Fourhundred Thecat
2019-Oct-30 14:29 UTC
encrypt incoming emails with public gpg key before they are stored to maildir
Hello,

I have asked on the postfix mailing list for a solution, how to encrypt incoming emails with a public gpg key.

My original idea was to use a smtpd-milter, which would encrypt all incoming plaintext messages of a given user, using the user's public gpg key. This way, it would look as if the original sender had sent the message encrypted.

Somebody suggested this might be better done in Dovecot, as it is Dovecot who stores the emails in Maildir.

Does anybody have any suggestions how to implement this scheme in Dovecot?

I am including the original email below:

> when new email arrives, and it is not already encrypted, I would like to
> run it through a filter, which would encrypt the message with my public
> gpg key, as if the original sender had sent the email encrypted.
>
> Why do I want to do this? Why not ask the sender to send encrypted
> messages to start with?
>
> Let's say my bank sends me emails. I cannot force my bank to use gpg
> encryption. I am happy they use email at all, instead of paper mail.
>
> My email server is untrusted. It can be hacked into and emails stolen.
> Full disk encryption will not help, because the disk must be decrypted
> during runtime.
>
> With my scheme, all emails would be stored encrypted on my server, and
> the decryption key does not exist on the server (emails are decrypted on my
> local client).
>
> What would be the best way to implement this?
>
> Can such a filter work, without ever storing plaintext email on disk?

thanks,
Stephan Bosch
2019-Oct-30 17:21 UTC
encrypt incoming emails with public gpg key before they are stored to maildir
On 30/10/2019 15:29, Fourhundred Thecat via dovecot wrote:
> Hello,
>
> I have asked on the postfix mailing list for a solution, how to encrypt
> incoming emails with a public gpg key.
>
> My original idea was to use a smtpd-milter, which would encrypt all
> incoming plaintext messages of a given user, using the user's public gpg
> key. This way, it would look as if the original sender had sent the
> message encrypted.
>
> Somebody suggested this might be better done in Dovecot, as it is
> Dovecot who stores the emails in Maildir.
>
> Does anybody have any suggestions how to implement this scheme in Dovecot?

Something like this?

https://perot.me/encrypt-specific-incoming-emails-using-dovecot-and-sieve

Regards,

Stephan.

> I am including the original email below:
>
>> when new email arrives, and it is not already encrypted, I would like to
>> run it through a filter, which would encrypt the message with my public
>> gpg key, as if the original sender had sent the email encrypted.
>>
>> Why do I want to do this? Why not ask the sender to send encrypted
>> messages to start with?
>>
>> Let's say my bank sends me emails. I cannot force my bank to use gpg
>> encryption. I am happy they use email at all, instead of paper mail.
>>
>> My email server is untrusted. It can be hacked into and emails stolen.
>> Full disk encryption will not help, because the disk must be decrypted
>> during runtime.
>>
>> With my scheme, all emails would be stored encrypted on my server, and
>> the decryption key does not exist on the server (emails are decrypted on my
>> local client).
>>
>> What would be the best way to implement this?
>>
>> Can such a filter work, without ever storing plaintext email on disk?
> thanks,
Jochen Bern
2019-Oct-31 10:21 UTC
encrypt incoming emails with public gpg key before they are stored to maildir
On 10/30/2019 03:29 PM, Fourhundred Thecat wrote:
> I have asked on the postfix mailing list for a solution, how to encrypt
> incoming emails with a public gpg key

I'm using the following to PGP encrypt all *outgoing* e-mail addressed to *us* on the SMTP-out server of certain older remote platforms (the newer ones using only S/MIME instead). Note, however, that it's all *automated* e-mails that I just *know* not to be encrypted beforehand. AFAIK "PGP encrypted content" is not as tightly bound to MIME types and the multipart/* hierarchy as S/MIME is, which complicates detection of "it *already is* encrypted".

>> Can such a filter work, without ever storing plaintext email on disk?

postfix is an MTA, and does queueing as appropriate for such a beast. You *will not* get a guarantee that the unencrypted mail will not *temporarily* be written to disk (and deleted thereof without outright wiping). Well, short of putting the spool directory on a ramdisk or somesuch.

main.cf:

    smtpd_recipient_restrictions =
        [...],
        check_recipient_access hash:/etc/postfix/encrypt,
        [...]

master.cf:

    # pipe(8) transport; continuation lines must start with whitespace
    gpgit     unix  -       n       n       -       10      pipe
      flags=Rq user=gpgit null_sender argv=/home/gpgit/from-postfix.sh
      -f "${sender}" --target:${nexthop} -- ${recipient}

encrypt(.db):

    jochen.bern at binect.de    FILTER gpgit:dummy
    binect.de                  WARN Target address missing in encrypt map
    subdomain.binect.de        FILTER gpgit:catchall-MnemonicName
    [... etc.]

~gpgit/.gnupg/gpg.conf:

    trust-model always
    [... various group definitions a la:]
    group SomeAddress at binect.de = 0xSomeKeyID 0xYetAnother 0xSoManyPeople
    group @subdomain.binect.de = 0xMoreOfThis 0xOhTheHumanity

I found gpgit on the web, but had to improve it a bit (and find working SELinux contexts on my own), so I'm attaching my version and:

> # ls -Zal ~gpgit
> total 84
> drwx------. 3 unconfined_u:object_r:user_home_dir_t:s0     gpgit gpgit  4096 Oct 30 00:09 .
> drwxr-xr-x. 8 system_u:object_r:home_root_t:s0             root  root   4096 May 23  2013 ..
> -rwx------. 1 unconfined_u:object_r:postfix_pipe_exec_t:s0 gpgit gpgit  1676 May 21  2013 from-postfix.sh
> drwx------. 2 unconfined_u:object_r:gpg_secret_t:s0        gpgit gpgit  4096 Oct 30 00:15 .gnupg
> -rwx------. 1 unconfined_u:object_r:postfix_pipe_exec_t:s0 gpgit gpgit 12141 May 11  2015 gpgit.pl

Needless to say, you'll have to "su - gpgit" and "gpg --import ..." the various(?) recipients' public keys, too. And *monitor* them there, if there are any with a limited lifetime ...

Kind regards,
-- 
Jochen Bern
Systems Engineer

E jochen.bern at binect.de
W www.binect.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpgit.tgz
Type: application/x-compressed-tar
Size: 4905 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot/attachments/20191031/f3db0e8c/attachment.bin>
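The Dovecot route Stephan points at (a Sieve filter program from the sieve_extprograms plugin, which receives the message on stdin and writes the replacement on stdout) and the two caveats Jochen raises (detecting mail that already is encrypted, and keeping the plaintext out of files) can be shown in one filter. The script below is an added example for this thread; it is neither the gpgit script nor the perot.me recipe. It wraps the original message as PGP/MIME per RFC 3156 (the Content-* headers move into the encrypted part, so only the envelope headers stay in the clear), skips PGP/MIME, S/MIME-enveloped and inline-armoured mail, and hands the plaintext to gpg over a pipe. The gpg path, the `--trust-model always` choice (as in Jochen's gpg.conf), the default key ID and the way the key is chosen are assumptions for illustration; the sample message in the test is constructed.

```python
#!/usr/bin/env python3
"""Encrypt-at-delivery filter (added example, not the thread's gpgit).

Reads one message on stdin, writes it back on stdout wrapped as PGP/MIME
(RFC 3156) unless it already is encrypted.  Usable as a sieve_extprograms
"filter" program in Dovecot or as a Postfix pipe(8) transport command.
"""
import re
import subprocess
import sys
from email import policy
from email.parser import BytesParser

ARMOR_RE = re.compile(rb"^-----BEGIN PGP MESSAGE-----", re.M)

# Headers that describe the body: RFC 3156 puts them on the inner entity so
# they get encrypted with it.  MIME-Version is dropped and re-emitted outside.
BODY_HEADERS = {b"content-type", b"content-transfer-encoding",
                b"content-disposition", b"content-id", b"content-description"}


def split_message(raw: bytes):
    """Return (header fields as bytes, folding preserved; body bytes)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    head, body = (raw[:m.start()], raw[m.end():]) if m else (raw, b"")
    fields = []
    for line in head.splitlines():
        if line[:1] in (b" ", b"\t") and fields:   # folded continuation line
            fields[-1] += b"\n" + line
        else:
            fields.append(line)
    return fields, body


def is_already_encrypted(raw: bytes) -> bool:
    """PGP/MIME, S/MIME enveloped data, or inline-armoured text: do not wrap
    twice.  Inline PGP is not tied to a MIME type, so every text part is
    scanned for an armour header (Jochen's detection problem)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted" and \
            msg.get_param("protocol") == "application/pgp-encrypted":
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime") and \
            msg.get_param("smime-type") == "enveloped-data":
        return True
    for part in msg.walk():
        if part.get_content_maintype() == "text" and \
                ARMOR_RE.search(part.get_payload(decode=True) or b""):
            return True
    return False


def wrap_pgp_mime(raw: bytes, encrypt, boundary: str = "=-pgp-mime-wrap") -> bytes:
    """Return raw unchanged if already encrypted, else an RFC 3156
    multipart/encrypted message.  encrypt(bytes) -> bytes must return an
    ASCII-armoured PGP MESSAGE for the canonical (CRLF) inner entity."""
    if is_already_encrypted(raw):
        return raw
    fields, body = split_message(raw)
    inner, outer = [], []
    for field in fields:
        name = field.split(b":", 1)[0].strip().lower()
        if name == b"mime-version":
            continue
        (inner if name in BODY_HEADERS else outer).append(field)
    if not any(f.lower().startswith(b"content-type:") for f in inner):
        inner.append(b"Content-Type: text/plain; charset=us-ascii")
    plaintext = re.sub(rb"\r?\n", b"\r\n", b"\n".join(inner) + b"\n\n" + body)
    armored = encrypt(plaintext)       # plaintext lives only in memory and a pipe
    b = boundary.encode()
    return ((b"\n".join(outer) + b"\n" if outer else b"")
            + b"MIME-Version: 1.0\n"
            b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";\n'
            b' boundary="' + b + b'"\n\n'
            b"--" + b + b"\n"
            b"Content-Type: application/pgp-encrypted\n"
            b"Content-Description: PGP/MIME version identification\n\n"
            b"Version: 1\n\n"
            b"--" + b + b"\n"
            b'Content-Type: application/octet-stream; name="encrypted.asc"\n'
            b'Content-Disposition: inline; filename="encrypted.asc"\n\n'
            + armored.rstrip(b"\n") + b"\n\n"
            b"--" + b + b"--\n")


def gpg_encryptor(recipient: str, gpg: str = "gpg"):
    """Encrypt by piping through gpg(1); no temporary file is written.
    The gpg path and recipient selection are assumptions of this example."""
    def encrypt(data: bytes) -> bytes:
        return subprocess.run(
            [gpg, "--batch", "--no-tty", "--quiet", "--trust-model", "always",
             "--armor", "--encrypt", "--recipient", recipient],
            input=data, stdout=subprocess.PIPE, check=True).stdout
    return encrypt


if __name__ == "__main__":
    # Assumed invocation: the key ID comes as the first argument, e.g. from
    # a Sieve "filter" action; the fallback address is a placeholder.
    recipient = sys.argv[1] if len(sys.argv) > 1 else "me@example.com"
    sys.stdout.buffer.write(
        wrap_pgp_mime(sys.stdin.buffer.read(), gpg_encryptor(recipient)))
```

Two things to check before relying on this. First, a non-zero exit from gpg (for instance a missing or expired key, which is why Jochen's reminder to monitor imported keys matters) makes the filter fail; confirm what your Sieve setup does on a failed filter action, because the fallback may be to deliver the message in the clear. Second, this only protects the stored copy: Postfix has already queued the plaintext before Dovecot sees it, Dovecot's LDA/LMTP can buffer the incoming message in its temp directory before Sieve runs, and the Subject, From and other envelope headers remain readable in the Maildir.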