DDMail

Development state: open alpha
Tor onion service address: ty6nw3vuckv4cwjwwljr32v2vv4btawi7oemx3ayivdknhcziaspwtad.onion
I2P eepsites address: lqvvhl4e5rtz75khof6iku5vbf7cgaghfoi36dbcyc2nlvdqm6ca.b32.i2p

Logged in on account: Not logged in
Logged in as user: Not logged in

About

Here you can find information regarding ddmail e-mail system/service.

What is DDMail

DDMail is a e-mail system/service that prioritizes security.

Our definition of privacy

Privacy is when someone knows who you are but doesn't know what you're doing. Privacy is about not disclosing your actions or data. For example your adversary knows that you are using ddmail to send and recive emails but they do not know the content of the emails.

Our definition of anonymity

Anonymity is when someone knows what you're doing but doesn't know who you are. Anonymity is about not disclosing your identity. For example your adversary knows the content of your emails but they do not know that it is you who sends or recives them.

Our definition of security

Security is design, implementation, measures and methods taken to protect you and your data regarding confidentiality, integrity, availability, privacy and anonymity from your adversary.

Privacy and anonymity

We try to protect our users privacy and anonymity. No personal information is needed during registration or usage. We do not track or monitor users activety. We do not serve ads. We do not use javascript. We do not save/log the users ip when using HTTPS or IMAPS. We do not in any way distribute nor sell the small amount of user data we have unless obligated by a court in Sweden. The service is avalible as a tor onion service(before known as tor hidden service). The service is avalible as a i2p service. Using our service including registration, regardless of how you use or access it (clearnet, vpn, tor, i2p) will not require any verification like phone number etc.

Security

We try to use the following design patterns/principle:
- less code, less attacksurface
- leased privileged
- default deny
- assume breach
The server configuration and application code is all open source and can be reviewed and used by anyone at https://github.com/drzobin. We see all input as evil. We use hard to crack password hashing with argon2. We autoupdate the server software every day. We use mod_security as web application firewall (WAF). We use apparmore as mandatory access control (MAC) in enforce mode. We use apparmore, namespaces and seccomp to sandbox processes. We do not provide any webmail interface nor do our website contains any javascript, images or videos.

Security regarding SMTP and DNS

We are using DNSSEC, SPF, DKIM, DMARC, CAA, MTA-STS and DANE/TLSA(311) to make the service more resilient to threats.

DANE/TLSA

We have DANE/TLSA 311 DNS records for the following services and ports:
SMTP mail.ddmail.se port 25 (with support for STARTTLS)
SMTP mail.ddmail.se port 587 (with support for STARTTLS)
SMTPS mail.ddmail.se port 465 (SMTP wrapped in TLS)
IMAPS mail.ddmail.se port 993 (IMAP wrapped in TLS)
HTTPS ddmail.se port 443 (HTTP wrapped in TLS)
HTTPS www.ddmail.se port 443 (HTTP wrapped in TLS)

Security regarding mail content

We use clamav, oletools with olefy and rspamd to fight malware, phishing and spam.

Default Encryption "at rest"

E-mail is always encrypted "at rest" using elliptic curve secp521r1 private and public key pair. The private key is password protected. The password is the email account password base64 encoded. This encryption/decryption is done seamlessly to the user on ddmail servers. Every email account(maildir) has different key pairs. The password protected private key is stored on ddmail servers.

Extanded Encryption "at rest" using OpenPGP

Incoming emails can be automatic encrypted using OpenPGP public keys. This means that incoming emails will be double encrypted "at rest" where the email accounts (maildir) will be encrypted with "default Encryption at rest" (above-mentioned) and individual emails will also be encrypted with OpenPGP. This is a opt-in feature where the user needs to upload the OpenPGP public key to ddmail servers and activate OpenPGP encryption on specific email account with a specific public key. Using this feature the users OpenPGP private key is not stored on ddmail servers. Encryption is done on ddmail servers but decryption is done on a user controlled device.

Encryption "in transit"

E-mail is encrypted "in transit" as offen as possible using TLS encryption. IMAP and HTTP is always encryptet using TLS 1.2 or TLS 1.3 with strong cipher suites, A+ rating on ssllab. SMTP traffic is encrypted using TLS 1.2 or TLS 1.3 with strong cipher suites when the counter part SMTP server supports it.

Features

Unlimited number of e-mails accounts. Unlimited number of aliases. Unlimited number of own domains. Avalible as Tor Onion Service. Avalible as i2p service. Protocol supported for getting emails is IMAPS(IMAP wrapped in TLS) and protocol supported for sendning email is SMTPS(SMTP wrapped in TLS) or SMTP with STARTTLS.

License

All code and server configuration is open source and licensed under GNU Affero General Public License (AGPL).

Where can i find the code

All development is done in the open using github. The code is located at https://github.com/drzobin.

For how long is backup saved

Backups are saved for 7 days. This means that if you remove you account, account user, email account or alias it takes 7 days before all the data is gone. This also means that when you change any password you need to save the old password for 7 days.

Where is it hosted

The system/service and all its data is hosted in Sweden.

Who is behind this

Code by Robin "drz/drzobin" Larsson from Sweden. The service is provided through my (Robin "drz/drzobin" Larsson) own company Kodord AB.

Happy mailing :)