Tempests email guide -> Whonix wiki

Hi @tempest

I have created an empty (unpublished) Whonix wiki page entitled:

Encrypted Email with Thunderbird and Enigmail

(can be found in the wiki documentation search bar and populated)

Basically soonish I will start filling it up with your chapter 4.5 stuff & snapshot all the relevant photos.

Doesn’t matter about VFEmail problems, as it is excellent guide to how to properly use an .onion service, create PGP keys, set up Thunderbird correctly etc. so it is left to the user to find a suitable email provider alternative, or can be edited easily enough when the community here identifies one.



excellent, @torjunkie. would you like me to send you the email chapter of the libre office document that contains the images? may be easier to extract or copy the images from that rather than recreating snapshots.

Hi tempest - I’ll see how I go and be sure to ping you if that is necessary. Thanks for the offer! :slight_smile:

EmailProvider · Wiki · Legacy / Trac · GitLab

One possible option?

https://cadamail.com/web totally free and easy to register, pop3 + imap, unlimited inbox size, relatively fast, supports sending to most onion mails and works without javascript.

Also has v2 (yes, I found it) and v3 (supposedly) onions and no JS required for “CicadaMail Login”. Has a https certificate for the v2 onion.

With this service, you can have both multiple names with @cadamail.com and a darknet @cadamailgxsy6ykq.onion, plus you can also add multiple additional @othermail.other alias from other email services to manage from the same account.
With each cadamail account, you will get also a jabber/xmpp account with the same username, with a chat web-address, for example cadamail.com/username where people can chat directly with you, which will be convenient if you have some xmpp app in your phone.

Also (from website):


So you can manage everything from your email client, without the hassle to login each time.
This is very recommended for you to have even more safety so that you need to donwload and import our ssl certificate just once.
Client configuration:
Server is always the same cadamail.com (or cadamailgxsy6ykq.onion for darknet access), pop3 with ssl/tls on port 995, smtp with starttls on port 587.

You will have both accounts by default, with 30mb of storage.

you can manage multiple addresses, up to 3 cadamail accounts and up to 3 external addresses from other services of your choice, both clearnet or darknet (you have to make sure the other service allow pop3/imap/smtp, otherwise it will not possible to fetch/send your emails).

We will not ask any personal data in the registrations process.
The adverts that you will see are standard for all cadamail users, and we don’t collect any data from your emails, since we cannot even access the cleartext of your emails, by design. Anyway you are advised to always use PGP encryption to encrypt your messages, so you can be 100% private.

All your messages are stored encrypted.
How it works? for every account the system creates a pgp key, and your account password is the one needed for unlocking the pgp key.

You may receive some advertising emails, at most one email every week, no more. We don’t give away your email address to the sponsors, since all the adverts emails are sent by the cadamail admin.

This is a little dodgy though:

Supported by users
We are running javascript monero minners on our pages to help us on maitaining this service. If that bothers you just disabled javascript but please consider making us a donation!

Also, one area says “unlimited storage” but another says “30Mb limit”. Seems they can’t make up their mind…

Further, don’t see their v3 onion address advertised anywhere, which is strange.

Aside from all this, I’ll start populating that email wiki page with your stuff this week.


@tempest OK - working through your email guide and doing stuff for wiki preparation. To give you an overview, basically this is how it is/will be broken down.

The following instructions:

  1. Install the TorBirdy plugin for the Thunderbird email desktop client.
  2. Create an email account anonymously with a suitable provider via Tor Browser.
  3. Store the login credentials in KeePassX (optional).
  4. Setup the new email account:
    ** Thunderbird account settings.
    ** Install necessary extensions (add-ons).
    ** Enforce connections to the email provider’s Onion Service.
  5. Create an OpenPGP encryption key pair and revocation certificate:
    ** Use the Enigmail Setup Wizard; or
    ** TO DO. Via the command line.
  6. Encrypt and store the revocation certificate securely.
  7. Configure Thunderbird preferences for greater security and anonymity.
  8. Configure additional OpenPGP preferences via Enigmail.
  9. Key management: import GPG public keys.
  10. Export your public key to a GPG key server (optional).
  11. Prepare an email signature with your public GPG key ID and fingerprint (optional).
  12. Compose and send a test encrypted email to vfemail.net
  13. Open an encrypted email received in Thunderbird.
  14. Final warnings.


→ KeePassX is not installed by default in Whonix (at least not Qubes-Whonix). It does live in jessie & stretch repositories. But, I see also:

NOTE: KeepassX is no longer maintained. Use KeepassXC instead. by jonathancross · Pull Request #204 · keepassx/keepassx · GitHub

NOTE: KeepassX is no longer maintained. Use KeepassXC instead. #204


KeePassX – News

KeePassX 2.0.3 released
Posted by by Felix Geyer on 8. October 2016

(very old).

They suggest keypassxc fork, but of course it’s in buster, not stable and requires a ton of dependencies. See: Debian -- Details of package keepassxc in buster

So, what is the consensus on KeePassX - safe or not?

I’m not sure if those KeePassX steps get scratched for the wiki, unless you’re aware of a reasonable work-around or you think it’s safe considering the changelog (last security fix in jessie in Dec 15).

Or maybe alternative encryption steps for safe storage of revocation certificate etc is easiest?

I haven’t been following this discussion but wanted to throw this out in case you guys weren’t aware.

TorBirdy 2.3 encrypts subject lines but 2.1 is the version that made it into stretch. I wonder if it’s worth it trying to install from the Add-ons menu. I know doing so has caused breakage with dependencies in the past. (I’m assuming current guide still recommends install from debian repos). Sending subjects in the clear is a very easy way to shoot self foot.

1 Like


The scrolling banner text was also the link.

Would it be possible to include the KeePassXC AppImage with Whonix, until it makes it to stable?

It can be updated by the AppImageUpdater AppImage. If not internally.

Just a thought.

1 Like

@torjunkie decision on keepassx is simply because it’s an easy install from the current repos and a familiar interface. i’m not opposed to an alternative. btw, there is also this from the github link.

debfx commented Jan 30, 2018
I don’t have much time to work on KeePassX right now.
However I’m still maintaining it so at least important bugs (especially security issues) will get fixed.

@entr0py the guide is using version 0.2.3. the version from the debian repos is not used. a manual download for the current version is used.

wget https://www.torproject.org/dist/torbirdy/torbirdy-current.xpi

then, there are steps to hack it so enigmail can fetch keys. however, it does not encrypt subject lines with the config used in the guide because mime is not used. the reason mime is disabled is due to enigmail bugs in the past which involved exposure of unencrypted messages. with mime disabled, one will see the text of the message converted to the encrypted version before sending. when mime is enabled, this does not happen. with current set up, trade off is that, while subject is unencrypted, one can see that their message is actually encrypted before confirming to send it.

1 Like

btw, does anyone have any experience with this provider? http://tt3j2x4k5ycaa5zt.onion/mail/index.php

Following these instructions, I am unable to authenticate.

Sending of password for user did not succeed. Mail server cadamailgxsy6ykq.onion responded: Authentication failed.

Same situation for SMTP. My password is stored in BitWarden and backed up to KeePassXC. I can log in via RoundCube, through the web interface. But thunderbird will not authenticate in Whonix 14. Other email providers have no problem.

Sending of the message failed.
The message could not be sent using Outgoing server (SMTP) cadamailgxsy6ykq.onion for an unknown reason. Please verify that your Outgoing server (SMTP) settings are correct and try again[/quote]
1 Like

OK - I guess we trust that if it is in Debian stable, that is good enough.

Good info, thanks.

I understand the scurl command is safer than wget, so we can probably change that where necessary.

Thanks for the test in Whonix 14

Do you mind trying in Whonix 13 please? I gather this is not a Whonix-specific problem, but problems on their server.

Edit: Also note that depending on the service provider in use, they may or may not enable TLS/STARTTLS connection security for their Onion domain. The reason is because it is redundant, since end-to-end Tor encryption provides security properties for authenticating to the server. It is best to leave it turned on by default and only disable it if problems arise.

Check Thunderbird’s Outgoing Server (SMTP) settings.

I guess we’ll go with KeePassX in instructions since it is in Debian stable and meets their standards, and leave it up to advanced users to install KeePassXC if they want it badly enough.

I don’t.

Sending of password for user did not succeed. Mail server cadamailgxsy6ykq.onion responded: Authentication failed.

I can’t seem to find any combination of settings that work for Cadamail in Thunderbird, in Whonix. Did something need to be done with TorBirdy? I’m using Thunderbird As Is.

Using their instructions is the only thing that allows it to even connect. But once the connection is made, authentication fails.

SMTP is the same issue.

I am able to log in to cadamailgxsy6ykq.onion.


I’m a big fan.

1 Like

@tempest (@BubonicChronicWhonix for TorBirdy or other config issues/testing)

All the wiki text is done, I just have to get around to the 95 screenshots. Link to unpublished text →


I’ve modified it here and there for phrasing, Whonix wiki references, external references etc, but the material is clearly credited as coming from your guide, with permission.

Changed the numbering to fit with sections, thus we don’t end up with “Step 100” to intimidate users.

Once the pics are done, I’ll give this a run through to check everything is correct and working (at least with one email provider).

Then, when everyone’s happy with the text and pics, it can be published on the main documentation page (and I’ll clean up the email pages that already exist in that section).


1 Like

@torjunkie thank you. btw, do we need to specify a pw manager for this section? it could be any pw manager a user chooses, so long as they use a pw manager.

also, cadamail is working fine for me on the v3 onion, @BubonicChronicWhonix. here’s what may have been causing auth issues for you.

  • user names for both the pop and the smtp server must be full email address. "myaddress@cadamail.com"

  • smtp server must be set to starttls.

1 Like

Thank you so much for this. I’m about to try it. Have you tried using Username@v2.onion or Username@v3.onion?

i only tried the v3 onion for the servers. for the usernames, i only used the clearnet domain as the user name.

v3 for the server names is good + v2 for the username is good.

No need for any clearnet (cadamail.com).

Edit: Under further testing, this may not be working properly.

Will update as I test more. Need to send mail from other hidden service, to cadamail.

Please excuse my German but thats füken awesome! Great work!:smile:

There is an older thread that discusses adding a password manager by default.

If anyone is intersted.


Regarding Cadamail:

Username@Cadamail.com for username, on email and XMPP.

v3 server

Doesn’t seem like you can send IMs or emails to Username@v2.onion, or Username@v3.onion.