[guardian-dev] using K9 Mail

Nathan of Guardian nathan at guardianproject.info
Wed May 9 10:27:21 EDT 2012



Rick Valenzuela <lists at rickv.com> wrote:

>Hi all --
>
>Considering that K9 Mail is the recommended email client, how are people
>connecting with it?

I use it with transproxying and TLS to my non-google IMAP and SMTP services.

>
>I'd been trying to use Orbot and SSHTunnel(Beta), with DroidWall to
>whitelist only those.

Orbot with transproxy and Droidwall do not get along well.

>My mildly technical assumption with this was that
>I'd be covered with routing+anonymity as well as encryption. I would
>like to tunnel to a server I use in another country.

So you are tunneling SSH Droid through Tor via Orbot transproxying?

>
>I can connect with Orbot only, and in checking headers with another
>account, it does seem that Orbot routes this. But SSHTunnel(Beta) does
>not allow me; looking at K9 in folder view, I see some error messages
>under each folder after it fails to poll.

Either the transproxy iptables rules from Orbot are getting flushed by Droidwall or this is an issue with K9 being able to connect to localhost with all of the various routing going on.

Have you tried our new 1.0.8 rc1 yet? It has a fix related to localhost connections.

>
>I emailed the devs from K9 and Kaiten about this, and I got this back:
>"Kaiten like K-9 Mail doesn't support using a proxy server. But you
>should still be able to use an SSH tunnel if you set up a local endpoint
>that will forward all connections to your mail server using SSH."
>Although, I'm not sure how to do this.

So what is your sshtunnel configuration set to now?

>The K9 dev also gave a reminder/warning that Orbot would only provide
>anonymity, not encryption, which was the reason in the first place that
>I wanted to SSH tunnel to a SOCKS5 proxy. I do use SSL/TLS with my email
>provider, so this may be redundant. I guess that's why I'm asking for a
>'best practices' suggestion here.

Well, you have TLS already from K9 to your mail server. Tor does provide encryption from your device through to the Tor exit node, which is good enough for most looking to evade local network surveillance or filtering. Adding the SSH tunnel will only assist in thwarting malicious Tor exit nodes, which do exist now and then. They would have to actively MITM your TLS connection, which K9 should notice if they provide a bogus cert.

If you feel you are at risk for this type of attack, I would perhaps just run your own private Tor exit node on your box, and only allow it access to the sites you want. Then you can configure that in the Orbot preferences. You could also do this via a hidden service.

Adding SSH to the mix on your device just adds a battery-draining process.

Best,
  Nathan
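
Added example, not part of the original message or of K9/Orbot code: a way to check from a workstation which certificate a mail server presents when reached through Tor, and whether it matches a fingerprint noted over a trusted channel, which is the "bogus cert" check the reply relies on. The host name, the pin value, and the local Tor SOCKS port 9050 are assumptions.

```python
import hashlib
import hmac
import socket
import ssl
import struct

def socks5_connect_request(host, port):
    """SOCKS5 CONNECT using a domain name, so Tor resolves DNS, not the client."""
    name = host.encode("idna")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def pin_matches(der, pinned_hex):
    """Compare a DER certificate with a pin noted over a trusted channel."""
    pinned = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der), pinned)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf

def fetch_cert_via_tor(host, port=993, proxy=("127.0.0.1", 9050)):
    """Return the DER certificate the server presents when reached through Tor."""
    s = socket.create_connection(proxy, timeout=60)
    s.sendall(b"\x05\x01\x00")  # greeting: offer "no authentication"
    if _recv_exact(s, 2) != b"\x05\x00":
        raise ConnectionError("proxy refused SOCKS5 without auth")
    s.sendall(socks5_connect_request(host, port))
    reply = _recv_exact(s, 4)
    if reply[1] != 0:
        raise ConnectionError(f"SOCKS5 CONNECT failed, code {reply[1]}")
    # Skip the bound address (IPv4, IPv6 or length-prefixed name) and port.
    alen = {1: 4, 4: 16}.get(reply[3]) or _recv_exact(s, 1)[0]
    _recv_exact(s, alen + 2)
    # Default context verifies chain and hostname; a bogus cert raises here.
    with ssl.create_default_context().wrap_socket(s, server_hostname=host) as tls:
        return tls.getpeercert(binary_form=True)

if __name__ == "__main__":
    HOST = "imap.example.org"  # placeholder host (assumption)
    PIN = "00" * 32            # placeholder SHA-256 pin (assumption)
    der = fetch_cert_via_tor(HOST)
    print("pin OK" if pin_matches(der, PIN) else "MISMATCH: " + fingerprint(der))
```

A verification error or a pin mismatch on one circuit but not on others points at the exit node rather than the server.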

