~amolith/nnmail

16232dd179e1bc43ba4415b4968b203d88c4165c — Amolith 2 years ago 4e72b0c
add content and config
5 files changed, 269 insertions(+), 0 deletions(-)

A docs/docs/clients.md
A docs/docs/privacy-and-opsec.md
A docs/index.md
A docs/stylesheets/extra.css
A mkdocs.yml
A docs/docs/clients.md => docs/docs/clients.md +52 -0
@@ 0,0 1,52 @@
---
title: Client Recommendations and Connecting To Them
description: Desktop client recommendations and connection instructions
---

For Linux/Windows desktop email clients, we recommend [Thunderbird
](https://www.thunderbird.net/)with [Enigmail](https://www.enigmail.net/) or
[aerc](https://aerc-mail.org/). They're both open source but fit different
situations; if you want a GUI and/or security is your main concern, use
Thunderbird and encrypt all of your emails with your GPG key. If you're looking
for a console client and encryption isn't as important but you do a lot of work
with Git, aerc might be the better option.

For mobile clients on Android, the only one we can really recommend is [K-9
Mail](https://k9mail.github.io/). It's open source, has a number of nice
privacy features, and is available in
[F-Droid](https://f-droid.org/en/packages/com.fsck.k9/) as well as [Google
Play](https://play.google.com/store/apps/details?id=com.fsck.k9). If possible,
we recommend using the latest beta build from F-Droid.

We don't know much about iOS or macOS but we've heard that Apple Mail is really
the best choice.

## Connecting to NixNet Mail

Regardless which email client you use, you'll need to know the following
information.

* Incoming
    * Username: `user@example.com`
    * Hostname: `imap.nixnet.email`
    * Protocol: IMAP
    * Port: `143`
    * Encryption: STARTTLS
    * Authentication: Normal password
* Outgoing
    * Username: `user@example.com`
    * Hostname: `smtp.nixnet.email`
    * Protocol: SMTP
    * Port: `587`
    * Encryption: STARTTLS
    * Authentication: Normal password

Alternatively, if you would like to download your emails and delete them from
the server, you can also use the POP3 protocol:

* Username: `user@example.com`
* Hostname: `pop.nixnet.email`
* Protocol: POP
* Port: `995`
* Encryption: STARTTLS
* Authentication: Normal password
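
Review bot: In the POP3 list at the end of this file, `Port: 995` is paired with `Encryption: STARTTLS`, but 995 is the implicit-TLS POP3 port, while STARTTLS is negotiated on the plain POP3 port 110. A client set up exactly as documented will typically fail the handshake. List the encryption as SSL/TLS for 995, or change the port to 110, whichever the server actually offers. Minor: in the first paragraph the Thunderbird link is split across lines as `[Thunderbird` / `](https://www.thunderbird.net/)with`, so the space lands inside the link text and nothing separates the link from "with"; move the space outside the closing parenthesis.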

A docs/docs/privacy-and-opsec.md => docs/docs/privacy-and-opsec.md +108 -0
@@ 0,0 1,108 @@
---
title: Email Privacy & Operational Security
description: Transparency regarding general email privacy and security
---


## Plaintext email

Email is inerently insecure. By default, everything is sent in plaintext from
one server to the next with no encryption whatsoever. Servers can encrypt mail
in-transit by implementing SSL and TLS but that still leaves copies of your
data in plaintext on both servers. For example, see this [email I sent to
myself](https://bin.nixnet.services/?f76b8366e6b7a7b0#95skPFhsptkfyMH3i1n25ENZeUzrmYEUHzDVezaToGn).
At the very bottom, the content of my email is shown in the file for anyone
with access to the server to see. At first glance, this may not seem like such
a huge deal. It does, however, become a big deal when you're conducting private
business over email. If we so chose, we could go to that directory and read
everything you're saying and there's nothing you could do about it. Any mail
provider has this capability: Gmail, Yahoo! Mail, Fastmail, the list goes on.
Unless special measures are taken to encrypt your emails at rest, this holds
true in every single case.

## Encrypted email

Providers like [Protonmail](https://protonmail.com/) and
[Tutanota](https://www.tutanota.com/) do exactly this and that is their main
draw. Mail to and from other users of the same platform (Protonmail →
Protonmail, Tutanota → Tutanota) is encrypted from end-to-end as well as at
rest so the only parties that can read it are the sender and the receiver; the
provider itself can't access them. However, the benefit of at-rest encryption
becomes absolutely meaningless the second you communicate with someone on a
server that doesn't implement it. Protonmail → Gmail is 100% insecure and
Google is free to perform whatever text analysis and user profiling they wish.
NixNet Mail will implement at-rest encryption in the near future but, even
then, there is no way to verify that that's actually the case unless we gave
everyone root access to our servers at all times (security and compliance
nightmare). The only viable solution is to take your privacy into your own
hands and encrypt emails yourself.

## GPG encryption

"GPG" stands for "GNU Privacy Guard" and is a libre implementation of "PGP" or
"Pretty Good Privacy", originally created by [Phil
Zimmerman](https://en.wikipedia.org/wiki/Phil_Zimmermann). PGP was eventually
bought by Symantec and became Symantec Encryption Desktop and GPG quickly
became the most widely used implementation of [OpenPGP
standards](https://tools.ietf.org/html/rfc4880). GPG integration is especially
common in open source email clients such as
[Thunderbird](https://www.thunderbird.net/) and
[Evolution](https://wiki.gnome.org/Apps/Evolution). It relies on [public-key
cryptography](https://en.wikipedia.org/wiki/Public-key_cryptography) and allows
users to encrypt their emails with another user's public key. The email would
then be decrypted using the receiver's private key. Take a look at this
[encrypted email I sent to
myself](https://bin.nixnet.services/?70f0ac93b8df9416#Fske8BYAVdoYzD76VgBb5AimRqm2yY8HgnpdcAzUwuD7).
As admins of the server, that is literally all we can see. The text between
`BEGIN PGP MESSAGE` and `END PGP MESSAGE` is the email body and it just looks
like a block of random characters to us. To the person receiving the message,
however, after decryption, they'll be able to read it just like the plaintext
one linked in the first section.

If you want to learn more about GPG encryption and protecting your privacy when
using email, we recommend reading through [Email
Self-Defense](https://emailselfdefense.fsf.org/en/), a fantastic resource from
the Free Software Foundation.

!!! warning
    Encrypting an email *does not* encrypt the metadata. When you sign up for a
    new email service, send one to yourself and inspect the headers to see if
    they obfuscate identifying details.

## Metadata

Another thing to keep in mind with emails is metadata in the headers of the
emails. In Roundcube, you can view these by clicking `More` then `View source`.
In Thunderbird, just press `CTRL` + `U`.For other clients and web UIs, you'll
just have to look around for options to show headers, view source, download,
something like that. You can also take a look at [the email I sent
myself](https://bin.nixnet.services/?f76b8366e6b7a7b0#95skPFhsptkfyMH3i1n25ENZeUzrmYEUHzDVezaToGn).

I'll break down some of the lines and explain what they are. Some of it is
irrelevant to this and will be skipped though.

`Return-Path: <amolith@nixnet.xyz>` 👉 Address your reply will go to

`Delivered-To: amolith@nixnet.email` 👉 Address the email was sent to

`To: Amolith <amolith@nixnet.email>` 👉 The *displayed* receiver

`From: Amolith <amolith@nixnet.xyz>` 👉 The *displayed* sender

`Subject: Email demonstration` 👉 Subject of the email

`Date: Sat, 23 Nov 2019 00:20:46 -0500` 👉 Timestamp at which the email was
sent.  This does include the timezone and can be used to identify you

`User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Thunderbird/68.2.2` 👉 Full user-agent the email application includes with the
email. In this case, it consists of the organisation, my display server, my
operating system and architecture, the HTML rendering engine, and the email
client and version. This can really be used to identify you.

The rest of it is server-side stuff that doesn't matter too much for this
document but will likely be discussed elsewhere in the future. Together, all of
this metadata can be used to identify people in a conversation. Timezone (vague
location), OS, email application, correspondents, and client version. That last
component could actually be useful for determining whether or not the client is
susceptible to certain malware attacks
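
Review bot: In the Metadata header breakdown, `Return-Path` is described as "Address your reply will go to", but Return-Path records the envelope sender and is where bounces are delivered; replies go to `Reply-To` when present and otherwise to `From`. Suggest rewording it as the bounce address so readers do not draw the wrong conclusion about which header exposes their reply address. Smaller fixes in the same file: "inerently" should be "inherently", the link text "Phil Zimmerman" drops the second "n" that its own URL has, `U`.For needs a space after the period, and the final sentence has no closing period.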

A docs/index.md => docs/index.md +68 -0
@@ 0,0 1,68 @@
---
title: NixNet Mail
summary: Information about NixNet Mail and registration instructions
---

!!! warning
    We are not accepting new registrations at this time. Please check back in the
    future if you would still like an account here. In the meantime, take a
    look at [Migadu](https://www.migadu.com/) and
    [Purelymail](https://purelymail.com/).

This mail server is fully usable, however, there is no registration frontend
and no support for custom domains; *until those features are present, consider
this an alpha-grade service*. In the meantime, if you would like an address at
any of [out domains](#domains), send an email to
[support@nixnet.services](mail:support@nixnet.services) or open a ticket using
the web interface at
[support.nixnet.services](https://support.nixnet.services/). Include your
desired username and domain in the form `user@example.com`. We will manually
create the account and send you a random password.

We also recommend reading [useplaintext.email](https://useplaintext.email) when
you have time. It explains how to be a good "netizen" and common email
etiquette that a lot of people don't think about. All of the things mentioned
there are default on our Roundcube instance except hard wrapping as it can be
quite off-putting for people who aren't used to it and may read emails on their
phone.

For webmail, [Roundcube](https://webmail.nixnet.email/) is available and
provides a rather nice experience, however, it does require JavaScript. If you
use Tor or simply disable JS, you may prefer
[Alps](https://simple.nixnet.email/). It is [actively being
developed](https://git.sr.ht/~emersion/alps) so there will likely be bugs.

<center>
[Roundcube](https://webmail.nixnet.email){: .md-button .md-button--primary }
[Alps](https://simple.nixnet.email){: .md-button .md-button--primary }
</center>

## Available domains

`.email` is a relatively new TLD and may be counted as invalid on some
websites. It's unlikely but possible. `.com` will work everywhere, however. The
numbered domains are only recommended for anonymous/throwaway/whatever accounts
when registering for services. The numbers correspond to letters as with the
3x4 keypads on mobile phones.

* nixnet.email
* nixnetmail.com
* pwned.life
* paranoid.network
* linux.monster
* 647630.xyz (*nixnet.xyz*)
* 3733366.xyz (*freedom.xyz*)
* 7748229.xyz (*privacy.xyz*)

## Planned features

!!! warning
    Aside for accessing webmail as a hidden service, these features are on hold
    until we have more time to work on the service. All of our efforts are
    currently focused on getting the rest of [NixNet](https://nixnet.services)
    to a stable position on new infrastructure. Once that is completed, we will
    continue working on improving NixNet Mail.

* Onion URL for webmail
* Local inbox encryption with user's password
* Support for sending/receiving mail to/from onion addresses
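
Review bot: The registration paragraph has two links that will not work: `(mail:support@nixnet.services)` uses a `mail:` scheme where `mailto:` is needed, and `[out domains](#domains)` points at `#domains` while the heading is `## Available domains`, whose generated anchor would be `#available-domains` (also "out" should be "our"). The same paragraph says the account's random password is sent to the user by email; since privacy-and-opsec.md in this commit explains that mail sits in plaintext on both servers, the page should tell users to change that password on first login, or offer to encrypt it to a GPG key they supply. In the Planned features warning, "Aside for" should be "Aside from".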

A docs/stylesheets/extra.css => docs/stylesheets/extra.css +6 -0
@@ 0,0 1,6 @@
:root {
  --md-primary-fg-color:        #7d4699;
  --md-primary-fg-color--light: #FFAD5C;
  --md-primary-fg-color--dark:  #007E52;
  --md-accent-fg-color: #6A5687;
}

A mkdocs.yml => mkdocs.yml +35 -0
@@ 0,0 1,35 @@
site_name: NixNet Mail
site_url: "https://nixnet.email/"
repo_name: "~amolith/nnmail"
repo_url: "https://sr.ht/~amolith/nnmail/"
nav:
  - Home: index.md
  - Docs:
    - Client Recommendations and Connecting To Them: docs/clients.md
    - Email Privacy and Operational Security: docs/privacy-and-opsec.md
  - Webmail: "https://webmail.nixnet.email/"
  - GPG Key: "https://nixnet.email/postmaster.txt"
  - Privacy: "https://nixnet.services/privacy"
markdown_extensions:
  - admonition
  - attr_list
  - def_list
  - meta
  - pymdownx.highlight
  - pymdownx.superfences
  - pymdownx.emoji:
      emoji_index: !!python/name:materialx.emoji.twemoji
      emoji_generator: !!python/name:materialx.emoji.to_svg
  - toc:
      permalink: true
plugins:
  - search
  - git-revision-date
theme:
  font: false
  name: material
  features:
    - navigation.instant
    - navigation.expand
extra_css:
  - stylesheets/extra.css
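
Review bot: This config depends on packages that none of the five added files declares: `name: material`, the `pymdownx.*` extensions, the `materialx.emoji` functions and the `git-revision-date` plugin all come from outside MkDocs itself. Add a requirements file with pinned versions and a short build note so the site builds reproducibly and a dependency update cannot silently change what gets published. Also, the nav entry `GPG Key: "https://nixnet.email/postmaster.txt"` points under `site_url`, but no `postmaster.txt` is added under `docs/` in this commit; either add the key file to the docs tree or document where it is served from.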