A docs/docs/clients.md => docs/docs/clients.md +52 -0
@@ 0,0 1,52 @@
+---
+title: Client Recommendations and Connecting To Them
+description: Desktop client recommendations and connection instructions
+---
+
+For Linux/Windows desktop email clients, we recommend [Thunderbird
+](https://www.thunderbird.net/)with [Enigmail](https://www.enigmail.net/) or
+[aerc](https://aerc-mail.org/). They're both open source but fit different
+situations; if you want a GUI and/or security is your main concern, use
+Thunderbird and encrypt all of your emails with your GPG key. If you're looking
+for a console client and encryption isn't as important but you do a lot of work
+with Git, aerc might be the better option.
+
+For mobile clients on Android, the only one we can really recommend is [K-9
+Mail](https://k9mail.github.io/). It's open source, has a number of nice
+privacy features, and is available in
+[F-Droid](https://f-droid.org/en/packages/com.fsck.k9/) as well as [Google
+Play](https://play.google.com/store/apps/details?id=com.fsck.k9). If possible,
+we recommend using the latest beta build from F-Droid.
+
+We don't know much about iOS or macOS but we've heard that Apple Mail is really
+the best choice.
+
+## Connecting to NixNet Mail
+
+Regardless which email client you use, you'll need to know the following
+information.
+
+* Incoming
+ * Username: `user@example.com`
+ * Hostname: `imap.nixnet.email`
+ * Protocol: IMAP
+ * Port: `143`
+ * Encryption: STARTTLS
+ * Authentication: Normal password
+* Outgoing
+ * Username: `user@example.com`
+ * Hostname: `smtp.nixnet.email`
+ * Protocol: SMTP
+ * Port: `587`
+ * Encryption: STARTTLS
+ * Authentication: Normal password
+
+Alternatively, if you would like to download your emails and delete them from
+the server, you can also use the POP3 protocol:
+
+* Username: `user@example.com`
+* Hostname: `pop.nixnet.email`
+* Protocol: POP
+* Port: `995`
+* Encryption: STARTTLS
+* Authentication: Normal password
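Review bot: the POP3 list pairs port `995` with `Encryption: STARTTLS`, and those two do not go together. Port 995 is the implicit-TLS POP3 port, while STARTTLS is an upgrade negotiated on the plaintext port 110, so a client configured exactly as written will most likely fail to connect. Change the encryption line to `SSL/TLS`, or change the port to match what the server actually offers. Smaller points: `)with` in the first paragraph is missing a space after the Thunderbird link, and "Regardless which" should read "Regardless of which".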
A docs/docs/privacy-and-opsec.md => docs/docs/privacy-and-opsec.md +108 -0
@@ 0,0 1,108 @@
+---
+title: Email Privacy & Operational Security
+description: Transparency regarding general email privacy and security
+---
+
+
+## Plaintext email
+
+Email is inerently insecure. By default, everything is sent in plaintext from
+one server to the next with no encryption whatsoever. Servers can encrypt mail
+in-transit by implementing SSL and TLS but that still leaves copies of your
+data in plaintext on both servers. For example, see this [email I sent to
+myself](https://bin.nixnet.services/?f76b8366e6b7a7b0#95skPFhsptkfyMH3i1n25ENZeUzrmYEUHzDVezaToGn).
+At the very bottom, the content of my email is shown in the file for anyone
+with access to the server to see. At first glance, this may not seem like such
+a huge deal. It does, however, become a big deal when you're conducting private
+business over email. If we so chose, we could go to that directory and read
+everything you're saying and there's nothing you could do about it. Any mail
+provider has this capability: Gmail, Yahoo! Mail, Fastmail, the list goes on.
+Unless special measures are taken to encrypt your emails at rest, this holds
+true in every single case.
+
+## Encrypted email
+
+Providers like [Protonmail](https://protonmail.com/) and
+[Tutanota](https://www.tutanota.com/) do exactly this and that is their main
+draw. Mail to and from other users of the same platform (Protonmail →
+Protonmail, Tutanota → Tutanota) is encrypted from end-to-end as well as at
+rest so the only parties that can read it are the sender and the receiver; the
+provider itself can't access them. However, the benefit of at-rest encryption
+becomes absolutely meaningless the second you communicate with someone on a
+server that doesn't implement it. Protonmail → Gmail is 100% insecure and
+Google is free to perform whatever text analysis and user profiling they wish.
+NixNet Mail will implement at-rest encryption in the near future but, even
+then, there is no way to verify that that's actually the case unless we gave
+everyone root access to our servers at all times (security and compliance
+nightmare). The only viable solution is to take your privacy into your own
+hands and encrypt emails yourself.
+
+## GPG encryption
+
+"GPG" stands for "GNU Privacy Guard" and is a libre implementation of "PGP" or
+"Pretty Good Privacy", originally created by [Phil
+Zimmerman](https://en.wikipedia.org/wiki/Phil_Zimmermann). PGP was eventually
+bought by Symantec and became Symantec Encryption Desktop and GPG quickly
+became the most widely used implementation of [OpenPGP
+standards](https://tools.ietf.org/html/rfc4880). GPG integration is especially
+common in open source email clients such as
+[Thunderbird](https://www.thunderbird.net/) and
+[Evolution](https://wiki.gnome.org/Apps/Evolution). It relies on [public-key
+cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) and allows
+users to encrypt their emails with another user's public key. The email would
+then be decrypted using the receiver's private key. Take a look at this
+[encrypted email I sent to
+myself](https://bin.nixnet.services/?70f0ac93b8df9416#Fske8BYAVdoYzD76VgBb5AimRqm2yY8HgnpdcAzUwuD7).
+As admins of the server, that is literally all we can see. The text between
+`BEGIN PGP MESSAGE` and `END PGP MESSAGE` is the email body and it just looks
+like a block of random characters to us. To the person receiving the message,
+however, after decryption, they'll be able to read it just like the plaintext
+one linked in the first section.
+
+If you want to learn more about GPG encryption and protecting your privacy when
+using email, we recommend reading through [Email
+Self-Defense](https://emailselfdefense.fsf.org/en/), a fantastic resource from
+the Free Software Foundation.
+
+!!! warning
+ Encrypting an email *does not* encrypt the metadata. When you sign up for a
+ new email service, send one to yourself and inspect the headers to see if
+ they obfuscate identifying details.
+
+## Metadata
+
+Another thing to keep in mind with emails is metadata in the headers of the
+emails. In Roundcube, you can view these by clicking `More` then `View source`.
+In Thunderbird, just press `CTRL` + `U`.For other clients and web UIs, you'll
+just have to look around for options to show headers, view source, download,
+something like that. You can also take a look at [the email I sent
+myself](https://bin.nixnet.services/?f76b8366e6b7a7b0#95skPFhsptkfyMH3i1n25ENZeUzrmYEUHzDVezaToGn).
+
+I'll break down some of the lines and explain what they are. Some of it is
+irrelevant to this and will be skipped though.
+
+`Return-Path: <amolith@nixnet.xyz>` 👉 Address your reply will go to
+
+`Delivered-To: amolith@nixnet.email` 👉 Address the email was sent to
+
+`To: Amolith <amolith@nixnet.email>` 👉 The *displayed* receiver
+
+`From: Amolith <amolith@nixnet.xyz>` 👉 The *displayed* sender
+
+`Subject: Email demonstration` 👉 Subject of the email
+
+`Date: Sat, 23 Nov 2019 00:20:46 -0500` 👉 Timestamp at which the email was
+sent. This does include the timezone and can be used to identify you
+
+`User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
+Thunderbird/68.2.2` 👉 Full user-agent the email application includes with the
+email. In this case, it consists of the organisation, my display server, my
+operating system and architecture, the HTML rendering engine, and the email
+client and version. This can really be used to identify you.
+
+The rest of it is server-side stuff that doesn't matter too much for this
+document but will likely be discussed elsewhere in the future. Together, all of
+this metadata can be used to identify people in a conversation. Timezone (vague
+location), OS, email application, correspondents, and client version. That last
+component could actually be useful for determining whether or not the client is
+susceptible to certain malware attacks
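Review bot: in the header breakdown, `Return-Path` is described as "Address your reply will go to", which is not what that header does. Return-Path records the envelope sender and is where delivery failures are returned; replies follow `Reply-To` or, if that is absent, `From`. Suggest rewording it along the lines of "Address bounces are returned to". In the same list, `Mozilla/5.0` is a legacy compatibility token rather than "the organisation". "Protonmail → Gmail is 100% insecure" would be more accurate as "not end-to-end encrypted", since the earlier section already separates in-transit TLS from at-rest encryption. Typos: "inerently", "Zimmerman" (the linked article spells it "Zimmermann"), a missing space in `U`.For, and no period on the final sentence.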
A docs/index.md => docs/index.md +68 -0
@@ 0,0 1,68 @@
+---
+title: NixNet Mail
+summary: Information about NixNet Mail and registration instructions
+---
+
+!!! warning
+ We are not accepting new registrations at this time. Please check back in the
+ future if you would still like an account here. In the meantime, take a
+ look at [Migadu](https://www.migadu.com/) and
+ [Purelymail](https://purelymail.com/).
+
+This mail server is fully usable, however, there is no registration frontend
+and no support for custom domains; *until those features are present, consider
+this an alpha-grade service*. In the meantime, if you would like an address at
+any of [out domains](#domains), send an email to
+[support@nixnet.services](mail:support@nixnet.services) or open a ticket using
+the web interface at
+[support.nixnet.services](https://support.nixnet.services/). Include your
+desired username and domain in the form `user@example.com`. We will manually
+create the account and send you a random password.
+
+We also recommend reading [useplaintext.email](https://useplaintext.email) when
+you have time. It explains how to be a good "netizen" and common email
+etiquette that a lot of people don't think about. All of the things mentioned
+there are default on our Roundcube instance except hard wrapping as it can be
+quite off-putting for people who aren't used to it and may read emails on their
+phone.
+
+For webmail, [Roundcube](https://webmail.nixnet.email/) is available and
+provides a rather nice experience, however, it does require JavaScript. If you
+use Tor or simply disable JS, you may prefer
+[Alps](https://simple.nixnet.email/). It is [actively being
+developed](https://git.sr.ht/~emersion/alps) so there will likely be bugs.
+
+<center>
+[Roundcube](https://webmail.nixnet.email){: .md-button .md-button--primary }
+[Alps](https://simple.nixnet.email){: .md-button .md-button--primary }
+</center>
+
+## Available domains
+
+`.email` is a relatively new TLD and may be counted as invalid on some
+websites. It's unlikely but possible. `.com` will work everywhere, however. The
+numbered domains are only recommended for anonymous/throwaway/whatever accounts
+when registering for services. The numbers correspond to letters as with the
+3x4 keypads on mobile phones.
+
+* nixnet.email
+* nixnetmail.com
+* pwned.life
+* paranoid.network
+* linux.monster
+* 647630.xyz (*nixnet.xyz*)
+* 3733366.xyz (*freedom.xyz*)
+* 7748229.xyz (*privacy.xyz*)
+
+## Planned features
+
+!!! warning
+ Aside for accessing webmail as a hidden service, these features are on hold
+ until we have more time to work on the service. All of our efforts are
+ currently focused on getting the rest of [NixNet](https://nixnet.services)
+ to a stable position on new infrastructure. Once that is completed, we will
+ continue working on improving NixNet Mail.
+
+* Onion URL for webmail
+* Local inbox encryption with user's password
+* Support for sending/receiving mail to/from onion addresses
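Review bot: the registration paragraph says "We will manually create the account and send you a random password", but the privacy page added in this same patch explains that mail sits in plaintext on both servers. The docs should say how that password is protected: for example, ask requesters to include a GPG public key so the reply can be encrypted, and tell users to change the password on first login. Separately, two links in that paragraph will not work as written. `mail:support@nixnet.services` needs the `mailto:` scheme, and `[out domains](#domains)` points at an anchor that the heading `## Available domains` will not generate (the slug would be `available-domains`); "out" should also be "our". In the planned-features warning, "Aside for" should be "Aside from".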
A => +6 -0
@@ 0,0 1,6 @@
:root {
--md-primary-fg-color: #7d4699;
--md-primary-fg-color--light: #FFAD5C;
--md-primary-fg-color--dark: #007E52;
--md-accent-fg-color: #6A5687;
}
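Review bot: `--md-primary-fg-color--light: #FFAD5C` and `--md-primary-fg-color--dark: #007E52` are an orange and a green, not lighter and darker variants of the purple primary `#7d4699`. Anything in the theme that uses the light or dark variant for hover or contrast states will clash with the primary colour. If that is intentional, a comment saying so would help; otherwise pick tints and shades of the primary. The hex values also mix lower and upper case, so pick one.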
A mkdocs.yml => mkdocs.yml +35 -0
@@ 0,0 1,35 @@
+site_name: NixNet Mail
+site_url: "https://nixnet.email/"
+repo_name: "~amolith/nnmail"
+repo_url: "https://sr.ht/~amolith/nnmail/"
+nav:
+ - Home: index.md
+ - Docs:
+ - Client Recommendations and Connecting To Them: docs/clients.md
+ - Email Privacy and Operational Security: docs/privacy-and-opsec.md
+ - Webmail: "https://webmail.nixnet.email/"
+ - GPG Key: "https://nixnet.email/postmaster.txt"
+ - Privacy: "https://nixnet.services/privacy"
+markdown_extensions:
+ - admonition
+ - attr_list
+ - def_list
+ - meta
+ - pymdownx.highlight
+ - pymdownx.superfences
+ - pymdownx.emoji:
+ emoji_index: !!python/name:materialx.emoji.twemoji
+ emoji_generator: !!python/name:materialx.emoji.to_svg
+ - toc:
+ permalink: true
+plugins:
+ - search
+ - git-revision-date
+theme:
+ font: false
+ name: material
+ features:
+ - navigation.instant
+ - navigation.expand
+extra_css:
+ - stylesheets/extra.css
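Review bot: the `plugins` and `markdown_extensions` sections pull in third-party packages (`git-revision-date`, the `pymdownx.*` extensions, `materialx.emoji` from the Material theme), but nothing in this patch declares or pins them. Please add a requirements file with pinned versions so the site build is reproducible and a dependency update cannot silently change what gets published. Also, the nav entry `GPG Key: "https://nixnet.email/postmaster.txt"` points under `site_url`, yet no `postmaster.txt` is added under `docs/` here; if it is not deployed by some other means, that link will 404. Minor: the nav label "Email Privacy and Operational Security" differs from the page title "Email Privacy & Operational Security".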