Re: [qubes-users] Receive-only email VM

2019-08-07 Thread Steve Coleman 

On 8/2/19 1:24 PM, reddit@vfemail.net wrote:
In Qubes, is it possible to set up a VM that can receive email, but not 
send information out, via email or otherwise?


The motivation is: Many online accounts rely on an email address to 
reset passwords. However, the VM that handles inbound emails, processes 
a lot of untrusted input. If the VM gets compromised by an attacker, the 
attacker can then send password reset emails and read them. So to defend 
against this, I want to prevent the compromised VM from communicating 
out the contents of these password reset emails.


Specifically:
1. Assume the VM is compromised (can't rely on in-VM enforcement 
mechanisms).

2. Assume the email provider is not compromised

To further illustrate the problem, here are example setups and why they 
don't work:


Setup 1: Use qubes firewall to restrict to the email provider's server 
and IMAP port. Block UDP requests using qvm-firewall.
Why it doesn't work: Attacker can create an account on the same email 
provider and connect to their account (the firewall rules will not 
prevent this). They can then sync emails containing any data, to their 
account.


Setup 2: Like Setup 1, but use POP3.
Why it doesn't work: Attacker creates account at provider, transmits 
data via POP3 delete operations.


How about setup the firewall to black hole the entire IP range of the 
email service company, then set up a proxy on the firewall which you 
then control, and you set their email program to use the proxy. If need 
be you can black hole all the pop/smtp/imap ports for all Internet 
traffic forcing them to use the proxy for any email no matter what email 
program or provider they use. When they try to send any email the proxy 
simply closes that connection.


Controlling HTTP/s traffic might be more difficult, but if necessary you 
can proxy all that as well. If its just one service provider you care 
about then the black hole IP trick should do the job.


You put any custom logic for your specific requirements into the proxy 
which then controls their access accordingly. Basically its a default 
deny gateway which needs to match on the permitted rules before they are 
ever granted access. The downside is you will likely need to write your 
own proxy for this.




--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/bd97b81b-5b13-ff22-42b5-21505054e34c%40jhuapl.edu.

[qubes-users] Receive-only email VM

2019-08-05 Thread reddit . tor 
In Qubes, is it possible to set up a VM that can receive email, but  
not send information out, via email or otherwise?


The motivation is: Many online accounts rely on an email address to  
reset passwords. However, the VM that handles inbound emails,  
processes a lot of untrusted input. If the VM gets compromised by an  
attacker, the attacker can then send password reset emails and read  
them. So to defend against this, I want to prevent the compromised VM  
from communicating out the contents of these password reset emails.


Specifically:
1. Assume the VM is compromised (can't rely on in-VM enforcement mechanisms).
2. Assume the email provider is not compromised

To further illustrate the problem, here are example setups and why  
they don't work:


Setup 1: Use qubes firewall to restrict to the email provider's server  
and IMAP port. Block UDP requests using qvm-firewall.
Why it doesn't work: Attacker can create an account on the same email  
provider and connect to their account (the firewall rules will not  
prevent this). They can then sync emails containing any data, to their  
account.


Setup 2: Like Setup 1, but use POP3.
Why it doesn't work: Attacker creates account at provider, transmits  
data via POP3 delete operations.


Does anyone have a email setup with this inbound-only property,  
ideally that does not require running their own email server?


Thank you.


-
This free account was provided by VFEmail.net - report spam to ab...@vfemail.net

ONLY AT VFEmail! - Use our Metadata Mitigator to keep your email out of the 
NSA's hands!
$24.95 ONETIME Lifetime accounts with Privacy Features!  
15GB disk! No bandwidth quotas!
Commercial and Bulk Mail Options!  


--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20190802172417.Horde.M2A6oHRcxGgHKjm0legNGrC%40www.vfemail.net.