A guide to relatively secure email

qube_bert · October 13, 2021, 10:07am

Continuing the discussion from [qubes-users] Has anyone had a qube compromised?:

Folks!

Posts like this can’t be just allowed to pass by like it’s nothing.

It would take most of us six months of blundering to try and recreate this email setup, and even then we wouldn’t have certainty in it’s operation.

Unman has outlined a guide to a secure email system that a couple of skilled people can follow.

We need a guide that can be followed by people just below that skill level.

…and a guide for people the skill level below that.

I don’t have the skills to write the guide but can certainly edit, format or complete it properly. I’m sure there’s no shortage of people on this forum that would do that.

Is this possible? It’s great that people can use email somewhat securely. I sure would like to use email again.

unman · October 13, 2021, 2:00pm

I have a somewhat more detailed note on split-mutt in my notes
I guess it could be extended to any offline mail reader.

Sven · October 13, 2021, 5:03pm

This is a very cool setup @unman. I am struggling however to say why it would be more secure than a (minimal) qube with firewall rules that only allow the pop/imap/smtp server(s).

Let me be more precise in what I am trying to compare:

a) your offline, 3 qube, qrexec, mutt setup
b) my minimal qube with only thunderbird and firewall to only my mail server

So one would receive a malicious email with a successful exploit achieving code execution, that code could then attempt to exfiltrate information by sending another email only – right? All other paths out are cut off. The only thing I can think of is the “All DNS requests and ICMP (pings) will be allowed” disclaimer in the firewall panel.

As for sending the information by email, that would work with your setup too, or do you have a manual review/allow before sending/receiving? (that’d be really cool)

slcoleman · October 14, 2021, 3:38pm

I used to do the Thunderbird/firewall rule setup at work (and to some degree at home) before I retired, and if my memory serves me correctly thunderbird was hanging for a while while attempting to verify/update plug-ins which was a pain. These attempted accesses had to timeout first before I could retrieve my mail.

I also had one work specific authentication DNS issue with a third party software that never seemed to use the same name/address so I could not just set-and-forget a firewall rule for that. I can’t go into details on that issue, but it was a real pain in the ass for me. What I wound up doing was setting up a process to monitor ICMP access denied comming back from sysfirewall so that I could make the required adjustments and complete the login process.

qube_bert · October 15, 2021, 2:49pm

This seems great. It’s beyond me however.

Would it be possible for a power user to do a screen recording of the entire process from beginning to end?

Something like that would be a great help in giving an average user some certainty in an email setup.

Would it be a kind of “killer app” for qubes? “Install Qubes, then follow this video. Now you’ve got reasonably secure email”

unman · October 16, 2021, 1:46am

I do use custom rules to not allow these: depending on your mail
servers you may not be able to do this.

There is a manual review before syncing to the poster qube, and also a
review there before sending - cool indeed.

More importantly, exfiltration via SMTP does not usually use the user
account - that covert mechanism is blocked here, since exfiltration would
have to cross the qrexec channel and then execute some SMTP process on
the poster. Since that is a disposable, that would be somewhat difficult
to keep running.
It is also possible to restrict outbound traffic from the poster to the
SMTP servers, and to traffic from the msmtpqueue process.

On a more general point, the standard system is persistent and has a
single netvm - if you separate these functions, the fetcher and poster
are disposables, and can be easily routed through separate netvms,
if needed.
Another point I have not emphasized is that you can use a number of
fetchers and posters to cover different accounts, but accumulate the
mail in the same mail reader.

qube_bert · October 17, 2021, 8:25am

From what I’m able to understand this seems like an extremely well thought out email setup.

Could it be made a priority to write guides, for various skill levels, to recreate and verify this setup?

Sven · October 18, 2021, 4:41pm

Hi @qube_bert:

Could it be made a priority to write guides, for various skill levels, to recreate and verify this setup?

I agree with you that this is an awesome setup, but please realize that @unman and many others that would have the skills to create such a guide have currently their hands full getting R4.1 out of the door.

If there are community members who have setups like this and could start a draft, I’d be happy to test and edit. This would make it easier for someone like @unman to review the result and give feedback instead of having to create something from scratch.