1. 10
    1. 5

      I just recently set up an MTA (OpenSMTPd) behind my Tor-ified network. Setting up an MTA behind Tor, especially when Tor is the authoritative DNS server on the network (as it should be in this setup), can be quite difficult to get right.

      Tor’s built-in DNS server does not support MX record lookups and returns a zero-record DNS result with an rcode of 4 (NOTIMPL). This causes MTAs like Postfix and OpenSMTPd to freak out. If the DNS server returned an rcode of 0 (NOERROR), OpenSMTPd would have fallen back to a simple A/AAAA lookup.

      I already had at my disposal a very special custom, modular DNS server that can perform any arbitrary action on a DNS request and on the corresponding response. I simply wrote a module for this DNS server that overwrote the response’s rcode to 0 if it was 4 prior to handing the response back to the originating client.

      I set my resolv.conf to point to my custom DNS server. My custom DNS server was configured to point to Tor as its upstream resolver.

      At that point, OpenSMTPd started working! I can now send emails to (almost) any domain, even other .onion servers. After sending some test emails, I found out that Google-hosted email services block MTAs behind Tor.
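An added example of the rcode-rewriting step described in this comment, written for this page rather than taken from the commenter's DNS server: it works on raw DNS response bytes and, narrower than the module described above, only rewrites an empty NOTIMPL reply to an MX query, leaving every other response untouched (that restriction, the helper names and the constructed sample packets are the example's own assumptions).

```python
import struct

RCODE_NOTIMPL = 4     # Tor's resolver answers MX queries with this
RCODE_NOERROR = 0     # what OpenSMTPd needs in order to fall back to A/AAAA
QTYPE_MX = 15
QTYPE_A = 1

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the DNS name that starts at `off`."""
    while True:
        length = msg[off]
        if length == 0:               # root label ends the name
            return off + 1
        if length & 0xC0 == 0xC0:     # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def _encode_name(name: str) -> bytes:
    """Wire-encode a dotted name (no compression)."""
    labels = [lab.encode() for lab in name.rstrip(".").split(".")]
    return b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"

def rcode(msg: bytes) -> int:
    """Low four bits of the flags word (offset 2) hold the RCODE."""
    return struct.unpack_from("!H", msg, 2)[0] & 0x000F

def question_qtype(msg: bytes) -> int:
    """QTYPE of the first question; the header is always 12 bytes."""
    return struct.unpack_from("!H", msg, _skip_name(msg, 12))[0]

def rewrite_notimpl(resp: bytes, only_qtype: int = QTYPE_MX) -> bytes:
    """Turn an empty NOTIMPL response for `only_qtype` into NOERROR.
    Everything else (queries, other RCODEs, responses carrying records, other
    query types) passes through unchanged so real upstream errors stay visible."""
    if len(resp) < 12:
        return resp
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", resp, 0)
    if not flags & 0x8000 or flags & 0x000F != RCODE_NOTIMPL:
        return resp
    if qd != 1 or an or ns or ar or question_qtype(resp) != only_qtype:
        return resp
    flags = (flags & ~0x000F) | RCODE_NOERROR
    return struct.pack("!6H", txid, flags, qd, an, ns, ar) + resp[12:]

# Constructed sample replies (not captured traffic); flags 0x8184 = QR, RD, RA, RCODE=4.
SAMPLE_MX_NOTIMPL = (struct.pack("!6H", 0x1234, 0x8184, 1, 0, 0, 0)
                     + _encode_name("example.com") + struct.pack("!HH", QTYPE_MX, 1))
SAMPLE_A_NOTIMPL = (struct.pack("!6H", 0x1235, 0x8184, 1, 0, 0, 0)
                    + _encode_name("example.com") + struct.pack("!HH", QTYPE_A, 1))
```

In a real proxy `rewrite_notimpl` sits between the upstream (Tor) socket and the client socket; the transaction ID and question section are preserved so the client still matches the reply to its query.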

      1. 1

        Wow, that’s a great writeup, thanks. The more I read about PF, the more I want to install a BSD on my router…

        Are you still using this torified web access? Do you manage to keep your sanity despite the captchas? I find Cloudflare and Google really annoying when accessed through Tor.

        1. 3

          I’ve been sitting 100% behind my Tor-ified setup both at work and at home for around a year now. I use the Privacy Pass extension to help with captchas.

    2. 3

      This is a good article but I wish it would go into a bit more depth around how to write applications to avoid identifying information leakage, and harden existing ones.

      Ask your favorite online service to provide an onion service! Advocate for more onion services by asking those who provide the services that you use to make them available. They are easy to set up and maintain, and there is no reason not to provide them!

      This seems unlikely, but I appreciate the sentiment. Unfortunately, in a lot of people’s minds, Tor == pedo, which is incredibly unfair and undeserved but also understandable (my initial Tor explorations led me to bump into pedo more than once, including some kind of pedo bazaar IRC server :)
