DevOps/hidden-mailserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
95d413db4e
hidden-mailserver/README.md
Eric Meehan 95d413db4e
Initial commit
2026-02-07 11:36:54 -05:00

81 lines
4.3 KiB
Markdown
Raw Blame History

!!! Work in Progress !!!
# Hidden Mailserver
This repository deploys a simple SMTP server on the Tor network using Docker containers for the purpose of self-hosting
anonymous and end-to-end encrypted email communications without a public domain name or opening ports on one's router.
It is based on the instructions provided by [ehloonion/onionmx](https://github.com/ehloonion/onionmx/tree/master), and is
designed to be as easy as possible to deploy.
The goal of this project is to allow individuals to communicate with as much privacy and security as possible. If you and
your friend each deploy this and share your .onion email addresses, your subsequent correspondance would be virtually
untraceable. Clearnet email providers will reject mail from servers lacking authentication from DNS records, so this is
primarily intended for interpersonal communications between trusted parties.
## Requirements
* Linux or MacOS (PRs welcome for Windows support)
* 2GB RAM (minimum)
* 2GB available storage for your emails (bare minimum)
* Internet connection
* [Docker](https://www.docker.com/)
* Sudo privileges to change the ownership of directories within this repository (read ```startup.sh```)
## Usage
1. Add known .onion addresses to the ```known_servers``` file, one per line
2. Run the startup script
```
./startup.sh
```
3. Create an initial email account (pseudonyms are more secure)
```
docker compose exec mailserver setup email create {{ your_username }}@{{ your_onion_service }}.onion
```
4. Configure your email client to use a SOCKS5 proxy
5. Import the CA cert into your email client
6. Login with POP3 using an email client
7. Configure GPG in your client (optional but highly recommended)
## Security
You are encouraged to read ```startup.sh```, ```docker-compose.yaml```, and the provided configuration files. This repository
utilizes well-known Docker containers ([mailserver/docker-mailserver](https://hub.docker.com/r/mailserver/docker-mailserver)
and [dockurr/tor](https://hub.docker.com/r/dockurr/tor)) with minimal configurations to achieve SMTP over Tor. Most users
should be able to verify the contents of this repository themselves, and are encouraged to do so.
The startup script will generate keys for encrypting mail on disk; however, it stores these keys alongside the encrypted data
all within this repository. You are highly encouraged to take steps to separate your keys from your data.
The encryption keys created in the startup script encrypts all mail stored on the server. GPG encryption establishes
true end-to-end encryption between the sender and receiver. Configuring GPG encryption in your email client is highly
recommended.
TLS is not used here, and [is not needed](https://community.torproject.org/onion-services/advanced/https/).
Beware spoofed email addresses. Usernames can be reused across server instances and .onion addresses can be difficult to
discern by eye. Make sure the person to whom you reply is who you think they are.
Additional restrictions may be desireable in ```docker-mailserver/postfix/master.cf``` and
```docker-mailserver/postfix/main.cf``` (not provided) to ensure the server does not reveal its public IP address by attempting
to send or relay mail over the public internet. Please submit a PR if you have suggestions for a more secure default
configuration.
## Notes
A bridge network with static IPs is defined in ```docker-compose.yaml```. This was done so that container IP addresses could
be hardcoded into ```docker-mailserver/smtp_tor/smtp_tor.sh``` and ```tor/config/torrc```. You can duplicate this repository
in order to host multiple email servers at different .onion addresses from a single machine, which will allow you to maintain
different identities for different purposes; however, the name of the network must be changed between deployments. Edit lines
2, 15, and 30 of ```docker-compose.yaml``` to do this.
You can [use Python to generate a QR code](https://pypi.org/project/qrcode/) an easy way to share your .onion address and GPG
public key with trusted parties.
This application can easily run on modern consumer-grade hardware. While it can be hosted on one's own personal desktop or
even laptop computer, delivery can fail if your server is offline. A Raspberry Pi is an inexpensive option for an always-on
server. The same hardware requirements listed above would apply to a Raspberry Pi (2GB RAM, >2GB storage).
Reference in New Issue View Git Blame Copy Permalink