Sending/receiving emails without traces, using Icedove/POP3

I would like to use Whonix for sending and receiving emails without traces. I prefer using POP3 (and not storing any email on IMAP mailservers), and I plan to configure Icedove for it.

Basically, when I’m using Whonix and Tor, my ISP can’t see what webpages I visit and the webservers can’t see my real IP. If I’m using Whonix and Icedove, can my ISP see my connections to mail.xxxxx.com, or smtp.xxxxx.com when sending/receiving emails, and vice versa, can the mail servers log my real IP, or not? If answer is YES, then how to make it NO?

Thanks

No leaks.

See also:

Hi Patrick,

thanks, got it, so TorBirdy makes the trick.

Another issue is, how to deal with the folder and files that contain the emails? I mean, e.g. in Thunderbird under Windows, there is a “Local folder” folder, with .msf files and other files without extensions. They contain the emails.

In Whonix, will there be such file(s)? How to store them safely and securely? If an adversary forces to open Whonix and Icedove, then emails are there.

I was wondering whether it is possible to e.g. making a Truecrypt container on host, which would be a shared folder in Whonix WS. Then this container would have the Icedove file with emails. If the Truecrypt container is not opened when booting WS, then file would remain encrypted and Icedove could show nothing.

Any better way for managing Icedove ‘email file’?

(This would be a solution for my other concern: if I just keep the emails in Icedove, then everything is stored in the vmdk file in VM VirtualBox. If I have to reinstall host or VirtualBox, then I’m not sure if simply backing up and restoring the vmdk file would work; otherwise I lose everything which was inside Whonix).

Thanks

Yes, but Full-Disk Encryption is simpler to maintain and more secure.
https://www.whonix.org/wiki/Advanced_Security_Guide#Full_Disk_Encryption

POP3 instead of IMAP is a good start but remember that your emails still need to travel through your provider’s servers. They can be read by your provider or intercepted by someone else along the way. You should also assume that they might be captured and stored indefinitely. Encrypting them with Enigmail will help defend against this threat.

Good day,

adding to that, TC has a lot of proven, unpatched security issues, which makes it insecure over solution like LUKS.

Have a nice day,

Ego

Before you say ‘plausible deniability’, here’s a fun read:
https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm
(if torture can be fun, that is.)

Noted with thanks.
So the solution for securely storing email files can be keeping them within WS, then encrypting the whole .vmdk file. (Within my encrypted host.). Btw, should we forget encryption option offered by VirtualBox?

Moving off topic, as I’m using Windows host with VirtualBox, and LUKS was suggested instead of TC, can I use LibreCrypt safely? Are AES256 and SHA512 proper settings?

If I move into a new host, do I need to import your .ova files, then overwrite the newly generated .vmdk files with my encrypted, backed up and restored .vmdk file? Then all my settings, emails, etc should be there.

Thanks

Good day,

If the host has been encrypted, it doesn’t make any sense to even use it. Furthermore, the method offered by VBox hasn’t been audited.

For Windows, FDE via VeraCrypt is recommended over any implementation of LUKS.

Yes, that should be the case. Though it is always recommended to start with a fresh image, to ensure that you don’t take any mistakes with you, you did before via accident and aren’t even aware of.

Have a nice day,

Ego

Thank you Ego,

My idea was if adversary gets access to my host in its unencrypted stage (e.g. wake up from sleep mode, (which I know is not recommended…)) then Whonix and everything inside Whonix is easily accessible. That’s why I’d like to somehow encrypt the WS .vmdk file.

I have tried VeraCrypt a few months ago, and I had two issues with it.

1. It did not support FDE for Win10 OS and partition.
2. The mounting of containers took pretty long (even in v1.17, when it was said mount time cut by half). TC did the mounting in a blink of an eye.

So I’m still unsure if I should try LibreCrypt or other LUKS implementations, or live with VeraCrypt’s discomforts.

Back to email issue, I’m trying to migrate my Windows Thunderbird profile to Whonix Icedove. I have set my account in Icedove and I have copied my Win thunderbird profile to Whonix desktop to start. I have studied https://fosswire.com/post/2008/03/migrate-your-thunderbird-emails-from-windows-to-linux/ and http://kb.mozillazine.org/Moving_from_Windows_to_Linux, and both of it say the linux thunderbird/icedove profile should be in home directory, but I can’t find it there. I have enabled showing hidden files there.

Where to copy my “profile” folder (originally from Win Thuderbird) with all emails to migrate them into Icedove?

Thanks

Good day,

For this kind of situation, the VBox encryption should keep an adversary at least bussy for some time. Seems to go by proven standards, so should be fine, as long as you don’t rely on it alone.

Windows 10 seems to be supported now: https://veracrypt.codeplex.com/wikipage?title=Supported%20Systems%20for%20System%20Encryption

Never faced that. I’m also not sure wether LUKS on Windows will be faster than something specifically designed for Windows, you’d have to try that.

The thing is, while the person who designed LUKS tried to create a solution which would work independent of any encryption standard, LUKS in its original form is still heavily dependent on dm-crypt and its integration in the Linux kernel. So I can’t really tell you anything about the solutions for Windows and its security or stability. That’s why I’m always hesitant to recommend any solution which isn’t backed by a huge community.

Have a nice day,

Ego

My icedove profile is located in ~/.icedove
Maybe it’s not created until initial launch.

correct, I was wrong. Now as I remember, I couldn’t do FDE because I have UEFI and not BIOS. What a shame.

true, now it’s there. Thank you.