A potential client approached me with this interesting question:
“I would like to know if this software protects my clients from hackers and government censorship; in countries with high censorship how can the mail be retrieved? Can government filtering of mail be circumvented?”
I had to think about that a little bit, but I finally did produce an answer:
Yes and no. A filtering gateway in and of itself doesn’t necessarily protect you from censorship. Spam gateways or mail servers operate over standard ports, usually in clear text. The only way to prevent government snooping is to encrypt your mail traffic in one of two ways: either at the pipe (SMTP over SSL/TLS) or with full body encryption. modusGate does let you use SSL certificates with SMTP, which means you could encrypt the traffic between you and your destination mail servers if you use modusGate as your outbound smart host. That being said, the mail server at the intended destination must also allow SSL/TLS for this to work; otherwise, the mail will go out in the clear.
One thing you could do is deploy multi-layered gateways to have an external proxy … What I mean is, you could create a setup like this:
{ mail origination inside your country } <--> { Rented virtual machine (VPS) in a free nation } <--> { internet }
{ inside your country }
primary MTA -> all outbound mail to modusGate local with certificate, SSL forced on all outbound IPs, points all outbound to the rented server on non-standard port
{ rented virtual machine in North America }
modusGate with SSL certificate, listening on non-standard port for traffic coming from your home gate, can send mail out to the internet in the clear.
So yes, it’s possible to avoid people eavesdropping on your conversations, but it does require a bit of fiddling.
Here is where the issue becomes more complex: does your country block non-standard ports at the primary firewalls/routers that lead out from your country?
You could always set up an encrypted VLAN between your inside network and the virtual machine at the VPS hoster, which would be even better than setting up an external proxy. In this case, communications between your local Gate and the remote gate would be encrypted at Layer 2 – TCP/IP level – instead of Layer 7. This means that once the mail reaches the external gateway, it can then be transmitted out in the clear. Though this is similar to using Tor proxies to be able to visit websites in an uncensored fashion, it is not quite at the same level of sophistication.
Ultimately, it all boils down to how strict your national firewall is.
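The answer above depends on the next hop actually accepting SSL/TLS, since otherwise the mail goes out in the clear. The following is an added example, not part of the original post and not modusGate code: a Python check that fails closed when a hop (on any port, standard or not) does not offer STARTTLS or fails certificate verification. The names `check_hop_tls`, `PlainOnlySMTP`, `gate.invalid` and `peer.invalid` are hypothetical, and the plain-text peer is constructed for the demonstration.

```python
import smtplib
import socketserver
import ssl
import threading

def check_hop_tls(host, port, context=None, timeout=5):
    """Return (ok, detail); ok only if the hop offers STARTTLS and the
    handshake passes certificate and hostname verification."""
    context = context or ssl.create_default_context()
    try:
        # local_hostname is a placeholder EHLO name (assumption).
        with smtplib.SMTP(host, port, local_hostname="gate.invalid",
                          timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                # Fail closed instead of falling back to clear text.
                return False, "no STARTTLS offered; mail would go out in the clear"
            smtp.starttls(context=context)
            smtp.ehlo()  # re-issue EHLO inside the encrypted session
            return True, smtp.sock.version()
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return False, f"TLS negotiation failed: {exc}"

class PlainOnlySMTP(socketserver.StreamRequestHandler):
    """Constructed local peer: minimal SMTP that never offers STARTTLS."""
    def handle(self):
        self.wfile.write(b"220 peer.invalid ESMTP\r\n")
        for line in self.rfile:
            verb = line[:4].upper()
            if verb == b"EHLO":
                self.wfile.write(b"250-peer.invalid\r\n250 SIZE 1000000\r\n")
            elif verb == b"QUIT":
                self.wfile.write(b"221 bye\r\n")
                return
            else:
                self.wfile.write(b"502 not implemented\r\n")

def demo():
    """Run the check against the constructed plain-text peer on loopback."""
    with socketserver.TCPServer(("127.0.0.1", 0), PlainOnlySMTP) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return check_hop_tls(*srv.server_address)
        finally:
            srv.shutdown()

if __name__ == "__main__":
    print(demo())
```

Running the same check from the inside gateway against the rented server's listening port shows whether that leg is really encrypted before any mail is routed through it.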