Couldn't you just use a dedicated VM and Thunderbird, and not set up outbound 
in Thunderbird?

On Tuesday, August 6, 2019 at 1:11:32 AM UTC-5, alex....@gmail.com wrote:
>
> Some time ago there was a post on reddit (
> https://www.reddit.com/r/Qubes/comments/9q76f2/splitmail_setup/) that 
> described setting up an offline mail vm. Just kill the "send" part there 
> and you'll get a mail black hole that receives but never sends. Seems like 
> this is more or less what you want.
>
> On Tuesday, August 6, 2019 at 5:06:54 AM UTC+3, redd...@vfemail.net wrote:
>>
>> In Qubes, is it possible to set up a VM that can receive email, but not 
>> send information out, via email or otherwise?
>>
>> The motivation is: Many online accounts rely on an email address to reset 
>> passwords. However, the VM that handles inbound emails processes a lot of 
>> untrusted input. If the VM gets compromised by an attacker, the attacker 
>> can then send password reset emails and read them. So to defend against 
>> this, I want to prevent the compromised VM from communicating out the 
>> contents of these password reset emails.
>>
>> Specifically:
>> 1. Assume the VM is compromised (can't rely on in-VM enforcement 
>> mechanisms).
>> 2. Assume the email provider is not compromised.
>>
>> To further illustrate the problem, here are example setups and why they 
>> don't work:
>>
>> Setup 1: Use Qubes firewall to restrict to the email provider's server 
>> and IMAP port. Block UDP requests using qvm-firewall.
>> Why it doesn't work: Attacker can create an account on the same email 
>> provider and connect to their account (the firewall rules will not prevent 
>> this). They can then sync emails containing any data, to their account.
>>
>> Setup 2: Like Setup 1, but use POP3.
>> Why it doesn't work: Attacker creates account at provider, transmits data 
>> via POP3 delete operations.
>>
>> Does anyone have an email setup with this inbound-only property, ideally 
>> that does not require running their own email server?
>>
>> Thank you.
