Raising the Shields – Part 15b – Email Privacy!

Back in 2013 I set out to decentralize and to end-to-end encrypt as much of my private communication as possible (see here how it all began and here for the overall history). It was the year of the Snowden revelations and I was (and still am) more than just a bit concerned. Since then I’ve come a long way. It started with installing the Off-The-Record (OTR) plugin in my XMPP desktop messenger, checking certificates with Certificate Patrol, making sure an encrypted connection is always used when I send emails, using Tor for especially sensitive web sessions, automatically deleting cookies when the browser closes, using Nextcloud (Owncloud back then) for file sharing and synchronizing contacts and calendars between my devices, installing my own XMPP messaging server at home, encrypting my frequent remote screen sharing sessions, and using my own VPN server at home. Lately, Nextcloud Talk has become available for voice and video communication, so I’ve also regained a secure and end-to-end encrypted voice and video channel. There are a lot of other small things I have also implemented over the years, but one major service has so far only been inadequately protected: email! Well, I’ve finally got a fix for that as well.

Some might argue that email is a lost cause because end-to-end encryption is a mess and mail service providers store a copy of all incoming emails before they are retrieved by their clients. In addition, email providers are obliged by law to store metadata and provide it on request. The only way to escape all of this is to run an email server at home. And even then, it’s still a lost cause because pretty much everyone else is using a public email server, so there is still a weak link on the other side.

But be that as it may, we are using email in my family for a number of reasons to exchange documents. So far, that always had to go via a public service and this was really bothering me. Setting up an email server at home is no trivial thing, so this was pretty much the last piece of the puzzle I hadn’t put in place yet. But with all the other things I consider important in place, it was time to tackle this as well.

After looking at a lot of different solutions I decided to set up a simple email server consisting of just Postfix and Dovecot. As I only need the server for internal communication, I made sure that emails cannot be sent from an internal account to external email addresses and also that the server is not reachable from external domains. In practice that means that I haven’t set an MX record and the other things required on the DNS server for external communication, and I’ve moved the TCP ports I use for SMTP and POP3 away from their standard places. It’s a perfect setup for internal communication that is reachable from the Internet, as it prevents accidental email exchange to and from our public email addresses: an error message is returned the moment a wrong email address is used as sender or receiver address.

Most of the complexity of setting up an email server lies in ensuring the server is not classified as a source of spam and in protecting against spam and viruses. Fortunately I don’t have to worry about that at all, so the setup was straightforward. Here’s a great blog post that describes how this is done (in German, unfortunately).

On the email client side, I use Thunderbird and have ensured that SMTP and POP3 are only done over encrypted sessions protected by a Let’s Encrypt SSL certificate. You might wonder why I use POP3 instead of IMAP. The reason for this is that I want the data off my server as soon as possible. Yes, my server is at home and all data is on an encrypted partition but still, it shouldn’t be there.
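A Postfix `main.cf` fragment that would produce the behaviour described above (internal-only delivery, an immediate error for a wrong sender or receiver address, and encrypted-only SMTP). This is an added example, not the configuration from this post or from the linked blog post; the domain `home.example`, the `internal_senders` map name and the certificate paths are assumptions.

```ini
# /etc/postfix/main.cf (fragment)
# home.example is a placeholder for the internal mail domain.
mydomain = home.example
myhostname = mail.home.example

# Only the internal domain is delivered locally. No relay domains and no
# relay host, so there is no configured path to the outside.
mydestination = $mydomain, localhost
relay_domains =
relayhost =

# Anything that is not local is handed to the error transport and bounces
# at once instead of being sent to the Internet.
default_transport = error:external delivery is disabled on this server

# Recipients: accept mail for mydestination only. No permit_* rule comes
# first, so authenticated clients cannot relay to external addresses either.
# The client gets the rejection during the SMTP session.
smtpd_relay_restrictions = reject_unauth_destination

# Senders: the envelope sender must be in the internal domain.
# The map contains one line, "home.example OK", and is compiled with:
#   postmap /etc/postfix/internal_senders
smtpd_sender_restrictions =
    check_sender_access hash:/etc/postfix/internal_senders,
    reject

# SMTP clients must negotiate TLS before anything else, and SASL
# authentication is never offered on an unencrypted session.
smtpd_tls_security_level = encrypt
smtpd_tls_auth_only = yes

# Assumed certbot layout for the Let's Encrypt certificate.
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.home.example/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.home.example/privkey.pem
```

The non-standard SMTP port is set in `master.cf` rather than here, and the POP3 side needs the equivalent TLS-only setting in Dovecot.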

No metadata about our private internal communication is stored externally anymore, and no private files are stored in the clear on a server somewhere on the Internet until they are picked up. It feels really good!

So it’s been a 5-year voyage to get where I wanted to be with my privacy online. No time to become complacent, however, as security and privacy are not a feature, they are a process! But the main takeaway is that over the last 5 years a lot of tools have become available to better protect oneself from prying eyes and overreaching surveillance on the net!