- security
- Icedove (Thunderbird) leaks the real IP address
Since the Torbutton extension installed in amnesia is not compatible with Icedove (Thunderbird), the real IP address of the computer is disclosed to the SMTP relay that is used to send email.
Impact
When using Icedove to send email, the real IP address of the computer is disclosed to the SMTP relay, which usually writes it into the "Received:" header of the outgoing email. This private information is therefore disclosed to:
- the SMTP relay's administrators;
- anyone who is able to read such a sent email, including anyone the email is sent to and various network and email server administrators.
When using a NAT-ed Internet connection, the disclosed IP is a local network one (e.g. 192.168.1.42), which usually does not reveal too much. On the other hand, when connecting directly to the Internet, e.g. using a PPP or DSL modem and no router, the disclosed IP truly reveals the location of the amnesia user.
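The disclosure described above can be checked on a message you sent to yourself. The following is an added example, not part of the original advisory: it reads the oldest "Received:" header of a message and labels each client address found there. The sample message, its hostnames and addresses, and the function names are constructed for illustration.

```python
import email
import ipaddress
import re

# RFC 1918 ranges, i.e. the "local network" addresses seen behind NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample message; {client} is filled in by the caller. Hostnames
# and the 203.0.113.x / 198.51.100.x addresses are documentation placeholders.
TEMPLATE = (
    "Received: from mx.example.net (mx.example.net [203.0.113.7])\n"
    "\tby mail.example.org with ESMTP; Fri, 1 Jan 2010 10:00:02 +0000\n"
    "Received: from [{client}] (unknown [{client}])\n"
    "\tby smtp.example.net with ESMTPSA; Fri, 1 Jan 2010 10:00:00 +0000\n"
    "From: alice@example.net\nTo: bob@example.org\nSubject: test\n\nbody\n"
)

def submission_hop_ips(raw_message):
    """Return the IPs in the 'from' clause of the oldest Received: header."""
    received = email.message_from_string(raw_message).get_all("Received", [])
    if not received:
        return []
    # Every relay prepends its own header, so the last one listed was
    # written by the SMTP relay the mail client connected to.
    oldest = " ".join(received[-1].split())  # undo header folding
    from_clause = oldest.split(" by ", 1)[0]
    found = []
    for text in dict.fromkeys(IPV4.findall(from_clause)):  # de-duplicate
        try:
            found.append(ipaddress.ip_address(text))
        except ValueError:  # digits that do not form a valid address
            continue
    return found

def audit(raw_message):
    """Label each disclosed client address as local-network or not."""
    return [(str(ip), "local network address"
             if any(ip in net for net in RFC1918) else "non-local address")
            for ip in submission_hop_ips(raw_message)]

if __name__ == "__main__":
    for client in ("192.168.1.42", "198.51.100.23"):
        print(audit(TEMPLATE.format(client=client)))
```

An empty result means the relay recorded no client address in that header; a "non-local address" result corresponds to the direct-connection case described above.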
Solution
Upgrade to amnesia 0.4.1, which ships with Claws Mail instead of Icedove, and set the following preferences in ~/.claws-mail/accountrc for every account:
set_domain=1
domain=localhost
See #6119 for details.
Mitigation
It is best to avoid using Icedove (Thunderbird) in amnesia until fixed images are released. If that is not possible:
- Use amnesia behind a NAT-ed Internet connection, inside a LAN that uses widespread IP addresses.
- Use a trustworthy, privacy-friendly SMTP relay that does not disclose the client's IP address anywhere, especially not in the email headers.
Note that using GnuPG does not fix this problem at all: GnuPG only encrypts the email body; the email headers are always kept in the clear.
Affected versions
Any amnesia release up to and including 0.3. amnesia 0.4 is not affected.