NemoMail

NemoMail is an anonymous and optionally encrypted email service over Lokinet that hides your real IP address from email headers. When you must be anonymous for sending and receiving emails, NemoMail can help you accomplish anonymity with these features:

1. Anonymous purchase and renewal with cryptocurrencies
2. Anonymous account creation
3. Encryption of inbound emails with your PGP public key (optional)
4. Sending and retrieving email anonymously over the onion routed Lokinet via SMTP, IMAP4 & POP3.
5. Non-JavaScript webmail client Squirrelmail available
6. Normal business-sounding email domain names

NemoMail technical description:
– SMTP (587), IMAP4 (143) and POP3 (110) are open to Lokinet
– NO email access from clearnet (=the regular Internet) to make sure you don’t accidentally reveal your IP address
– Up to 3 GB of storage on the server per user
– We use Postfix for SMTP and Dovecot for POP3 and IMAP4
– Optional PGP encryption applied to all inbound emails via Postfix calling an external script to perform the encryption using the PGP Public Key provided by user.
– Squirrelmail available for webmail.
– No inbound or outbound spam filtering
– No logs (except occasionally for troubleshooting technical problems)
– No backups


FAQs
What problem does NemoMail solve?
How is NemoMail encryption different from other encrypted email providers?
What PGP encryption key types can I use?
Why aren’t system messages like welcome email and renewal emails encrypted?
– Should I use POP3 or IMAP4 to access my emails?
I can’t use Squirrelmail for viewing encrypted emails, and I know there is a PGP plugin available for Squirrelmail. Can’t you install it?
Why are you using the antiquated Squirrelmail?
Do you backup my emails?
What is your logging policy?
Messages in my Sent mail box are not encrypted.
I can see the subject line of an encrypted email, is this correct behavior?
I lost my PGP Secret Key and now I can’t see my emails in the inbox. What can you do?
My email client (Thunderbird, Outlook, etc.) warns me about lack of encrypted connections
Why do you ask me for my Session Messenger ID during the signup?
What does NemoMail mean?
Why do you have business domains to choose from, and not just nemomail.me or nemomail.io?


Q: What problem does NemoMail solve?
A: NemoMail will not expose your real IP address in email headers or server connections.
NemoMail fixes IP exposures by only allowing access to the mail server via Lokinet that onion routes your connections. So, email headers only have cryptic Lokinet addresses and RFC1918 private network addresses rather than true Internet IP addresses, and there is no way to access NemoMail outside of Lokinet, so you can’t accidentally expose your IP address.

Q: How is NemoMail encryption different from other encrypted email providers?
A: Most encrypted email providers require you to trust that they won’t use the secret key that they possess to look into your emails. NemoMail doesn’t have your secret key, so there is nothing to trust. We encrypt all inbound emails with your own, personal PGP Public Key so that the messages that are sitting in your mailbox at NemoMail’s server can’t be read by anyone other than you. The encryption happens at the NemoMail mail server by running every inbound email through a filter that encrypts them with your PGP Public Key. Encrypted emails in your inbox are only viewable to you as you are the only one who has the corresponding PGP Secret Key that can decrypt the messages.

Q: What PGP encryption key types can I use?
A: You can use RSA 2048, RSA 3072, RSA 4096 or ECC (Elliptic Curve) key types.

Q: Why aren’t system messages, like the welcome email & renewal reminder email encrypted?
A: We need you to be able to read those messages without a decryption key, so they won’t be encrypted. All other inbound messages will be encrypted.

Q: Should I use POP3 or IMAP4 to access my emails?
A: For best privacy please use POP3 and empty the mailbox every time you connect. IMAP4 is more convenient because all of the emails stay on the server, but it is less private.

Q: I can’t use Squirrelmail for viewing encrypted emails, and I know there is a PGP plugin available for Squirrelmail. Can’t you install it?
A: Installing the PGP plugin would require you to trust us that we won’t steal or misuse your PGP Secret Key. NemoMail is all about zero trust and anonymity. Therefore we won’t install it.

Q: Why are you using the antiquated Squirrelmail?
A: Squirrelmail is the only one we know that doesn’t use JavaScript. Please let us know if you know some other non-JavaScript webmail app that works better than Squirrelmail. We’re all ears: Session ONS is: PrivacyProShop and email is support@sutinen.com

Q: Do you backup my emails?
A: No, we won’t. We only backup system configurations to be able to restore the system in a disaster. HOWEVER, we may be compelled to backup your emails because of a court order, subpoena or warrant and be under a gag order and we can’t tell you about it. Therefore, please use POP3 to empty your mailbox. It’s never a good idea to trust anyone else with your emails.

Q: What is your logging policy?
A: We will only log for troubleshooting purposes. Otherwise we have logging going to /dev/null. HOWEVER, we may be compelled to log because of a court order, subpoena or warrant and be under a gag order and we can’t tell you about it.

Q: Messages in my Sent mail box are not encrypted.
A: We only encrypt inbound emails. Emails that your email client places via IMAP4 to the server are NOT encrypted. Please configure your email client to store sent messages in your own computer. Ultimately you should use POP3 rather than IMAP4 for best privacy.

Q: I can see the subject line of an encrypted email, is this correct?
A: Yes, we only encrypt the body of the message. Message subject line is not encrypted.

Q: I lost my PGP Secret Key and now I can’t see my emails in the inbox. What can you do?
A: We can disable or change the encryption public key for your mailbox under one of the two conditions:
1. If you know the account password and have the original or renewal order number & confirmation code you can change the encryption key change yourself: https://sn1.sutinen.com/update_nemomail_pgpkey.php
2. If you wish us to remove or change the key for you, we can do it if you have the original or renewal order number & confirmation code. Send those to us with Session to ONS: PrivacyProShop and we’ll process your request.
3. If you provided us with a Session ID when you signed up we can change the key or remove it for you. You can contact us from that Session ID at Session ONS: PrivacyProShop. Once we have verified that your Session ID matches the one you provided at signup we will perform changes to your account.

Q: My email client (Thunderbird, Outlook, etc.) warns me that you don’t have encrypted connections.
A: That is correct. Lokinet is already encrypted, so there is no need for additional in-transit encryption. Also, if in-transit encryption were employed for SMTP/POP/IMAP you would see errors pertaining to self-signed certificates as it is impossible to get a valid certificates for .loki addresses.

Q: Why do you ask me for my Session Messenger ID during the signup?

A: So that you have another method for resetting your password or performing other account maintenance functions. If you forget your password there are two ways to reset it: 1) Using the automated password reset feature that requires you to have your order number and confirmation code or 2) Sending a password reset request from the Session ID you supplied to us when you signed up for the account. Since we don’t ask for any other identification during the account signup, we’ll use that Session ID as an authenticator. You don’t have to give us your Session ID, but without it we won’t be able to help you reset your password or do any other account maintenance you may request.

Q: What does NemoMail mean?
A: Nemo is Latin for “no one” or “nobody”.

Q: Why do you have business domains to choose from, and not just nemomail.me or nemomail.io?
A: Anonymity can take many routes. Some prefer to have a generic email domain like nemomail.me that somewhat indicates that it is a mail service they are using. Others prefer to have an email address that sounds like it was coming from a business. We have selected domain names that were originally registered over 20 years ago, and at some point abandoned by their previous owners.