Postfix Mailbox Encryption

Status
Not open for further replies.

highbomber

IS-IT--Management
Oct 11, 2011
2
CA
Hello,

I run a Postfix server with Courier and was wondering how I could encrypt my virtual mailboxes? My SMTP and IMAP traffic is already encrypted with TLS, but if root access was compromised anyone could read my mail.

What is the best way to encrypt the virtual mailboxes?

Thank you,
 
There is no real direct and easy way to do this. You face difficulties such as needing the file system to be read-writeable in order for the mail server to function. Even if you encrypt the file system, it will still be decrypted when it is mounted.

The easiest approach would be to use PGP or GPG on the client end. The downside is that each recipient must have a key pair. Alternatively, you may be able to encrypt the message using a common key and store it in the mailbox/maildir and then decrypt it upon retrieval. However, the private key would still be located on the server and would only serve as much protection as the password protecting it.

From a security standpoint, while applying security in layers is the best approach, of which encrypting your mail is a valid layer, if you had a root level compromise, you have much bigger issues than this, which is really focusing on a secondary symptom rather than the problem. I say this, not to be mean or harsh, but the reality is that once they have achieved root level access, secondary measures such as this will likely have little effect.

There are also services, such as Hushmail, that claim to encrypt the mail on the server. You might investigate how they operate. Also be aware that encrypting mail on the server only covers part of the process: the storage. Will it be decrypted in transit, during reading, on the client end, etc?

I realize that a compromised server feels like a violation and having your mail read only adds insult to that. However, you really need to investigate how the compromise occurred and take proper steps to prevent it from happening again. All other forms of action are just window dressing.


 
Thank you. Your answer was very informative.

There have been no successful attacks, but I always think in a "worst case scenario" sense. You are right, once root level access is gained there is little any other measures could achieve.

I have looked into GPG but I am not able to install software on the clients. Hushmail has similar issues, on top of being proprietary.

I have a lot more to read about. I just hope for now the mail is secure enough for the time being.

Thanks again,
 
If you decide to look into storing the mail in encrypted format, you might want to look at how a milter or other filter system, like SpamAssassin, works. Typically, mail will arrive inbound, get sent out for delivery to the filter program on one port, and then returned into the queue on another port. Theoretically, you could receive the mail and instead of (or in addition to) filtering for spam and viruses, pass the mail through GPG and store the encrypted message instead.

The retrieving side might be a little more difficult and will depend upon what you are using for a POP/IMAP client. Specifically, you will need some form of pre-processing filter to decode the mail file, perhaps to a temporary location.

In regards to "thinking of worst case scenarios", if you haven't heard of it, check out the security forum at linuxquestions.org. There is a BIG sticky thread with a ton of security information that might assist in your research.
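
The delivery-side step described in the reply above (pass inbound mail through GPG and store the encrypted message) could look like the following added example, which is not part of the original thread: it rewraps one message as RFC 3156 PGP/MIME before it is written to the mailbox. The function names, the pluggable `encrypt` parameter and the assumption that the recipient's public key is already in the filter user's keyring are illustrative.

```python
import subprocess
import sys
from email import message_from_bytes
from email.message import Message

# Headers that describe the body; they move inside the encrypted part.
CONTENT_HEADERS = {"mime-version", "content-type", "content-transfer-encoding",
                   "content-disposition"}

def gpg_encrypt(plaintext: bytes, recipient: str) -> bytes:
    """Encrypt to a public key assumed to be in the filter user's keyring."""
    cmd = ["gpg", "--batch", "--no-tty", "--armor", "--trust-model", "always",
           "--encrypt", "--recipient", recipient]
    return subprocess.run(cmd, input=plaintext, capture_output=True,
                          check=True).stdout

def _part(subtype: str, text: str) -> Message:
    part = Message()
    part["Content-Type"] = f"application/{subtype}"
    part.set_payload(text)
    return part

def encrypt_for_storage(raw: bytes, recipient: str, encrypt=gpg_encrypt) -> bytes:
    """Return raw rewrapped as an RFC 3156 PGP/MIME message for the mailbox."""
    raw = raw.replace(b"\r\n", b"\n")
    msg = message_from_bytes(raw)
    if msg.get_content_type() == "multipart/encrypted":
        return raw  # sender already encrypted it (client-side PGP/GPG)
    body = raw.partition(b"\n\n")[2]
    inner = b"".join(f"{k}: {v}\n".encode("ascii", "surrogateescape")
                     for k, v in msg.items() if k.lower() in CONTENT_HEADERS)
    armored = encrypt(inner + b"\n" + body, recipient).decode("ascii")

    outer = Message()
    for name, value in msg.items():  # routing headers stay in cleartext
        if name.lower() not in CONTENT_HEADERS:
            outer[name] = value
    outer["MIME-Version"] = "1.0"
    outer["Content-Type"] = 'multipart/encrypted; protocol="application/pgp-encrypted"'
    outer.attach(_part("pgp-encrypted", "Version: 1\n"))
    outer.attach(_part("octet-stream", armored))
    return outer.as_bytes()

if __name__ == "__main__":  # usage: filter.py KEYID < message > encrypted
    sys.stdout.buffer.write(encrypt_for_storage(sys.stdin.buffer.read(), sys.argv[1]))
```

Only the body and its content headers are encrypted; Subject, From, To and Received lines remain readable in the stored file, and the message exists in plaintext on the server until the filter runs.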
 