Geary

Geary is a free and open source (Software Libre) lightweight email client designed for the GNOME desktop. Its interface is based on conversations, so you can easily read an entire discussion without having to click from message to message. You can download it here: Geary download

Add your Riseup account

Geary currently only supports IMAP accounts. On first start you are asked to create a new account:

  1. For Service choose Other
  2. Enter a name and your Riseup email address
  3. Set the IMAP server mail.riseup.net, leave the port at 993. If you want to connect via Riseups Tor service, see below.
  4. Enter your Riseup username and password
  5. For IMAP and SMTP choose SSL/TLS Encryption
  6. Set the SMTP server mail.riseup.net, leave the port at 465
  7. Activate Use IMAP credentials, leave No authentication required unchecked
  8. Press Add

Geary will ask you for your GNOME keyring password to save your Riseup password. You can safely cancel this.

Enhance your email security

  • Don’t enable secure passwords or secure authentication. These are somewhat of a misnomer. These methods of specifying passwords require that the email server keep a cleartext copy of your password. We would consider this a security risk, so we don’t enable “secure passwords.” Because the connection to riseup.net is encrypted anyway, these are not needed.
  • Encrypt your mail! For enhanced message security use Шифрование электронной почты.
  • The secure connection may be of type TLS or StartTLS. For security reasons, we no longer support SSL. You should not use StartTLS. Instead, it is much better to use regular TLS. For added security, go to your account settings and change your connection type from StartTLS to TLS.
  • There are many vulnerabilities with how secure connections work. If you need high security, you should always connect to Riseup services using the Riseup VPN. This will prevent a long list of potential attacks against your communication.
  • To enhance connection security you can use Tor to connect to Riseup’s .onion services for IMAP and SMTP. Look for the according mail.*.onion and smtp.*.onion addresses on the linked page and replace mail.riseup.net for each server. Note: * SMTP port 465 is often blocked by exit nodes, but port 587 is less frequently blocked. If you have a problem sending mail, try port 587 or configure your client to use Riseup’s email hidden service in place of the regular mail.riseup.net domain. This is better than sending traffic through a Tor exit as it is MITM resistant, but it will generate certificate errors on the client side.

Verify SSL/TLS certificate

Apparently Geary does not provide an option to display used TLS/SSL certificate. If the certified domain name does not match the actual domain name, a warning is shown, but not the fingerprint (or any helpful info).

Message security

At the moment Geary does not support OpenPGP encryption, so it is necessary to de- and encrypt your messages with an external tool.

Note that while you are drafting new messages, Geary saves them without encryption on the server from time to time. To change this, open your account settings and disable Save drafts on server in the Composer section.

When you received an encrypted file attachment, you need to download it and decrypt it manually. Sorry.

Use Riseup’s .onion-Dienst

To enhance connection security you can use Tor to connect to Riseups .onion services for IMAP and SMTP. Look for the according mail.*.onion and smtp.*.onion addresses on the linked page.

To change your settings later, open the file .local/share/geary/[Your_Email_Address].net/geary.ini with your preferred text editor (eg. gedit).

  1. Search for imap_host=mail.riseup.net and smtp_host=mail.riseup.net.
  2. For both IMAP and SMTP replace mail.riseup.net with the .onion address from above page.

Due to a bug in Geary it is not possible to change your account details while you are connected. You need to recreate your account with the Tor servers from the beginning. In case this has been fixed in the future:

  1. From the Geary menu choose Accounts
  2. Select your Riseup account and click at the pencil symbol at the bottom of the screen.
  3. For both IMAP and SMTP replace mail.riseup.net with the .onion addresses from above page.

Great! You now use Tor to connect to Riseup!