unman:
> On Fri, Sep 11, 2020 at 11:03:15AM +0000, taran1s wrote:
>>
>>
>> unman:
>>
>> This is interesting. Can you be more specific regarding the settings you
>> use? How do you set up Tripwire to run against network-connected
>> qubes? You also mentioned using mutt in an offline qube. Can you
>> elaborate more on this too, please? Is mutt PGP friendly and a
>> safer option than Thunderbird?
>>
> 
> This warrants a much more detailed answer than I have time for now.
> 
> Tripwire - install in templates, store db in offline vault - I'm looking
> for changes in /rw, as well as "normal" directory structures.
> 
> Mutt - varies according to provider. I set this up when I was first
> playing with Qubes.
> I use 3 qubes: one disposableVM to pick up mail - either offline imap or
> rsync mail dirs. That qube is minimal, connects over Tor, and is restricted
> to mail provider.
> If the sync is in Mbox format, you can use mb2md to convert to Maildir
> format.
> The mail dirs are synced in to my mutt qube which is offline. I use
> qrexec for this.
> 
> Mutt is a great MUA, and has good integration with PGP. I use split-gpg,
> of course. I use notmuch integrated with mutt to keep on top of email.
> 
> For sending mails I use msmtp. Actually I queue outgoing in the Mutt
> qube, and rsync the queues (over qrexec) in to a sender disposableVM,
> which has outgoing traffic restricted to SMTP host. Over Tor of course.
> 
> So the fetch and send are done using disposableVMs, and the message
> queues synced in and out of the offline mutt queue over qrexec. The
> disposableVMs use minimal templates, have restricted network access,
> and use different network routes.
> The mutt qube is also based on a minimal template, and has a mailcap
> that effectively loads almost all attachments in offline disposableVMs.
> I have keyboard shortcuts to trigger the receive and send sides - I
> suppose you could do this with cron jobs, but I prefer not to use
> automatic processes.
> 
> That probably raises a few more questions. If it does, ask and I'll try to
> provide some specifics.
> 

Dear Unman, thank you for your explanation. It is a very interesting topic,
and it could, if transformed into a guide, be a huge added value for the
"Qubes hardening" section, or even the Active Defense approach, in the Qubes
documentation.

I understand that every advanced user, like you, has his/her own custom
secure setup of Qubes and there is no Ring that rules them all. But for
the users that would like to move forward to a more active defense
approach, already present in the Qubes documentation, this would really
be very enlightening. As if one opens the door to a new area and
moves forward again.

Do you think it would be possible for you to share the guide with us so
that we can move forward? There is so much to learn, and even though I
haven't managed to get the VPN over Tor running yet, your setup seems very
interesting to try.

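The Tripwire arrangement described in the quoted message (database kept in an offline vault, watching for changes in /rw) comes down to comparing a fresh manifest of a tree against a baseline stored outside the monitored qube. The following is an added example, not part of the thread and neither Tripwire's code nor unman's configuration; the function names and the JSON baseline format are assumptions made for illustration.

```python
# Added example: function names and the JSON baseline format are assumptions, not Tripwire's.
import hashlib, json, os, stat, sys

def snapshot(root):
    """Return {relative path: [kind, mode, sha256 or link target]} for a tree."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: record the link itself, never its target
            mode = stat.S_IMODE(st.st_mode)
            if stat.S_ISLNK(st.st_mode):
                entry = ["link", mode, os.readlink(full)]
            elif stat.S_ISDIR(st.st_mode):
                entry = ["dir", mode, ""]
            elif stat.S_ISREG(st.st_mode):
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
                entry = ["file", mode, digest.hexdigest()]
            else:
                entry = ["special", mode, ""]  # sockets, FIFOs, devices
            manifest[os.path.relpath(full, root)] = entry
    return manifest

def save_baseline(manifest, path):
    with open(path, "w") as fh:
        json.dump(manifest, fh, sort_keys=True, indent=1)

def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)

def compare(baseline, current):
    """Report paths added, removed, or changed (content, mode, type, link target)."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old), "removed": sorted(old - new),
            "changed": sorted(p for p in old & new if baseline[p] != current[p])}

if __name__ == "__main__":
    if len(sys.argv) != 4 or sys.argv[1] not in ("init", "check"):
        sys.exit("usage: init|check TREE BASELINE.json")
    action, tree, db = sys.argv[1:4]
    if action == "init":
        save_baseline(snapshot(tree), db)
    else:
        report = compare(load_baseline(db), snapshot(tree))
        print(json.dumps(report, indent=1))
        sys.exit(1 if any(report.values()) else 0)
```

The comparison is only as trustworthy as the baseline, which is why the baseline file belongs in the offline qube rather than next to the tree it describes. A manifest generated inside a compromised qube can itself be falsified, so a clean comparison is weaker evidence than a reported change.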