-6

I setup cloud server with encrypted volumes, I installed mail server with SMTP and IMAP, I allow only SSL connections (the latest TLS).

I was wondering if this configuration will prevent from others reading my emails - intentionally or unintentionally.

To boot the machine, I need to enter the password. So it's impossible to read my email from snapshots. Also, it's impossible to sniff it out. However it is possible to read it from the memory of virtual machine.

Is there any common way utilized by goverments, isps and cloud providers (except for monitoring tcp connections), that could compromise the security for all the time (assuming that the clients do check certificates and the server is using firewall with selinux and so on)? I mean technology built-in virtualisation which would monitor data processing and memory read and writes? Is there any way to protect from these assuming this machine is running XEN and it's 6 core Xeon launched Q1 2010? (Nahalem based).

Andrew Smith
  • 1,143
  • 13
  • 23
  • 2
    There is no guaranteed way to prevent anyone with access to the physical machine (or the cloud provider) from accessing the data on it, assuming they really want to. Having said that you can certainly make it hard for them to do so once it is on your server. But you still need to receive it somehow and email is a plain text protocol. – Hennes Feb 09 '13 at 15:15

2 Answers2

4

Email is considered an insecure protocol. Most SMTP servers on the net fling mail around in plain-text on port 25. Anyone wanting to snoop anywhere along the line can with no problem.

You can encrypt the connection between your mail client and your mail server, but the vast majority of mail servers on the Internet that will be relaying and receiving your mail use SMTP without TLS.

Basically, don't put anything in an email that you don't want read.

As @EEAA points out in another answer, client-side encryption with something like PGP on all mail is also a strong solution. Upvote him too!

MDMarra
  • 100,734
  • 32
  • 197
  • 329
  • 1
    You asked `"I was wondering if this configuration will prevent from others reading my emails - intentionally or unintentionally."` and the answer is **NO**. There are plenty of people that will be able to at any of the unencrypted SMTP relays along the way. If you're asking how to prevent people from compromising your mail server and accessing the mail databases on it, then you need to go back and edit your question to be more clear. – MDMarra Feb 09 '13 at 15:17
4

The only real answer here is to use PGP encryption on each client.

Your server is not only out of your physical control, but is also running in a virtualized environment. So all bets are off in regards to data security. End-to-end client encryption (where the emails remain encrypted on the server, and cannot be decrypted by the server) is the only way to ensure that email contents cannot be discovered by a third party.

EEAA
  • 109,363
  • 18
  • 175
  • 245