Getting Started with Mixminion Peter Hendrickson June 22, 2004 License: This tutorial is in the public domain. 0. Introduction 1. Important Warnings 2. First Commands to Try 3. A Word for Long Time Mix Network Users 4. The Server List 5. Direct Forward Messages 6. Receiving Messages Anonymously 7. The Queue 8. More Sources of Information 0. Introduction Mixminion (http://mixminion.net) is a communication security application for electronic mail messages. Its purpose is to deny an adversary the ability to determine who is communicating with whom and to provide the closely related service of anonymous communication. It does this by sending messages through a series of servers. Messages going into and out of each server are encrypted. Each server keeps a pool of messages. When a message comes in it is placed in the pool. Messages sent out from the pool are difficult to correlate with the messages going in. This process is called "mixing." Each server reduces the ability of the adversary to determine the origin of a message. Chaining the servers further reduces this ability and contains damage caused by compromised servers. The chain of servers is chosen by the Mixminion software running on the user's machine. A full discussion of the Mixminion design with references to the large body of existing research will be found in [1]. This tutorial will get the reader started using Mixminion. It is not complete documentation and not every feature is covered. To use this tutorial, the reader will need a machine supporting outgoing SSL connections which has Mixminion installed and an electronic mail address for receiving test messages. Comfort using a command line interface is required. 1. Important Warnings Please do not put anything sensitive into test messages. Some examples use a small number of servers to increase performance. This makes it easier to try out Mixminion at the price of some security. At the time of writing, Mixminion is still only an alpha release at version 0.0.7. Bugs are still being found and the code is being actively modified and extended. The alpha code has features which are useful for debugging but which weaken the security of the system. Some alpha servers are logging their traffic. By default, the alpha code also mixes the messages in a way which is useful during development but is not as secure as the mixing algorithm to be used when the code is finally released. The reader is cautioned not to rely too much on the security of the system at this time. The future of Mixminion is bright. The design is the culmination of more than two decades of security research. There are many open theoretical questions, but it is likely that Mixminion will be more secure than all past similar systems. Keeping the above warnings in mind, the user is encouraged to try out the Mixminion system. More people are needed to shake out the remaining bugs. A larger user base increases the security of the system, so it is desirable to build a vibrant Mixminion community. 2. First Commands to Try The Mixminion program is called "mixminion". It has many subcommands. For example, this is how to check the version: > $ mixminion version > Mixminion version 0.0.7 > Copyright 2002-2004 Nick Mathewson. See LICENSE for licensing information. > NOTE: This software is for testing only. The user set is too small > to be anonymous, and the code is too alpha to be reliable. The next thing to do is to run the unit tests: > $ mixminion unittests > .....................................................................................................................[Generating DH parameters (not caching)... done.]..... > ---------------------------------------------------------------------- > Ran 100 tests in 30.107s > > OK > > Waiting for shred processes to finish. There should be no errors if Mixminion has been installed correctly. 3. A Word for Long Time Mix Network Users Other mixing systems use standard SMTP mail as a channel for delivering messages to servers. Mixminion, on the other hand, uses SSL connections between servers and for accepting mail from users. SSL connections permit easy authentication of the destination server, provide perfect forward secrecy, and prevent an eavesdropper from being able to identify particular messages being transferred. Direct connections give the servers the opportunity to manage their own queues, rather than being dependent on SMTP based mail systems which may not be under the operator's control. Direct connections also mean that message pile ups will affect only the Mixmaster network and not overflow SMTP mail spool directories. Long time mix network users may also be accustomed to a certain level of unreliability. As of this writing, Mixminion does not perfectly deliver all messages. However, reliability has improved dramatically over the systems of the past. 4. The Server List Mixminion needs to download a list of available servers every day. It is important to have all users using the same server list. Mixminion uses the server list to decide how to route messages. If an adversary is able to get some users to use one list and other users to use another list, it is possible to weaken the security of the system. Mixminion automatically downloads the server list every day. It is downloaded the first time you use a command which needs it. The "list-servers" command lists all the known servers: > $ mixminion list-servers > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > May 07 08:05:23.001 -0800 [INFO] Downloading directory from http://mixminion.net/directory/Directory.gz > May 07 08:05:24.790 -0800 [INFO] Validating directory > aarg:smtp relay (ok) > almery:mbox relay (ok) > anize:mbox relay (ok) > antani:smtp relay (ok) > cassandra:relay (not recommended) > chicago:relay (ok) > cside:mbox relay (ok) > frell:mbox smtp relay frag (ok) > frell2:relay (ok) > futureworlds:relay (ok) > grove:mbox relay frag (ok) > gurski:mbox relay frag (ok) > hermes:mbox relay frag (not recommended) > Kisangani:relay (ok) > lakshmi:relay (ok) > liberty:smtp relay frag (not recommended) > mercurio:mbox smtp relay (ok) > metacolo:smtp relay (ok) > moria:relay (ok) > nixon:mbox relay (ok) > noisebox:relay (ok) > nowwhat:mbox relay (ok) > peertech:relay (ok) > POboxes:relay (ok) > psycocat:mbox relay (ok) > rot26:relay (ok) > rufus:relay (ok) > sgroi:relay (ok) > snorky:relay (ok) > squirrel:mbox smtp relay frag (ok) > stalker:relay (not recommended) > sushi:mbox relay frag (ok) > Tonga:smtp relay (ok) > totoro1:mbox smtp relay (ok) > totoro2:smtp relay (ok) > typhaon:smtp relay (ok) Each line shows the name of a server, followed by the features which that server supports. For example, the "relay" feature means that the server will take in messages and send them to other servers. The "smtp" feature means that the server will send outgoing electronic messages using the traditional SMTP mail network. The last field on each line states whether the server should be used or not. The "list-servers" command can list more fields than the default above. Mixminion commands may be modified with subsequent arguments. For example, this command will list the host name, contact electronic mail address, and the version of the software running for each server: > $ mixminion list-servers -F hostname,contact,software A number of other features may be listed and are described on the mixminion(1)[2] man page under "Server Features". The reader is encouraged to try listing other available features. 5. Direct Forward Messages A "direct forward message" is one which is sent through the Mixminion system to an electronic mail address. The sender knows where the message went. The receiver will not know where it came from. This tutorial uses the test address "foo@bar.wiredyne.com". The reader should use his or her own test address. The "send" command sends a message. The "-t" argument specifies where it should go. Mixminion chooses the series of servers used to relay the message. This is what sending a message looks like: > $ mixminion send -t foo@bar.wiredyne.com > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > Enter your message now. Type Ctrl-D when you are done. > The world is all that is the case. > May 07 08:15:32.093 -0800 [INFO] Generating payload(s)... > May 07 08:15:32.278 -0800 [INFO] Selected path is rufus,nixon,grove,nowwhat:POboxes,moria,metacolo > May 07 08:15:32.705 -0800 [INFO] Packet queued > May 07 08:15:32.711 -0800 [INFO] Connecting... > May 07 08:15:40.063 -0800 [INFO] ... 1 sent By default, Mixminion expects a message to be typed to it directly and terminated with "Ctrl-D". In this example, the message was "The world is all that is the case." This is the list of servers chosen to deliver the message: rufus,nixon,grove,nowwhat:POboxes,moria,metacolo The colon shows where the "swap point" is. Swap points are a fundamental feature to the design of the system. They permit users to not only send mail anonymously and securely but also to receive it. Inside the encrypted Mixminion packets, there are two header fields which are swapped once during transit through the Mixminion network. The reasoning behind this design is complex and discussed in detailed in [1]. The message that arrives should look something like this: > To: foo@bar.wiredyne.com > From: incognita@mixminion.metacolo.com > Subject: Type III Anonymous Message (relayed by metacolo) > X-Anonymous: yes > Message-Id: <20040507162653.79BAD218@mixminion.metacolo.com> > Date: Fri, 7 May 2004 16:26:53 +0000 (UTC) > > -----BEGIN TYPE III ANONYMOUS MESSAGE----- > Message-type: plaintext > > The world is all that is the case. > -----END TYPE III ANONYMOUS MESSAGE----- Messages can also be piped into standard input: > echo "The world is all that is the case." | mixminion send -t foo@bar.wiredyne.com Mixminion can also send a message from a file using the "-i" option. If the message is placed in the file "world", it can be sent like this: > $ mixminion send -t foo@bar.wiredyne.com -i world Try sending several test messages. As of this writing, it can take over an hour for messages chosen with the default path lengths to arrive. If the message is not seen immediately it does not mean that the system or the Mixminion software isn't working. (Since mix networks rely on other traffic to mix a message, they have have the property that performance actually improves with greater usage up to a point. In the future, performance will improve as message traffic increases.) The "-P" option can be used to modify the server path choosing behavior of the program. For example, "-P '*10'" will choose a path of ten randomly selected servers. We want a short path so we can see a test message go through, so try sending a few messages with a path length of 2. (2 is the shortest path length that can be chosen.) > $ mixminion send -t foo@bar.wiredyne.com -i world -P '*2' > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > May 07 08:27:58.829 -0800 [INFO] Generating payload(s)... > May 07 08:27:58.910 -0800 [INFO] Selected path is metacolo:Tonga > May 07 08:27:59.096 -0800 [INFO] Packet queued > May 07 08:27:59.102 -0800 [INFO] Connecting... > May 07 08:28:02.846 -0800 [INFO] ... 1 sent Try sending some test messages this way. As of this writing, messages sent through two servers will take on the order of 20 minutes, with a lot of variation on that time. For fun, try sending some messages through a long path. (The message has been changed so the long path messages can be identified.): > $ echo "Long path." | mixminion send -t foo@bar.wiredyne.com -P '*28' > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > Enter your message now. Type Ctrl-D when you are done. > May 07 08:35:32.976 -0800 [INFO] Generating payload(s)... > May 07 08:35:33.429 -0800 [INFO] Selected path is mercurio,lakshmi,typhaon,rufus,frell,Kisangani,frell,grove,aarg,POboxes,psycocat,frell2,lakshmi,totoro2:nixon,rufus,typhaon,psycocat,metacolo,sushi,cside,frell,metacolo,aarg,rufus,cside,frell2,frell > May 07 08:35:34.456 -0800 [INFO] Packet queued > May 07 08:35:34.461 -0800 [INFO] Connecting... > May 07 08:35:43.515 -0800 [INFO] ... 1 sent As of this writing, messages sent through a path that long are going to take the better part of a day to arrive. You will probably see some messages dropped as it only takes one server in the chain to fail in order for the message to fail. Send yourself a bunch of test messages to get a feel for how often this happens with a long path. Path arguments can be used to choose specific routes through the Mixmaster network, to choose specific routes with sections of randomly selected servers inserted, or to choose routes of random servers of an approximate length. The mixminion(1)[2] man page documents these features. Paths can be up to about 15 hops before and after the swap point. A direct forward message can be up to about 30 hops. Each server takes up a different amount of header space, so the amount of space needed depends on the particular path chosen. Header space is limited and not all paths with the same number of hops can be used. It is also possible to send "messages" without content or any final destination. The purpose of this is to generate "dummy traffic", which many people believe increases the security of the system. Intuitively it seems this must be true, but it has not been well established. A dummy message is sent by specifying the destination "drop". The message will be "dropped" by the last server in the chain. Try sending some dummy messages: > $ mixminion send -t drop -P '*28' Some messages are too large to fit into a single Mixminion message. When this occurs, the message is automatically broken into fragments which are sent separately through the Mixminion network. The last server automatically reassembles the fragments and sends the complete message onward: > $ mixminion send -t foo@bar.wiredyne.com -i bigfile > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > May 07 08:52:05.583 -0800 [INFO] Generating payload(s)... > May 07 08:52:05.736 -0800 [INFO] Selected path is lakshmi:squirrel > May 07 08:52:05.795 -0800 [INFO] Selected path is cside,grove:cside,squirrel > May 07 08:52:05.883 -0800 [INFO] Selected path is almery,anize,mixiwoarsnet:typhaon,sushi,squirrel > May 07 08:52:06.492 -0800 [INFO] Packet queued > May 07 08:52:06.496 -0800 [INFO] Connecting... > May 07 08:52:11.369 -0800 [INFO] ... 1 sent > May 07 08:52:11.530 -0800 [INFO] Packet queued > May 07 08:52:11.534 -0800 [INFO] Connecting... > May 07 08:52:16.957 -0800 [INFO] ... 1 sent > May 07 08:52:17.249 -0800 [INFO] Packet queued > May 07 08:52:17.260 -0800 [INFO] Connecting... > May 07 08:52:22.648 -0800 [INFO] ... 1 sent As of this writing, fragment delivery is somewhat unreliable. 6. Receiving Messages Anonymously Mixminion also supports the receipt of anonymous messages. This is achieved using "Single Use Reply Blocks" or "SURBs". A SURB is an encoded block of information which can be decrypted by the first server it specifies. That server will find inside another encoded message which tells it the next server to get the message. The last block inside tells the final server where to send the message. (See [2] for a complete description of how this works.) SURBs can only be used once. This is a security feature. Otherwise, a SURB could be used repeatedly to send messages back to the originator. This would give an adversary valuable clues. SURBs also expire. After a SURB has expired it should not be possible to trace it back. By default, SURBs expire in one week. To permit somebody to send mail, it is necessary to generate a SURB and send it to them. As of this writing, Mixminion is needed to respond. In the future, there will be SMTP gateways to the Mixminion network which will accept SURBs and mail from anybody. This is what a SURB looks like: > -----BEGIN TYPE III REPLY BLOCK----- > Version: 0.2 > > U1VSQgABQKAXgOUzyhuwvWgSPS7yY3U2/fM2JwegyWpwqBT1NSt7ZfBOjBioRrZU > t7e16lYxJVRHrZMtSmtpwPPbRECIukskQ9XqAjsQtNE7NC68rXhPiabnVjmOgUIs > 2OOe29+io/Rkks5jqVHFEDaMaUzEZb8uxMS0KNKdhj6UF8K943pLp9UtOdM5tzM+ > > ... > > p7HZAlW8U6ohkpDzJcaZghXLvL+hDMN8ff1ZknWstzVxck59cnr6pTkIMh21+RFB > e2dJBTExRacpyiClJDh/YEmiJK5Apad9W1X1iE03AlTz9itEHjybnaxUABoAAg7f > 7uUGsA1JRWy14Om6IonVknJgu+PJsdpHuI0uU97wnVKrXBO+Tbcrrw== > -----END TYPE III REPLY BLOCK----- The Mixminion command "generate-surb" creates a new SURB. (If you haven't generated one before, you will be asked to supply a pass phrase to be used for the keyring. If you have already created the keyring pass phrase, you will be asked for it.) It should look something like this: > $ mixminion generate-surb -t foo@bar.wiredyne.com > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > May 07 08:58:48.945 -0800 [INFO] Selected path is POboxes,nowwhat,Tonga,typhaon > Enter passphrase for keyring: > -----BEGIN TYPE III REPLY BLOCK----- > Version: 0.2 > > U1VSQgABQKK6gDXXo99CMwqLzjTuQXET49fvuYmayi7DLpxXKoFHw2hCqP1YhJQo > 0TtILHqa16jmmVgegp3ZFFTqxuXklWnjs45uD4/R1iMD9zkqRwXRhGkedaIit1hm > ... Note that the selected path does not have a ":" indicating a swap point. The way SURBs work is that the person using the SURB routes the message to a swap point. At the swap point, the SURB takes over and directs the message to its anonymous recipient. The path above is the sequence of servers the message will go through after the swap point. This has the property that eavesdroppers cannot determine which SURB the user is responding to - or even if he or she is responding to a SURB at all. Keep in mind, however, that depending on how the SURB was received, the user may be known to the anonymous correspondent. SURBs are identifiable by their creator. The "-o" option specifies a file to put the SURB in: > $ mixminion generate-surb -t foo@bar.wiredyne.com -o surb.txt Normally the contents of surb.txt would be sent to somebody else. But, let's pretend that the SURB in surb.txt was actually sent to us by an anonymous correspondent. In order to reply to it we use the Mixminion "send" command, but with the "-R" option to specify a file holding the SURB rather than the "-t" option to specify a recipient. > $ echo "SURB Test" | mixminion send -R surb.txt > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > Enter your message now. Type Ctrl-D when you are done. > May 07 09:00:36.763 -0800 [INFO] Selected path is POboxes,totoro2,snorky,mercurio,POboxes,aarg,almery,cybervalley,cside > May 07 09:00:36.769 -0800 [INFO] Generating packet... > May 07 09:00:37.365 -0800 [INFO] Packet queued > May 07 09:00:37.370 -0800 [INFO] Connecting... > May 07 09:00:42.304 -0800 [INFO] ... 1 sent Note again the absence of a swap point in the path chosen. This time the path refers to the servers up to the swap point. When it arrives, it will look something like this: > Date: Fri, 7 May 2004 12:46:58 -0700 > Message-Id: <200405072046.i458Hqn9006802@www.aarg.net> > To: foo@bar.wiredyne.com > From: nobody@aarg.net > Subject: Type III Anonymous Message > X-Anonymous: yes > > This message is not in plaintext. It's either 1) a reply; 2) a forward > message encrypted to you; or 3) junk. > > -----BEGIN TYPE III ANONYMOUS MESSAGE----- > Message-type: encrypted > Decoding-handle: XsFGTVxuqYCGrR5GzM/21bMy3Lo= > > bMupOFEZfHKbjraLsDJ3+CS16HrATOnA7MwCkKENd3nd4tXBIJlMbqsINZA5IwjE > 70JYX2wqHLpH5GlUcxr0jwNnNVIUk/HS3Xn9kWYVdU1S5FvDW/XS3ZiMRJCzHL3w > DjIpyEkYX4716DmkdpOjFrwU+ouD0kSUeQvH4dMmNUKP0YNvBmRSSthgVzki7Ml6 > > .... > > 8jcWJuDK3TH6tZR/1c0ve5lHRAFy9f2RJuhW6XIBkCsIWcEj1p6Z5pbyuEC9sYlm > HdjcTTKx+riZkJFsdZMPJRfkl2hJhu0A6exRNzxMb7piy17OYvvlmXVzvH9cyM7c > dkOFcNVvrNn0WtQItykXAB7j37e4K8Ww81ZP5KlVjMxn12UidL/ZeMADw9YjCK5s > R/10M0pHp6pM/2F+hdEGCw== > -----END TYPE III ANONYMOUS MESSAGE----- Put the message in a file like "surb-reply.cipher". The Mixminion command "decode" will decrypt it. The "-i" option specifies the input file: > $ mixminion decode -i surb-reply.cipher > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > Enter passphrase for keyring: > > The world is all that is the case. The "-o" option specifies an output file: > $ mixminion decode -i surb-reply.cipher -o surb-reply.txt > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > Enter passphrase for keyring: > $ cat surb-reply.txt > > The world is all that is the case. One use of Mixminion is to communicate with people anonymously. Each SURB can be associated with an "identity", which is just a made up name used to keep different sets of SURBs apart. When a reply comes in for a SURB associated with a particular identity, its name is displayed. The "--identity" option associates a name with a SURB when it is created: > $ mixminion generate-surb -t foo@bar.wiredyne.com --identity=Ludwig -o ludwig.0 > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > May 07 09:05:34.386 -0800 [INFO] Selected path is grove,noisebox,lakshmi,totoro2 > Enter passphrase for keyring: Then send a message to that SURB: > $ echo "The world is all that is the case." | mixminion send -R ludwig.0 The decoded response should look something like this: > $ mixminion decode -i surb-reply-1.txt > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > Enter passphrase for keyring: > May 07 09:08:14.776 -0800 [INFO] Decoded reply message to identity 'ludwig' > > The world is all that is the case. The identity feature of SURBs is more than just convenient, it's a security necessity. If the user doesn't know the identity for which a message was intended, then it is possible to be tricked into responding under the wrong pseudonym. This can be used to link identities. Try sending the above message to "Ludwig" again: > $ echo "The world is all that is the case." | mixminion send -R ludwig.0 > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > Enter your message now. Type Ctrl-D when you are done. > May 07 09:14:08.806 -0800 [WARN] Skipping 1 used reply blocks > May 07 09:14:08.833 -0800 [ERROR] Not enough usable reply blocks found; all were used or expired. Since the SURB was already used, Mixminion does not let it be used again. Like direct forward messages, SURBs can have a path specified: > $ mixminion generate-surb -t foo@bar.wiredyne.com -o surb1.txt -P '*15' > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > May 07 09:35:59.761 -0800 [INFO] Selected path is Kisangani,grove,Tonga,POboxes,snorky,Tonga,Kisangani,rufus,POboxes,sushi,chicago,lakshmi,gurski,nowwhat,Tonga > Enter passphrase for keyring: However, no more than about 15 servers can be specified. The reason for this is that there can be no more than 15 or so servers before or after the swap point. The SURB only specifies the servers after the swap point. 7. The Queue The examples above which sent messages transmitted them immediately. Mixminion also has a built in queue which can store messages for later sending. This obfuscates exactly when the messages were prepared. It also means that if a server is unavailable, the messages destined for it will be kept in the queue and can be retried later. The "inspect-queue" command shows the messages already in the queue. There should be no messages in the queue at this point: > $ mixminion inspect-queue > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > (No packets in queue) The "--queue" command modifier instructs the "send" command to put messages in the queue instead of transmitting them at once. > $ echo "Queued message." | mixminion send --queue -t foo@bar.wiredyne.com > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > Enter your message now. Type Ctrl-D when you are done. > May 07 09:42:26.966 -0800 [INFO] Generating payload(s)... > May 07 09:42:27.112 -0800 [INFO] Selected path is mixiwoarsnet,totoro2,typhaon:anize,aarg > May 07 09:42:27.452 -0800 [INFO] Packet queued Now there should be one message in the queue: > $ mixminion inspect-queue > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > 1 packets for 'mixiwoarsnet' at mix.iwoars.net:48099 (oldest is <1 days old) Put a bunch more messages in the queue. Now there should be several more: > $ mixminion inspect-queue > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > 1 packets for 'POboxes' at mixminion.poboxes.info:48099 (oldest is <1 days old) > 1 packets for 'anize' at anize.org:48099 (oldest is <1 days old) > 1 packets for 'mixiwoarsnet' at mix.iwoars.net:48099 (oldest is <1 days old) > 1 packets for 'snorky' at minion.bananasplit.info:48099 (oldest is <1 days old) > 1 packets for 'sushi' at dexter.gabuilders.com:48099 (oldest is <1 days old) The "flush" command transmits the messages in the queue: > $ mixminion flush > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > May 07 09:47:04.444 -0800 [INFO] Flushing packet queue > May 07 09:47:04.617 -0800 [INFO] Found 5 pending packets > May 07 09:47:04.657 -0800 [INFO] Sending 1 packets to server at dexter.gabuilders.com:48099... > May 07 09:47:04.662 -0800 [INFO] Connecting... > May 07 09:47:09.358 -0800 [INFO] ... 1 sent > May 07 09:47:09.534 -0800 [INFO] Sending 1 packets to server at mixminion.poboxes.info:48099... > .... If all the servers were up, there should be no more messages in the queue: > $ mixminion inspect-queue > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > (No packets in queue) Sometimes messages can't be delivered and have to be deleted from the queue. The "clean-queue" command does this. By default, it only deletes old messages, so to clean all the messages the "-d 0" option will be needed, meaning "delete all messages regardless of age." Queue up a few messages and try removing them: > $ mixminion clean-queue -d 0 > Mixminion version 0.0.7 > This software is for testing purposes only. Anonymity is not guaranteed. > May 07 09:54:52.015 -0800 [INFO] Removing 1 packets for server at privacy.outel.org:48099 > May 07 09:54:52.049 -0800 [INFO] Removing 1 packets for server at totoro.wangafu.net:48100 > May 07 09:54:52.115 -0800 [INFO] Removing 1 packets for server at typhaon.so36.net:48099 8. More Sources of Information [1] G. Danezis, R. Dingledine, and N. Mathewson "Mixminion: Design of a Type III Anonymous Remailer Protocol" Available at http://mixminion.net. [2] The mixminion(1) man page is available with the tarball and at http://mixminion.net.