Couldn't you just use a dedicated VM and thunderbird, don't set up outbound in thunderbird?
On Tuesday, August 6, 2019 at 1:11:32 AM UTC-5, alex....@gmail.com wrote: > > Some time ago there was a post on reddit ( > https://www.reddit.com/r/Qubes/comments/9q76f2/splitmail_setup/) that > described setting up an offline mail vm. Just kill the "send" part there > and you'll get a mail black hole that receivs but never sends. Seems like > this is more or less what you want. > > On Tuesday, August 6, 2019 at 5:06:54 AM UTC+3, redd...@vfemail.net wrote: >> >> In Qubes, is it possible to set up a VM that can receive email, but not >> send information out, via email or otherwise? >> >> The motivation is: Many online accounts rely on an email address to reset >> passwords. However, the VM that handles inbound emails, processes a lot of >> untrusted input. If the VM gets compromised by an attacker, the attacker >> can then send password reset emails and read them. So to defend against >> this, I want to prevent the compromised VM from communicating out the >> contents of these password reset emails. >> >> Specifically: >> 1. Assume the VM is compromised (can't rely on in-VM enforcement >> mechanisms). >> 2. Assume the email provider is not compromised >> >> To further illustrate the problem, here are example setups and why they >> don't work: >> >> Setup 1: Use qubes firewall to restrict to the email provider's server >> and IMAP port. Block UDP requests using qvm-firewall. >> Why it doesn't work: Attacker can create an account on the same email >> provider and connect to their account (the firewall rules will not prevent >> this). They can then sync emails containing any data, to their account. >> >> Setup 2: Like Setup 1, but use POP3. >> Why it doesn't work: Attacker creates account at provider, transmits data >> via POP3 delete operations. >> >> Does anyone have a email setup with this inbound-only property, ideally >> that does not require running their own email server? >> >> Thank you. >> >> >> ------------------------------------------------- >> This free account was provided by VFEmail.net - report spam to >> ab...@vfemail.net >> >> *ONLY AT VFEmail!* - Use our *Metadata Mitigator*™ to keep your email >> out of the NSA's hands! >> $24.95 ONETIME Lifetime accounts with Privacy Features! >> No Bandwidth Quotas! 15GB disk space! >> Commercial and Bulk Mail Options! >> >> -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/9973f5d0-72a8-494f-bb6b-65124b247392%40googlegroups.com.