How to use fetchmail with Tor email services

tags: tor, mail, fetchmail

This post describes how to fetch mail via POP3 from mail services reachable over Tor, such as cock.li.

The tools used are:

Tor

I’ve added the following lines to my /etc/tor/torrc

TransPort 9051 IsolateClientAddr IsolateClientProtocol IsolateDestAddr IsolateDestPort
DNSPort 9053
VirtualAddrNetwork 127.127.0.0/16
AutomapHostsOnResolve 1

This causes Tor to open UDP port 9053 and listen for DNS requests. Tor’s DNS resolver handles A, AAAA, and PTR requests only.

When you perform a DNS lookup of a .onion domain against Tor’s DNSPort, Tor creates a temporary internal mapping that links a random IP address from the 127.127.0.0/16 range to that .onion hostname.

Example:

dig +short A protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion -p 9053  @127.0.0.1

127.127.125.54

iptables

To let applications connect transparently to Tor services, redirect all TCP traffic destined for 127.127.0.0/16 to the TransPort 9051 defined in /etc/tor/torrc:

iptables -t nat -A OUTPUT -d 127.127.0.0/16 -p tcp -j REDIRECT --to-ports 9051

TLS certificates and fingerprints

Get the mail server certificate and put it into cert.pem:

echo | openssl s_client \
    -servername mail.cock.li \
    -connect mail.cock.li:995 2>/dev/null \
| openssl x509 -text \
| sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p' > cert.pem

Get the certificate's MD5 fingerprint, which is the format fetchmail's sslfingerprint option expects:

openssl x509 -in cert.pem -noout -md5 -fingerprint

fetchmail

.fetchmailrc

poll xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion with proto POP3
    user 'example@firemail.cc' there with password c00lp055w0rd
    is 'vasiok' here
    options ssl
    sslfingerprint "DC:78:45:BE:CF:DE:5C:BA:71:7F:66:50:D6:EC:CD:64"
    sslcommonname mail.cock.li
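
The sslfingerprint pin stops matching as soon as the server's certificate is replaced, and fetchmail then refuses the connection. The shell functions below are an added example, not part of the original post: they compare the pin for one polled host with the output of the openssl fingerprint command shown earlier. The function names, exit codes and the sample rc file are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): detect a stale sslfingerprint pin.

# Pull the hex digest out of `openssl x509 -noout -md5 -fingerprint` output,
# e.g. "MD5 Fingerprint=AA:BB:..."; the label's case differs between OpenSSL versions.
fp_from_openssl() {
    printf '%s\n' "$1" | sed -n 's/^[^=]*[Ff]ingerprint=//p' | tr 'a-f' 'A-F'
}

# Print the sslfingerprint pinned for one polled host in a fetchmailrc.
# Assumes whitespace-separated tokens and a double-quoted value, as in the post.
fp_from_rc() {  # $1 = rc file, $2 = polled hostname
    awk -v host="$2" '{
        for (i = 1; i <= NF; i++) {
            if ($i == "poll" || $i == "skip") active = ($(i + 1) == host)
            else if (active && $i == "sslfingerprint") {
                v = $(i + 1); gsub(/"/, "", v); print toupper(v); exit
            }
        }
    }' "$1"
}

# Exit status: 0 pin matches, 1 mismatch (certificate changed), 2 no pin for host,
# 3 fingerprint text could not be parsed.
check_pin() {  # $1 = rc file, $2 = hostname, $3 = openssl fingerprint output
    pinned=$(fp_from_rc "$1" "$2")
    actual=$(fp_from_openssl "$3")
    [ -n "$pinned" ] || return 2
    [ -n "$actual" ] || return 3
    [ "$pinned" = "$actual" ]
}

# Constructed sample rc: host and pin copied from the post, password is a placeholder.
write_sample_rc() {  # $1 = output path
    cat > "$1" <<'EOF'
poll xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion with proto POP3
    user 'example@firemail.cc' there with password PLACEHOLDER
    options ssl
    sslfingerprint "DC:78:45:BE:CF:DE:5C:BA:71:7F:66:50:D6:EC:CD:64"
    sslcommonname mail.cock.li
EOF
}

# Demo on the constructed sample; the second fingerprint is a made-up "rotated" value.
demo_rc=$(mktemp) && write_sample_rc "$demo_rc"
demo_host=xdkriz6cn2avvcr2vks5lvvtmfojz2ohjzj4fhyuka55mvljeso2ztqd.onion
check_pin "$demo_rc" "$demo_host" "MD5 Fingerprint=DC:78:45:BE:CF:DE:5C:BA:71:7F:66:50:D6:EC:CD:64" && echo "pin matches"
check_pin "$demo_rc" "$demo_host" "md5 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF" || echo "pin is stale (status $?)"
rm -f "$demo_rc"
```

Against a real setup, pass `~/.fetchmailrc`, the polled hostname, and `"$(openssl x509 -in cert.pem -noout -md5 -fingerprint)"` to `check_pin`.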

fetch mail

fetchmail -v