9 votes

Host your own email server. I did.

I loosely followed this tutorial. It's actually easy.
http://www.youtube.com/watch?v=7SZcogPRXNk




Nice explanation

I may have an alternative... an open source encryption algorithm that we are coming up with, so even if you have the algorithm you won't be able to crack the code, no keys passed between the two parties... a completely new way of encryption. A friend of mine and I are working on this, an Android app at first, for text messages and voice, and then possibly email, although that will actually be the most difficult.

Also, note on hosting your own email server, you may find that your outgoing emails are consistently rejected by other servers, or if the messages do arrive, they end up in the junk mail folder, especially if you are hosting it on a dynamic IP and don't have an MX record setup.

I host my own

That would happen if there's a problem with your reverse lookup in DNS. If you have a static IP, many times your provider can add the correct entry. If you're on a dynamic IP you can usually use your provider's outgoing SMTP server as a relay or buy a cheap monthly relay. I personally use Verizon's. They are a little tricky because you have to set your server to talk over TLS encryption and send a plain password, but once it's set it works fine. I've had a Zimbra (free) server running for over 3 years and have never had a rejection.

"Endless money forms the sinews of war." - Cicero, www.freedomshift.blogspot.com

I would love to know more about this

Is there a link you could send me with more info on how to do this? I was under the assumption that major email providers block banks of IP addresses from known ISPs, even if you have a static IP from them.

ok

Since Verizon requires authentication for their SMTP http://forums.verizon.com/t5/FiOS-Internet/SMTP-relay/td-p/1....

use

For Postfix, or Zimbra, which also uses Postfix, it's done by
http://wiki.zimbra.com/index.php?title=Outgoing_SMTP_Authent...

Zimbra has products for several Linux variants, but you could run a similar underlying structure using Postfix, Dovecot or Cyrus, and something like SquirrelMail as a web interface.

for example:
http://www.howtoforge.com/virtual-users-domains-postfix-cour...

"Endless money forms the sinews of war." - Cicero, www.freedomshift.blogspot.com

Thanks for the info

I may give this a try

How does it work?


Not yet

Well I don't want to tell everything now, otherwise someone will copy it! We want to get a prototype out first, and then release the details of how it works!

You should be so lucky to be copied

Nobody is going to trust your amateur crypto. You're going to have to do a lot of talking about it before anyone cares. Even Zimmermann, author of PGP and designer of ZRTP (fully documented in an RFP with both his source code implementation as well as at least one open source implementation), has a hard time getting users to use Silent Circle because it's not open.

Are you using any existing cryptographic primitives? Do you have a better way of verifying key exchange besides finding a secure method to compare key fingerprints with the other side?

I do!

I am pretty sure I have a better way... people will trust it when they see how it works... as for people copying it, as long as they are using our standard, the more the merrier!

Yes, amateur... everyone's an amateur until they make something that nobody knows how it works, and then all of a sudden they are the expert... and then the "experts" hire them.

Not using existing cryptographic primitives... primitive is right! Not using a key exchange, using something new that I came up with... it is still possible for people to come up with new things... humans haven't even scratched the surface on what can be done.

where do you plan to publish

where do you plan to publish it?

You mean the app or the code?

The app on Android markets, code probably on Github, but I'll probably announce something on Daily Paul when we have a tested working version.

what's the github link?


What's with all the questions?

Here is an example of two apps that already do all the encryption for text and voice using traditional encryption methods: https://whispersystems.org/

The company also appears to offer free paid vacations to Hawaii if you'll work on their apps, and some of the encryption code is available on github. And they are owned by..drum roll... Twitter... so, I'm sure your communication will be really secure!

I know about them. Red phone

I know about them. Red phone implements ZRTP. In my opinion ZRTP is the best key exchange protocol available.

I'm curious about your system. I like to know about security software.

Do you think you have something that offers more usable security than ZRTP?

Best key exchange

Yes, I think so, as it doesn't require any kind of key exchange.

I think whatever this is will

I think whatever this is will be completely insecure or completely unusable, or both.

So many people claim to have thought of something new and better... yet none have succeeded since RSA. Time after time these ideas fail.

I hope you share your idea with experts before spending a lot of time polishing an app.

Looking forward to being proven wrong! :)

What does RSA secure?

If everything is being recorded, including the key exchange, what have you secured really? All the data is there, so if a new way of factoring primes is discovered, through math, or through quantum computing (assuming they don't have that already), or just brute force, what have you secured?

"time after time these ideas fail"... well that proves it then, you've convinced me... nothing new can ever be created... so glad you figured that out! Twain said it best: "there are three kinds of lies: lies, damned lies, and statistics"...

You know I was never alive before ever in the history of man... time after time, people were reproducing... never made a single one of me.... and then all of a sudden, there I was, with nothing to back me up... maybe I should consult an "expert" to see if I am really here? LOL.

of course communication is recorded

The whole point of crypto is to communicate over a monitored channel. If you have a secure channel then crypto is unnecessary.

No crypto is completely secure except the one time pad. The one time pad is of little practical use however. I have a hard time believing any crypto will be reasonably secure for 30 years. Look at DES. I'm sure AES256 will seem like DES in another 20 years.

RSA was the last really major development. Before it there were no asymmetric algorithms. It changed everything. True, it's vulnerable to SHOR, but that attack isn't practical now. And right now I feel safer with well studied algorithms than any of the new post quantum stuff.

A new advance is a big deal. A lot of really smart people are working on it in public. If you have a better way you would be best served by explaining it to anyone who will listen. It's the best way to really find out if you have something.

Billions and billions have been born. Being born is not improbable. Making a groundbreaking discovery in a well established field of study is.

So why don't you just explain your idea already so I can have a shot at finding weaknesses in it?

Okay

Dolphins communicate with each other every day... they have a proven language... they can communicate in the open, recorded, etc... uncrackable code.... try and figure out what they are saying to each other.

It is based on that concept (not specifically Dolphin speak).
Enjoy!

That technique is well known

That technique is well known and was popular before computers:

http://en.wikipedia.org/wiki/Code_(cryptography)

It's been effective before, most famously with the Navajo in WWII, however I seriously doubt that would work again. Codes are less secure and less usable than algorithms, which is why they're not popular any more. Dolphin language isn't uncrackable. (http://www.speakdolphin.com/) If the money and effort expended attacking diplomatic and military communication was directed at dolphin study then we'd know the nuances of every tone by now.

Code books have a few problems:

- Codebooks have to be distributed via secure channels
- Vulnerable to known plaintext attack
- Vulnerable to chosen plaintext attack
- Vulnerable to replay attack
- Lacks message authentication
- Lacks perfect forward secrecy
- Spelling anything out is vulnerable to frequency analysis
- Doesn't work well for arbitrary data (e.g. sending files)

How do you plan to address these problems?
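The list above names two properties a code book lacks that are easy to see in running code: a fixed word-to-token mapping leaks repetition (the foothold for frequency analysis and known-plaintext attacks), and nothing in a coded message lets the receiver tell a replayed copy from a fresh one. The following is an added illustration, not code from this thread or from any project mentioned in it; the code book, the traffic and the shared key are constructed, and the second half shows the minimum a modern protocol adds (a sequence number plus an HMAC tag) to get message authentication and replay rejection.

```python
"""Added example: why a code book is not an authenticated, replay-safe channel.

The code book, sample traffic and shared key below are constructed for the
demonstration and are not taken from the thread.
"""
import hashlib
import hmac
from collections import Counter

# Constructed word -> token code book, in the style of a paper code book.
CODEBOOK = {
    "attack": "3391", "retreat": "5104", "at": "1188", "dawn": "7720", "bridge": "9042",
}


def encode(message: str) -> list[str]:
    """Swap each word for its token; words missing from the book are spelled out as-is."""
    return [CODEBOOK.get(word, word) for word in message.lower().split()]


def token_frequencies(traffic: list[list[str]]) -> Counter:
    """Count tokens across all intercepted traffic. Because the mapping is fixed,
    a repeated token is a repeated word, which is exactly what frequency analysis
    and known-plaintext recovery build on."""
    return Counter(token for msg in traffic for token in msg)


class CodebookReceiver:
    """Accepts any list of tokens. Nothing binds a message to its sender or to a
    point in time, so a copied (replayed) message looks identical to a fresh one."""

    def __init__(self) -> None:
        self.accepted: list[list[str]] = []

    def receive(self, tokens: list[str]) -> bool:
        self.accepted.append(tokens)
        return True


# Constructed shared key for the authenticated framing below (demo value only).
KEY = b"constructed-shared-key-for-demo"


def frame(seq: int, payload: bytes) -> tuple[int, bytes, bytes]:
    """Attach a sequence number and an HMAC-SHA256 tag over (seq || payload)."""
    tag = hmac.new(KEY, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return seq, payload, tag


class AuthenticatedReceiver:
    """Rejects messages whose tag does not verify (forgery or tampering) and
    messages whose sequence number has already been consumed (replay)."""

    def __init__(self) -> None:
        self.next_seq = 0
        self.accepted: list[bytes] = []

    def receive(self, seq: int, payload: bytes, tag: bytes) -> bool:
        expected = hmac.new(KEY, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # tag mismatch: forged or altered
        if seq != self.next_seq:
            return False  # out-of-order or replayed sequence number
        self.next_seq += 1
        self.accepted.append(payload)
        return True


def demo() -> dict:
    """Run both receivers over constructed traffic and report what each accepted."""
    traffic = [encode("attack at dawn"), encode("retreat at dawn"), encode("attack bridge")]
    freq = token_frequencies(traffic)

    plain_rx = CodebookReceiver()
    order = encode("attack at dawn")
    plain_rx.receive(order)
    replayed_ok = plain_rx.receive(list(order))  # a copy of the intercepted order

    auth_rx = AuthenticatedReceiver()
    seq, payload, tag = frame(0, b"attack at dawn")
    first_ok = auth_rx.receive(seq, payload, tag)
    replay_ok = auth_rx.receive(seq, payload, tag)          # same message again
    tampered_ok = auth_rx.receive(1, b"retreat at dawn", tag)  # new text, old tag

    return {
        "dawn_token_count": freq["7720"],
        "codebook_replay_accepted": replayed_ok,
        "authenticated_first_accepted": first_ok,
        "authenticated_replay_accepted": replay_ok,
        "authenticated_tampered_accepted": tampered_ok,
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC half addresses only authentication and replay; it provides no confidentiality, and a real protocol would wrap the payload in authenticated encryption and derive per-session keys rather than reuse one static key.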

haha ha

I'm not using a code.. you seem intent on picking apart something that you don't know.

You can't even understand what I'm saying and now you are claiming that if you overheard two dolphins talking on a phone, you'd be able to know what they are saying... I'm here typing in PLAIN ENGLISH, and you still are getting what I am saying wrong.... I'm not using "dolphin language"... I'm going to type this real slow so you can get it... it is based on that. I'm not using a code book... I am not using dolphin language.

Yes, you can understand what dolphins are saying if you have a codebook, and/or if you have dolphins sitting around that you can experiment with. Try having a completely new language that only two people understand and only use once... and by new, I mean nothing in common.

I have taken care of authentication, frequency analysis, arbitrary data... I just haven't explained to you how I am doing it... and I'm not going to. Clearly you think it can't be done, so go live in your world where everything that can be done has been done.. thanks for your questions, but you are doing nothing but making me type more when I have important fun things to work on.

If you don't want to describe

If you don't want to describe it that's your call. I hope you prove me wrong.

PFS Perfect forward

PFS

Perfect forward security.

It does have key exchange, but each "connection" has a new key. My friend has a cell phone service that's 100% encrypted.

http://libertyprivate.net/

Blah.

It's perfect forward secrecy.


PFS is common. It's supported by SSH, TLS, etc. It's still vulnerable to MITM so it's not enough on its own. It doesn't help you know if the initial public key you receive is trustworthy.

libertyprivate is selling voip phones. Overpriced at that. And most definitely less secure than a softphone with ZRTP. Deployment is inflexible, user has little visibility, users have to trust them to handle the keys upon which the security of the system rests. I see no cell service. I'm skeptical of your claims about fully encrypted cell service.
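The two points made above, that fresh ephemeral keys give forward secrecy but that an unauthenticated exchange cannot tell you whose public key you actually received, are both visible in a few lines of Diffie-Hellman. The block below is an added illustration, not code from this thread or from ZRTP; the modulus and generator are toy parameters chosen for readability, not a vetted group, and the short authentication string (SAS) is a simplified stand-in for the mechanism ZRTP uses, where the two callers read a few characters derived from the shared secret to each other and compare.

```python
"""Added example: ephemeral Diffie-Hellman, forward secrecy, and SAS comparison.

Toy parameters for illustration only (not a vetted DH group). The relay case
models an on-path substitution of public values; the point shown is that the
SAS comparison is what reveals it.
"""
import hashlib
import secrets

P = 2**255 - 19   # a prime, used here purely as a TOY modulus
G = 2


def keypair(priv=None):
    """Fresh (ephemeral) private exponent and matching public value."""
    if priv is None:
        priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def shared_secret(priv: int, peer_pub: int) -> int:
    return pow(peer_pub, priv, P)


def fingerprint(secret: int) -> str:
    """Full hash of the agreed secret (secret < P < 2**256, so 32 bytes suffice)."""
    return hashlib.sha256(secret.to_bytes(32, "big")).hexdigest()


def sas(secret: int) -> str:
    """Short authentication string: the first four hex digits of the fingerprint,
    short enough to read aloud during the call."""
    return fingerprint(secret)[:4]


def exchange(a_priv=None, b_priv=None, relay_priv=None) -> dict:
    """One session between A and B. If relay_priv is given, a relay on the path
    hands each party its own public value instead of the peer's, so each side
    agrees a key with the relay rather than with the other party."""
    a_priv, a_pub = keypair(a_priv)
    b_priv, b_pub = keypair(b_priv)
    if relay_priv is not None:
        _, relay_pub = keypair(relay_priv)
        a_sees, b_sees = relay_pub, relay_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    a_secret = shared_secret(a_priv, a_sees)
    b_secret = shared_secret(b_priv, b_sees)
    return {
        "a_fingerprint": fingerprint(a_secret),
        "b_fingerprint": fingerprint(b_secret),
        "a_sas": sas(a_secret),
        "b_sas": sas(b_secret),
    }


def sas_check_passes(session: dict) -> bool:
    """What the two users do by hand: read their SAS to each other and compare.
    A mismatch means the values they received were not the ones their peer sent."""
    return session["a_sas"] == session["b_sas"]


def forward_secrecy_holds(a_priv_1, b_priv_1, a_priv_2, b_priv_2) -> bool:
    """Two sessions with fresh exponents derive unrelated keys, so exposure of one
    session's key says nothing about another (perfect forward secrecy)."""
    s1 = exchange(a_priv_1, b_priv_1)
    s2 = exchange(a_priv_2, b_priv_2)
    return s1["a_fingerprint"] != s2["a_fingerprint"]


if __name__ == "__main__":
    honest = exchange()
    print("honest session, SAS match:", sas_check_passes(honest))
    relayed = exchange(relay_priv=secrets.randbelow(P - 2) + 1)
    print("substituted keys, SAS match:", sas_check_passes(relayed))
```

A four-character SAS leaves a small chance that two unrelated secrets share a prefix, which is why the comparison is combined with key continuity across calls in real deployments; the full fingerprint is what the test below compares.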

They are selling VOIP phones,

They are selling VOIP phones, they use a VPN network to make the calls.

I was wrong about "cell" service, the tablets/boxes do not connect to cell phone networks, because that is a problem for security.

Blah.

I think everyone needs to wake up

It does not matter WHO is hosting the email. It does not matter WHO is hosting the website. All that matters is WHOSE routers the data passes through. And sorry to say - you have no control over this part of it.

Quick lesson for those newbies. When you go to youtube and watch a video it goes something like this:
On your computer the network card sends out a bunch of packets (think of sending a letter - one sentence at a time using an envelope for each sentence - instead of sending it as one letter in one envelope). Those packets go from your computer - to your router/modem in your house. They are then sent across either your cable or DSL line to a router on your ISP's network. When the packet hits that router - the router starts passing the packets all over the place on their way to YouTube. Those packets may - MAY - stay on your ISP's network for most of the journey - BUT - most likely they go from your ISP's routers to SEVERAL companies' routers along the way. This is how the web is connected - just like a spider web - many paths to and from any two points. The packets don't even have to take the same route - the same "letter" can take many routers over to YouTube.
Now - those packets contain information allowing the pieces to be reassembled into one coherent letter at the other end. When YouTube receives the whole letter it sends back the video in the same exact way - little pieces going through all these routers. Understand this part now, it is important: whatever "data" you are looking at on your computer - every piece of that data went across those routers.

Take email. Every single bit of that email was broken up and shipped in packets across many routers to get to the other person.

All I have to do to see all your data is to merely copy all the packets running through the routers - then just reassemble them and I can see it all. I don't need the email server or your computer.

Now all of you DPing at work - guess what - your network engineer is doing the exact same thing on your company router - so get back to work.

It's good having access to routers - it is like being a fly on the wall - hehe.

So now let's dispel some myths.
1. Does it matter if youtube handed over the information? No. Why? Because that information went across many routers on the way back to you, so the need for the youtube information is redundant - all I would need was the packets - which went all over the web.

2. Will encryption save the day? No. Why - because all encryption does is basically give each side a secret decoder ring. The data is passed all garbled instead of in plain text (meaning - clear English - easily readable by humans). The problem is - all encryption is based upon math algorithms - and guess what - the NSA has entire teams of mathematicians just sitting there breaking the encryption algorithms. So, once they get the encryption algorithm - they just decrypt your email and read it. Sure - it makes it a little more challenging - but when you consider the resources of the NSA - the sheer processing power, combined with the human talent - it won't take them long if they really want to break the encryption (of course - you forget something else - they could just strong-arm whatever company did write the encryption and take it from them - saving lots of work).

For anyone more interested in this - simply Google how to do a tracert - it will show you every router your information passes through on the way to, say, the DP.

Sorry for the long post - and I know for those other techies - my explanation is not exactly perfect - but I am a bad teacher and I am trying to make it easier for lay people to understand. I feel the more they understand - the more they will realize just how BAD all this is.

to be technically accurate,

To be technically accurate, packets are only found at OSI layer 4. Frames are sent over the media (cable, DSL, fiber, etc.)

Actually to be technically accurate

Anything in the network access layers (layer 1 or 2 of OSI) is considered a frame. A frame encapsulates a packet for transport. The frame is stripped and added along the route as the media changes.

Anything in the network layer (layer 3 OSI) is considered a packet. Packets are the data collected at layer 7 with headers added in subsequent layers depending on the protocol.

The packet is still found on the media - it is just in an envelope called a frame.

At least that's my understanding.
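The encapsulation described in the last few posts (application data inside a UDP segment, inside an IP packet, inside an Ethernet frame that is stripped and re-added at every router) is easiest to see by building such a frame and parsing it back apart. The block below is an added illustration, not code from this thread; the MAC addresses, IP addresses (from the 192.0.2.0/24 documentation range), ports and payload are constructed, and `forward_hop` models only what a router does to the frame and the TTL, not routing itself.

```python
"""Added example: build an Ethernet/IPv4/UDP frame, parse it layer by layer,
and re-frame it as a router would for the next link.

All addresses and the payload are constructed for the demonstration.
"""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791).
    Over a header that already carries a correct checksum the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Layer 7 data -> UDP segment -> IPv4 packet -> Ethernet frame."""
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000,
                         64, PROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + udp


def parse_frame(frame: bytes) -> dict:
    """Peel the frame (layer 2), then the packet (layer 3), then the segment (layer 4)."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    (ver_ihl, _tos, total_len, _ident, _flags, ttl, proto,
     _csum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    packet = frame[14:14 + total_len]
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != PROTO_UDP:
        raise ValueError("not UDP")
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + udp_len]
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src_ip), "dst_ip": socket.inet_ntoa(dst_ip),
        "ttl": ttl, "src_port": src_port, "dst_port": dst_port, "payload": payload,
    }


def forward_hop(frame: bytes, new_src_mac: bytes, new_dst_mac: bytes) -> bytes:
    """What each router does on the way: strip the old frame, decrement TTL and
    fix the header checksum, then wrap the same packet in a new frame for the
    next link. Everything above layer 3, payload included, travels unchanged."""
    packet = bytearray(frame[14:])
    packet[8] -= 1                      # TTL lives at IPv4 header offset 8
    ihl = (packet[0] & 0x0F) * 4
    packet[10:12] = b"\x00\x00"         # zero the checksum field before recomputing
    packet[10:12] = struct.pack("!H", ipv4_checksum(bytes(packet[:ihl])))
    return new_dst_mac + new_src_mac + struct.pack("!H", ETHERTYPE_IPV4) + bytes(packet)


if __name__ == "__main__":
    f = build_frame(b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02",
                    "192.0.2.10", "192.0.2.53", 40000, 53, b"hello")
    print(parse_frame(f))
    print(parse_frame(forward_hop(f, b"\x02\x00\x00\x00\x00\x03", b"\x02\x00\x00\x00\x00\x04")))
```

Running it shows the layer 2 addresses changing hop by hop while the IP addresses, ports and payload stay identical, which is the sense in which the same "letter" is visible at every router it crosses.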

OSI is dead. It describes

OSI is dead. It describes nothing real. In the real world IP packets are encapsulated in protocols which themselves have varied features and complexity. IP packets don't go "on fiber"... they are in ethernet frames or ATM cells or whatever

I had rather

host it myself. At least it isn't sitting on a Google server just waiting to be looked at. As far as sniffing the wire, I don't think the ability exists to log all internet traffic on the routers at large ISPs; that is why the FEDs ask for the data from Facebook and Google etc. SSL can help hide the data, but it will only work if the FEDs do not have the key.