|
Home > Archive > Anonymous Servers > May 2005 > **How To: QS>Stunnel>Tor>SMTP & Hidden Service>NNTP/SMTP
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
**How To: QS>Stunnel>Tor>SMTP & Hidden Service>NNTP/SMTP
|
|
| herehere@aussiemail.com.au 2005-05-05, 7:45 am |
| Hello all,
I have been playing with these programs for a few weeks and I have
figured out how to use TLS SMTP via. QS > Stunnel > Tor.
I have used this setup to send SMTP(TLS) config. messages and it should
work fine for regular SMTP(TLS).
I'm sure most of you know this, but most newbies don't; hopefully they
can read this and won't bother regular posters to a.p.a-s.
I wanted to post this info here as everyone here helped me figure it
out.
Again, I hope no one is offended by my posting this how-to. I am not
sure if this makes me a Troll; I hope not as I don't want to be
concidered one. I just think this is usefull info and I haven't been
able to find it in one place; it took weeks of searching, testing (and
your help) to figure this out.
_______________________________
I know I messed up posting the incorret info in my *previous* How-To
for downloading NNTPS with QS > Stunnel > SocksCap > Tor.
However, I have made headway in the NNTPS dling of a.a.m from
mail.bananasplit.info:
I routed QS > FreeCap > Stunnel > SocksCap > Tor > NNTPS. This rout
isn't working correctly yet; but soon I'll get it (I hope). I can gain
access to ZAX's NNTPS and my news providers NNTPS but then my
connection closes due to some Socks error.
If only FreeCap and SocksCap spoke Socks4a things would be much
simpler; I think some e-mails are in order...
_______________________________
In a perfect world...FreeCap and SocksCap speak Socks4a, both Panta and
Banana offer NNTPS and SMTP(TLS) via. Tor Hidden Services on port 563 &
2525 (or other ports).
This way we could use NNTPS and SMTP(TLS) through QS > Stunnel > Tor >
Hidden Servies > NNTPS/SMTP(TLS).
Thus, haveing an encrypted end-to-end rout though Hidden Services
without an advasary knowing were using anything but the Tor network.
_______________________________
HOW-TO: QS > Stunnel > Tor > SMTP(TLS)
***Note: This setup works for posting message though any SMTP Host who
offers TLS and port 2525 (or other non-standard port), I chose ZAX's as
he helped me in setting up this rout and is a very nice person
This example is for a config. message; regular use of this SMTP(TLS)
rout should work fine.
This example details use SMTP(TLS) with a very high anonymity level
via. QS, Stunnel, SocksCap and Tor.
-------------------------------
Directions:
~~ QS Remailers Statics & Key Rings HTTP Web Proxy:
QS>Tools>Remailers>Proxy>
Proxy Host: 127.0.0.1
Port: 9050
Socks Level: Socks4a
~~ QS New Message Header Proxy Settings:
(When you are about to send the message)
No proxy
----------------------
~~ QS Header Template:
(When your about to send the message)
Tor: 127.0.0.1:9050,4a; write.what.you.want.here.com
Host: 127.0.0.1:2525
From: your nym here <your nym here@hod.aarg.net>
From: your nym here
Chain: banana,*,*,italy; copies=6
To: config@hod.aarg.net
Subject: test a
Pgp: sign= your nym PGP here ; encrypt= your nym PGP here
------------------------
~~ Stunnel.conf file settings for sending TLS SMTP via. Banana:
debug = 7
output = log.txt
client = yes
options = all
RNDbytes = 2048
RNDfile = bananarand.bin
RNDoverwrite = yes
[BANANA_SMTP]
protocol = smtp
accept = 2525
connect = mail.bananasplit.info:2525
delay = no
-----------------------------
~~ SocksCap settings:
SocksCap>File>Setup>
127.0.0.1:9050
Socks 5
Resolve all names remotely
-----------------------------
~~ Tor settings:
Default settings of current release
----------------------------------------
I haven't tried this rout for posting NNTPS (M2N) yet; I plan on doing
so later this week. I am going to use Banana's regular M2N and
Banana's munge M2N in my QS Headers along with the Host: 127.0.0.1:119.
I am going to use this setting for the stunnel.config file for posting
to Banana NNTPS:
[BANANA_NNTPS_GROUPS]
accept = 127.0.0.1:119
connect = news.bananasplit.info:563
delay = no
With this setup we could post through ZAX's NNTPS service
via. QS > Stunnel > Tor > M2N > NNTPS (hopefully)
---------------------------
***Note: I am unable to dl a.a.m messages from ZAX's
mail.bananasplit.info:563 using:
QS > Stunnel > NNTPS
QS > FreeCap > Stunel > NNTPS
QS > FreeCap > Stunnel > SocksCap > Tor > NNTPS
I think there is a conflict between FreeCap/Stunnel and QS/Stunnel. I
am able to connect to mail.bananasplit.info:563 and my news provider
Port 563 but then I get a Socks error in FreeCap (I think) and the
connection is closed.
I'm sure in time I'll figure it out...any ideas in the mean time?
_____________________________________
HOW-TO: Hidden Serivces SMTP/NNTP
Using a Tor Hidden Service to access SMTP and NNTP is very secure and
anonymous.
It seems to take considerably more time to use QS via. Panta's Tor
Hidden Services for SMTP & NNTP than it does using the QS > Stunnel >
Tor > SMTP rout.
Useing the Tor Hidden Service method *may* be more secure and anonymous
then using a rout of QS > Stunnel > Tor > NNTPS/SMTP(TLS). When you
use a Hidden Service the only thing an advasary knows is your on the
Tor network; not your using a remailer or dling messages from a.a.m.
Also, Hidden Services defeate D.O.S. Attacks...read more here:
<http://www.onion-router.net/>
***Note: This site is a US Navy website; the Navy was the first to
develope Onion Routing Generation 1.
----------------------
This example is for a nym config message via. Panta's SMTP Tor Hidden
Services; regular use of this Hidden Service SMTP route should work
fine.
I haven't tried this rout for posting NNTP (M2N) yet; I plan on doing
so later this week; but I believe Panta's NNTP doens't allow posting.
I am going to use Panta's no_spam M2N and Panta's hash_cash M2N in my
QS Headers along with the Host: rjgcfnw4sd2jaqfu.onion and the From
Header: foo@bar.com when I try NNTP posts.
--------------------
Directions:
~~ QS New Message Header Proxy Settings:
(When you are about to send the message)
Tick "Use Proxy"
Proxy: 127.0.0.1:9050
Socks4a
Tick use Tor box
~~ QS Headers:
(When you are about to send the message)
Tor: 127.0.0.1:9050,4a; make.something.up.com
Host: rjgcfnw4sd2jaqfu.onion
From: your nym here <your nym here@hod.aarg.net>
From: foo@bar.com
Chain: panta,*,*,italy; copies=6
To: config@hod.aarg.net
Subject: test a
Pgp: sign= your nym PGP here ; encrypt= your nym PGP here
~~ Tor settings:
Default settings of current release
--------------------------------------
This example is for dling on-topic NG's from Panta's NNTP Hidden
Services.
I know Panta supports these groups: a.p.a-s & a.p, I'm sure he hosts
more
of them but I don't which ones, yet.
Occasionally when I dl messages from Panta's Hidden NNTP I get an error
message from QS stating "1060 not a winsock err" (something to that
effect). This is caused by a problem with one of the Tor nodes (most
likley).
In this case wait 2 minutes then retry dling from the a.a.m. Every 60
seconds or so of inactivity Tor creates a new route which should allow
you access to the Hidden Services. If you still can't gain access to
the Hidden Services shutdown/restart Tor & QS; that should do the
trick.
***Note: You'll need QS's News (NNTP) plugin to use this feature
~~ QS NNTP Account Manager Setup:
QS>Tools>News Accounts>New>
News Server: rjgcfnw4sd2jaqfu.onion
NewsGroups & Subjects: alt.privacy.anon-server (among other NGs & Esub)
Proxy>
Proxy Server: 127.0.0.1
Proxy Port: 9050
Socks Level: Socks4a
--------------------------------------
Banana also offers a NNTP newsfeed via. Tor Hidden Services. ZAX's
NNTP hidden services are down right now but he's getting them up soon.
As far as I understand you can post & dl though Banana'a hidden NNTP
portal; also I believe it is a NNTPS portal :-). If so I will use
Banana's NNTP/S & SMPT(TLS?) Hidden Service Host url and Banana's M2N
and munge M2N.
I think the only way to use Banana's Hidden NTTPS Service is to use a
FreeCap type program that speaks 4a. That way we can rout QS > Stunnel
> Tor > Hidden Service > NNTPS...nice!
Here are the ZAX's old Banana Hidden Service NNTP/S & SMTP urls; he's
updating them soon:
NNTP/S:
jonkev3muxipgav5.onion:563
oatzd3n255ror75q.onion:563
oatzd3n255ror75q.onion:563
SMTP:
tyrndfbdb2x6g3vg.onion:25
------------------------------
***Important Security Note:
The rendezvous node of the Tor network is where you and the Panta or
Banana hidden service meet, IMHO the rendezvous node should be
verified; by default it is unverified.
See this url for more detailed info:
<http://tor.eff.org/tor-manual.html>
Edit rendezvous node tweak:
1. Open Torrc file
2. find the section "client options"
3. find the line labeled "AllowUnverifiedNodes middle,rendezvous"
4. delete this ",rendezvous"
5. save file and close
6. restart Tor
Now the rendezvous node must have it's PGP sig and Tor fingerprint
w/valid email on file with the Tor network (DirPort).
----------------------------------------
There is a *large* anonymity hole in the use of remailers and Tor
Hidden Services. When you use remailers (NNTP or SMTP) on Tor's Hidden
Service your real Host and IP can be leaked via. EHLO answer to the
entry and/or rendezvous node.
QS spoofs the EHLO answer (as does JBN2 Panta mod) and your Host and IP
are secure.
________________________________________
One question:
In your opinion what is more anonymous and secure:
routing QS > Tor > NNTP/SMTP
routing QS > Stunnel > Tor > NNTPS/SMTP(TLS)?
routing QS > Tor > Hidden Services > NNTP/SMTP?
routing QS > Stunnel > Tor > Hidden Services > NNTPS/SMTP(TLS)?
As far as I know the QS > Stunnel > Tor > Hidden Services >
NNTPS/SMTP(TLS) ins't possible right now; we need a proxy binding
program that speaks Socks4a ...but I'm no expert.
________________________________________
____
END NOTES:
1. Don't have Stunnel running in system tray when your using Hidden
Services and QS; this causesup QS to lock and give me "unable to wipe"
error message; requiring "hard" restart of QS.
2. Don't have too many messages in QS queue or you'll get the "unable
to wipe" error message and have to hard restart QS.
3. Do make sure that you
3. Do make a few QS Header templates of your own to play with in QS so
you can get the feel of the program.
4. List of good url's:
Panta Wiki:
<http://www.panta-rhei.dyndns.org/pantawiki>
Panta Hidden service info & JBN/Tor:
<http://www.panta-rhei.dyndns.org/pa.../HowToJbnAndTor>
Panta's website:
<http://www.panta-rhei.dyndns.org/>
Banana's website:
<http://www.bananasplit.info/>
Banana's TLS/SSL SMTP webpage:
<http://www.bananasplit.info/mailtls.html>
Banana's Stunnel How-To webpage:
<http://www.bananasplit.info/stunnel.html>
TLS@noreply:
<http://www.noreply.org/tls/>
QS website:
<http://www.quicksilvermail.net/>
QS qslist mailing-list:
<http://www.quicksilvermail.net/lists.html>
Tor website:
<http://tor.eff.org/>
Tor or-Talk Mailing-list:
<http://archives.seul.org/or/talk/>
Tor Wiki FAQ:
<http://wiki.noreply.org/noreply/TheOnionRouter/TorFAQ>
Tor Torrc file tweaks:
<http://tor.eff.org/tor-manual.html>
US Navy Onion Route site:
<http://www.onion-router.net/>
Forget Google; use Scoogle:
<http://www.scroogle.org/scraper.html>
Usenet:
Alt.privacy.anon-server
alt.privacy
comp.security.ssh
alt.test
alt.anonymous.messages
_______________________________________
Thats all I have right now,
I would really appreceate it if you all would read this over and ensure
I'm not posting bad advise...I have tested and checked and read and I'm
99.99% sure everything is correct.
Please be aware that I am *not* an expert or even formally educated in
these matters; I want everyone to be aware of that fact.
________________________________________
_
| |
|
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 5 May 2005 03:04:04 -0700, herehere@aussiemail.com.au wrote in
Message-Id: <1115287444.733011.17890@o13g2000cwo.googlegroups.com>:
> I routed QS > FreeCap > Stunnel > SocksCap > Tor > NNTPS. This rout
> isn't working correctly yet; but soon I'll get it (I hope). I can gain
> access to ZAX's NNTPS and my news providers NNTPS but then my
> connection closes due to some Socks error.
news.bananasplit.info listens on port 5563 as well as 563 for incoming
NNTPS connections. You might have more success with this port due to
it being above 1024.
Here are some guidelines that might help:-
Firstly, ensure Stunnel is working:
Config QS to talk to localhost:xyz (Where xyz is something over 1024)
Config STunnel to listen on port xyz (accept = xyz)
Config STunnel to connect to news.bananasplit.info:5563
(connect = news.bananasplit.info:5563)
You can validate the configuration by telneting to localhost:xyz and
checking you get a response from news.bananasplit.info
Next, make sure Tor is working:
Point your browser at it (or something else) and check it works
Now you need to Socks'ify Stunnel, after which you can route anything
through it and Tor (on different ports). You can do this using either
SocksCap or FreeCap. I think FreeCap has some spyware issues, whilst
SocksCap isn't open source. Oh well, life is never perfect. I don't
remember how to configure these apps, but you can get information from
http://privacy.li/security_faq.htm (See section 45).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
iQEVAwUBQnoSY2oLu9HNUqmMAQraVQf+LMZkaF56
i02gDM+/Lg81gzMgtLtJLiZF
Cpm/7/ YxWAnQ5d5op0usqjYbTqiWBBnnm81p65eo5EHn8C
+PyIYYHqABJLm+Vrxe
v9aCnXuuri/KcVCD9RKr/ eg8n9LK7VWQkqcIqc2V60arwyTZmo9gHY2rUJ4xx
ASc
QLx/ vQXlL8hbgshWuKZ3hRY6w2RNrslVK7rxLt54Jj69
POLWUcLVbftHVNM16oxU
xPBglhLjKrwD7M97g70OHT3mUu/WpZSXKa+EfJXPsiV3rax1RbT43ZMTBJssp5fl
ipwiV+EII2PUcCm9A5fO67HrCCJTXiMCPG0frMRS
YUmT6cW+hUlrEQ==
=DhDk
-----END PGP SIGNATURE-----
--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>
| |
| Thrasher Remailer 2005-05-05, 5:46 pm |
| In article <d5d3p3$su8$1@snorky.bananasplit.info>
Zax <fleegle@bananasplit.info> wrote:
If you're connecting QS to Stunnel, you do _not_ want to Socksify QS
with Freecap. Stunnel is the only thing that needs to be socksified.
[vbcol=seagreen]
> news.bananasplit.info listens on port 5563 as well as 563 for incoming
> NNTPS connections. You might have more success with this port due to
> it being above 1024.
It shouldn't make a difference now. The default exit policy in tor was
changed a while ago to be more open. Instead of blocking everything
other than certain allowed ports, it now blocks certain ports and
allows everything else. 563 is not blocked so most tor exit nodes will
allow it.
> Now you need to Socks'ify Stunnel, after which you can route anything
> through it and Tor (on different ports). You can do this using either
> SocksCap or FreeCap. I think FreeCap has some spyware issues, whilst
> SocksCap isn't open source.
What makes you think FreeCap has spyware issues? It seems you fell for
their April Fools joke on their web page. They were just kidding ;)
| |
|
| On 5 May 2005 16:06:20 -0000, Thrasher Remailer wrote in
Message-Id: <2WM2W8SB38478.0043981482@reece.net.au>:
> What makes you think FreeCap has spyware issues? It seems you fell for
> their April Fools joke on their web page. They were just kidding ;)
Ouch, yes I did fall for it. I just glanced over it quickly and didn't
take much notice. Clever ploy that; display April fools joke in May.
Much more likely to suck people in. :-)
--
pub 1024D/8ED57743 2003-07-08 Bananasplit Operator
Key fingerprint = 796F 67E0 E890 A0BB BDAE EBB4 94A6 7A09 8ED5 7743
uid Admin <admin.bananasplit.info>
| |
| A.Melon 2005-05-24, 2:45 am |
| -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
In <1115287444.733011.17890@o13g2000cwo.googlegroups.com>,
herehere@aussiemail.com.au wrote:
>Hello all,
>
[snip]
>
>I know I messed up posting the incorret info in my *previous* How-To
>for downloading NNTPS with QS > Stunnel > SocksCap > Tor.
>
I know this is late, but.... i'm catching up.
check out
ftp:ftp.quicksilvermail.net/pub/quicksilver/betas
grab the *BETA* version and check out it's proxy manager and TOR
integration..
this allows you to use:
QS > Tor and skip a few steps
QS will even spoof the EHLO to keep that from giving you away.
-----BEGIN PGP SIGNATURE-----
Version: N/A
iQEVAwUBQpKOrjzX1EYjC/u5AQL5pAf/ZEdTeE1XLvYDbzzuugiXo/kxMCiPpClH
4o4FfCkawqeXLdOdSyivYhG7kyjTh8b4tfOnifl/rDWCqhYwdnAk+DfWwGJuXfJH
GqLTOus2NB+bC5H105fqlr+ah5pAoMMqIBpcknv0
sGQ5PXXrlxfajwxYyu0f2qSs
+pm+1I1YEVGS6LfWDajdtJ/hXXA/jFj03TQRFjXbmMPCYa1SCGqNXrMPiVccotrL
mAN+weEaMt0qVVEF0aGs081CglUEdvDSj8Q4HlL8
UwjoRrW1M4lyuEssJ5PjqILc
h2qz53r+RfdSX4FeqQadST7g/WMulYbeFaJ9B1abEUOnXpexs2dGdg==
=N1UI
-----END PGP SIGNATURE-----
~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified. You need a valid hashcash token to post to groups other
than alt.test and alt.anonymous.messages. Visit www.panta-rhei.dyndns.org
for abuse and hashcash info.
| |
| Nomen Nescio 2005-05-24, 2:45 am |
| In article < e86b2f052a746db5e34a0ad27ea28e98@melontr
affickers.com>
A.Melon <juicy@melontraffickers.com> wrote:
>
> grab the *BETA* version and check out it's proxy manager and TOR
> integration..
He or she already has this. They want to use SSL connections so
they have to use Stunnel, and so have to use Sockscap with it.
If you just want to connect through tor then yes you can just use
QS on it's own. If you want things like TLS then you need stunnel
and that needs to be socksified.
|
|
|
|
|