Jump to: navigation, search


This page contains changes which are not marked for translation.

Mozilla Thunderbird (called Icedove in Debian) with TorBirdy

Introduction and Threats[edit]

You can either use webmail through Tor Browser or Mozilla Thunderbird with TorBirdy.

None of the solutions is perfect. This is not a Whonix related issue. It is a general issue with e-mail over Tor.

Registering the e-mail address anonymously, i.e. not entering personal data and always accessing it over Tor is a must. To avoid messing up, ideally consider using an e-mail provider that you did not previously use non-anonymously.

The e-mail provider is always a single point of failure. If the provider gets pressured, forced or decides not to like your opinion anymore or feels like terminating the service for everyone, the e-mail account can be easily terminated in seconds. This can significantly slow down correspondence. Therefore it is always good to have a few backup e-mail address and alternative communication channels.

You must be careful when receiving attachments. To avoid being infected with malware, open attachments in a virtual machine that has no internet connection.

It is often recommended to use mail encryption (enigmail). Yes, that's good. Use it. Remember, as stated on the Warning page, subjects are always unencrypted. That's not everything however.

Even if subjects are random, hidden, just a dash (-), empty or misleading and the content is encrypted, the e-mail provider can still log valuable data. When and with whom you are in contact, when you logged in, how long, how often you fetch mail. That's quite a lot metadata, which may lead into (false) assumptions by an adversary.

Many webmail services require JavaScript, display web bugs[1] and JavaScript allows them to learn how fast you type, how long you read a message, which spelling mistakes you make and correct as you type, to which address mails are sent, when you receive mails, from which addresses and when. Therefore webmail especially when it requires JavaScript is discouraged. A browser is no safe environment to write stuff. Read more on the Surfing, Posting, Blogging page. The best compromise of usability and security is using Mozilla Thunderbird with TorBirdy with POP3 and SMTP. IMAP is to be avoided, because it leaks more metadata. [2]


E-mail encryption is recommended. Mastering e-mail encryption is not hard, but involves a learning curve. It is outside the scope of this guide, see external documentation.


KGpg [3] and GnuPG are pre-installed.

Icedove (Mozilla Thunderbird) with Enigmail + TorBirdy[edit]

Mozilla Thunderbird (called Icedove in Debian) together with the add-ons Enigmail and TorBirdy[4] [5] are installed by default in Whonix and can be used for easy GPG encryption and anonymous (or pseudonymous) e-mail messaging.

If you are using Qubes-Whonix, complete the following steps:

Qubes App Launcher (blue/grey "Q") -> Whonix-Workstation AppVM (commonly named anon-whonix) -> Icedove

If you are using a graphical Whonix-Workstation, complete the following steps:

Start menu -> Applications -> Internet -> Icedove

Enigmail's recommended setting.



To interact with keyservers, you have various options.

  • a) KGpg: To fetch contacts' GPG keys from the key server open KGpg and go to Key Server Dialog. Search for email addresses you want to communicate with and import the keys.
  • b) gpg command line: You can use it as usual.
  • c) Enigmail's keyserver interaction features.
    • Will not work out of the box. [6] [7]
    • You need to apply the following setting every time you restart icedove. [8] [9] [10]

Icedove -> Enigmail (from menu bar) -> Preferences -> Display Expert Settings and Menus -> Advanced -> Additional Parameters -> remove the following part --keyserver-options http-proxy= -> OK

High-Security Precautions

There have been bugs in email clients and Enigmail that lead to auto-saving of drafts as plaintext. [11][12] If you are in a life critical situation you may want to encrypt your emails in such a way as to not risk leaks.

Also it is always recommended to import private keys using Kgpg instead of directly with Enigmail to avoid unexpected behavior with message encryption.

1. Open KGpg and select the recipient key (if more than one then hold CTRL while clicking).

2. Go to: File -> Open Editor and write your message.

3. Encrypt message to ciphertext by clicking on the Encrypt lock icon and choose your private key in the prompt that comes up and OK.

4. Copy the ciphertext into the email client and send it as you would normally (don't include subject lines - those are not encrypted).


[13] [14] [15]

Remailer - Sending e-mails without registration[edit]

See Remailer.

E-Mail Provider Comparison[edit]


It has been asked whether I2Pmail is safer than tormail, riseup, gmail and so on. The Threats chapter above states "e-mail is always a single point of failure". It doesn't really matter, apart from privacy by policy, no e-mail provider can significantly improve privacy by design. The most important thing about e-mail providers you should ask about e-mail providers is: Will they tolerate me signing up by Tor and exclusively using the e-mail service over Tor? Will they suspend my e-mail account because I speak against someone and they get forced to suspend my account? The latter question applies more, if you run a project, movement or something like that and less for accounts, which barely anyone knows.

Other than privacy by design, privacy by policy is always a weak protection. An exception might be services, which are not classical e-mail and therefore incompatible, but e-mail alike services such as Usenet (see below), I2P-Bote (see below), RetroShare or Ricochet IM (See Chat).

A few frequently discussed mail providers are described above with some facts. There is no recommendation for or against any mail providers.


  • Not affiliated with The Tor Project.
  • Rumors about being hosted by a secret service. It doesn't really matter, you shouldn't trust mail providers anyway. Assume, anything they can log, they will log forever.
  • They technically can not even store Tor exit IP addresses (perhaps mail clients without TorBirdy, put aside) because it is a hidden service.
  • Does not work reliable for mailing lists. After a while the user gets unsubscribed because tormail bounces too many mails.
  • We haven't heard about any e-mail accounts which got suspended. (Well, we don't know about spam abuse, but that's another story.)
  • They are obviously Tor-friendly.
  • Things said in the Threats chapter still apply.

The Tor Mail service is now offline[16], as it was hosted on Freedom Hosting and was taken down by the FBI.[17]


  • Quoted from wikipedia I2P[18]: "I2P has a free pseudonymous e-mail service run by an individual called Postman. Susimail is a web-based e-mail client intended primarily for use with Postman's mail servers, and is designed with security and anonymity in mind. Susimail was created to address privacy concerns in using these servers directly using traditional email clients, such as leaking the user's hostname while communicating with the SMTP server. It is currently included in the default I2P distribution, and can be accessed through the I2P router console web interface. Mail.I2P can contact both I2P email users, via user@mail.I2P and public internet email users from a user@I2Pmail.org address."
  • Cleaning the mail header is nice, but TorBirdy can do the same.
  • It is technically impossible to encrypt mails to clearnet addresses [19], unless the sender and recipient are using end-to-end encryption such as OpenPGP.
  • Therefore it is no more/less secure than using riseup, tormail, etc.
  • Even though based on I2P, you can still use it in Whonix over Tor, see I2P for information how to tunnel I2P over Tor.
  • We haven't heard about any e-mail accounts which got suspended. (Well, we don't know about spam abuse, but that's another story.)
  • Things said in the Threats chapter still apply.


  • Works reliable on mailing lists.
  • Privacy by policy.
  • Tor friendly.
  • Servers hosted in the US.
  • We haven't heard about any e-mail accounts which got suspended. (Well, we don't know about spam abuse, but that's another story.)
  • Things said in the Threats chapter still apply.
  • Doesn't update warrant canary on a fixed, regular basis.
  • "Forgot" to update canary on multiple occasions.
  • riseup.net likely compromised


  • Mike Hearn from Google addressed this issue on tor-talk[20]:

Access to Google accounts via Tor (or any anonymizing proxy service) is not allowed unless you have established a track record of using those services beforehand. You have several ways to do that:

1) With Tor active, log in via the web and answer a security question, if any is presented. You may need to receive a code on your phone. If you don't have a phone number on the account the access may be denied.

2) Log in via the web without Tor, then activate Tor and log in again WITHOUT clearing cookies. The GAPS cookie on your browser is a large random number that acts as a second factor and will whitelist your access.

Once we see that your account has a track record of being successfully accessed via Tor the security checks are relaxed and you should be able to use TorBirdy.

  • Recommended against. Not Tor friendly. It would be very difficult to sign up using Tor and to exclusively use it over Tor. They most likely ask for phone verification and this is almost impossible to do without jeopardizing anonymity. [21]

Anonymity Friendly E-Mail Provider List[edit]

Another anonymity network provider (JonDos), maintains a list of their recommended e-mail providers. Whonix developer Patrick Schleizer does NOT check this list. Might still be useful. See list (w), look for "Recommended Mail Provider".

pretty Easy privacy[edit]

pretty Easy privacy (p≡p) is a pluggable data encryption and verification system, which provides automatic key management and a KeySync protocol (yet being tested, not activated already) to sync private key material across the devices you want to read the same messages on.[22] It is cross-platform, message protocol agnostic and p2p. It exists as plugin for mail clients (Thunderbird and Outlook) on all major desktop systems and also as a mobile app for Android and iOS. Its cryptographic functionality is handled by open source p≡p engine relying on already existing cryptographic implementations in software like GnuPG, a modified version of netpgp (used only in iOS) and (as of p≡p v2.0) GNUnet. A non-transferable copyright cross-licensing agreement has just been concluded to allow distributing of the GNUnet binary as part of pEp under non-GPL licenses on restrictive platforms like the Apple store.[23]

In its default configuration, pEp does not rely on a web of trust or any form of centralized trust infrastructure, but instead lets users verify each others' authenticity by comparing cryptographic fingerprints in the form of natural language strings, which the pEp developers have chosen to call "trustwords". If both sides are using pEp, it automatically uses the anonymous transport provided by GNUnet. With that technology, meta data is no longer readable for an attacker. pEp is fully peer to peer itself. And only you have the keys. However it can inter-operate with legacy mail to secure that whenever applicable (if the intended recipient has a GPG key).[24] The pEp project is guided by a foundation that supports libre software.[25] Enigmail announced its intention to integrate the pEp encryption scheme by October 2016.[26] pEp's code has been audited.[27]

For further information on the project's check their milestones pages.


Bitmesage might be another alternative to e-mail. Not yet tested by Whonix developers, because Bitmessage developers do not yet sign their their source code.


Freemail[28] is an email system implemented upon the anonymous data distribution network Freenet. It is most similar to I2P-Bote, another anonymous and distributed email solution.

Like most Freenet plugins, it makes use of an anti-spam mechanism called the Web of Trust[29] to block abusers. Attachment sizes are virtually unlimited. Users would upload files on Freenet and link to them in Freemail messages.

See recommended tips for Freemail.


I2P-Bote is a serverless, encrypted email plugin that uses I2P for anonymity. Messages are stored in the distributed hash table (DHT) for 100 days, during which the recipient is able to download them.

To back up I2P-Bote data, copy the i2pbote folder inside the I2P config directory (~/.i2p/i2pbote on Unix systems or /var/lib/i2p/i2p-config when running as a daemon).

Compartmentalize activities and only use the I2P-Bote/Susimail VM snapshot for this purpose. Generally, applications that run with a browser interface are vulnerable to a whole class of bugs, including cross-site request forgery (CSRF).[30][31]


  • A webmail interface.
  • A user interface translated into 15 languages.
  • One-click creation of email accounts (called email identities).
  • Emails can be sent either under a sender identity or anonymously.
  • 2048-bit ElGamal, 256/521-bit Elliptic Curve and NTRU-1087 encryption.
  • Transparent, automatic encryption and signing without relying on third-party software such as PGP/GnuPG.
  • Sending and receiving via relays with delay periods set by the user, similar to Mixmaster.
  • Theme support.
  • POP3 / IMAP / SMTP.
  • Cc and Bcc support.
  • Delivery confirmation.
  • Attachments.
  • Basic support for short recipient names.
  • Android support (via I2P's Android client).

Planned Features:

  • An outproxy to interoperate with clearnet mail servers.
  • Custom folders.
  • Multi-device identity syncing.
  • Support for short email addresses like myname@bote.i2p
  • HashCash as an anti-spam solution should it become a problem.
  • Lots of other small improvements.



Interesting parts of Usenet other than discussion, include alt.anonymous.messages, Nym servers and Nym server URL Retrieval.


alt.anonymous.messages is a public newsgroups supposed to be used to post encrypted and anonymous messages. Getting anonymity and encrypting the messages is up to the user.

It may sound like a disadvantage, but it is an advantage. In comparison, you can never know how many people are using an e-mail provider. Posting in alt.anonymous.messages everyone knows which messages got posted when, but when done right, no one knows who posted a message and what the content of the message is.

Do not use a web service to read individual messages in alt.anonymous.messages. Use an NNTP client (such as Icedove with TorBirdy). Subscribe to the whole newsgroup and download all messages including headers.

Posting to alt.anonymous.messages can be done using Mixmaster and when it is run inside Whonix-Workstation, its traffic gets routed through Tor beforehand. See the Mixmaster article for instructions on using Mixmaster.

Using alt.anonymous.messages could be suspicious by itself, but if you do it right, your adversary may not even know, that you are using it. Since the use of remailer is tunneled through Tor, no one should know, that you are aware of the existence of the remailer network at all.

Further information:

If you are serious about using it, you should study the work of De-Anonymizing Alt.Anonymous.Messages so you can prevent doing that same mistakes.

Nym server protected e-mail inbox[edit]

Nym server can illustrated as:

some@mail.sender sends an mail to alice@nymserver.com

alice@nymserver.com -> mail server A -> mail server B -> ... -> mail server Z -> final@inbox.com

It is a kind of protection, a proxy chain in front of an e-mail inbox.

Or in other words, a Nym server provides an e-mail address, where incoming mails are forwarded through a configurable chain of mail servers (Remailer), while not revealing the recipient's inbox to the sender.

This adds several advantages,

  • e-mails can be received, while the e-mail provider is protected from pressure or force of an adversary and
  • where the e-mail provider doesn't necessarily know, where the e-mail address has been published
  • the e-mail provider doesn't know the sender e-mail address and can only see that the recipient became a mail from a remailer

It is my understanding, that the sender's email address will not be known to the recipient, because the remailer will strip it. (Unless the sender specifies it in the text.) However, the one sender of an e-mail is responsible for their own anonymity.

Another question is, if today's remailer really improve security. [32]

Further information:

Quicksilver Lite in Whonix / creating a Mixmin nym[edit]

mirimir[33] posted a guide to wilderssecurity.com forum, see Installing Quicksilver Lite in Whonix and creating a Mixmin nym. If you need help, try asking in that forum thread.

Please note that Whonix developers cannot answer support requests related to Quicksilver. This possibility has just been pointed out and wasn't tested in practice. It is a whole different thing than Whonix and very technical, difficult with many stumble points. Please look for another way, if you need support. Setting up Nym is not Whonix specific. Success stories, use cases, comments, improved documentation etc. however is welcome.

Nym server URL Retrieval[edit]

Nym server URL Retrieval is a way to download a web page with high latency and especially when combined with Tor, in theory, safer than Tor alone. In practice, there may be no additional anonymity from today's high latency networks and you could end up being one of the very few people using such, in theory, great services. For explanation about high latency network anonymity see Anonymity Network article[34] Further information on the bottom of mixnym.net.

Further information:

Please note that, Whonix developer Patrick Schleizer can not answer support requests related to Nym servers. This possibility has just been pointed out and wasn't tested in practice. It is a whole different thing than Whonix and very technical, difficult with many stumble points. Please look for another way, if you need support. Setting up Nym is not Whonix specific. Success stories, use cases, comments, improved documentation etc. however is welcome.


Quoted from Usenet Wikipedia[35]: "Usenet is a worldwide distributed Internet discussion system." The Wikipedia article is worth reading as an introduction.

There are binary groups and non-binary groups. Whonix itself doesn't restrict access to any of those groups. However, the Tor network is banned by some NNTP servers. Binary groups are not covered here, it will be very unlikely to find a free open NNTP server, allowing access to binary groups.

News Reader[edit]

You can read news groups either using an NNTP client, such as Icedove (+ TorBirdy) or an online reader such as Google Groups. Posting to Usenet using Google Groups is not recommended, it is (almost) impossible or at least very difficult to create an anonymous google account, which is required for posting, because Google requires Tor users to use mobile phone verification, which is not available for anonymous users. Google bans sms to web services as well. I don't know if there are other online hosted NNTP readers, which allow posting for Tor users.

Mixmaster can be used to post to news groups. When it is in Whonix-Workstation following the instructions in the Mixmaster article, Mixmaster traffic will be even routed through the Tor network.

NNTP Server[edit]

An open news server is defined as allowing access to all news discussion groups.

It is difficult to find a free NNTP server even for discussion groups. And no, we are not looking for a trial. Use search terms like "free NNTP server". The nyx.net list may be worth checking, I didn't try any of the servers which require registration. Ideally, the news server supports SSL and does not require registration, such as aioe or is available as a hidden service. I haven't found any news servers hosted as hidden service, they were all down. While aioe allows reading news groups, it does not allow Tor users to post. I haven't found any open news server allowing Tor users to post. (Use Mixmaster over Tor, see above.)

I haven't got NNTPS (SSL encrypted connection to the NNTP server) to work. Maybe it is an upstream bug.[36] This shouldn't be of too much concern. Everything posted to newsgroups is open to the public anyway. An encrypted connection to the NNTP server would only prevent Tor exit relays and their ISP's to tamper with the traffic, well, and login data (username and password) for password protected NNTP servers could get stolen. The NNTP server is untrusted in this threat model anyway.

Footnotes / References[edit]

  1. https://en.wikipedia.org/wiki/Web_beacon
  2. For example, how long you run your mail client. And saving drafts on the server as you type is not great either.
  3. KGpg Homepage, KGpg wiki with screenshot
  4. TorBirdy Homepage
  5. TorBirdy Source Code
  6. It has been made fail closed by TorBirdy developers, otherwise there could be a DNS leak in setups not using Whonix.
  7. proposal on how to make keyservers in Enigmail in Whonix work out of the box: do not use keyserver-options in Whonix
  8. upstream bug report: Can't set custom http-proxy on GnuPG-settings, lost after restart
  9. Since enigmail just calls gpg, and since everything is torified in Whonix anyway, and since gpg is stream isolated (by uwt wrapper) anyhow, there is no need for this setting in Whonix.
  10. Forum discussion: https://forums.whonix.org/t/gpg-keyservers-from-within-whonix-workstation
  11. https://tails.boum.org/security/claws_mail_leaks_plaintext_to_imap/index.en.html
  12. http://sourceforge.net/p/enigmail/bugs/502
  13. TorBirdy is an equivalent of TorButton.
  14. There are no proxy settings required for Stream Isolation, because there is native Whonix support since TorBirdy 0.1.0.
  15. TorBirdy sets Socks Host to and Port to 9102, if the WHONIX variable is set, which is the default in /etc/environment since Whonix 0.5.5.
  16. http://www.democraticunderground.com/10023403890
  17. http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/
  18. https://en.wikipedia.org/wiki/I2P
  19. Such as gmail, riseup etc.
  20. https://lists.torproject.org/pipermail/tor-talk/2012-October/025923.html
  21. Because they are also aware of online phone and messaging services and blacklisting the for verification upon knowledge.
  22. https://news.ycombinator.com/item?id=12827020
  23. https://lists.gnu.org/archive/html/gnunet-developers/2016-12/msg00046.html
  24. https://pep-project.org/2014-09/s1410740156
  25. http://pep-project.org/
  26. https://en.wikipedia.org/wiki/Pretty_Easy_privacy
  27. https://pep.foundation/blog/press-release--pep-releases-first-code-audit-of-the-pep-engine/index.html
  28. https://github.com/freenet/plugin-Freemail/blob/master/docs/spec/spec.tex
  29. https://wiki.freenetproject.org/Web_of_Trust
  30. https://chaoswebs.net/blog/2016/12/01/Exploiting-I2P-Bote/
  31. https://chaoswebs.net/blog/2016/10/15/Stealing-Your-I2P-Email/
  32. See Dev/Anonymity Network for explanation.
  33. http://www.wilderssecurity.com/member.php?u=121604
  34. Dev/Anonymity Network.
  35. https://en.wikipedia.org/wiki/Usenet
  36. https://trac.torproject.org/projects/tor/ticket/8069


Liberte Linux Philosophy page Copyright (C) 2013 Maxim Kammerer <mk at dee dot su>
Whonix Anonymity wiki page Copyright (C) 2013 - 2014 Patrick Schleizer <adrelanos@riseup.net>

This program with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it
under certain conditions; see the wiki source code for details.

Random News:

Have you contributed to Whonix? If so, feel free to add your name and highlight what you did on the Whonix authorship page.

Impressum | Datenschutz | Haftungsausschluss

https | (forcing) onion
Share: Twitter | Facebook | Google+

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! See Conditions for Contributions to Whonix, then Edit! IP addresses are scrubbed, but editing over Tor is recommended. Edits are held for moderation.

Whonix (g+) is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Libre Software license as Whonix itself. (Why?)