In Qubes, is it possible to set up a VM that can receive email, but
not send information out, via email or otherwise?
The motivation is: Many online accounts rely on an email address to
reset passwords. However, the VM that handles inbound emails,
processes a lot of untrusted input. If the VM gets compromised by an
attacker, the attacker can then send password reset emails and read
them. So to defend against this, I want to prevent the compromised VM
from communicating out the contents of these password reset emails.
1. Assume the VM is compromised (can't rely on in-VM enforcement mechanisms).
2. Assume the email provider is not compromised
To further illustrate the problem, here are example setups and why
they don't work:
Setup 1: Use qubes firewall to restrict to the email provider's server
and IMAP port. Block UDP requests using qvm-firewall.
Why it doesn't work: Attacker can create an account on the same email
provider and connect to their account (the firewall rules will not
prevent this). They can then sync emails containing any data, to their
Setup 2: Like Setup 1, but use POP3.
Why it doesn't work: Attacker creates account at provider, transmits
data via POP3 delete operations.
Does anyone have a email setup with this inbound-only property,
ideally that does not require running their own email server?
This free account was provided by VFEmail.net - report spam to ab...@vfemail.net
ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the
$24.95 ONETIME Lifetime accounts with Privacy Features!
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!
You received this message because you are subscribed to the Google Groups
To unsubscribe from this group and stop receiving emails from it, send an email
To view this discussion on the web visit