[tor-talk] Towards a Torbutton for Thunderbird (torbutton-birdy)

Sukhbir Singh sukhbir.in at gmail.com
Mon May 14 19:09:58 UTC 2012


> /* instead of sending/leaking your local ip-address, add a word like
> "mailproxy" in helo/ehlo field */
> user_pref("mail.smtpserver.default.hello_argument", "mailproxy");


> /* when portable-thunderbird runs first time, then allow/partially-force
> to go via Tor-proxy. The "Polipo" will be needed when using lines which
> has port 8118, http or ssl. */
> user_pref("dns.nameserver", "");
> [...]
> user_pref("network.proxy.type", 1);


> /* To block auto connect to mozilla */
> user_pref("app.update.auto", false);


> user_pref("mail.shell.checkDefaultClient", false);

Not done. Please explain why do you think this is useful, that is,
what type of information can be leaked? :)

> /* to block auto check for emails when startsup, or when started for
> first-time */
> user_pref("mail.startup.enabledMailCheckOnce", false);

There is no concept of 'toggle' in the Torbutton for Thunderbird --
the only way to enable/ disable it will be by restarting Thunderbird.
So IMO this is not required.

> Noticed, pressing "re-test" during adding new email account causes
> Thunderbird to bypass Tor-proxy and use local network, thus leaking
> ip-address & location of that email, even though Tor-proxy was
> pre-specified or pre-configured.
> But using the "Create Account" button located inside new email adding
> window, did use Tor-proxy.
> To avoid such local-net leak/use during email creation, few generic user
> name based email accounts with major email service providers can be
> pre-added into "pref.js". And then Tor-fied Thunderbird users themselves
> can change "User1" in such "User1 at gmail.com" pre-existing emails into
> their actual email/user-name.
> Pre-existing email accounts with tor-proxy pre-configured in TB, does
> not leak dns or tcp.

We are aware of this issue (tagnaq's paper [0], Section 3.6.5 explains
this in detail). Because there seems to be no way to disable this from
within Thunderbird, we are currently working to skip the auto
configuration wizard by forcing the use of the manual account
configuration. I think we should have something ready soon.

> I Noticed, in older Thunderbirds, the imap, smtp server is
> "imap.gmail.com". In my test, that allows to receive emails, but not
> sending. And when changed into "imap.googlemail.com", then succeeds in
> both sending & receiving gmail emails.
> receive: imaps, 993, SSL/TLS.
> send : smtps, 587, STARTTLS.


Thanks for helping us test this out.

[0] - https://trac.torproject.org/projects/tor/attachment/wiki/doc/TorifyHOWTO/EMail/Thunderbird/Thunderbird%2BTor.pdf
[1] - https://support.google.com/mail/bin/answer.py?hl=en&answer=78799


More information about the tor-talk mailing list