On 05/16/2018 06:07 AM, Aki Tuomi wrote:
>> On 15 May 2018 at 22:43 Gandalf Corvotempesta <gandalf.corvotempesta at gmail.com> wrote:
>> Is it possible to implement end-to-end encryption with dovecot, where
>> server-side there is no private key to decrypt messages?
>
> You could probably automate this with sieve and e.g. GnuPG, which would mean
> that all your mails are encrypted without the server having a key to decrypt them.

Considering the keywords "dovecot" and "sieve", that would still not be
"end to end" and not even "MSA to MX"(-ish) but merely "encrypted
storage upon/after final delivery", wouldn't it ... ?

FWIW, for auto-encrypting someplace near the MSA, I've used the "GPGPit"
tool that's available on the web (and that I've made into an "SMIMEit"
myself). The nontrivial problem with that is to retrieve recipients'
pubkeys in an even remotely trustworthy manner, of course.

Regards,
--
Jochen Bern
Systemingenieur

www.binect.de
www.facebook.de/binect
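Aki's "sieve and e.g. GnuPG" suggestion above, spelled out as an added example (this is not code from the thread, from Dovecot or from Pigeonhole): a small Python filter program that re-wraps a delivered message as PGP/MIME (RFC 3156) so that only ciphertext ends up in the mailbox. It is assumed to be called from a sieve script through the Pigeonhole `vnd.dovecot.filter` extension; the program name `gpgwrap.py`, its recipient argument, the sieve lines in the docstring and the sample message are all assumptions. It keeps the routing headers (From, To, Subject, Date, Message-ID, ...) in clear, encrypts only the MIME body entity, and refuses to encrypt a message that is already PGP-encrypted.

```python
#!/usr/bin/env python3
"""Encrypt-on-delivery filter for Dovecot/Pigeonhole (constructed example).

Reads one RFC 822 message on stdin and writes it back on stdout as a
PGP/MIME (RFC 3156) multipart/encrypted message. Assumed sieve hook
(program name, argument and the extension usage are assumptions):

    require ["vnd.dovecot.filter"];
    filter "gpgwrap.py" "bob@example.com";
"""
import subprocess
import sys
from email import message_from_bytes, policy
from email.message import EmailMessage, MIMEPart

# Headers that describe the body; they travel inside the encrypted entity.
# Everything else (From, To, Subject, Date, Message-ID, Received, ...)
# stays in clear on the outer message so that routing, threading and
# later sieve/IMAP searches keep working.
INNER_HEADERS = {
    "content-type", "content-transfer-encoding", "content-disposition",
    "content-description", "content-id",
}

# Constructed sample message for a self-check (not real mail).
SAMPLE_MESSAGE = b"""\
From: alice@example.com
To: bob@example.com
Subject: lunch?
Date: Wed, 16 May 2018 12:56:00 +0200
Message-ID: <constructed-1@example.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit

Same place as last time?
"""


def already_encrypted(raw: bytes) -> bool:
    """True for PGP/MIME or inline-PGP input. The filter must never encrypt
    twice: a re-delivered or re-filtered message would become unreadable."""
    msg = message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    if ctype == "text/plain":
        return msg.get_content().lstrip().startswith("-----BEGIN PGP MESSAGE-----")
    return False


def gpg_encrypt(plaintext: bytes, recipient: str) -> bytes:
    """Armored encryption with the system gpg. In --batch mode gpg refuses a
    recipient key it does not consider valid; that is the right default here.
    The filter user's keyring has to be populated and the keys (locally)
    signed by the admin out of band. Do not paper over that with
    --trust-model always."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-tty", "--armor", "--encrypt",
         "--recipient", recipient],
        input=plaintext, capture_output=True, check=True,
    )
    return proc.stdout


def build_encrypted_message(raw: bytes, encrypt) -> bytes:
    """Wrap `raw` into an RFC 3156 multipart/encrypted message.
    `encrypt` maps the plaintext MIME entity (bytes) to armored ciphertext."""
    if already_encrypted(raw):
        return raw

    # Inner entity = body headers + body; only this part gets encrypted.
    inner = message_from_bytes(raw, policy=policy.default)
    for name in {k.lower() for k in inner.keys()}:
        if name not in INNER_HEADERS:
            del inner[name]
    ciphertext = encrypt(inner.as_bytes())

    # Outer message keeps the non-body header fields in clear.
    original = message_from_bytes(raw, policy=policy.default)
    outer = EmailMessage()
    for name, value in original.items():
        if name.lower() not in INNER_HEADERS | {"mime-version"}:
            outer[name] = value
    outer["MIME-Version"] = "1.0"
    outer["Content-Type"] = 'multipart/encrypted; protocol="application/pgp-encrypted"'

    control = MIMEPart()  # RFC 3156 control part
    control.set_content(b"Version: 1\n", "application", "pgp-encrypted", cte="7bit")
    payload = MIMEPart()  # the ciphertext itself
    payload.set_content(ciphertext, "application", "octet-stream", cte="7bit",
                        disposition="inline", filename="encrypted.asc")
    outer.set_payload([control, payload])  # boundary is generated on output
    return outer.as_bytes()


def content_types(raw: bytes) -> list:
    """Outer content type followed by those of the direct subparts; handy
    for checking the filter output by eye or in a test."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [msg.get_content_type()] + [p.get_content_type() for p in msg.iter_parts()]


if __name__ == "__main__":
    recipient = sys.argv[1]
    sys.stdout.buffer.write(
        build_encrypted_message(sys.stdin.buffer.read(),
                                lambda pt: gpg_encrypt(pt, recipient)))
```

Two things to check before relying on something like this: the recipient key must be in the filter user's keyring and marked valid, otherwise gpg fails in batch mode (that is the key-trust problem Jochen raises, and the script does not solve it, it only refuses to guess); and verify what your Pigeonhole version does when the filter program exits non-zero, because a filter that fails open stores the plaintext silently. The LDA still handles the plaintext before this runs, which is exactly why the thread calls it encrypted storage after final delivery rather than end-to-end.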
On 16.05.2018 12:56, Jochen Bern wrote:
> On 05/16/2018 06:07 AM, Aki Tuomi wrote:
>>> On 15 May 2018 at 22:43 Gandalf Corvotempesta <gandalf.corvotempesta at gmail.com> wrote:
>>> Is it possible to implement end-to-end encryption with dovecot, where
>>> server-side there is no private key to decrypt messages?
>> You could probably automate this with sieve and e.g. GnuPG, which would mean
>> that all your mails are encrypted without the server having a key to decrypt them.
> Considering the keywords "dovecot" and "sieve", that would still not be
> "end to end" and not even "MSA to MX"(-ish) but merely "encrypted
> storage upon/after final delivery", wouldn't it ... ?
>
> FWIW, for auto-encrypting someplace near the MSA, I've used the "GPGPit"
> tool that's available on the web (and that I've made into an "SMIMEit"
> myself). The nontrivial problem with that is to retrieve recipients'
> pubkeys in an even remotely trustworthy manner, of course.
>
> Regards,

To be strict, 'end to end' would mean that the SENDER would encrypt it
on his station, and RECEIVER would only decrypt it on his station.
Everything else is not end-to-end =)

Aki
On 05/16/2018 12:01 PM, Aki Tuomi wrote:
> On 16.05.2018 12:56, Jochen Bern wrote:
>> Considering the keywords "dovecot" and "sieve", that would still not be
>> "end to end" and not even "MSA to MX"(-ish) but merely "encrypted
>> storage upon/after final delivery", wouldn't it ... ?
>
> To be strict, 'end to end' would mean that the SENDER would encrypt it
> on his station, and RECEIVER would only decrypt it on his station.
> Everything else is not end-to-end =)

Yes. Hence my ad-hoc "MSA to MX" terminology for the middle ground that
sysad-me can achieve *without* continued user enthusi^H^H^H^H^H^H^H
cooperation. :-}

Regards,
--
Jochen Bern
Systemingenieur

www.binect.de
www.facebook.de/binect
On Wed, 16 May 2018 at 12:02, Aki Tuomi <aki.tuomi at dovecot.fi> wrote:
> To be strict, 'end to end' would mean that the SENDER would encrypt it
> on his station, and RECEIVER would only decrypt it on his station.
> Everything else is not end-to-end =)

Yes, of course, but this solution with GPG, where dovecot is able to
encrypt mails with a GPG key, will increase the overall security, but it
still allows all email to be read (just before the encryption) by some
malware and so on.