It’s Always Sunny in Reykjavik (or) How I NSA-Proofed my Email

{ Posted on Oct 17 2013 by Bill Zimmerman }

Revelations about the NSA’s mass internet surveillance have spurred interest in existing privacy tools and driven developers to build a slew of new tools and services aimed at providing end-to-end encryption to users. With every major U.S.-based service provider implicated, these offerings are attractive to citizens who prefer not to have their private communications monitored from Gen. Keith Alexander’s Strangelovian “Information Dominance Center” or, more plausibly, by one of the half-million-odd contractors with access to NSA data hoards who might not be able to resist the temptation to, say, spy on their love interest, or worse.


Most of the vast troves of data collected, indexed and stored indefinitely by the NSA is likely to be fairly mundane. However, it’s become a matter of principle; privacy is a basic human right. Here’s an old essay by Bruce Schneier if you need to read more about why privacy is so important.

Built to fail

So, you might be justly concerned about Google, Microsoft, Apple and Yahoo’s complicity in granting the NSA access to your email. Unfortunately, so-called ‘secure’ email services aren’t any better. Secure email provider Lavabit, which had previously provided whistleblower Edward Snowden with an email address, closed its doors rather than comply with a secret government court order to grant access to their users’ content. Its owner left a message stating he’d been forced to choose between betraying the American people and shutting down. The next day, encrypted messaging company Silent Circle proactively shuttered its email service, announcing that, among other things, “email cannot be secure.”

Your options appear to be pretty limited—except, of course, hosting it yourself. After all, this is how e-mail was originally designed to work.

Jason Scott had this figured out way back in January 2009, in his prescient and colorfully-titled wake up call “Fuck the Cloud”:

This is about your data. This is about your work. This is about you using your time so that you make things and work on things and you trust a location to do “the rest” and guess what, here is what we have learned: Since the dawn of time, companies have hired people whose entire job is to tell you everything is all right and you can completely trust them and the company is as stable as a rock, and to do so until they, themselves are fired because the company is out of business.

He argues that the cloud, insinuated by marketers with soft fluffiness, grandeur and fuzzy meaninglessness, is, in fact, a sucker’s game. If you are playing it, you are a sucker. Except the risk today isn’t so trivial as losing your data entrusted to a company that didn’t think to back up your data, was sunsetted by an acquiring company or has simply gone out of business.

Today, the stakes are considerably higher.

Beating the Big G

While my privacy concerns are very real, I’ve also found that Gmail’s speed and utility have degraded over the years, to the point where I have every reason to jump ship now. I won’t be ditching the cloud entirely, but rather self-hosting on vastly more secure servers with every connection under SSL/TLS for end-to-end encryption. As an added benefit, my personal email server will also be 100% carbon neutral.

I’ve entrusted more of my data to Google’s stack over the years, mainly because it (mostly) worked for me. So the thought of migrating a decade’s worth of some 50,000+ emails away from Gmail seemed daunting. And what about Gmail’s lauded spam protection, search, speed and ubiquity? As it turns out, email server software has continued to advance in a post-Google-apps world, and the current state of self-hosted email is better than ever.

Not only would I be back in control of my email, but it will actually be better than Gmail, purely from a features perspective.

The Switzerland of bits

My first order of business was choosing a VPS hosting company. I’ve been a long-time customer of Linode, but they’re ineligible for this task because they’re based in the States. The trouble is, just because a host is not in the U.S. doesn’t mean the company won’t hand over customer data at the request of the U.S. government, or of the local government acting at its behest. If it can happen in uber privacy-conscious Germany, it can happen anywhere. Regrettably, there are very few countries that as a whole will defend your data.

One notable exception is Iceland.

Iceland places an exceptionally strong emphasis on privacy rights, such that what is now commonplace in the U.S. and parts of Europe would be unthinkable there. Recently, a group of journalists and political activists cherry-picked the best laws for media freedom and free speech from around the world with the aim of making Iceland the world leader. Their resolution, proposing the Icelandic Modern Media Initiative (IMMI), unanimously passed the country’s parliament. Iceland is essentially immune from the least friendly laws anywhere else.


As an indication of how seriously Iceland takes media freedom and transparency, the former minister of the interior kicked out the FBI when they showed up unannounced to investigate the activist group Wikileaks and its leader, Julian Assange.

From a data privacy perspective, Iceland rocks. The country also benefits from loads of cheap, renewable energy. Practically 100% of it is generated by hydroelectric and geothermal plants around the country—more renewable energy per capita than any country in Europe by far. If you’re in the data center business, cooling is almost as simple as leaving the window open.

After surveying the landscape a bit, I settled on Icelandic startup Greenqloud’s Amazon EC2-compatible service for my data hosting needs. Its servers are powered using only renewable energy, have been customized to reduce the amount of power they consume and are chilled in a data center cooled by Iceland’s nippy air.

My Greenqloud instance lives in the Thor facility, located just outside of Reykjavik. Thor sits on top of a bunker-grade plate more than two feet thick and the facility has high-grade air filters that are regularly cleaned and replaced to keep out volcanic dust.

With an instance running in Greenqloud, I was ready to tackle building a secure, green, self-hosted email server. Let’s roll up our sleeves and get to it.

Server setup

First, a quick overview of the features we’ll be getting from our modern email server:

  • Email storage is encrypted on the server.
  • Full encryption over the wire with TLS.
  • Server is locked on boot; SSH in after a reboot to unlock it.
  • Better spam detection.
  • Lightning fast push support on all devices.
  • Full-text search that actually works.
  • Server software and all packages are open source.

We’ll get all this running on a truly carbon-neutral server in a jurisdiction with the strongest privacy laws on earth. Take that, Google.

I opted to spend just a little bit of money (domain names are cheap) and bought the personal domain Billz.to from the national registry of Tonga. Domain names are cheaper when you pay in advance, so if you’re considering this go for the full 5 year option, if you can afford it. This also saves the hassle of renewing each year. See this article for more thoughts on how you can get the most from a truly personal domain.

Our email server is built from a number of separate little projects that work together, including:

  • Postfix – the Mail Transfer Agent (MTA) that handles relaying mail between different servers. It decides what to do with email from the outside world, and whether a particular user is allowed to send email using your server. Postfix hands off local delivery (that is, the actual saving of the mail files on the server) to Dovecot. Postfix also lets Dovecot take care of authentication before users are allowed to send email from the server.
  • Dovecot – the IMAP server and Local Mail Transfer Protocol (LMTP) service. In email lingo, it essentially runs IMAP to handle requests from users who want to authenticate and check their email. Dovecot’s LMTP service functions as the Mail Delivery Agent (MDA) by saving mail files on the server. Dovecot also handles all authentication: it checks users’ email addresses and passwords in the MySQL database before allowing them to view or send email.
  • EncFS – this is used to encrypt our email store.
  • OpenDKIM – DKIM digitally signs all outgoing messages on the server so that receiving servers can verify the message actually was sent from the domain in question and is not spam or phishing.
  • MySQL – the database server stores lookup tables for domains, usernames and passwords, and aliases on the mail server.
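To make that division of labour concrete, here is a Postfix main.cf fragment wiring the five pieces together. It is an added illustration, not the author’s or Drew Crawford’s configuration; the hostname, certificate paths, MySQL map file names and the OpenDKIM port are assumptions.

```ini
# /etc/postfix/main.cf (fragment). Hostname, certificate paths, map files
# and the OpenDKIM port are assumptions; adjust them to your own server.
myhostname = mail.example.com

# --- TLS on the wire ---
# Port 25 has to stay opportunistic ("may"): other MTAs without TLS could
# not deliver to you otherwise. The submission port (587) in master.cf adds
# "-o smtpd_tls_security_level=encrypt" so your own clients never talk in the clear.
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file = /etc/ssl/private/mail.example.com.key
smtpd_tls_protocols = !SSLv2, !SSLv3
# Never accept a password over an unencrypted session.
smtpd_tls_auth_only = yes
# Use TLS when relaying outbound mail whenever the remote side offers it.
smtp_tls_security_level = may

# --- Authentication is delegated to Dovecot (SASL over a Unix socket) ---
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_auth_enable = yes
# Only the local network and authenticated users may relay; everyone else may
# only deliver to domains we host. This is what keeps you from being an open relay.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# --- Domains, mailboxes and aliases are looked up in MySQL ---
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-mailbox-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-mailbox-maps.cf
virtual_alias_maps = mysql:/etc/postfix/mysql-virtual-alias-maps.cf

# --- Local delivery is handed to Dovecot's LMTP service ---
# Dovecot, not Postfix, writes the mail files, so only Dovecot's
# mail_location has to point at the EncFS mount.
virtual_transport = lmtp:unix:private/dovecot-lmtp

# --- DKIM signing and verification through the OpenDKIM milter ---
milter_protocol = 2
milter_default_action = accept
smtpd_milters = inet:127.0.0.1:12301
non_smtpd_milters = $smtpd_milters
```

After editing, `postfix check` validates the syntax and `postconf -n` prints the non-default settings so you can confirm what actually took effect.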

If you’re new to configuring secure Linux servers on the internet, be sure to read my first 5 minutes on a server.

I’m comfortable doing many Linux administrative tasks via SSH, but had never built an email server from scratch. It’s a reasonably big project, but lucky for me I found this recipe by Drew Crawford using the above stack running on Debian. If Ubuntu is your preferred Linux distribution, you’ll find a similar guide here to get you started.

Drew concedes that it took him about two days to figure out the setup described in his blogpost, starting from knowing basically nothing about modern email servers. He estimates an implementation time of just two hours. In practice it took me a bit longer, mainly due to troubleshooting a common gotcha I’ll mention in closing. After the initial setup, this mail server truly is a “set it and forget it” affair.

Email migration and clients

With incoming mail working via IMAP, outgoing mail on SMTP and everything under TLS/STARTTLS, I turned my attention to migrating those emails. Here’s how I got my email out of Gmail and working with some outstanding clients:

  • Being a Mac user, I chose Airmail—a modern, slick-designed, fast and fully-featured email client that works perfectly with a standard IMAP account. Airmail supports all kinds of familiar Gmail features, from priority inbox to labels, conversations, contacts and proper archiving.
  • Downloaded ~50,000 emails from Gmail using Airmail and dragged-and-dropped the folders to my new server. This took a while, but we’re talking machine time here—not human time. The process works the exact same way using an email client like Mozilla Thunderbird.
  • Deleted everything from Gmail. Google engineers assure me that after a few months, my data will really be gone.
  • Updated the web accounts I care about with my new self-hosted @Billz.to address.
  • On my Android phone (whoops…) I am using the excellent K-9 IMAP client. If you’re using an iPhone, you’ll be glad to know that push support will be restored, since Google discontinued push for iOS late last year.


After a decade of using Gmail, I’m back to interacting with my email using Airmail and IMAP TLS. The process of setting up my own server, migrating my emails and getting used to these alternative systems was marginally uncomfortable at times, but I’m quite pleased with the end result.

Protips and caveats

Use SSL/TLS for all connections. Again, while it’s true that the NSA targets encrypted connections—and it may have explicit exploits against these protocols—you’re much better protected than if you communicate in the clear.

One minor snag I had during the server setup was neglecting to open the correct port for SMTP. Greenqloud’s default security for new instances is pretty tight, so it took me a while of diagnosing things with mail server logs before I realized that I needed to add a new ingress rule. Once this was done, everything worked fine.

If you’re running webmail, OwnCloud or another web-based app, it really should be under HTTPS. The good news is, you can switch to HTTPS for free by using StartSSL, the same certificate authority the EFF uses. Their individual certificates are available at no cost. If you’re OK with the command line and administering a web server you own, the process takes less than an hour.

The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical. They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible. In the words of Bruce Schneier:

Trust the math. Encryption is your friend. Use it well, and do your best to ensure that nothing can compromise it. That’s how you can remain secure even in the face of the NSA.

Finally, one of the fringe benefits of hosting in Iceland is that you get to go there to check out your data center. Reykjavik is a great place to visit and Iceland’s countryside is beautiful.

I'm an engineer, ex-Microsoftie, founding board member of AfriLabs, co-founder of ActivSpaces in Cameroon and VC4Africa. Drawn to innovation, creativity & all things tech. More at splinter.me/billz
