Getting Started with Mixminion

		 Peter Hendrickson <pdh@wiredyne.com>

			    June 22, 2004




License: This tutorial is in the public domain.

0. Introduction
1. Important Warnings
2. First Commands to Try
3. A Word for Long Time Mix Network Users
4. The Server List
5. Direct Forward Messages
6. Receiving Messages Anonymously
7. The Queue
8. More Sources of Information

0. Introduction

Mixminion (http://mixminion.net) is a communication security
application for electronic mail messages.  Its purpose is to deny an
adversary the ability to determine who is communicating with whom and
to provide the closely related service of anonymous communication.

It does this by sending messages through a series of servers.
Messages going into and out of each server are encrypted.  Each server
keeps a pool of messages.  When a message comes in it is placed in the
pool.  Messages sent out from the pool are difficult to correlate with
the messages going in.  This process is called "mixing."

Each server reduces the ability of the adversary to determine the
origin of a message.  Chaining the servers further reduces this
ability and contains damage caused by compromised servers.  The chain
of servers is chosen by the Mixminion software running on the user's
machine.

A full discussion of the Mixminion design with references to the large
body of existing research will be found in [1].

This tutorial will get the reader started using Mixminion.  It is not
complete documentation and not every feature is covered.

To use this tutorial, the reader will need a machine supporting
outgoing SSL connections which has Mixminion installed and an
electronic mail address for receiving test messages.  Comfort using a
command line interface is required.

1. Important Warnings

Please do not put anything sensitive into test messages.  Some
examples use a small number of servers to increase performance.  This
makes it easier to try out Mixminion at the price of some security.

At the time of writing, Mixminion is still only an alpha release at
version 0.0.7.  Bugs are still being found and the code is being
actively modified and extended.  The alpha code has features which are
useful for debugging but which weaken the security of the system.
Some alpha servers are logging their traffic.  By default, the alpha
code also mixes the messages in a way which is useful during
development but is not as secure as the mixing algorithm to be used
when the code is finally released.  The reader is cautioned not to
rely too much on the security of the system at this time.

The future of Mixminion is bright.  The design is the culmination of
more than two decades of security research.  There are many open
theoretical questions, but it is likely that Mixminion will be more
secure than all past similar systems.

Keeping the above warnings in mind, the user is encouraged to try out
the Mixminion system.  More people are needed to shake out the
remaining bugs.  A larger user base increases the security of the
system, so it is desirable to build a vibrant Mixminion community.

2. First Commands to Try

The Mixminion program is called "mixminion".  It has many subcommands.
For example, this is how to check the version:
> $ mixminion version
> Mixminion version 0.0.7
> Copyright 2002-2004 Nick Mathewson.  See LICENSE for licensing information.
> NOTE: This software is for testing only.  The user set is too small
>       to be anonymous, and the code is too alpha to be reliable.

The next thing to do is to run the unit tests:
> $ mixminion unittests
> .....................................................................................................................[Generating DH parameters (not caching)... done.].....
> ----------------------------------------------------------------------
> Ran 100 tests in 30.107s
>
> OK
>
> Waiting for shred processes to finish.

There should be no errors if Mixminion has been installed correctly.

3. A Word for Long Time Mix Network Users

Other mixing systems use standard SMTP mail as a channel for
delivering messages to servers.  Mixminion, on the other hand, uses
SSL connections between servers and for accepting mail from users.
SSL connections permit easy authentication of the destination server,
provide perfect forward secrecy, and prevent an eavesdropper from
being able to identify particular messages being transferred.  Direct
connections give the servers the opportunity to manage their own
queues, rather than being dependent on SMTP based mail systems which
may not be under the operator's control.  Direct connections also mean
that message pile ups will affect only the Mixmaster network and not
overflow SMTP mail spool directories.

Long time mix network users may also be accustomed to a certain level
of unreliability.  As of this writing, Mixminion does not perfectly
deliver all messages.  However, reliability has improved dramatically
over the systems of the past.

4. The Server List

Mixminion needs to download a list of available servers every day.  It
is important to have all users using the same server list.  Mixminion
uses the server list to decide how to route messages.  If an adversary
is able to get some users to use one list and other users to use
another list, it is possible to weaken the security of the system.

Mixminion automatically downloads the server list every day.  It is
downloaded the first time you use a command which needs it.  The
"list-servers" command lists all the known servers:
> $ mixminion list-servers
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> May 07 08:05:23.001 -0800 [INFO] Downloading directory from http://mixminion.net/directory/Directory.gz
> May 07 08:05:24.790 -0800 [INFO] Validating directory
> aarg:smtp relay (ok)
> almery:mbox relay       (ok)
> anize:mbox relay        (ok)
> antani:smtp relay       (ok)
> cassandra:relay (not recommended)
> chicago:relay   (ok)
> cside:mbox relay        (ok)
> frell:mbox smtp relay frag      (ok)
> frell2:relay    (ok)
> futureworlds:relay      (ok)
> grove:mbox relay frag   (ok)
> gurski:mbox relay frag  (ok)
> hermes:mbox relay frag  (not recommended)
> Kisangani:relay (ok)
> lakshmi:relay   (ok)
> liberty:smtp relay frag (not recommended)
> mercurio:mbox smtp relay        (ok)
> metacolo:smtp relay     (ok)
> moria:relay     (ok)
> nixon:mbox relay        (ok)
> noisebox:relay  (ok)
> nowwhat:mbox relay      (ok)
> peertech:relay  (ok)
> POboxes:relay   (ok)
> psycocat:mbox relay     (ok)
> rot26:relay     (ok)
> rufus:relay     (ok)
> sgroi:relay     (ok)
> snorky:relay    (ok)
> squirrel:mbox smtp relay frag   (ok)
> stalker:relay   (not recommended)
> sushi:mbox relay frag   (ok)
> Tonga:smtp relay        (ok)
> totoro1:mbox smtp relay (ok)
> totoro2:smtp relay      (ok)
> typhaon:smtp relay      (ok)

Each line shows the name of a server, followed by the features which
that server supports.  For example, the "relay" feature means that the
server will take in messages and send them to other servers.  The
"smtp" feature means that the server will send outgoing electronic
messages using the traditional SMTP mail network.  The last field on
each line states whether the server should be used or not.

The "list-servers" command can list more fields than the default
above.  Mixminion commands may be modified with subsequent arguments.
For example, this command will list the host name, contact electronic
mail address, and the version of the software running for each server:
> $ mixminion list-servers -F hostname,contact,software

A number of other features may be listed and are described on the
mixminion(1)[2] man page under "Server Features".  The reader is
encouraged to try listing other available features.

5. Direct Forward Messages

A "direct forward message" is one which is sent through the Mixminion
system to an electronic mail address.  The sender knows where the
message went.  The receiver will not know where it came from.

This tutorial uses the test address "foo@bar.wiredyne.com".  The
reader should use his or her own test address.

The "send" command sends a message.  The "-t" argument specifies where
it should go.  Mixminion chooses the series of servers used to relay
the message.

This is what sending a message looks like:
> $ mixminion send -t foo@bar.wiredyne.com
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> Enter your message now.  Type Ctrl-D when you are done.
> The world is all that is the case.
> May 07 08:15:32.093 -0800 [INFO] Generating payload(s)...
> May 07 08:15:32.278 -0800 [INFO] Selected path is rufus,nixon,grove,nowwhat:POboxes,moria,metacolo
> May 07 08:15:32.705 -0800 [INFO] Packet queued
> May 07 08:15:32.711 -0800 [INFO] Connecting...
> May 07 08:15:40.063 -0800 [INFO] ... 1 sent

By default, Mixminion expects a message to be typed to it directly and
terminated with "Ctrl-D".  In this example, the message was "The world
is all that is the case."

This is the list of servers chosen to deliver the message:
rufus,nixon,grove,nowwhat:POboxes,moria,metacolo

The colon shows where the "swap point" is.  Swap points are a
fundamental feature to the design of the system.  They permit users to
not only send mail anonymously and securely but also to receive it.
Inside the encrypted Mixminion packets, there are two header fields
which are swapped once during transit through the Mixminion network.
The reasoning behind this design is complex and discussed in detailed
in [1].

The message that arrives should look something like this:
> To: foo@bar.wiredyne.com
> From: incognita@mixminion.metacolo.com
> Subject: Type III Anonymous Message (relayed by metacolo)
> X-Anonymous: yes
> Message-Id: <20040507162653.79BAD218@mixminion.metacolo.com>
> Date: Fri,  7 May 2004 16:26:53 +0000 (UTC)
>
> -----BEGIN TYPE III ANONYMOUS MESSAGE-----
> Message-type: plaintext
>
> The world is all that is the case.
> -----END TYPE III ANONYMOUS MESSAGE-----

Messages can also be piped into standard input:
> echo "The world is all that is the case." | mixminion send -t foo@bar.wiredyne.com

Mixminion can also send a message from a file using the "-i" option.
If the message is placed in the file "world", it can be sent like
this:
> $ mixminion send -t foo@bar.wiredyne.com -i world

Try sending several test messages.

As of this writing, it can take over an hour for messages chosen with
the default path lengths to arrive.  If the message is not seen
immediately it does not mean that the system or the Mixminion software
isn't working.

(Since mix networks rely on other traffic to mix a message, they have
have the property that performance actually improves with greater
usage up to a point.  In the future, performance will improve as
message traffic increases.)

The "-P" option can be used to modify the server path choosing
behavior of the program.  For example, "-P '*10'" will choose a path
of ten randomly selected servers.  We want a short path so we can see
a test message go through, so try sending a few messages with a path
length of 2.  (2 is the shortest path length that can be chosen.)

> $ mixminion send -t foo@bar.wiredyne.com -i world -P '*2'
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> May 07 08:27:58.829 -0800 [INFO] Generating payload(s)...
> May 07 08:27:58.910 -0800 [INFO] Selected path is metacolo:Tonga
> May 07 08:27:59.096 -0800 [INFO] Packet queued
> May 07 08:27:59.102 -0800 [INFO] Connecting...
> May 07 08:28:02.846 -0800 [INFO] ... 1 sent

Try sending some test messages this way.  As of this writing, messages
sent through two servers will take on the order of 20 minutes, with a
lot of variation on that time.

For fun, try sending some messages through a long path.  (The message
has been changed so the long path messages can be identified.):
> $ echo "Long path." | mixminion send -t foo@bar.wiredyne.com -P '*28'
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> Enter your message now.  Type Ctrl-D when you are done.
> May 07 08:35:32.976 -0800 [INFO] Generating payload(s)...
> May 07 08:35:33.429 -0800 [INFO] Selected path is mercurio,lakshmi,typhaon,rufus,frell,Kisangani,frell,grove,aarg,POboxes,psycocat,frell2,lakshmi,totoro2:nixon,rufus,typhaon,psycocat,metacolo,sushi,cside,frell,metacolo,aarg,rufus,cside,frell2,frell
> May 07 08:35:34.456 -0800 [INFO] Packet queued
> May 07 08:35:34.461 -0800 [INFO] Connecting...
> May 07 08:35:43.515 -0800 [INFO] ... 1 sent

As of this writing, messages sent through a path that long are going
to take the better part of a day to arrive.  You will probably see
some messages dropped as it only takes one server in the chain to fail
in order for the message to fail.

Send yourself a bunch of test messages to get a feel for how often
this happens with a long path.

Path arguments can be used to choose specific routes through the
Mixmaster network, to choose specific routes with sections of randomly
selected servers inserted, or to choose routes of random servers of an
approximate length.  The mixminion(1)[2] man page documents these
features.

Paths can be up to about 15 hops before and after the swap point.  A
direct forward message can be up to about 30 hops.  Each server takes
up a different amount of header space, so the amount of space needed
depends on the particular path chosen.  Header space is limited and
not all paths with the same number of hops can be used.

It is also possible to send "messages" without content or any final
destination.  The purpose of this is to generate "dummy traffic",
which many people believe increases the security of the system.
Intuitively it seems this must be true, but it has not been well
established.

A dummy message is sent by specifying the destination "drop".  The
message will be "dropped" by the last server in the chain.  Try
sending some dummy messages:
> $ mixminion send -t drop -P '*28'

Some messages are too large to fit into a single Mixminion message.
When this occurs, the message is automatically broken into fragments
which are sent separately through the Mixminion network.  The last
server automatically reassembles the fragments and sends the complete
message onward:
> $ mixminion send -t foo@bar.wiredyne.com -i bigfile
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> May 07 08:52:05.583 -0800 [INFO] Generating payload(s)...
> May 07 08:52:05.736 -0800 [INFO] Selected path is lakshmi:squirrel
> May 07 08:52:05.795 -0800 [INFO] Selected path is cside,grove:cside,squirrel
> May 07 08:52:05.883 -0800 [INFO] Selected path is almery,anize,mixiwoarsnet:typhaon,sushi,squirrel
> May 07 08:52:06.492 -0800 [INFO] Packet queued
> May 07 08:52:06.496 -0800 [INFO] Connecting...
> May 07 08:52:11.369 -0800 [INFO] ... 1 sent
> May 07 08:52:11.530 -0800 [INFO] Packet queued
> May 07 08:52:11.534 -0800 [INFO] Connecting...
> May 07 08:52:16.957 -0800 [INFO] ... 1 sent
> May 07 08:52:17.249 -0800 [INFO] Packet queued
> May 07 08:52:17.260 -0800 [INFO] Connecting...
> May 07 08:52:22.648 -0800 [INFO] ... 1 sent

As of this writing, fragment delivery is somewhat unreliable.

6. Receiving Messages Anonymously

Mixminion also supports the receipt of anonymous messages.  This is
achieved using "Single Use Reply Blocks" or "SURBs".  A SURB is an
encoded block of information which can be decrypted by the first
server it specifies.  That server will find inside another encoded
message which tells it the next server to get the message.  The last
block inside tells the final server where to send the message.  (See
[2] for a complete description of how this works.)

SURBs can only be used once.  This is a security feature.  Otherwise,
a SURB could be used repeatedly to send messages back to the
originator.  This would give an adversary valuable clues.

SURBs also expire.  After a SURB has expired it should not be possible
to trace it back.  By default, SURBs expire in one week.

To permit somebody to send mail, it is necessary to generate a SURB
and send it to them.  As of this writing, Mixminion is needed to
respond.  In the future, there will be SMTP gateways to the Mixminion
network which will accept SURBs and mail from anybody.

This is what a SURB looks like:
> -----BEGIN TYPE III REPLY BLOCK-----
> Version: 0.2
>
> U1VSQgABQKAXgOUzyhuwvWgSPS7yY3U2/fM2JwegyWpwqBT1NSt7ZfBOjBioRrZU
> t7e16lYxJVRHrZMtSmtpwPPbRECIukskQ9XqAjsQtNE7NC68rXhPiabnVjmOgUIs
> 2OOe29+io/Rkks5jqVHFEDaMaUzEZb8uxMS0KNKdhj6UF8K943pLp9UtOdM5tzM+
>
> ...
>
> p7HZAlW8U6ohkpDzJcaZghXLvL+hDMN8ff1ZknWstzVxck59cnr6pTkIMh21+RFB
> e2dJBTExRacpyiClJDh/YEmiJK5Apad9W1X1iE03AlTz9itEHjybnaxUABoAAg7f
> 7uUGsA1JRWy14Om6IonVknJgu+PJsdpHuI0uU97wnVKrXBO+Tbcrrw==
> -----END TYPE III REPLY BLOCK-----

The Mixminion command "generate-surb" creates a new SURB.  (If you
haven't generated one before, you will be asked to supply a pass phrase
to be used for the keyring.  If you have already created the keyring
pass phrase, you will be asked for it.)

It should look something like this:
> $ mixminion generate-surb -t foo@bar.wiredyne.com
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> May 07 08:58:48.945 -0800 [INFO] Selected path is POboxes,nowwhat,Tonga,typhaon
> Enter passphrase for keyring:
> -----BEGIN TYPE III REPLY BLOCK-----
> Version: 0.2
>
> U1VSQgABQKK6gDXXo99CMwqLzjTuQXET49fvuYmayi7DLpxXKoFHw2hCqP1YhJQo
> 0TtILHqa16jmmVgegp3ZFFTqxuXklWnjs45uD4/R1iMD9zkqRwXRhGkedaIit1hm
> ...

Note that the selected path does not have a ":" indicating a swap
point.  The way SURBs work is that the person using the SURB routes
the message to a swap point.  At the swap point, the SURB takes over
and directs the message to its anonymous recipient.  The path above is
the sequence of servers the message will go through after the swap
point.

This has the property that eavesdroppers cannot determine which SURB
the user is responding to - or even if he or she is responding to a
SURB at all.

Keep in mind, however, that depending on how the SURB was received,
the user may be known to the anonymous correspondent.  SURBs are
identifiable by their creator.

The "-o" option specifies a file to put the SURB in:
> $ mixminion generate-surb -t foo@bar.wiredyne.com -o surb.txt

Normally the contents of surb.txt would be sent to somebody else.
But, let's pretend that the SURB in surb.txt was actually sent to us
by an anonymous correspondent.  In order to reply to it we use the
Mixminion "send" command, but with the "-R" option to specify a file
holding the SURB rather than the "-t" option to specify a recipient.

> $ echo "SURB Test" | mixminion send -R surb.txt
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> Enter your message now.  Type Ctrl-D when you are done.
> May 07 09:00:36.763 -0800 [INFO] Selected path is POboxes,totoro2,snorky,mercurio,POboxes,aarg,almery,cybervalley,cside
> May 07 09:00:36.769 -0800 [INFO] Generating packet...
> May 07 09:00:37.365 -0800 [INFO] Packet queued
> May 07 09:00:37.370 -0800 [INFO] Connecting...
> May 07 09:00:42.304 -0800 [INFO] ... 1 sent

Note again the absence of a swap point in the path chosen.  This time
the path refers to the servers up to the swap point.

When it arrives, it will look something like this:
> Date: Fri, 7 May 2004 12:46:58 -0700
> Message-Id: <200405072046.i458Hqn9006802@www.aarg.net>
> To: foo@bar.wiredyne.com
> From: nobody@aarg.net
> Subject: Type III Anonymous Message
> X-Anonymous: yes
>
> This message is not in plaintext.  It's either 1) a reply; 2) a forward
> message encrypted to you; or 3) junk.
>
> -----BEGIN TYPE III ANONYMOUS MESSAGE-----
> Message-type: encrypted
> Decoding-handle: XsFGTVxuqYCGrR5GzM/21bMy3Lo=
>
> bMupOFEZfHKbjraLsDJ3+CS16HrATOnA7MwCkKENd3nd4tXBIJlMbqsINZA5IwjE
> 70JYX2wqHLpH5GlUcxr0jwNnNVIUk/HS3Xn9kWYVdU1S5FvDW/XS3ZiMRJCzHL3w
> DjIpyEkYX4716DmkdpOjFrwU+ouD0kSUeQvH4dMmNUKP0YNvBmRSSthgVzki7Ml6
>
> ....
>
> 8jcWJuDK3TH6tZR/1c0ve5lHRAFy9f2RJuhW6XIBkCsIWcEj1p6Z5pbyuEC9sYlm
> HdjcTTKx+riZkJFsdZMPJRfkl2hJhu0A6exRNzxMb7piy17OYvvlmXVzvH9cyM7c
> dkOFcNVvrNn0WtQItykXAB7j37e4K8Ww81ZP5KlVjMxn12UidL/ZeMADw9YjCK5s
> R/10M0pHp6pM/2F+hdEGCw==
> -----END TYPE III ANONYMOUS MESSAGE-----

Put the message in a file like "surb-reply.cipher".  The Mixminion
command "decode" will decrypt it.  The "-i" option specifies
the input file:
> $ mixminion decode -i surb-reply.cipher
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> Enter passphrase for keyring:
>
> The world is all that is the case.

The "-o" option specifies an output file:
> $ mixminion decode -i surb-reply.cipher -o surb-reply.txt
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> Enter passphrase for keyring:
> $ cat surb-reply.txt
>
> The world is all that is the case.

One use of Mixminion is to communicate with people anonymously.  Each
SURB can be associated with an "identity", which is just a made up
name used to keep different sets of SURBs apart.  When a reply comes
in for a SURB associated with a particular identity, its name is
displayed.

The "--identity" option associates a name with a SURB when it is
created:
> $ mixminion generate-surb -t foo@bar.wiredyne.com --identity=Ludwig -o ludwig.0
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> May 07 09:05:34.386 -0800 [INFO] Selected path is grove,noisebox,lakshmi,totoro2
> Enter passphrase for keyring:

Then send a message to that SURB:
> $ echo "The world is all that is the case." | mixminion send -R ludwig.0

The decoded response should look something like this:
> $ mixminion decode -i surb-reply-1.txt
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> Enter passphrase for keyring:
> May 07 09:08:14.776 -0800 [INFO] Decoded reply message to identity 'ludwig'
>
> The world is all that is the case.

The identity feature of SURBs is more than just convenient, it's a
security necessity.  If the user doesn't know the identity for which a
message was intended, then it is possible to be tricked into
responding under the wrong pseudonym.  This can be used to link
identities.

Try sending the above message to "Ludwig" again:
> $ echo "The world is all that is the case." | mixminion send -R ludwig.0
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> Enter your message now.  Type Ctrl-D when you are done.
> May 07 09:14:08.806 -0800 [WARN] Skipping 1 used reply blocks
> May 07 09:14:08.833 -0800 [ERROR] Not enough usable reply blocks found; all were used or expired.

Since the SURB was already used, Mixminion does not let it be used
again.

Like direct forward messages, SURBs can have a path specified:
> $ mixminion generate-surb -t foo@bar.wiredyne.com -o surb1.txt -P '*15'
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> May 07 09:35:59.761 -0800 [INFO] Selected path is Kisangani,grove,Tonga,POboxes,snorky,Tonga,Kisangani,rufus,POboxes,sushi,chicago,lakshmi,gurski,nowwhat,Tonga
> Enter passphrase for keyring:

However, no more than about 15 servers can be specified.  The reason
for this is that there can be no more than 15 or so servers before or
after the swap point.  The SURB only specifies the servers after the
swap point.

7. The Queue

The examples above which sent messages transmitted them immediately.
Mixminion also has a built in queue which can store messages for later
sending.  This obfuscates exactly when the messages were prepared.  It
also means that if a server is unavailable, the messages destined for
it will be kept in the queue and can be retried later.

The "inspect-queue" command shows the messages already in the queue.
There should be no messages in the queue at this point:
> $ mixminion inspect-queue
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> (No packets in queue)

The "--queue" command modifier instructs the "send" command to put
messages in the queue instead of transmitting them at once.

> $ echo "Queued message." | mixminion send --queue -t foo@bar.wiredyne.com
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> Enter your message now.  Type Ctrl-D when you are done.
> May 07 09:42:26.966 -0800 [INFO] Generating payload(s)...
> May 07 09:42:27.112 -0800 [INFO] Selected path is mixiwoarsnet,totoro2,typhaon:anize,aarg
> May 07 09:42:27.452 -0800 [INFO] Packet queued

Now there should be one message in the queue:
> $ mixminion inspect-queue
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
>  1 packets for 'mixiwoarsnet' at mix.iwoars.net:48099 (oldest is <1 days old)

Put a bunch more messages in the queue.  Now there should be several
more:
> $ mixminion inspect-queue
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
>  1 packets for 'POboxes' at mixminion.poboxes.info:48099 (oldest is <1 days old)
>  1 packets for 'anize' at anize.org:48099 (oldest is <1 days old)
>  1 packets for 'mixiwoarsnet' at mix.iwoars.net:48099 (oldest is <1 days old)
>  1 packets for 'snorky' at minion.bananasplit.info:48099 (oldest is <1 days old)
>  1 packets for 'sushi' at dexter.gabuilders.com:48099 (oldest is <1 days old)

The "flush" command transmits the messages in the queue:
> $ mixminion flush
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> May 07 09:47:04.444 -0800 [INFO] Flushing packet queue
> May 07 09:47:04.617 -0800 [INFO] Found 5 pending packets
> May 07 09:47:04.657 -0800 [INFO] Sending 1 packets to server at dexter.gabuilders.com:48099...
> May 07 09:47:04.662 -0800 [INFO] Connecting...
> May 07 09:47:09.358 -0800 [INFO] ... 1 sent
> May 07 09:47:09.534 -0800 [INFO] Sending 1 packets to server at mixminion.poboxes.info:48099...
> ....

If all the servers were up, there should be no more messages in the queue:
> $ mixminion inspect-queue
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> (No packets in queue)

Sometimes messages can't be delivered and have to be deleted from the
queue.  The "clean-queue" command does this.  By default, it only
deletes old messages, so to clean all the messages the "-d 0" option
will be needed, meaning "delete all messages regardless of age."

Queue up a few messages and try removing them:
> $ mixminion clean-queue -d 0
> Mixminion version 0.0.7
> This software is for testing purposes only.  Anonymity is not guaranteed.
> May 07 09:54:52.015 -0800 [INFO] Removing 1 packets for server at privacy.outel.org:48099
> May 07 09:54:52.049 -0800 [INFO] Removing 1 packets for server at totoro.wangafu.net:48100
> May 07 09:54:52.115 -0800 [INFO] Removing 1 packets for server at typhaon.so36.net:48099

8. More Sources of Information

[1] G. Danezis, R. Dingledine, and N. Mathewson "Mixminion: Design of
a Type III Anonymous Remailer Protocol" Available at
http://mixminion.net.

[2] The mixminion(1) man page is available with the tarball and at
http://mixminion.net.