I2P-Bote Manual



1. Introduction



I2P-Bote is an easy-to-use, highly anonymous secure e-mail application for I2P. It is a serverless, fully decentralized system that establishes/forms a peer-to-peer network built on top of state-of-the-art low latency anonymizing network I2P; adding to it an optional mixminion-like high-latency transport and thus avoiding the shortcomings of low-latency networks.

Therefore, I2P-Bote makes full use of the anonymity provided by I2P, plus it generates its own anonymity by adding another anonymizing layer (overlay network).

This concept of layered anonymity is what makes I2P-Bote so flexible:

You can configure it to be extremely anonymous and slow or less anonymous but faster/more efficient. In any event, I2P-Bote always provides a very good anonymity for both, sender and receiver, as well as end-to-end encryption*.

I2P-Bote offers the option to make your communications even more anonymous, by enabling the high-latency mail routes – at cost of performance, however. Users that want their anonymous e-mails to arrive as quickly as possible, will want to disable the mail routes and use 'direct' sending through I2P. It is guaranteed that you will never be less anonymous than the anonymity provided by standard I2P connections.

In order to achieve high usability, we have enabled it to be used with standard mail clients such as Thunderbird, Evolution or Kmail, without having to worry about what extra information these applications send in their headers. [YET TO BE IMPLEMENTED] Furthermore there is a web interface that lets you send and read e-mails or manage your settings and identities.

I2P-Bote is easy to use: If you're not yet using I2P, just install I2P from http://www.i2p2.de and then install the I2P-Bote plugin as described in this manual. Otherwise simply read on!**

Current version is 0.2.5.

*Unless you send e-mails to or receive them from the regular internet, ALL emails – the mail body, attachments and the header except recipient's address (subject, date, time, sender address, ...) are automatically and transparently end-to-end encrypted. The recipient's address is only visible for the mail route's last node that stores the packets into the kad network, and the respective storing nodes, but they cannot read the mail's content nor who sent it nor who will fetch it.



**Of course you can also compile from source.




2. Howto


2.1. Installation


In order to install I2P-Bote, go to the bottom of the I2P Client Configuration page at

http://localhost:7657/configclients.jsp

and enter:

http://tjgidoycrw6s3guetge3kvrvynppqjmvqsosmtbmgqasa6vmsf6a.b32.i2p/i2pbote.xpi2p

( http://i2pbote.i2p/i2pbote.xpi2p might work, too, if you have i2pbote.i2p in your address book or a subscription )

in the “Plugin Installation Download Url” line, then hit “Install Plugin”. Wait until your sidebar says plugin installed and started.


In order to update your I2P-Bote instance, click 'Update' under I2P-Bote on the I2P Client Configuration page at http://localhost:7657/configclients.jsp



2.2. Using I2P-Bote


On your router console http://127.0.0.1:7657/ click on SecureMail on the upper left (in the sidebar). Now you are on I2P-Bote's web interface.

After starting I2P-Bote (by default it is set to start automatically when your I2P router starts up) it takes a bit more than three minutes for everything to be up and running.

So have a look at 'Network Status' on the left. It should state 'Connected'.

If you want to use I2P-Bote for yourself, you first need to create an identity.



2.2.1 Creating an Identity


Click on 'Identities' on the left, then hit the “New Identity” button.

Enter at least a 'Public Name' and hit 'Create'. That's all that's needed to create an identity.

The public name is the name you see for this identity (useful in case you have different identities for different sets of users you communicate with or different purposes) and it will be sent as “sender's name” to the mail's recipient. There is no need for Public Name to be unique.

(As you can choose any name here – anyone could call himself HungryHobo there – it is not suited to be used by the recipient for telling if two mails come from the same sender. This is why the name saved in the local addressbook (there can only by one name per destination key) is displayed, if there is any, and you will see a green mark in the “Know” column, stating it is the locally known name. If there is no entry for a destination in local addressbook, the name specified by the sender will be displayed with a prefixed [UNK] in the mail clients). [POP3 NOT YET IMPLEMENTED]


You can also fill out the other fields, if you like:

Description – this field is kept locally. It's just for your convenience: If you want to add some additional information for yourself about that identity, you can enter it here.

Email Address – this field is not used yet.

Choose from one of the given encryption algorithms. If in doubt, stick to the defaults.

You click on the name of one of your identities and copy the long key displayed under 'Email Destination'. This is your I2P-Bote e-mail address. If you want anybody to be able to send you a bote mail, he need to be given this long key.

Now you can send and receive I2P-Bote mails.

But you should also have a look at your I2P-Bote settings and see if they fit your needs.

(You can also create various identities and assign different settings to each of them.)



2.2.2 Sending and Receiving E-Mails


You need to have the I2P-Bote e-mail destination key of the user you to whom you want to send a bote mail.

In order to send a message, click on 'New', choose your own sender identity or 'Anonymous' under “From” and enter the recipient's e-mail destination key or alternatively an address in the “To:” line.

Alternatively, you can hit the “Addr. Book” button right under this very line, in order to chose from e-mail dests stored locally in your address book: Mark the user(s) to which you want your mail to be sent and hit the “Add Recipients” button.)

You can add several recipients and change the 'To:' to 'CC:' or 'BCC:'.

The “+” button adds additional recipient lines.


Now write your bote mail and hit 'Send' for sending it, or 'Save' in order to store it as a draft into your 'drafts' folder or any user-defined folder. [not yet implemented]

Hitting “Send” will place your e-mail into the Outbox folder and you can go on using I2P-Bote, e.g. writing another e-mail, or simply do other things. I2P-Bote is now sending your e-mail. Once it is sent, it's automatically removed from Outbox and stored into your Sent folder. This means, your mail is entirely on the way to its destination (unless you have set a delay time, which is disabled by default).

In I2P-Bote e-mails are automatically signed (unless send without any sender identity).
You can also send e-mails without specifying any sender identity/destination/address, just select “Anonymous” in the scroll-down menu “From:”.


In the default settings I2P-Bote will automatically check for new mails, and all you need to do in order to see if you got e-mails is look into your Inbox (link 'Inbox' on the left).
You can force a manual check by clicking the 'Check Mail' button. This is a global checking, that tries to fetch new mails for all of your identities, except for those you have excluded from global checking. [not yet implemented]


The number of unread e-mails is shown in parenthesis next to the folder's name in the sidebar.

Click on “Inbox” to have a list of received e-mails displayed. You will see two columns with x's or green checks. Those show you if a mail contains a valid signature and is thus authentic (Sig) and if the sender's e-mail destination key is locally known, i.e. in your addressbook (Know). Hence, two green checks next to a mail entry mean that you already know that e-mail identity and that the mail is signed by that identity.

If you have a certain name in your address book and you get a mail from an identity with that name, yet Know is not displaying a green check, then it is a different destination that sent and signed this mail; he simply has chosen the same name you have chosen for one of your contacts.

Is there a green check mark for “Sig”, then the mail is correctly signed by the sender and you may add it to your addressbook under a different name, which now will be displayed as the sender.

Of course, a mail without sender destination (“Anonymous” is displayed as sender) will have two x's.

Clicking one of the e-mails displayed in your inbox will open the mail.

The same applies to all other folders.


(Due to the distributed nature of I2P-Bote, sending as well as checking for and retrieving e-mails takes a few minutes. With mail routes activated respectively more. But you need not keep the browser open for that, simply leave I2P-Bote running as a background process – this is also benefits your anonymity)



2.2.3 Local Address Book


If you have the I2P-Bote e-mail key from somebody you want to write to more frequently, it is handy to store that key locally into your address book (link on the left), specify a name of your own choosing for this contact and paste his mail destination in the corresponding line, then save.

You should normally save destinations to your addressbook, so that next time you get a mail from the same sender it will be shown to be from the same, locally known sender (“Loc” is checked) and a mail sent by someone else who is just using the same user name will be marked as NOT known locally (an x in web-UI's 'Know' column or [UNK] before the sender address in POP3), so you know it's a new/different one.



2.2.4 Settings (and what they mean)


Under settings you can choose the I2P-Bote interface's language (currently English or German) and decide whether even with a non-English language setting everything that will be automatically added to an e-mail when replying will nonetheless stay in English, so that the recipient does not know your I2P-Bote is set to a different language.
Otherwise the recipient could guess about your nationality which would decrease your anonymity.

Here you can also adjust the interval for automatic checking of e-mails and decide whether or not to send any time stamp with your mails, indicating date and time when the mail was sent. The time stamps are always in UTC.

(When using mail routes, the timestamps are automatically disabled.) [not yet implemented]


automatic checking for e-mails:

For more comfort there is the “Check for mail every XX minutes“ option.

Here you can specify how often your I2P-Bote app should try to fetch unread mails for your identities. This can be set on a per-identity basis [not yet implemented]

If you specify a random offset, then it will not check _exactly_ every XX minutes, but rather every (XX+-offset*XX)minutes, i.e. after a randomly chosen time between (1-offset)XX minutes and (1+offset)XX minutes. [not yet implemented]

You can also totally disable the automatic checking for a given identity.

(If you are not sure about these settings, the defaults should be ok for you.)



Mail routes are chains of I2P-Bote nodes acting as relays/routers for other peers and obeying to per-hop delays, thus providing the high-latency transport for increased anonymity.

You can specify the number of nodes (here called hops) that should be chained to form a mail route. Then each of the e-mail packets sent by the identity that has mail routes enabled will go through a mail route of n hops before being stored. You can set a delay for each hop individually, as no hop should know the time a packet will wait at the next hop, making the timing unpredictable. [individual per-hop and per-identity setting of delays not yet implemented]

As delay you can specify a time frame (e.g. 60-600 minutes) – then a random wait time between the two values will be chosen for the packet at that hop – or a fix time, then the packet will be forwarded at that fix time, e. g. noon UTC, no matter when it arrived. [fix time not yet implemented]

(When using mail routes, the timestamps are automatically disabled. [not yet implemented])


Under “mínimo en el bote” (minimum threshold number of relay packets that will be sent) you can specify a threshold. As your node can only act reliably as a mix, if there are enough foreign packets to mix and to blend own packets with, it will accumulate messages who's delay time is over until reaching this lower limit. Only when it is surpassed, your node starts sending them out in random order. [Not yet implemented]

exclude identity from global checking [Not yet implemented]

If you enable this option for one of your identities, then this one will not be affected by the global manual checking for mails nor by any global automatic mail checking.



2.2.5 E-mails to and from the Internet [NOT YET FULLY IMPLEMENTED!]


In order to be able to send bote mails to the internet and to receive e-mails from the internet with your I2P-Bote application, you must first register with an appropriate mail gateway. Currently there is only one: postman.


1) First, go to: http://hq.postman.i2p/?page_id=16 and register an account. If you already have an account or if you have just created one as described, proceed with #2.


2) For an existing account you can add your I2P-Bote mail destination, so that e-mails coming from the internet are forwarded to your I2P-Bote app. To do so go to: http://hq.postman.i2p/?page_id=74 and provide the requested information.

Now all e-mails sent to that address (name@i2pmail.org from the outer internet or name@mail.i2p for mails from other postman subscribers) will be forwarded via the I2P-Bote network to your I2P-Bote app.

(N.B. When using the name@mail.i2p or name@i2pmail.org addresses instead of the long addresses, e-mails are no longer end-to-end encrypted. Therefore, it is recommended to exchange the I2P-Bote mail destination keys for communicating within the network. Postman has offered high quality services in I2P for quite a while already, but be aware that it's a centralized point that might go offline one day, or worse be taken over by an evildoer that will manipulate mails. As for network-internal e-mail communication, I2P-Bote makes sure that if you use the address keys, nobody can tamper with the mails you send or receive.)

If you want not only to receive e-mails from the internet, but also enable sending e-mails from I2P-Bote to the internet, you must provide your I2P-Bote client with the gateway's mail destination key, so that your I2P-Bote knows where to send those mails to.
You can do this under “settings”.
This gateway will allow I2P-Bote users to communicate with the standard e-mail users on the internet as well as with users of postman's classical i2pmail service (@mail.i2p).

In order to fight abuse, there will be a limitation of the number of e-mails you can send out to the internet; just like for normal postman mail service users: If an I2P-Bote user exceeds the quota with outgoing e-mails, the additional e-mails will be sent back as bounce.




3. Considerations about Anonymity


Don't send identifying information about you (name, address, geographic location, time zone, age, websites you have just visited or blogged about, user names, ip numbers, I2P router id, I2P-Bote id, social security number, credit card number, …, copies of your passport, driver's license, home rental contract, photos – nude or with clothes –, documents that contain your username in author's settings, and many many more)!


If possible,


You can suppress the sending of date and time in the e-mails' header.

When you reply to an e-mail, certain markers, such as “Re: [subject of the mail you're replying to]” or “[username] wrote:”. Those are different for the languages you can chose from in your language settings. However, if you don't want the recipient to know what language you have set, you can suppress translation of these markers, so that they will be in English, no matter what you language setting is. In order to do so, mark “Use English for text added to outgoing email ('Re:', 'wrote:', etc.) “

Be careful with the contents you send! Don't include personal information or information that only you can possess. Don't write I'm going to bed now, it's late when including time stamps.
The language in which your write your e-mails, your style and formulations can also be of interest for an attacker.


I2P-Bote also offers the possibility to use different e-mail identities.
Suppose one of you contacts learns about your identity, as you forgot to erase identifying information in a secret document you have sent to him. Now if this e-mail's recipient was to collaborate with others you are in contact with, he could tell them the real world identity belonging to the Bote address he knows from you. Thusly, if you communicate with those others using the same Bote address, they will know who you are.
Not so, if you used a different address for sending mails to them.



4. Technical Concept


I2P-Bote is an end-to-end encrypted, network-internal, fully decentralized (i.e. serverless) e-mail system. It supports different identities and does not expose e-mail headers. Currently, it is still alpha software and can only by accessed via web console. It soon will have POP3 support, and it is planned to guarantee additional anonymity by providing a high-latency transport option. All bote-mails are automatically end-to-end encrypted, so that there's no need to set up extra e-mail encryption (though you can do that), and bote-mails will be authenticated automatically. As it is decentralized, there is no e-mail server that could link different e-mail identities as communicating with each other (profiling): Even the nodes relaying the mails will not know the sender and apart from sender and receiver, only the end of the high-latency mail tunnel and the storing nodes will know to whom (anonymous identity) the mail is destined. The original sender can have gone offline, long before the mail becomes available on the other side. This adds on the degree of anonymity that can be reached with I2P-Bote. For those who do not want high delays: All these settings are be user-adjustable, so each user decides on how much anonymity he wants.


I2P-Bote nodes store encrypted e-mails into a Kademlia DHT. Therefore, an e-mail can be sent through a number of other nodes (relays) for increased security, or directly to a set of storage nodes for faster delivery. The same applies to retrieving email.
(When using mail routes, timestamps are automatically disabled.)
[Retrieving via relays not yet implemented]


All nodes are created equal: There are no "supernodes" or designated relay/storage nodes. Everybody acts as a potential relay and storage node. The maximum amount of disk space used for relayed/stored email packets can be configured by the user.

Before an email is sent to a relay, it is broken up into packets and encrypted with the recipient's public key. These packets are stored redundantly in a distributed hash table (DHT).

They are kept for at least 100 days, during which the recipient can download them.

Relay packets also expire after 100 days or more.

If a node runs out of email storage space, and there are no old packets that can be deleted, the node refuses storage requests.

Furthermore, I2P-Bote sanitizes the mail headers and does not allow any unneeded information to be transmitted, thus allowing the use of e-mail clients without prior checks of what this client sends in the mail headers. [POP3 not yet implemented]

All the encryption, path choosing and profiling is done locally so that there is no trusted party involved.

Using I2P-Bote appropriately, that means keeping in mind the considerations given above and showing some common sense, nobody will be able to find out who or where you are. And if you are already being observed and your internet connection sniffed, the observer will not be able to find out what you send or receive or to whom you are sending to or receiving from or where your contacts are located.



Let's go a bit more into detail:


What I2P-Bote does hide:


I2P-Bote hides both, the identity and location of sender and receiver, as well as those of intermediary nodes (relays and storing nodes), the content of your mails, their size, the number of mails you send.

Only the recipient can know the sender's bote mail destination, and if he choses not to send his destination, not even the recipient will know it.

Even if you send time stamps, your time zone will not be disclosed.

Furthermore, I2P-Bote hides ...

    - the fact that you run I2P-Bote

    - the fact that you send a mail

    - the fact that you receive a mail

      and hence

    - the time you send a mail

    - the time you receive a mail

      and

    - the upper limit of number of mails an unknown user receives, - nota bene: an abstract
      user, no concrete one, just concluding its existence from the existence of the mail identity
    - as he could always have more than one e-mail identity; and the lower limit as an
      identity also sends out test and dummy messages



What I2P-Bote hides partially:


The I2P-Bote address of the recipient will only be known to sender and recipient(s).

In case of multiple recipients, each one will see all other recipients that the mail was addressed to via “To:” or “CC:”.

All entries that were under “BCC:” will only be visible to the sender and this very recipient.

The time an sent time will, if at all, only be visible to sender and recipient.



What I2P-Bote can hide optionally:



- If mail routes are use, the time a bote mail is sent

- If mail routes are used, the time a bote mail is fetched. [not yet implemented]

- If the sender suppresses timestamps only the sender himself will know when he sent a
mail.



What I2P-Bote cannot hide:


I2P-Bote cannot hide the frequency a given identity checks for new mails nor the number of mails a given identity receives.




Not even for bootstrapping I2P-Bote depends on a central node, as it uses Seedless.




5 Terminology/Glossary of Terms:


I2P-Bote (router/node) id:

This is the id an I2P-Bote router is known as. It is used for contacting this router, for storing, relaying and fetching mails, but also used in the hop-to-hop encryption and for simply contacting it via I2P, as it is at the same the I2P-Bote router's I2P tunnel destination. It is displayed to represent an I2P-Bote node in the stats.

So the router id corresponds to the I2P destination (the address of an I2P-Bote node on the I2P network - there is no need to know it unless you are having problems connecting to other I2P-Bote nodes.)


I2P-Bote e-mail destination:

The I2P-Bote e-mail destination (key) is an identifier by which somebody can be reached via I2P-Bote, so as the name states: an e-mail destination. Thus it is for I2P-Bote what an e-mail address is for standard e-mail system: The e-mail destination is the actual address for sending e-mails, for storing them into and for fetching them from the DHT.
At the same time it used for the end-to-end encryption of e-mails, header information and attachments.

An I2P-Bote e-mail destination is a Base64 string containing a public encryption key and a signature verification key. Example:

uQtdwFHqbWHGyxZN8wChjWbCcgWrKuoBRNoziEpE8XDt8koHdJiskYXeUyq7JmpG

In8WKXY5LNue~62IXeZ-ppUYDdqi5V~9BZrcbpvgb5tjuu3ZRtHq9Vn6T9hOO1fa

FYZbK-FqHRiKm~lewFjSmfbBf1e6Fb~FLwQqUBTMtKYrRdO1d3xVIm2XXK83k1Da

-nufGASLaHJfsEkwMMDngg8uqRQmoj0THJb6vRfXzRw4qR5a0nj6dodeBfl2NgL9

HfOLInwrD67haJqjFJ8r~vVyOxRDJYFE8~f9b7k3N0YeyUK4RJSoiPXtTBLQ2RFQ

gOaKg4CuKHE0KCigBRU-Fhhc4weUzyU-g~rbTc2SWPlfvZ6n0voSvhvkZI9V52X3

SptDXk3fAEcwnC7lZzza6RNHurSMDMyOTmppAVz6BD8PB4o4RuWq7MQcnF9znElp

HX3Q10QdV3omVZJDNPxo-Wf~CpEd88C9ga4pS~QGIHSWtMPLFazeGeSHCnPzIRYD


I2P-Bote router/node id and I2P-Bote e-mail destinations look similar, but are completely independent of each other.


E-mail address:

E-mail addresses in I2P-Bote are shortcuts for e-mail destinations.

The e-mail address <--> e-mail destination mappings are stored in two places: the local address book and the distributed address directory [the latter not yet implemented].


I2P-Bote e-mail identity:

The I2P-Bote e-mail identity is a set of an I2P-Bote e-mail destination key, the corresponding private keys and a name given to it by the user. This name will be sent with the destination key if you do not suppress sending information about the sender.

However it will only be displayed for the recipient in case he does not have a name for this destination in his local address book.

So technically speaking, an e-mail identity consists of four things:

* an e-mail destination (i.e. two public keys)

* two private keys for the e-mail destination

* a public name which can be shown to other people in e-mails

* a description which is not shown to anybody but you.

(It helps you remember which e-mail identity you use for which purpose.)

An e-mail identity is not required for sending emails (although then only "Anonymous" can be selected for the "sender" field).


Mail routes:

Mail routes are an additional high-latency transport for I2P-Bote. For this, a chain of I2P-Bote nodes is built, acting as relays/routers for packets and obeying to individual per-hop delays; [still no individual setting for delays implemented]


BEWARE!

If you choose this option - especially with many hops and / or long delay times, don't be surprised if your mail does not reach its destination too soon. It will, of course, take longer – up to several days!



6.  Credits

Idea & technical concept: HungryHobo, Mixxy

Implementation: HungryHobo

Plugin support: zzz, HungryHobo

User interface: HungryHobo

Seedless integration: sponge

German translation: HungryHobo

French translation: albat, Redzara, Mixxy

Spanish translation: Mixxy

Alpha testing: HungryHobo, Mixxy, Returning Novice, sponge, and many others



7. Technical Details

-- see techdoc.txt --





ENJOY THE BOTE FEELING!!