
So, Alice encrypts a message with Bob's public key, that's EM1. Then Alice encrypts EM1 with the server's public key, outputting EM2. And sends that to Bob through the MTA.

The server decrypts EM2 revealing EM1 and some plaintext metadata arbitrarily specified by Alice. The MTA random-delays to keep them all out of order, and sends it on to Bob with encrypted body, whatever Alice felt like putting in the plaintext metadata supposedly representing the prior travels, and no attempt to disguise the MTA's IP, etc.

NSA now can see Alice's post to the MTA, but none of the mails coming out of the MTA match the text of Alice's email. The best the wiretapper can do is decide "someone in set A sent to someone in set B", and maybe apply statistical analysis. It is easy for the wiretapper if there are only a few people using this and hard if there are a lot.

The objection will be, but NSA/FBI etc. will trojan the code, coerce the secret keys, make the server deceive users. So the server owner would like to put in something that makes it all unavoidably and conspicuously break if the code is compromised. Securing the latter behavior remains a problem when the adversary has, one must assume, physical control of the server.
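The two-layer exchange described in the comment above, written out as an added example (not code from the thread or any remailer project): Alice seals EM1 for Bob and EM2 for the MTA, the MTA strips one layer and forwards EM1, and Bob opens the rest. Hybrid X25519 + AES-256-GCM stands in for the unspecified public-key encryption, the one-byte length prefix is a constructed framing, walking the batch in reverse stands in for the random delay, and the names `seal`, `open`, `newKey`, `AliceSend` and `MTAForward` are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Hybrid encryption assumed for this sketch: ephemeral X25519 + AES-256-GCM; wire = ephPub(32) || nonce(12) || ct.
func aead(shared []byte) cipher.AEAD {
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:])
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
func newKey() *ecdh.PrivateKey { k, _ := ecdh.X25519().GenerateKey(rand.Reader); return k }
func seal(to *ecdh.PublicKey, msg []byte) []byte {
	eph := newKey()
	shared, err := eph.ECDH(to)
	if err != nil { panic(err) } // caller passed a key on the wrong curve; never encrypt under a bogus secret
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(shared).Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, msg, nil)
}
// open succeeds only for the holder of the matching private key; anyone else gets an error.
func open(priv *ecdh.PrivateKey, ct []byte) ([]byte, error) {
	if len(ct) < 44 { return nil, errors.New("ciphertext too short") }
	ephPub, err := ecdh.X25519().NewPublicKey(ct[:32])
	if err != nil { return nil, err }
	shared, err := priv.ECDH(ephPub)
	if err != nil { return nil, err }
	return aead(shared).Open(nil, ct[32:44], ct[44:], nil)
}
// Alice: EM1 = Enc_Bob(msg), EM2 = Enc_MTA(len(meta) || meta || EM1). The metadata is whatever she asserts.
func AliceSend(bobPub, mtaPub *ecdh.PublicKey, msg, meta []byte) (em1, em2 []byte) {
	em1 = seal(bobPub, msg)
	return em1, seal(mtaPub, append(append([]byte{byte(len(meta))}, meta...), em1...))
}
// MTA: strips the outer layer and reads the metadata, but EM1 stays opaque to it. The batch is
// walked in reverse as a stand-in for the random delay; anything it cannot open is dropped.
func MTAForward(mtaPriv *ecdh.PrivateKey, batch [][]byte) (metas, em1s [][]byte) {
	for i := len(batch) - 1; i >= 0; i-- {
		inner, err := open(mtaPriv, batch[i])
		if err != nil || len(inner) == 0 || len(inner) < 1+int(inner[0]) { continue }
		n := int(inner[0])
		metas, em1s = append(metas, inner[1:1+n]), append(em1s, inner[1+n:])
	}
	return metas, em1s
}
```

What a wiretap on both sides of the MTA sees is EM2 going in and EM1 coming out, which share no bytes; the MTA itself learns only the metadata Alice chose to write, which is exactly why that field cannot be trusted as a route record.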




You just described more or less the behavior of how a nym.alias.net address worked back in the day, which had the added benefit of not even knowing who you were, because you chained as many remailers together as you wanted.



