-
Notifications
You must be signed in to change notification settings - Fork 7
deployment
Secure cables communication is bundled with Liberté Linux, but it is an independent project that you can deploy anywhere.
Here I will assume that you are setting up cables communication for user anon in group users, using default paths, on a Gentoo machine.
Libmicrohttpd is a run-time dependency. Procmail is utilized for message formatting and headers manipulation. Tor and/or I2P are needed to utilize the respective communication transports. Privoxy is also required at present (as a unified proxy to locally access Tor/I2P).
The Gentoo ebuild script explicitly lists all package dependencies (see RDEPEND variable).
I2P's i2p.jar library is needed to compile EepPriv.java — adjust the makefile accordingly, and put i2p.jar into lib if the jar is unavailable during build. Building eeppriv.jar is not necessary if you don't need the eepSite keypair generation functionality (just set NOI2P=1). The specific I2P bundle from which i2p.jar is extracted doesn't matter, since it is only used for resolving imports during compilation.
Installation paths can be customized during make install by overriding the variables DESTDIR (the staging directory) and PREFIX (the hard-coded paths prefix):
CFLAGS="-O2 -march=core2" LDFLAGS="-Wl,-O1,--as-needed" make
make DESTDIR=/tmp/cables-stage PREFIX=/usr/local install
Mail sender and cables daemon are supposed to be executed under cable:cable user credentials:
useradd -c "Cables Communication" -d /dev/null -s /sbin/nologin -r -U cable
The init service for the cables daemon (which works as-is in Gentoo) should be adapted for the local distribution and installed in appropriate location:
cp /usr/local/etc/cable/cabled /etc/init.d
Cable pathnames should be adjusted in profile:
nano /usr/local/etc/cable/profile
You don't have to stick to the tree structure in profile, which assumes that you want to keep all persistent data in user anon's directory. A more traditional setup would be to have all CABLE_… directories relative to user cable's home, and a separate delivery process from CABLE_INBOX to user's inbox.
The CABLE_INBOX and CABLE_QUEUES/(r)queue directories should exist, and be writable by cable, e.g.:
gpasswd -a cable users
chmod g+x /home/anon
sudo -u anon mkdir -m 710 /home/anon/persist{,/cables,/mail}
sudo -u anon mkdir -m 1770 /home/anon/persist{/cables/{,r}queue,/mail/inbox}
Tor and/or I2P should be configured to redirect HTTP traffic to cables daemon. I.e., in torrc, add:
HiddenServiceDir /var/lib/tor/hidden_service/
HiddenServicePort 80 127.0.0.1:9080
and in i2ptunnel.config's httpserver section, set:
tunnel.X.privKeyFile=eepsite/eepPriv.dat
tunnel.X.targetHost=127.0.0.1
tunnel.X.targetPort=9080
The user needs to execute gen-cable-username, gen-tor-hostname and gen-i2p-hostname once. Note that CABLE_CERTS must be readable by cable:
sudo -u anon mkdir -m 710 /home/anon/persist/security{,/cable}
sudo -u anon mkdir -m 700 /home/anon/persist/security/{tor,i2p}
sudo -u anon gen-cable-username
sudo -u anon gen-tor-hostname
sudo -u anon gen-i2p-hostname
and then propagate Tor and I2P keypairs to the respective transports:
rsync -rp --chmod=u=rwX,go= /home/anon/persist/security/tor/hidden_service /var/lib/tor/
rsync -rp --chmod=u=rw,go= /home/anon/persist/security/i2p/eepsite /var/lib/i2p/
chown -hR tor:tor /var/lib/tor/hidden_service
chown -hR i2p:i2p /var/lib/i2p/eepsite
(keypairs may be also propagated in the opposite direction — however, the user will need to create …i2p/eepsite/hostname manually, if I2P support is desired).
Cabled should be then configured to start at boot:
rc-update add cabled default
Test that user's address(es) are live:
username=`sudo -u anon cable-id user`
torhost=`sudo -u anon cable-id tor`
i2phost=`sudo -u anon cable-id i2p`
curl http://localhost:9080/${username}/request/ver
sudo -u anon cable-ping ${username}@${torhost}
sudo -u anon cable-ping ${username}@${i2phost}
The output should be “LIBERTE CABLE 3.0” for the three commands if the proxies are correctly set, and both Tor and I2P have been configured (which doesn't need to be the case). Note that the new hidden service address will likely take some time to be recognized by the Tor network, whereas I2P short-circuits the route to the local eepSite.
Next, test the complete message lifecycle:
cable-send <<EOF
From: <${username}@${torhost}>
To: <${username}@${torhost}>
Subject: Test
Test
EOF
Follow the system log, CABLE_QUEUES/(r)queue/* and CABLE_INBOX directories contents during the message delivery process. After the process is complete, two messages should be delivered in CABLE_INBOX: the original message, and its delivery confirmation. CABLE_QUEUES should be restored to its original state (no work directories under (r)queue).
User anon needs to configure the email client with CABLE_INBOX as an MH inbox (for Claws-Mail, the parent directory should be set as an MH folder).
The email client also needs to be configured to send emails by piping messages to the email sender for each message — this is a sudo wrapper for the actual sending script, see comments inside for suggested sudo setup. The email address to configure can be retrieved by running the cable-info applet, also available as a desktop menu entry. Liveness of remote addresses can be checked with cable-ping.