have full encryption enabled via the security settings, so that if you subsequently lose it, or if it gets stolen, the chances of encryption keys being exposed are minimised. +

+
+
+
+

Compiling the development version

+
+

+To get K9 working with Freedombone you'll need to install development versions of OpenKeychain and K9. At the time of writing the versions available in F-Droid do not support PGP/MIME or the "hidden recipient" feature of GPG. It is hoped that at some stage the patches will be integrated into the mainline or functionally equivalent changes made. Admittedly, this is not at all user friendly, but currently it's the only way to read Freedombone email on Android systems. +

+ +

+Build script for OpenKeychain: +

+ +
+ +
mkdir ~/develop
+cd ~/develop
+git clone https://github.com/bashrc/open-keychain
+cd open-keychain
+git checkout origin/bashrc/hidden-recipient-minimal
+git checkout -b bashrc/hidden-recipient-minimal
+cd tools
+nano build.sh
+
+
+ +

+Then add the following: +

+ +
+ +
#!/bin/bash
+
+# This script is intended to be used on Debian systems for building
+# the project. It has been tested with Debian 8
+
+USERNAME=$USER
+SIGNING_NAME='openkeychain'
+SDK_VERSION='r23.3.4'
+SDK_DIR=$HOME/android-sdk
+
+cd ..
+
+PROJECT_HOME=$(pwd)
+
+sudo apt-get install build-essential default-jdk \
+     lib32stdc++6 lib32z1 lib32z1-dev
+
+if [ ! -d $SDK_DIR ]; then
+    mkdir -p $SDK_DIR
+fi
+cd $SDK_DIR
+
+# download the SDK
+if [[ ! -f $SDK_DIR/android-sdk_$SDK_VERSION-linux.tgz ]]; then
+    wget https://dl.google.com/android/android-sdk_$SDK_VERSION-linux.tgz
+fi
+tar -xzvf android-sdk_$SDK_VERSION-linux.tgz
+SDK_DIR=$SDK_DIR/android-sdk-linux
+
+echo 'Check that you have the SDK tools installed for Android 22, SDK 21.1.2'
+
+export ANDROID_HOME=$SDK_DIR
+echo "sdk.dir=$SDK_DIR" > $ANDROID_HOME/local.properties
+export PATH=${PATH}:$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools
+
+cd $SDK_DIR/tools
+./android sdk
+
+if [ ! -f $SDK_DIR/tools/android ]; then
+    echo "$SDK_DIR/tools/android not found"
+    exit -1
+fi
+cd $SDK_DIR
+chmod -R 0755 $SDK_DIR
+chmod a+rx $SDK_DIR/tools
+
+# android sdk
+cd $PROJECT_HOME
+git submodule init && git submodule update
+
+if [ ! -f $SDK_DIR/tools/templates/gradle/wrapper/gradlew ]; then
+    echo "$SDK_DIR/tools/templates/gradle/wrapper/gradlew not found"
+    exit -2
+fi
+. $PROJECT_HOME/gradlew assembleDebug
+
+# cleaning up
+cd $PROJECT_HOME/OpenKeychain/build/outputs/apk
+if [ ! -f OpenKeychain-debug.apk ]; then
+    echo 'OpenKeychain-debug.apk was not found'
+    exit -3
+fi
+
+echo 'Build script ended successfully'
+echo -n 'apk is available at: '
+echo "$PROJECT_HOME/OpenKeychain/build/outputs/apk/OpenKeychain-debug.apk"
+exit 0
+
+
+ +

+Save and exit with CTRL-o, CTRL-x. +

+ +
+ +
chmod +x build.sh
+./build.sh
+
+
+ +

+Build script for K9: +

+ +
+ +
cd ~/develop
+git clone https://github.com/k9mail/k-9
+cd k-9
+cd tools
+nano build.sh
+
+
+ +

+Then add the following: +

+ +
+ +
#!/bin/bash
+
+# This script is intended to be used on Debian systems for building
+# the project. It has been tested with Debian 8
+
+USERNAME=$USER
+SIGNING_NAME='k-9'
+SDK_VERSION='r24.3.3'
+SDK_DIR=$HOME/android-sdk
+
+cd ..
+
+PROJECT_HOME=$(pwd)
+
+sudo apt-get install build-essential default-jdk \
+     lib32stdc++6 lib32z1 lib32z1-dev
+
+if [ ! -d $SDK_DIR ]; then
+    mkdir -p $SDK_DIR
+fi
+cd $SDK_DIR
+
+# download the SDK
+if [ ! -f $SDK_DIR/android-sdk_$SDK_VERSION-linux.tgz ]; then
+    wget https://dl.google.com/android/android-sdk_$SDK_VERSION-linux.tgz
+    tar -xzvf android-sdk_$SDK_VERSION-linux.tgz
+fi
+SDK_DIR=$SDK_DIR/android-sdk-linux
+
+echo 'Check that you have the SDK tools installed for Android 17, SDK 19.1'
+if [ ! -f $SDK_DIR/tools/android ]; then
+    echo "$SDK_DIR/tools/android not found"
+    exit -1
+fi
+cd $SDK_DIR
+chmod -R 0755 $SDK_DIR
+chmod a+rx $SDK_DIR/tools
+
+ANDROID_HOME=$SDK_DIR
+echo "sdk.dir=$SDK_DIR" > $ANDROID_HOME/local.properties
+PATH=${PATH}:$ANDROID_HOME/tools:$ANDROID_HOME/platform-tools
+
+android sdk
+cd $PROJECT_HOME
+
+if [ ! -f $SDK_DIR/tools/templates/gradle/wrapper/gradlew ]; then
+    echo "$SDK_DIR/tools/templates/gradle/wrapper/gradlew not found"
+    exit -2
+fi
+. $PROJECT_HOME/gradlew assembleDebug
+
+# cleaning up
+cd $PROJECT_HOME/k9mail/build/outputs/apk
+if [ ! -f k9mail-debug.apk ]; then
+    echo 'k9mail-debug.apk was not found'
+    exit -3
+fi
+echo 'Build script ended successfully'
+echo -n 'apk is available at: '
+echo "$PROJECT_HOME/k9mail/build/outputs/apk/k9mail-debug.apk"
+exit 0
+
+
+ +

+Save and exit with CTRL-o, CTRL-x. +

+ +
+ +
chmod +x build.sh
+./build.sh
+
+
+
+
+ +
+

Import your GPG key into OpenKeychain

+
+

+With your device connected to a laptop via USB cable and with USB debugging enabled on it: +

+ +
+ +
ssh username@domainname -p 2222
+gpg --list-keys username@domainname
+gpg --output ~/public_key.gpg --armor --export KEY_ID
+gpg --output ~/private_key.gpg --armor --export-secret-key KEY_ID
+cat ~/public_key.gpg ~/private_key.gpg > ~/mygpgkey.asc
+exit
+scp -P 2222 username@domainname:/home/username/mygpgkey.asc ~/
+sudo apt-get install android-tools-adb
+push ~/mygpgkey.asc /sdcard/
+shred -zu ~/mygpgkey.asc
+
+
+ +

+Then on your device select OpenKeychain and import your key from file. +

+
+
+
+

Incoming server settings

+
+
    +
  • Select settings/account settings
  • +
  • Select Fetching mail/incoming server
  • +
  • Enter your username and password
  • +
  • IMAP server should be your domain name
  • +
  • Security: SSL/TLS (always)
  • +
  • Authentication: Plain
  • +
  • Port: 993
  • +
+
+
+
+

Outgoing (SMTP) server settings

+
+
    +
  • Select settings/account settings
  • +
  • Select Sending mail/outgoing server
  • +
  • Set SMTP server to your domain name
  • +
  • Set Security to SSL/TLS (always)
  • +
  • Set port to 465
  • +
  • Set authentication to PLAIN
  • +
  • Enter your username and password
  • +
  • Accept the SSL certificate
  • +
+
+
+
+

Crypto settings

+
+

+Select settings, Account settings, OpenKeychain and then select your key and press Allow. You should now be able to decrypt emails by entering your GPG passphrase. +

+ +

+You may also want to change the amount of time for which passwords are remembered, so that you don't need to enter your passphrase very often. +

+
+
+
+

Folders

+
+

+To view any new folders which you may have created using the mailinglistrule script from your inbox press the K9 icon at the top left to access folders, then press the menu button and select refresh folder list. +

+ +

+If your folder still doesn't show up then press the menu button, select show folders and select all folders. +

+
+
+
+ +
+

Subscribing to mailing lists

+
+

+To subscribe to a mailing list log in as your user (i.e. not the root user). +

+ +
+ +
ssh username@domainname -p 2222
+freedombone-addlist -l <mailing list name> -s <subject tag> -e <list email address>
+exit
+
+
+ +

+The subject tag should be the word or phrase which appears within the brackets in the subject line of emails from the mailing list. The mailing list name should be something short so that it is readable within the left side column of the mutt email client, and contain no spaces. You can also use the freedombone-rmlist if you wish not to show a particular list within Mutt. +

+
+
+
+

Adding email addresses to a group/folder

+
+

+Similar to adding mailing list folders you can also add specified email addresses into a group/folder. +

+ +
+ +
ssh username@domainname -p 2222
+freedombone-addemail -e <email address> -g <group name>
+exit
+
+
+ +

+The group name should be something short so that it is readable within the left side column of the mutt email client, and not contain any spaces. You can also use the freedombone-rmemail command to remove an email address rule. +

+
+
+ +
+

Ignoring incoming emails

+
+

+It is possible to ignore incoming emails if they are from a particular email address or if the subject line contains particular text. +

+ +
+ +
ssh username@domainname -p 2222
+freedombone-ignore -e baduser@baddomain
+exit
+
+
+ +

+Or: +

+ +
+ +
ssh username@domainname -p 2222
+freedombone-ignore -t "make $$$ now!"
+exit
+
+
+ +

+You can also reverse this by using the freedombone-unignore command with the same options. +

+
+
+
+

Your own mailing list

+
+

+If you want to set up a public mailing list then when installing the system remember to set the PUBLIC_MAILING_LIST variable within freedombone.cfg to the name of your list. The name should have no spaces in it. Public mailing lists are unencrypted so anyone will be able to read the contents, including non subscribers. +

+ +

+To subscribe to your list send a cleartext email to: +

+ +
+ +
mymailinglistname+subscribe@domainname
+
+
+ +

+Tip: When using the Mutt email client if you want to send an email in cleartext then press p (for PGP) on the sending screen and select clear. Unsecure email is treated as being the exception rather than the default.1 +

+
+
+
+

Footnotes:

+
+ +
1

+Photo by THOR, CC BY 2.0 +

+ + +
+
+
+ + + +
+Back to top | E-mail me +
+ + +
+ +