What is OnionMail
OnionMail is an open source SMTP/POP3 compatible mail server with some functions designed for Tor hidden services. OnionMail use filesystem cryptography and some extended functions. This server also allows you to use the email in the tor network without losing the ability to communicate with the Internet.

«In the future, maybe we will implement the anonymous coffee!
Today, only OnionMail
;) »

OnionMail functions:

  • Multiple instances of server. (multiple indipendent hidden services).
  • Native PGP integration for subscriprion and server`s message.
  • Subscription via PGP encrypted email.
  • VMAT Protocol (can use normal mail address without .onion).
  • SSL cryptography by default. (STARTTLS 2048 bits)
  • Multiple encryption everywhere, RSA + AES +  RSA + AES with salt.
  • Support unicode password (UTF-8 password and 2048 bits keyfiles).
  • Inhibition of store any message in relay server.
    (Only direct connection is allowed without multiple connections).
  • Metadata protection. NSA or GCHQ can't read your metadata.
  • SMTP Compatibility.
  • Internet normal email compatibility.
  • AntiSpam, blacklist and realtime filters.
  • Decentralized trust system for SSL certificate and public keys and exit list.
  • Native mailing list support.
  • Garbage collector to remove automatically old messages.
  • Clock and time zone spoofing.
  • Server services and operations:
    Add / Remove mail address or mail server in blacklist.
    Mailing list Subscribe / Unsubscribe.
    Request of server "rulez". (Server help).
    (All via mail message to the server directly "server@ xyz... .onion ")
  • JAVA Implementation for all platform.
  • Native version compiled with GCJ.
  • Localhost control port and server API.
  • Protected server password and keys (optionaly not saved).
  • IP BlackList
  • Onion BlackList
  • RSA Server and Tor connection authentication.
  • Connections via Tor Network.
  • Enter/Exit server to connect Tor to Internet and viceversa.
  • Statistics in csv format.
  • TorDNSLocalProxy to work with Exim4 and transprent SOCSK4A Tor Proxy.
  • Strong cryptography (RSA 2048 bits, AES 256 + AES 256 + AES 256 ).
  • Password key derivation via multiple keyfiles and passwords.
  • Deleting files with wipe by default.
  • Message headers filtering to hide informations and sigint.
  • POP3 TLS Access.
  • SMTP TLS Access.
  • User's parameters.
  • Exit node selection to connect to internet.
  • M.A.T. Protocol to connect correctly Internet, Tor, email and OnionMail.
  • Server identification request via email to obtain the ssl certificate fingerprint.
  • Self headers rebound to verifiy the client's mail headers and OnionMail filtering.
  • AntiSpam system.
  • And much more.....
Why OnionMail
The real question is: «Why not???».
OnionMail defends the right to confidentiality of communications.
OnionMail prevents clandestine espionage “otherwise democratic” governments.
How it works?
Usually other mail systems all mail messages pass through different SMTP servers often the connection is not encrypted.
With OnionMail the connection is always encrypted and the server does not saving data to disk. Only the recipient's server stores the messages.

The message files into the server are encrypted with asymmetric key, which is encrypted with the password of the user and the server keys. In the event of theft, the system does not reveal any sensitive data.
It always advisable to use PGP or GPG to encrypt e-mail messages.
When a message is sent from the Internet it passes through the server Enter / Exit. These servers are the entry and exit nodes of Tor for e-mail. The user can choose which node to use to communicate to the internet.
Spam is short-lived because there are the custom blacklists. So each user can set their own spam filters.
All servers are federated to create a check system for SSL server certificates.
With systems like this X-Keyscore and similar technologies have big problems to intercept your mail messages.

Rules of Use
  • Messages with multiple recipients are allowed.
  • There aren't Delivery Status Notification. If there are any problems email client responds with an error directly.
  • The message headers are filtered.
  • The hostname and ip addresses in the mail headers will be deleted or replaced with [].
  • It compulsory to use TLS. (STARTTLS, SSL 2048 bits).
  • You can manage the Blacklist and block individual addresses or entire hidden service to block spam.
  • The messages are automatically deleted after a number of days even if unread.
  • You can request services and information to the server by sending a message to the server@xy ... z.onion
  • Always follow the rules of the server. For more information please send a message with subject RULEZ to your server.
  • The SysOp, admin or root user can't read your private email messages. 
  • You can use anorma mail address via VMAT subscription to the exit/enter OnionMail server.
How to use
To use OnionMail you must use a Tor connection. We suggest to use Tails and GPG or PGP to encrypt your email messages.

There aren't any webmail to use your OnionMail. To read your email use the POP3 with TLS protocol.
(ClwawsMail and Thunderbrid supports this protocol).

When you send an email to the internet your address is changed by the M.A.T. (Mail Address Translator) protocol.
The onion address in moved before the character "@" and is append after"@" an intenret domain name of the exit/enter node.
If your mail address is: test@123456789abcef.onion
The exit node is: onionmail.info
The address will automatically translated: test.123456789abcef.onion@onionmail.info

When you actviate a VMAT subscription your mail address is changed automatically to a normal Internet mail address without .onion tld.

To use the servers services, send an email message to your server.
The address of server is "server" and all the same before character "@" of your OnionMail address.
If your mail address is: test@123456789abcef.onion
Your server is: server@123456789abcef.onion

The SysOp is the owner/administrator of the server. The address of sysop is "sysop" and all the before character "@" of the server address.
Your SysOp mail address: sysop@123456789abcef.onion

To use the server's services send an email message to the server, the subject of the messages is used to select the function.
If you want tho read the server rules send a message to your server (example server@123456789abcef.onion) with the subject "RULEZ"
The server will reply to you with the rulez file.
How to Setup OnionMail (Step by Step)
Follow this guide.
To install to debian use this package.
How to activate an OnionMail account quickly
  • Create your PGP public key.
  • Send a message to the server ( server@address.onion or server.address.onion@onionmail.info ) with subject NEWUSER followed by the username. If the username is ANONYMOUS (uppercase) the server will generates a random username. Put your PGP public key into the body of the message.
  • You will receive an encrypted message and account informations.
How to activate VMAT address widthout 16 characters.onion
Send a message to your server with subject VMAT. Put into the body of the message a line contains the new address of an exit domain with word register:
From: MyAddress@123456789abcdef.onion
To: server@123456789abcdef.onion
Subject: VMAT

REGISTER test@example.org
The server will reply the account data to you.
How to activate an OnionMail account into the OnionMail's project deep network
  • Generate a PGP key associated to an email or an existent OnionMail address.
  • Go to this page.
  • Paste your PGP public key and enter your email (or current OnionMail) address.
  • Select the server. We suggest “ridot”.
  • Choose the username.
  • Click on the button “subscribe” and wait for 150/200 seconds. Do not leave the page.
  • Read your email. You will receive an encrypted message and account informations.
Server Functions
As described in the previous section, to use the server's functions send a message to your server.
  • Get server informations:
    Send a message to the sever width subject: IDENT
    The server will reply to the SSL and server informations.
  • Manage your SPAM filters:
    To read the SPAM filters senda a message to the server width subject: SPAM LIST
    To add an address the subject is: SPAM ADD maildaddress@xyz.onion
    To add an entire server the subject is: SPAM ADD *@spamexample.onion
    To remove an entry, read the number from SPAM LIST. The subject is: SPAM DEL (number)
  • Subscribe to a mailing list:
    Send a message to the mailing list's server (server@ all the same after "@" of list address).
    The subject is: LIST example.list@serverlist.onion SUBSCRIBE
  • Unsubscribe to a mailing list:
    Send a message to the mailing list's server (server@ all the same after "@" of list address).
    The subject is: LIST example.list@serverlist.onion UNSUBSCRIBE
  • Get the exit node list:
    The subject is: EXIT LIST
  • To set the default exit node:
    The subject is: SET EXIT exitnode.example.org
  • To get help, rules and manuals:
    The subject is: RULEZ
  • Tho get the rulez file of a mailing list:
    Send a message to the mailing list's server (server@ all the same after "@" of list address).
    The subject is: LIST example.list@serverlist.onion RULEZ
  • To check your headers:
    The subject is: REBOUND HEADERS

How to activate a server

To activate an OnionMail server you must use Tor and Java.
We suggest to install cpulimit to prevent server CPU trouble when OnionMail generates the keys.
Don't create any exit server if don't know what you are doing:
An OnionMail enter/exit server can associate the hidden service onion address to the internet address.
Do not create any user into the enter/exit server.
  • The first step is: Create an hidden service:
    Create a directory, for example /home/onionmail/hiddenServiceDir
    Edit the /etc/tor/torrc file to add an hidden service:
    HiddenServiceDir /home/onionmail/hiddenServiceDir/
    HiddenServicePort 25
    HiddenServicePort 110
  • Download OnionMail and extract it, for example in /home/onionmail
  • Create the user and group for onionmail and set the files permissions.
  • Restart tor and wait for the completion of tor bootstrap.
  • Read the content of the file hostname into the hiddenServiceDir. This is your .onion address.
  • Edit the OnionMail configuration:
    Edit the file servers.conf ( /home/onionmail/etc/servers.conf )
    Modify the line "SMTPServer example {", after the word SMTPServer replace "example" with a nickname of the server.
    Modify the parameter "Onion". This is the address of the hidden service (put the content of the file hiddenServiceDir/hostname ).
    Modify the parameter "MailDir". This is the root directory of the server, use an absolute path and do not create the directory. ( For example /home/onionmail/maildir ).
    Change the passwords: Parameter PassWD.
  • Don't forget to modifiy the root password into the configuration file control.conf ( /home/onionmail/etc/control.conf ).
  • If you want tho create an exit/enter OnionMail server:
    Set the MX record of the enter/exit internet domain name of the server.
    Modify the file servers.conf into OnionMail config directory.
    Set the parameter "ExitRouteDomain" tho the internet domain name of the server.
    Set the parameter "ServerType" to "exit".
    Set the parameter "SMTPPort" to 25. This is the SMTP port. (Listen
    Don't forget to set: HiddenServicePort 25 into the torrc file. ( /etc/tor/torrc ).
  • Don't forget to modify the ssl infomations (SSLInfo) into the servers.conf file.
  • How to create multiple servers:
    Modify the /etc/tor/torrc to create more hidden service and hiddenServiceDir (directory).
    (Do not reuse the same ports).
    Add multiple server block into the servers.conf ( /home/onionmail/etc/servers.conf).
    (Copy and paste the first server block and change the copy).
  • Generate the server:
    java -jar onionmail.jar --gen-servers
  • Copy the files keyblock.txt and sysop.txt in a secure place (not into the server machine!). Do this for each OnionMail server.
  • Start the OnionMail server:
    java -jar onionmail.jar
    Paste the contents of keyblock.txt and server keyblock password (read sysop.txt).
    The content of keyblock.txt end with a line "."
    You can also use a little trick to daemonize OnionMail:
    Wipe the files keyblock.txt and sysop.txt. Create a single password file.
    java -jar onionmail.info < passwordfile &
  • How to control the server:
    You can use the PHPOnionMail package or the API directly.
    To use the API connect via telnet:
    telnet 9100
  • How to create a user manually:
    telnet 9100
    server nickname serverpassword
    addusr username
  • The SysOp account:
    The user logon informations are into the sysop.txt

Warning: To enable the VMAT protocol in your server
Add these lines to the servers.conf configuration file (in your EXIT server section)
VMATAllow {
Without this policy the server recjects all VMAT subscription by default.
Enable PGP/GPG integration
1) Create a GPG keypair via gpg for sysop user:
gpg --gen-key
Create a RSA key (from 2048 to 4096 bits) for sysop@hostname.onion
(Where hostname is the hostname of the server).
gpg --edit-key keyid
Add some subkeys (RSA 2048 sign, encrypt etc...)
Add the OnionMail Wrapper: sysop.hostname.onion@onionmail.info
2) Create a GPG keypair via gpg for server user: (for each server)
gpg --gen-key
Create a RSA key (from 2048 to 4096 bits) for server@hostname.onion
(Where hostname is the hostname of the server).
gpg --edit-key keyid
Add some subkeys (RSA 2048 sign, encrypt etc...)
Add the OnionMail Wrapper: server.hostname.onion@onionmail.info
3) Export the sysop's public key in ASCII format into an text file ( /home/onionmail/sysop.asc )
4) Export the server's public and private key in ASCII format into another text file ( /home/onionmail/server.asc )
5) Edit the file /home/onionmail/etc/control.conf ad put the full path of ASCII key file for sysop user to the PGPRootUserPKeyFile parameter.
PGPRootUserPKeyFile /home/onionmail/sysop.asc
6) Run onionmail with parameter --set-gpg in command line (after server generations).
java -jar onionmail.jar --set-gpg
7) Enter the path of server's ASCII keyfile and passphrase.
8) Don't forget to delete via wipe the ASCII keyfiles!

The servers save the sysop.txt encrypted in GPG. You will receive the boot message for sysop user in ecrypted GPG message.
The certificate of autodestruction (KCTL) will be ecrypted in GPG message.
Don't forget to send your sysop key to the server via MYKEY command.

SysOp MailingList
If you open a new mail hidden service don't forget to register to the SysOp mailing list:

Tor address:
Internet address:
To subscribe send a message to server@ridotnp5m5lp22gw.onion with subject:
LIST sysop.list@ridotnp5m5lp22gw.onion SUBSCRIBE

Using NTU (Hybrid system)
If you don't want use tor for all your mail accounts, there is a little solution named NTU.
NTU (Network Termination Unit) is a little local proxy that connect some email accounts to OnionMail.
The usage is very simple:
  • Run tor
  • When you first run the program ntu enter data easily from the command line.
    NTU request to you only the number of hidden services and the .onion addresses.
    All configurations are automated.
  • NTU is a small implementation of TORDnsLocalProxy (without DNS server and with static SOCKS proxy).
  • NTU tell to you how to connect to the hidden services:
Service 1:
Service 2:
NTU can be used to reconnect hydden services via tor network to increase the anonymity of the hidden service.
Eample: ntu.conf
    NTU    20110    z373bxyt6zhmxepx.onion    110
    NTU    20025    z373bxyt6zhmxepx.onion    25
    NTU    20080    z373bxyt6zhmxepx.onion    80
The keyword NTU starts a new local SOCK proxy.
This line configure a proxy that rebounds all connections form to z373bxyt6zhmxepx.onion:80
    NTU    20080    z373bxyt6zhmxepx.onion    80
(CC) by OnionMail Project

Licenza Creative Commons  Contatore per siti