I2P mail + Thunderbird + OpenPGP

Instructions for using the Thunderbird email client with a built-in OpenPGP correspondence encryption module. The example uses a mail server from a hidden I2P network.

Thunderbird - an open and free email client from Mozilla. The first release took place in 2003. The application is cross-platform; official builds are released for Windows, Linux and MacOS operating systems. The source code is written in C and C++; the GTK framework is used for the graphical shell. Burevestnik - this is how the name of the program is translated - has an intuitive interface.

The client supports SMTP (for sending mail), POP3 (for receiving mail without leaving a copy on the server) and IMAP (for receiving mail that remains on the server) protocols. In addition, two additional protocols are supported for receiving news and updates from sites - NNTP and RSS, as well as instant messaging protocols IRC and XMPP. Since Thunderbird is primarily an email client and not a chat application, the IRC and XMPP implementations are not very impressive.

The email protocol is very old and does not have any built-in encryption, other than support for a secure connection to the server. On the mail server itself, all letters are stored in plain text, so they are always available to those who have direct access to the server, including unauthorized ones.

Next, we will consider an example of using a mail server from an I2P network, which in general does not have any practical differences when using the same Gmail and others. When using a private server, your soul only becomes warmer. To ensure end-to-end encryption of correspondence from sender to recipient, the RNP module will be used - a type of implementation of standard asymmetric OpenPGP encryption.

To make it easier for an inexperienced user to understand, all examples are demonstrated on Windows. On other operating systems, interfaces and configuration files look similar.

This material is for educational purposes only. The author is not responsible for any errors in the operation of the described software, as well as for those who will use the described technology for illegal purposes..

Installing i2pd and registering a mailbox

In order for your computer to have access to the anonymous I2P network, you must install a special program - I2P router. Due to good performance it is recommended to use i2pd. Installation on any operating system is very trivial, so the process from download to first launch will not be discussed. In order for your web browser to access a hidden network, you need to configure a proxy. In Firefox, this is done through Settings -> Network Options -> Manual Proxy Configuration. Default i2pd HTTP proxy address: 127.0.0.1:4444.

Now the browser is configured and can open hidden sites! For example, the most popular mail service of the I2P network will be used - hq.postman.i2p, which is most often called simply "mail.i2p". To create a new mailbox, select the menu item "Creating a mailbox".

The page describing the service reports that when using a mailbox within an I2P network, the address is possible @mail.i2p, and for requests from outside - @i2pmail.org. It is also highlighted in bold text that using the service for criminal purposes is strictly prohibited! We thoroughly agree with these words and move on..

After filling out the registration form and confirming the entered data, we see a summary of the new account. A warning tells us that the registration process may take up to five minutes. The service supports SMTP and POP3 protocols. It is also reported that the account will be deleted if there is no activity on it for more than a hundred days.

There is an account, now you need to connect to it. By now you should already have the Thunderbird email client installed. Download it exclusively from the official website, because it is free and there is no need to pirate it.

To access the server from I2P using the SMTP and POP3 protocols, you need to create client tunnels. Don't be alarmed, this is an extremely simple operation. To do this, you need to open the text tunnel configuration file tunnels.conf. On Windows, the file is usually stored in a directory %APPDATA%\i2pd\ , on Debian - /etc/i2pd/.

The default file has the necessary tunnels, but they are commented out. Remove hash marks at the beginning of rows of sections [SMTP] And [POP3]. If for some reason you do not have a template configuration file, create a new file tunnels.conf in the i2pd working directory (it can be viewed in web console) and paste the following content into it:

[SMTP]
type = client
address = 127.0.0.1
port = 7659
destination = smtp.postman.i2p
destinationport = 25
keys = smtp-keys.dat

[POP3]
type = client
address = 127.0.0.1
port = 7660
destination = pop.postman.i2p
destinationport = 110
keys = pop3-keys.dat

After this, you need to restart the I2P router. In simple terms: close i2pd and start it again. After this, you can verify that the tunnels named SMTP and POP3 have been created. To do this, open "I2P tunnels" in the web console.

If you have technical skills, you can take your mail server to a hidden network and use it in a similar way.

Setting up Thunderbird

At the top of the interface, find the "Account Settings" button. Then, from the "Account Actions" menu, select "Create a mail account"".

Registration information is required.

Thunderbird complains about email domain @mail.i2p, however, it allows it to be applied after a warning. To receive incoming mail, the default protocol is IMAP; it must be changed to POP3. Specify the addresses and port numbers that are included in the tunnel configuration file. Disable SSL encryption, which is responsible for secure connection to the server, since the I2P network itself provides security. Authentication is a regular password. Username - the name of your email without ending @mail.i2p. When you click on the “Finish” button, the program will probably complain that you are using an unencrypted connection. But there is encryption, believe me, and some more! Therefore, ignore the warning and complete adding your account.

If, when you click on the “Receive” button in the upper left corner (meaning “Receive mail”), a connection to the server is established, then the setup is done correctly.

If you use mail servers from the regular Internet, you will find the specified connection parameters in the service documentation or on the help page.

Now let's move on to the "End-to-end encryption" item - select the desired account and click on the mentioned button on the right side of the screen.

Since August 2020, the email client uses a built-in key store that is not associated with any key managers in the operating system or third-party plugins. It is possible to create new keys (or import existing ones) directly in the Thunderbird client. The built-in key manager supports the creation of keys and the binding of a specific key to a mailbox, which will be used by default to decrypt and sign sent correspondence. Since this is an instruction for beginners, we will analyze the creation of a new key and further operations with it.

Click the "Add key" button, then "Create a new OpenPGP key"".

The screenshot demonstrates the option of creating a perpetual key using elliptic curves - a more advanced cryptography than the RSA type, which is offered by default. After creating a key, it is automatically linked to the mailbox for which it was created.

The fundamental point in asymmetric encryption is the presence of two keys: private and public. The private key is used for decryption and signing, and is stored in a safe place, while the public key is distributed freely and is used to verify the signature and encrypt information. To be able to use your key identity in the future, for example, on another device, you need to make a backup copy of it. To do this, open the spoiler of the selected key, click the "More" button and "Create a backup copy of the secret key in a file".

It is important to understand that if the secret key falls into the wrong hands, it will put an end to your previous encrypted correspondence. You will also again need to create a new key and share it with your interlocutors, explaining that you are a partridge. In short: you don't want anyone other than you to have your private key, so keep it in a safe place. Preferably in a crypto container and on an isolated device.

Below on the same page are the default encryption and signature settings. It is recommended to activate both options.

Signing is carried out with your key, so you need to sign messages regardless of the availability of the interlocutor’s keys, and encryption is only possible if you have the recipient’s public key. The integrity of the digital signature is verified by your public key, which is attached to the letter. It allows you to verify that the contents of the message have not been changed during forwarding..

When launched, Thunderbird decrypts its key store. If your computer falls into the wrong hands, the secret key will be stolen. To be safe, you need to set a master password in the Thunderbird settings, which will be required to decrypt the storage. The password will be requested every time you start the email client, and if the correct passphrase is not entered, the client will still start, but the keys will not be used.

Open your email client's Settings, then select Privacy & Security. On this page, check the “Use master password” checkbox, after which you will be prompted to create one. Don't skimp on complexity! This is the last line of defense for your private keys..

If you forget your master password, all data protected by it will be lost forever..

Sending and receiving encrypted emails

When creating a new message with the above settings, a public key is attached to each letter, the message is signed and, if the interlocutor has the public key, encrypted. The interlocutor's key in the key store is determined by email address.

Since the recipient’s public key is not in the storage, you must select “Do not encrypt” in the “Protection” tab, because there is nothing to encrypt with and the message will not be sent.

Having received the letter, the addressee imported our public key into his storage and sent the answer in encrypted form, and also signed it with his key so that we could be sure who the sender was.

An icon with a lock and a check mark in the message status indicates that the message was encrypted on the sender’s side and successfully decrypted on our side. The certificate icon indicates a digital signature. To verify it, you need to import the sender's public key into the local key store. If the public key is attached to the message, a button prompting import appears automatically.

After importing the key, the signature can be verified. The screenshot shows that the signature is valid, but Thunderbird is in no hurry to display the green full trust icon until we manually confirm the authenticity of the received key. This is done using a fingerprint of the key, which is usually published in public places: on web pages, in the signature of a letter, and similar places.

In the example, the sender’s key fingerprint is present in the letter, therefore, after checking the fingerprints, we certify the received key. After this, a signature icon will appear on the screen, but no longer with a yellow icon and an exclamation mark, but with a green checkmark.

Afterword

The key fingerprint with which you sign your messages is your identity identifier. If you ever need to send a message that is not associated with your identity, do not use your previous digital signature..

No encryption is completely secure because there are other attack methods that can compromise your device and identity. Never open attachments or click on links from emails whose senders you do not fully trust..