National Electronic Mail Services
During the Ahmadinejad government (2005-2013), three national email services, Chapar, Iran Post Company, and Iran Dot IR were launched in Iran. While all three of these email services are still operational, during Rouhani’s administration (2013-present), Iran Dot IR has become the main national email service and has been integrated into the government’s “Electronic Dashboard System,” a national portal where Iranians can access government services (including email), communicate with government agencies, and access state and national information.
Announcing the news in November 2015, Reza Bagheri Asl, vice president of the Iran Information Technology Organization, said, “Currently we are launching the ‘Electronic Dashboard System,’ and the Iranian government’s national portal, in an effort to replace communications through email.” The system provides national email services through mail.iran.ir, which is controlled and monitored by the Ministry of Communications and Information Technology.
The Chapar email service remains active, although now it lists itself as a private company. The state-run Iran Post Company email service is also still available, but is no longer promoted by the government as the main national email service.
The boundaries between the services are blurred. For example, the Iran Dot IR email uses Chapar email software, as Chapar code can be seen on both the server side and the client side of Iran Dot IR. In some cases, even public addresses on both sites are exactly the same. For example, the link to change user passwords on both email services is www.domain/Chmail/repassword. In another example, Iran Dot IR email uses Chapar’s public key. This means Chapar has access to the content exchanged on Iran Dot IR.
CHRI’s analysis of the SSL security certificates of both Chapar and Iran Dot IR provides another example of the questionable claim by the Iranian government that the NIN provides its users with superior security. For incoming emails, both services lack perfect forward secrecy (PFS), which adds a level of security to encryption. If encryption keys are stolen, PFS makes decoding the previous data impossible. But for outgoing emails, an invalid certificate has been used, which means the outgoing emails are not encrypted, resulting in the possibility of tapping the traffic of transmitted emails.
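As an added example (not CHRI's tooling or code from the report), the two TLS checks described above, forward secrecy of the negotiated cipher suite and certificate validity, can be written in Python with the standard `ssl` module. The `probe` and `findings` helpers and the sample observations are constructed for illustration, and `probe` assumes an implicit-TLS mail port rather than STARTTLS.

```python
import socket
import ssl

# OpenSSL cipher-name prefixes that indicate an ephemeral key exchange.
PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

def has_forward_secrecy(cipher_name, tls_version):
    """True when the negotiated suite uses ephemeral (EC)DHE key exchange."""
    if tls_version == "TLSv1.3":  # TLS 1.3 dropped static RSA and static DH
        return True
    return cipher_name.startswith(PFS_PREFIXES)

def probe(host, port, timeout=5.0):
    """Handshake with certificate verification on; return what was observed."""
    ctx = ssl.create_default_context()  # checks chain, expiry and hostname
    ctx.set_ciphers("DEFAULT")  # also offer non-PFS suites so they can be seen
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"cert_error": None, "cipher": tls.cipher()[0],
                        "version": tls.version()}
    except ssl.SSLCertVerificationError as exc:
        return {"cert_error": exc.verify_message, "cipher": None, "version": None}

def findings(obs):
    """Turn one observation into the findings discussed in the text."""
    out = []
    if obs["cert_error"]:
        out.append("invalid certificate: " + obs["cert_error"])
    elif not has_forward_secrecy(obs["cipher"], obs["version"]):
        out.append("no forward secrecy: " + obs["cipher"])
    return out

# Constructed observations (not measurements of any real service).
SAMPLES = {
    "imaps-static-rsa": {"cert_error": None, "cipher": "AES256-GCM-SHA384",
                         "version": "TLSv1.2"},
    "imaps-ecdhe": {"cert_error": None, "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
                    "version": "TLSv1.2"},
    "smtps-expired": {"cert_error": "certificate has expired", "cipher": None,
                      "version": None},
}

def audit_samples():
    """Run findings() over every constructed observation."""
    return {name: findings(obs) for name, obs in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in audit_samples().items():
        print(name, result or ["ok"])
```

Mail operators can run `probe` against their own IMAPS or SMTPS listeners and pass the result to `findings`; a suite name without an `ECDHE-` or `DHE-` prefix on TLS 1.2 means recorded traffic becomes readable if the server key is later disclosed.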
According to CHRI’s investigation and technical evaluation, as of March 2017, both Chapar and Iran Dot IR email services have also been using an outdated version of email server and client software. Failure to use updated versions of software applications leaves the door open for hackers to carry out cyberattacks. In June 2016, hackers (from outside Iran) were able to hack several Iranian government websites, such as the Statistical Center of Iran, due to a security hole in an old version of DNN software, a program similar to WordPress used for designing and managing websites by Iranian government organizations and agencies.
The national email services store account information and content inside Iran on the state-controlled NIN. This means that the state, which has access to the NIN’s storage centers, can access and read the emails. To be sure, users can individually encrypt their content, but in general few people in any country are familiar with email content encryption, as it is a technically complicated and cumbersome process for the average person. Without content encryption undertaken on the individual level, emails via the national email services in Iran are completely accessible to the state, without any judicial review or approval needed.