.\" $Id: mixminion.1,v 1.7 2005/12/02 18:24:35 nickm Exp $ .\" Copyright (c) 2004 Nick Mathewson -- see LICENCE for licensing information .\" "man mdoc.samples" for information on how to tag the document. .\" Type nroff -mdoc mixminion.1 | less .Dd March 7, 2004 .Dt MIXMINION 1 Anonymity .Os GNU/Linux .Sh NAME .Nm mixminion .Nd Type III anonymity client .Sh SYNOPSIS .Nm mixminion .Bro Cm benchmarks | clean-queue | decode | flush | generate-surb | help | .Cm import-server | inspect-queue | inspect-surbs | list-fragments | .Cm list-servers | ping | purge-fragments | queue | reassemble | send | .Cm shell | testvectors | unittests | update-servers | version Brc .Op Ar command_options .Op Ar command_args ... .Pp .\" XXXX Is there a better markup than this .ti 2 business? .ti 2 Sending Messages: .Nm mixminion Cm send .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Op Fl P Ar path | Fl \-path= Ns Ar path .Op Fl i Ar file | Fl \-input= Ns Ar file .Op Fl \-queue | Fl \-no-queue .Op Fl \-subject= Ns Ar str .Op Fl \-from= Ns Ar str .Op Fl \-references= Ns Ar str .Op Fl \-in-reply-to= Ns Ar str .Op Fl \-deliver-fragments .Bro Fl t Ar addr | Fl \-to= Ns Ar addr | Fl R Ar file | \ Fl \-reply-block= Ns Ar file | Fl \-reply-block-fd= Ns Ar n Brc .Ek .Nm mixminion Cm queue .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Op Fl P Ar path | Fl \-path= Ns Ar path .Op Fl i Ar file | Fl \-input= Ns Ar file .Op Fl \-subject= Ns Ar str .Op Fl \-from= Ns Ar str .Op Fl \-references= Ns Ar str .Op Fl \-in-reply-to= Ns Ar str .Op Fl \-deliver-fragments .Bro Fl t Ar addr | Fl \-to= Ns Ar addr | R Ar file | \ Fl \-reply-block= Ns Ar file | Fl \-reply-block-fd= Ns Ar n Brc .Ek .Pp .ti 2 Receiving messages: .Nm mixminion Cm decode .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Op Fl F | Fl \-force .Op Fl i Ar file | Fl \-input= Ns Ar file .Op Fl o Ar file | Fl \-output= Ns Ar file .Op Fl \-passphrase-fd= Ns Ar n .Ek .Nm mixminion Cm reassemble .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Op Fl P | Fl \-purge .Op Fl o Ar file | Fl \-output= Ns Ar file .Op Fl F | Fl \-force .Ar msgid ... .Ek .Pp .ti 2 Queue Management: .Nm mixminion Cm flush .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Op Ar server ... .Ek .Nm mixminion Cm list-queue .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Ek .Nm mixminion Cm clean-queue .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Op Fl d Ar days | Fl \-days= Ns Ar days .Op Ar server ... .Ek .Nm mixminion Cm list-fragments .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Ek .Nm mixminion Cm purge-fragments .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Ar msgid ... .Ek .Pp .ti 2 SURB Management: .Nm mixminion Cm generate-surb .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Op Fl P Ar path | Fl \-path= Ns Ar path .Op Fl lifetime= Ns Ar days .Op Fl o Ar file | Fl \-output= Ns Ar file .Op Fl b | Fl \-binary .Op Fl n Ar n | Fl \-count= Ns Ar n .Op Fl \-identity= Ns Ar name .Op Fl \-passphrase-fd= Ns Ar n .Op Fl t Ar addr | Fl \-to= Ns Ar addr .Ek .Nm mixminion Cm inspect-surbs .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Ar file ... .Ek .Pp .ti 2 Directories and Servers: .Nm mixminion Cm ping .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl f Ar file | Fl \-config= Ns Ar file .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Ar server ... .Ek .Nm mixminion Cm list-servers .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl f Ar file | Fl \-config= Ns Ar file .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl F Ar feature_list | Fl \-feature= Ns Ar feature_list .Op Fl J | Fl \-justify .Op Fl T | Fl \-with-time .Op Fl r | Fl \-recommended .Op Fl s Ar str | Fl \-separator= Ns Ar str .Op Fl c | Fl \-cascade .Op Fl C | Fl \-cascade-features .Op Fl \-no-collapse .Ar server ... .Ek .Nm mixminion Cm update-servers .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl f Ar file | Fl \-config= Ns Ar file .Ek .Nm mixminion Cm import-server .Bk -words .Op Fl h | Fl \-help .Op Fl v | Fl \-verbose .Op Fl Q | Fl \-quiet .Op Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Op Fl f Ar file | Fl \-config= Ns Ar file .Ar file ... .Ek .Pp .ti 2 Miscellaneous: .Nm mixminion Cm version .Nm mixminion Cm help .Nm mixminion Cm unittests .Nm mixminion Cm benchmarks .Nm mixminion Cm testvectors .Sh NOTE This is a testing alpha release. You will probably only want to use it if you are technically inclined, curious, and interested in helping the Mixminion development effort. Do NOT use this release if you require strong anonymity. It has known deficiencies, including some that make it possible for an adversary to trace your message through the system. See BUGS below. .Sh DESCRIPTION Mixminion is a software suite that lets you send and receive very anonymous mail. The .Xr mixminion 1 client is a command-line interface to this suite. .Pp If you want to send anonymous messages right now without reading all of this documentation, skip right to the EXAMPLES section below. .Pp .Ss Overview (This is a basic introduction. For more information, see REFERENCES below.) .Pp When you send regular email, it is trivial for an eavesdropper to learn your recipients. Even if you use end-to-end encryption such as PGP or S/MIME, you are only stopping eavesdroppers from learning what you are saying: they can still tell whom you are saying it to. .Pp Mixminion uses a \fImix network\fP architecture to provide strong anonymity, and prevent eavesdroppers and other attackers from linking senders and recipients. Volunteers run servers (called "mixes") that receive messages, and decrypt them, re-order them, and re-transmit them toward their eventual destination. Every message passes through several mixes so that no single mix can link message senders with recipients. .Pp When you send an anonymous message, .Nm mixminion breaks it into uniform-sized chunks (also called "packets"), pads the packets to a uniform size, and chooses a path through the mix network for each packet. The software encrypts every packet with the public keys for each server in its path, one by one. When it is time to transmit a packet, .Nm mixminion sends it to the first mix in the path. The first mix decrypts the packet, learns which mix will receive the packet, and relays it. Eventually, the packet arrives at a final (or "exit") mix, which sends it to your chosen recipient. Because no mix sees any more of the path besides the immediately adjacent mixes, they cannot link senders to recipients. .Pp If you want to conceal the timing of your messages, .Nm mixminion can hold a group of packets in a \fIqueue\fP until you are ready to transmit them. Packets will also be queued if the chosen servers are temporarily unavailable; you will need to retransmit these packets manually. .Pp To choose good paths, .Nm mixminion must learn about all the available servers in the mix network. It does this by automatically downloading a \fIserver directory\fP once every day it is used. You can examine this directory by hand, or with the .Nm mixminion Cm list-servers command. You can also specify your own paths by hand. .Pp Mixminion supports \fISingle-Use Reply Blocks\fP (or \fISURBS\fP) to allow anonymous recipients. A SURB encodes a half-path to a recipient, so that each mix in the sequence can unwrap a single layer of the path, and encrypt the message for the recipient. When the message reaches the recipient, the recipient can decode the message and learn which SURB was used to send it; the sender does not know which recipient has received the anonymous message. .\" XXXX Say that recipients generate SURBS. .\" XXXX Say that mixes can't tell forward msgs from reply msgs. .Pp When you receive an anonymous message with .Nm mixminion Ns , it may not be in plaintext. There are three kind of encoded messages: .Bl -enum -compact .It Binary messages. .It Anonymous reply messages send to SURBs addressed to you. .It Single packets ("fragments") from large anonymous messages that span multiple packets. .El .Pp The software handles each type differently. Binary messages are trivially decoded; anonymous replies are decrypted with your SURB key; and fragments are stored until enough fragments are available to reconstruct the entire message. .Sh INVOKING MIXMINION The .Nm mixminion interface wraps several commands, as listed below. To invoke a specific command, call .Ic mixminion Ar command_name . Each command takes its own list of options. .Ss Commands Here is a brief description of each .Nm mixminion command: .Bl -tag -width ".Cm version" .It Cm send Break a message into packets, encode the packets, and send them into the mix network. By default, the message is read from standard input; type "control-D" when you are done ("control-Z" on Windows). To read the message from a file, use the .Fl i Ar filename . If any encoded packets can't be delivered, they will be stored in the queue until you flush them. .Pp .Nm mixminion Cm send requires a destination; you can specify an address with the .Fl t flag, or use one or more SURBs with the .Fl R flag. .Pp By default, the exit server will choose its own values for the outgoing message headers. You can override its selections with .Fl \-subject , .Fl \-from , .Fl \-references , and .Fl \-in-reply-to . .Pp By default, Mixminion will check whether you have a recent server directory and download a new one as necessary, before it encodes or sends your message. You can force a download (or prevent one) with .Fl D . .It Cm queue Break a message into packets and encode them. Delivery is not attempted until you call .Nm mixminion flush . Using this command is equivalent to calling .Bk -words .Nm mixminion Cm send Fl -queue . .Ek .It Cm decode Extract the contents of an encoded message. If the message fits in a single packet, its contents will be printed out immediately; if the message is fragmented into multiple packets, the packets will be stored until the whole message has been received, at which point you can retrieve the original message with .Nm mixminion Cm reassemble . If the packet is encrypted to a reply block, you will be prompted for a passphrase. .Pp By default, .Nm mixminion Cm decode reads from standard input and writes decoded messages to standard output; you can override input with the .Fl i flag and output with the .Fl o flag. .It Cm generate-surb[s] Create one or more single-use reply blocks so that others can reply to your anonymous messages. By default, SURBs are written to standard output; you can override this with .Fl o Ar filename . .Pp You may specify your address on the command line with the .Fl t Ar addr option, or in your configuration file (see .\" XXXX The Ns here may confuse some NetBSDs. How to fix? .Xr mixminionrc 5 Ns ). .It Cm flush Op Ar server ... Try to flush packets from the queue. By default, .Nm mixminion Cm flush tries to deliver every packet it can. If you only want to flush packets to a given set of mixes, you can list their names on the command line. You can also limit the number of packets flushed by using the .Fl n Ar num option to pick .Ar num packets at random from the queue. .Pp Any packet that can't be delivered is left in the queue. .It Cm clean-queue Op Ar server ... Remove pending packets from the queue. By default, only very old packets are removed. You can use .Fl d Ar days option to remove packets older than a certain number of days. To remove packets for specific servers, specify their names on the command line. .It Cm reassemble Ar msgid Reassemble a fragmented message, and display its contents. By default, messages are written to standard output; you can override this with .Fl o Ar filename . Use .Nm mixminion Cm list-fragments for a list of messages that can be reconstructed. Note that the packets reconstructed messages are not automatically deleted from disk: to do so, either use .Fl \-purge , or the .Nm mixminion purge-fragments command. .It Cm list-fragments Display a list of the messages currently being reconstructed, and the number of packets remaining until each it ready. .It Cm purge-fragments Ar msgid ... Remove fragments for a pending message. Use this command either after you have successfully reconstructed a message, or if you do not expect to receive any remaining fragments for the message. .It Cm inspect-queue List the number of packets in the queue for each server, and the maximum age of each. .It Cm inspect-surbs Ar filename ... Examine a file containing a bunch of reply blocks. Lists how many have already been used, and when the others will expire. .It Cm ping Ar servername ... Open a dummy connection to one or more named servers, to determine whether they are currently online. .Pp .Sy NOTE: Using this command has dangerous anonymity implications; see the output of .Nm mixminion Cm ping for more information. .It Cm update-servers Download a fresh directory from the directory server, whether the current directory is out of date or not. .It Cm list-servers Op Ar servername ... Display a list of current servers in the directory. By default, all servers are listed; you can narrow the list by using .Fl r to see only servers that the directory recommends, or by listing specific servers on the command line. .Pp The default output lists one server per line, along with a summary of its capabilities and a note about whether the directory recommends it. You can change the contents of this display with .Fl F Ar feature_list , and the format with .Fl c , .Fl C , .Fl T , .Fl s Ar sep, and .Fl J . .It Cm import-server (Is anyone using this? I'm thinking of deprecating it to make my life simpler.) .It Cm help Print a command summary and exit. .It Cm testvectors Print a list of test vectors for Mixminion's cryptographic primitives. You may find this useful if you're trying to develop a compatible client. .It Cm unittests Run mixminion's internal self-tests. .It Cm version Print the version of the current software. .It Cm benchmarks Run mixminion's internal timing tests. .It Cm shell Open a mini command-line interpreter for interactive operations. This is the default action on Windows when no command is provided. .El .Ss Options Here we describe the options supported by .Nm mixminion , along with a list of which commands (shown in .Brq braces Ns ) support each one: .Bl -tag -width "Ds" .It Fl b | Fl \-binary .Brq generate-surb Write surbs in a terser, binary format. By default, SURBs are printed with ASCII armor. .It Fl c | Fl \-cascade .Brq list-servers List each server's name on a separate line from its validity dates and features. Especially useful in combination with .It Fl \-no-collapse. .It Fl C | Fl \-cascade-features .Brq list-servers List each server feature on a separate line. Useful when you have specified a long list of features. .It Fl d Ar days | Fl \-days= Ns Ar days .Brq clean-queue Only delete packets that are at least .Ar days days old. The default is 60. .It Fl D Ar {yes|no} | Fl \-download-directory= Ns Ar {yes|no} .Brq general Override the directory download behavior. By default, Mixminion downloads a fresh server directory if the current directory is older than midnight, GMT. If .Fl D Ar yes is specified, then the software downloads a directory, even if it has a recent one. If .Fl D Ar no is specified, then the software uses the current directory, even if it is old. .It Fl \-deliver-fragments .Brq send, queue By default, mixminion sends (non-reply) fragmented messages to the last server in your path, and asks that server to reconstruct them before delivery. This way, users can receive large messages, even if they don't have the software to reconstruct it. .Pp The .Fl \-deliver-fragments option overrides this behavior, and sends the fragments directly to the recipient. This is useful if your message is large, and your recipient is running mixminion or a compatible client. .It Fl f Ar file | Fl \-config= Ns Ar file .Brq general Override the default location for your configuration file. See the .Ev MIXMINIONRC environment variable, and the .Xr mixminionrc 5 format. .It Fl F | Fl \-force .Brq decode, reassemble Mixminion compresses messages before sending them. Thus, a malicious person might try to mailbomb you by sending you highly compressed single packet that contained up to 28MB of compressed zeroes. By default, mixminion doesn't uncompress any file that has a compression ratio of higher than 20:1. The .Fl F option overrides this behavior. .It Fl F Ar feature_list | Fl \-feature= Ns Ar feature_list .Brq list-servers Tells .Nm mixminion Cm list-servers to display a group of features other than server capability and status. This list of servers is separated by commas. The default value is "caps,status". See "Server Features" below for a list of interesting features. .It Fl \-from= Ns Ar str .Brq send, queue Override the default value for the "From:" field in an outgoing message. Most exit servers let you replace the name portion of the message, but not the mailbox portion. For example, if you specify .Fl \-from= Ns Alice , the outgoing mail might have the line: 'From: "[ANON] Alice" '. .It Fl h | Fl \-help .Brq general Print usage information for a given command. .It Fl i Ar file | Fl \-input= Ns Ar file .Brq send, queue, decode Read input from a provided filename instead of standard input. .It Fl \-identity= Ns Ar name .Brq generate-surb Generate SURBs associated with a particular \fIidentity\fP. Later, when you receive replies to a given SURB, you will be able to tell which identity the SURB was generated for. .Pp Using this option can thwart so-called "identity blending attacks". For example, suppose that Alice is carrying on two pseudonymous conversations with Commissioner Bob, one as "Bruce Wayne" and one as "Batman". If Bob suspects that "Batman" and "Bruce Wayne" are really the same person, he can confirm this by using one of Bruce Wayne's SURBs to send a message addressed "Dear Batman". If "Batman" answers the message, then Bob's suspicion is confirmed. To prevent this, Alice should use separate identities for each of her pseudonyms, so that when "Bruce Wayne" receives the message, she can reply "I'm sorry, but you've send me one of Batman's messages." .It Fl \-in-reply-to= Ns Ar str .Brq send, queue Sets the "In-Reply-To:" header of an outgoing message. .It Fl J | Fl \-justify .Brq list-servers Align the columns of list-server's output nicely. .It Fl lifetime= Ns Ar days .Brq generate-surb Generate SURBs to be used within the next .Ar days days. The default lifetime is .Va SURBLifetime setting in your configuration file. .It Fl n Ar n | Fl \-count= Ns Ar n .Brq generate-surb Generate exactly .Ar n SURBs. The default is 1. .Pp .Brq flush-queue Flush no more than .Ar n packets. By default, all packets are flushed. .It Fl \-no-queue .Brq send If the packets can't be sent immediately, do not queue any failing packets. .Op Fl \-no-collapse .Brq list-servers If a server has multiple keys valid over different ranges of time, display those ranges separately. .It Fl o Ar file | Fl \-output= Ns Ar file .Brq decode, generate-surb, reassemble Direct output to .Ar file instead of standard output. .It Fl P Ar path | Fl \-path= Ns Ar path .Brq send, queue, generate-surb Use .Ar path for the path of the packets/surbs being generated. The default is to use a randomly chosen path of about 4 mixes; you can override this in .Xr mixminionrc 5 . .It Fl Fl P | Fl \-purge .Brq reassemble After reassembling the message, delete all its fragment packets from disk. .It Fl \-passphrase-fd= Ns Ar n .Brq decode, generate-surb Instead of reading the passphrase from the terminal, take it from a given file descriptor. This is useful when embedding mixminion. .It Fl Q | Fl \-quiet .Brq general Suppress all logging messages that don't correspond to real errors. .It Fl \-queue .Brq send Do not actually send any packets; generate and queue them instead. .It Fl r | Fl \-recommended .Brq list-servers Only list servers that the directory recommends. By default, all known servers are listed. .It Fl R Ar file | Fl \-reply-block= Ns Ar file .Brq send, queue Send packets via the SURBs listed in .Ar file . The file must contain one or more SURBs. Once a SURB has been used, it will automatically be ignored in the future. .It Fl \-references= Ns Ar str .Brq send, queue Set the "References:" header in the outgoing message. .It Fl \-reply-block-fd= Ns Ar n .Brq send, queue Read reply blocks from the file descriptor .Ar n instead of from a file. This is useful when integrating mixminion in other applications. .It Fl \-subject= Ns Ar str .Brq send, queue Set the "Subject:" header in the outgoing message. .It Fl s Ar str | Fl \-separator= Ns Ar str .Brq list-servers When listing multiple features per line, separate them with the provided string. By default, a tab is used. .It Fl t Ar addr | Fl \-to= Ns Ar addr .Brq send, queue, generate-surb Send messages or generate SURBs for the provided address. The address may be an email address (such as "somebody@example.com"), or a generalized address as described in "Specifying Destinations" below. .It Fl T | Fl \-with-time .Brq list-servers Include the validity time ranges of each server when listing. .It Fl v | Fl \-verbose .Brq general Display internal debugging messages when running the selected command. .El .Ss Specifying Destinations Although email delivery is Mixminion's current principal application, the client allows you to send messages to other destinations, such as newsgroups (not yet implemented), drop-boxes on given servers, or other protocols not yet specified. To do so, just provide a generalized address in place of an email address. The following address formats are supported: .Bl -tag -width ".Cm drop" .It Ar email_address Sends an ordinary email message to a chosen email address. .It Cm smtp Ns : Ns Ar email_address A verbose equivalent to sending email to .Ar email_address . .It Cm drop Send a dummy message into the message; the last mix in the path will discard it. When using this destination, no message body is needed. .It Cm mbox Ns : Ns Ar mailbox_name Ns Cm @ Ns Ar server Send a message to a named 'mailbox' configured at a specific mix. The chosen mix must support mbox delivery, and the name must be that of a valid mailbox. .It Cm 0x Ns Ar routing_type For developers: manually send a message with a given 2-byte, hexadecimal routing-type field. .It Cm 0x Ns Ar routing_type Ns Cm : Ns Ar routing_data For developers: manually send a message with a given 2-byte, hexadecimal routing-type field and a given routing_data field. .El .Pp Note that not all servers support all exit types. Currently, mixminion only detects whether your chosen exit server supports smtp, exit, and drop delivery. You must use other means to detect whether other protocols are supported by a given server. .Ss Specifying Paths When you send a message or generate SURBs, mixminion ordinarily picks a series of mixes as your path. It tries to choose a sequence of about five mixes, such that every mix is recommended by the directory; no mix appears twice in a row; and the last mix is configured to deliver messages to your chosen destination. .Pp You can override this default behavior on the command line using the .Bk -words .Fl P Ar path or .Fl \-path= Ns Ar path .Ek options, or in your configuration file. To specify a path for one of these options, provide a comma-separated list of: .\" XXXX This next part may also confuse NetBSD man. .Bl -tag -compact .It ~ Ns Ar number Insert approximately .Ar number randomly chosen recommended servers. .It * Ns Ar number Insert exactly .Ar number randomly chosen recommended servers. .It ? Insert a single randomly chosen recommended server. .It Ar server_name Insert a single server by name. .It Ar file_name Insert a server whose descriptor is stored in a separate file. .El .Pp For example, .Ic mixminion send -P A,B,C ... sends a message through a path containing the server named A, the server named B, and the server named C. Running .Ic mixminion send -P ~2,A,?,C ... uses a path containing approximately two randomly chosen servers, the server named A, another randomly chosen server, and the server named C. .Pp The software tries to never use the same server twice in a row, and never uses an un-recommended server unless such a server is specifically requested. .Pp All forward paths must have at least two servers; all reply and SURB paths must have at least one. In practice, longer paths are recommended. .Pp .Sy Advanced: For a forward path, you can specify a swap point by hand by replacing a single comma with a colon. If you don't know what a swap point is, you probably don't want to do this. .\" XXXX For some reason, NetBSD may overbold thisnext line. .Ss Server Features When you use the .Fl F option for .Nm mixminion Cm list-servers , you can specify a list of server features. These features take the format of .Ar section Ns Cm : Ns Ar entry , where .Ar section is a section in a server descriptor, and .Ar entry is a key within that section. (For more information on server descriptors, see "http://mixminion.net/dir-spec.txt".) If the key is unique within all sections, then you may omit the .Ar section Ns Cm : portion of the feature. .Pp .\" Mention that the others aren't useful. A few useful features include: .Bl -tag -width ".Cm software" .It caps The server's "capabilities", such as 'smtp', 'mbox', and 'frag'. This pseudo-feature is generated on the fly, and is not part of the server's descriptors. .It status The string "(ok)" if the server is recommended, and "(not recommended)" if it is not. .It contact An email address to contact the server's administrator. .It contact-fingerprint A PGP fingerprint for the server's administrator, if available. .It server:comments A description of the server's status and policies. .It software The Type III remailer software (and version) used by the server. .It secure-configuration / why-insecure Secure-configuration is true if the server is running in a believed-to-be-secure operating mode. If not, why-insecure explains what is insecure about the server's configuration. (Right now, all servers are believed-to-be-insecure, since the software is in alpha.) .It hostname The server's hostname. .It delivery/mbox:maximum-size The largest message in KB (before compression) that the server is willing to deliver via mbox. .It delivery/smtp:maximum-size The largest message in KB (before compression) that the server is willing to deliver via email. .It delivery/smtp:allow-from This value is true if the server supports client-selected from addresses. .It maximum-fragments The largest message size (in packets) that the server is willing to reassemble. .El .Sh ENVIRONMENT Mixminion recognizes the following environment variables: .Bl -tag -width ".Ev MIXMINIONRC" .It Ev MIXMINIONRC The default configuration for your .Xr mixminionrc 5 configuration file. Defaults to .Pa $HOME/.mixminionrc on Unix and Mac OS X, and \fIDocuments\ and\ Settings\\mixminionrc\fP on Windows. You can also override this default with the .Fl f flag. If you try to start mixminion without a configuration, one is created. .It Ev http_proxy If you use a proxy to access the web, you should set this variable so that mixminion can use HTTP to download its directory. .It Ev MM_NO_FILE_PARANOIA If set, don't check file permissions on private files. .El .Sh FILES Mixminion uses files as described below. Note: some of these filenames are given relative to a directory called "$BASE". This defaults to .Pa $HOME/.mixminion/ , but you can override this with the .Va UserDir setting in your .Xr mixminionrc 5 . .Bl -tag -width ".Pa $HOME/.mixminionrc" .It Pa $HOME/.mixminionrc Configuration options for .Nm mixminion , as documented in .Xr mixminionrc 5 . .It Pa $BASE/cache A cached representation of the most recently downloaded directory, to speed server startup. .It Pa $BASE/dir.gz The most recently downloaded directory, compressed with gzip. .It Pa $BASE/keys/ Secret keys used to decode messages sent to your SURBs. These keys are encrypted with your passphrase. .It Pa $BASE/queue/msg_* An outgoing packet in the queue, awaiting delivery. .It Pa $BASE/queue/meta_* Metadata for a single queued packet. (This includes the address of the first hop for a given queued packet, and the day on which the packet was generated.) .It Pa $BASE/queue/rmv*_* A packet that has been successfully delivered, and is waiting to be overwritten and removed. .It Pa $BASE/fragments/ A directory of fragments for messages waiting reassembly. .It Pa $BASE/fragments_db A database describing which fragmented messages have been reassembled and/or purged. Future fragments for these messages will be automatically discarded. .It Pa $BASE/imported/ A directory of server descriptors imported with .Nm mixminion Cm import-server .It Pa $BASE/surbs/log A database of digests for SURBs which have been used already, to prevent repeat use. Entries are removed from this database once the corresponding SURBs are expired. .El .Pp Note: the only one of these files you should ordinarily be modifying is .Pa .mixminionrc . .Sh EXAMPLES Send a message to an email address: .D1 Ic mixminion send -t -i Send a message to an email address, reading from standard input: .D1 Ic mixminion send -t Send a message to an email address, with a chosen "From" and "Subject" line: .D1 Ic mixminion send -t --from=Alice --subject="A subject" Send a message to an email address, using the servers frell, noisebox, and moria: .D1 Ic mixminion send -t -P frell,noisebox,moria Send a message to an email address, using about 5 randomly chosen servers, ending at moria: .D1 Ic mixminion send -t -P '~5,moria' Send a message to an email address, starting at tonga, taking exactly three random steps, and ending at iabervon: .D1 Ic mixminion send -t -P 'tonga,*3,iabervon' Send a message to an email address, starting at a random server, followed by totoro1, followed by a random server, followed by frell: .D1 Ic mixminion send -t -P '?,totoro1,?,frell' Send a large message to be reassembled by the recipient (by default, the last server reassembles): .D1 Ic mixminion send -t --deliver-fragments Reload the server directory immediately: .D1 Ic mixminion update-servers Send a message to an email address, without reloading the directory: .D1 Ic mixminion send -D no -t Send a dummy packet: .D1 Ic mixminion send -t drop Queue a message to an email address for later delivery: .D1 Ic mixminion queue -t Queue a dummy packet for later delivery: .D1 Ic mixminion queue -t drop Test whether totoro1 is running: .D1 Ic mixminion ping totoro1 List all packets waiting in the queue: .D1 Ic mixminion inspect-queue Try to flush all the packets in the queue: .D1 Ic mixminion flush Try to flush no more than 16 packets from the queue: .D1 Ic mixminion flush -n 16 Remove packets that have been waiting in the queue for more than 7 days: .D1 Ic mixminion clean-queue -d 7 Decode a message you have just received, reading from one file and sending the output to another: .D1 Ic mixminion decode -i -o . Decode a message you have just received, reading from standard input and writing to standard output: .D1 Ic mixminion decode -i - Generate a single SURB, writing it to standard ouput: .D1 Ic mixminion generate-surb -t Generate 10 SURBs, writing them to a file: .D1 Ic mixminion generate-surb -n 10 -t -o surbs.txt Generate a single SURB, using three randomly chosen servers then ending at frell: .D1 Ic mixminion generate-surb -t -P '*3,frell' Generate a SURB that will only be valid for 2 days: .D1 Ic mixminion generate-surb -t --lifetime=2 Send a reply message to a user for whom we have a supply of SURBs stored in a file: .D1 Ic mixminion send -R surbs.txt Examine the SURBs stored in a file: .D1 Ic mixminion inspect-surbs surbs.txt List the servers currently running: .D1 Ic mixminion list-servers List all the servers that are running Mixminion 0.0.7: .D1 Ic mixminion list-servers -F software | grep 'Mixminion 0.0.7' .Sh REFERENCES Mixminion's design is described and justified in more detail in the design paper: .Bl -bullet -compact .It .Rs .%A George Danezis .%A Roger Dingledine .%A Nick Mathewson .%B Proceedings of the 2003 IEEE Symposium on Security and Privacy .%D May 2003 .%T Mixminion: Design of a Type III Anonymous Remailer Protocol .%O http://mixminion.net/minion-design.pdf .Re .El .Pp A byte-level specification of the Type III ("mixminion") remailer protocol, is available in the protocol specifications: .Bl -bullet -compact .It .Rs .%A George Danezis .%A Roger Dingledine .%A Nick Mathewson .%T MIX3:1 Type III (Mixminion) Mix Protocol Specification .%O http://mixminion.net/minion-spec.txt .Re .It .Rs .%A George Danezis .%A Roger Dingledine .%A Nick Mathewson .%T MIX3:2 Type-III Remailers: End-to-end Encoding and Delivery .%O http://mixminion.net/E2E-spec.txt .Re .It .Rs .%A George Danezis .%A Roger Dingledine .%A Nick Mathewson .%T MIX3:3 Type III (Mixminion) Mix Directory Specification .%O http://mixminion.net/dir-spec.txt .Re .El .Pp The path syntax is documented in .Bl -bullet -compact .It .Rs .%A Nick Mathewson .%A Peter Palfrader .%T MIX3:path Type III (Mixminion) Path Generation .%O http://mixminion.net/path-spec.txt .Re .El .Pp There are also tentative specifications for an API and a nymserver, but this software implements neither. For more information, see the Mixminion website at http://mixminion.net/ .Sh SEE ALSO .Xr mixminionrc 5 , .Xr mixminiond 8 .Sh AUTHORS George Danezis, Roger Dingledine, and Nick Mathewson did the first Mixminion protocol design, which was later adopted for the Type III remailer protocol. Nick Mathewson wrote most of the software, with help from (many!) others. .Pp .An Nick Mathewson Aq nickm@freehaven.net wrote the first version of the documentation (a README file); .An George Danezis Aq George.Danezis@cl.cam.ac.uk did the first version of the manpage; and then Nick revised it again. Any inaccuracies or omissions are probably Nick's fault. .Sh ACKNOWLEDGMENTS The Mixminion software is by Nick Mathewson, with contributions by Roger Dingledine, Brian Fordham, Lucky Green, Peter Palfrader, Robyn Wagner, Brian Warner, and Bryce "Zooko" Wilcox-O'Hearn. .Sh BUGS Future releases will probably break backward compatibility with this release at least once or twice. .Pp Windows support is not as well-tested as it should be. .Pp You shouldn't trust Mixminion with your anonymity yet, for the following reasons: .Bl -enum -offset indent -compact .It The code is under development. There may be unknown bugs that could compromise your anonymity. (We do not know of any such bugs.) .It In order to test the code, many servers are running in configurations that could harm your anonymity. For example, some servers are configured to log verbosely. Others are configured to use the "timed-pool" mixing algorithm rather than the more robust "timed dynamic-pool" mixing algorithm. While these configurations help us debug Mixminion, they also make it easier for an eavesdropper or a compromised server to trace your messages. The final Mixminion release will not support these configurations. .It Some features that are necessary for high security, robustness, anonymity are not yet implemented. These include: .Bl -bullet -compact .It Distributed directories. (The current centralized directory is a single point of failure.) .It Automatic generation of dummy messages. .It Built-in network reliability testing ("pinging"). .El .El .Ss Reporting bugs To report bugs, please use the Bugzilla pages at http://bugs.noreply.org/. For other correspondence, please email . For help in debugging, please try to send a copy of: .Bl -bullet -offset indent -compact .It What command you were running. .It The complete error you got, including stack trace (if any). .El .Pp If your error occurred on a running server, please make a copy of your log--it might be helpful.