
DISCLAIMER – I'm fishing for ideas, so I can see that some people will start downvoting and flagging this as unsuitable for SF, but hey, if you know of a better place to ask this question, there is a comment box down there, don't just hide behind your clicks.

I have this tiny production server that I'm sharing with colleagues and close clients. I've been asked to provide an e-mail service. I guess I never thought about this, but I was horrified to discover that the various mailbox formats store messages in clear text, and close to nobody seems to care very much. So I figured, those fancy providers must be doing something behind the scenes. I'm not necessarily thinking of ProtonMail, but I guess Google does store messages with some form of encryption – and yes, I realise these services might have developed their own software, but hey. So I started reading up, and the closest I got was a relatively complex Exim4 setup involving a GPG transport_filter with per-user key pairs.

The truth is that the messages that will likely go around the server will not be very confidential, and my colleagues and clients are savvy enough to use GPG themselves if need be. My main concern, rather, is that these messages are available in clear text for anybody – I can see this happening as soon as I'm no longer the only one managing the server: the occasional cat /var/mail/username (or whatever) will happen. Worst of all, the messages will be backed up in clear text – true, I can encrypt the backups.

As I said, I don't want to provide a protonmail-like service, I'm just looking for something that provides some form of smokescreen against careless admins. In particular, some form of clear text will be necessary during transit, for stuff like anti-virus and anti-spam. However, if you have compelling and uncomplicated solutions for something more secure, I'm open to all suggestions.

Morpheu5
  • This is generally handled with privacy policies and nondisclosure agreements. – Michael Hampton May 09 '16 at 12:24
  • I could do that but I was hoping for a more technical solution. We have neither the expertise nor the money to involve the law. – Morpheu5 May 09 '16 at 12:39
  • Have you thought about signing up for Office 365? Take all the hard work out of the problem and sign each client up for their own Office 365 account. Email, Skype for Business, plus SharePoint, all on different plans to suit different sized organisations. – Michael Brown May 09 '16 at 14:01
  • We have had some very bad experiences with Office 365, and in general we'd like to stay away from pre-cooked services – otherwise we'd have already chosen one. – Morpheu5 May 09 '16 at 15:48
  • I would echo Michael's sentiments: encrypt mail in transit obviously, encrypt mail at rest in your own data center with a product that supports that, or simply have an access policy on the mailbox server. You can hack something together with an encrypted file system: http://www.blackhole-networks.com/Cheatsheets/EncryptedMailstore/ – Sum1sAdmin May 12 '16 at 13:18
  • Check out the [LEAP Encryption Access Project](https://leap.se), it might be of help. – gxx May 12 '16 at 13:36
  • If you can't afford a lawyer, you have no business handling other people's email. You _absolutely need_ a lawyer at a bare minimum. You should have the lawyer before you even think about building the service. I cannot warn you strongly enough. You do not want to find yourself on the wrong end of a civil lawsuit, or worse, an FBI investigation, without a good lawyer. – Michael Hampton May 12 '16 at 18:52
  • Very few people should consider running their own email service, in my opinion. There are plenty of reputable, cheap email providers with significant amounts of experience who will take this headache away from you. I run my own server, and I have the knowledge and experience to run my own email service, but I pay $50 a year for someone else to do it for me. – Tim May 12 '16 at 20:33

2 Answers


I'm just looking for something that provides some form of smokescreen against careless admins.

Short answer: no, you can't.

If you're dealing with admins, the first, last and only defence is end-to-end encryption. So GPG is the answer.

Whoever has root access to the server (should) have it because they need it, and probably knows how the services are configured (in order to maintain them or fix them if something goes wrong).

So if you set up some obfuscation, whoever has root probably knows how this obfuscation was made and knows how to decode the messages, so:

  • It doesn't add any valid security layer
  • It creates a false sense of security

A security system is only as secure as its secret. Beware of pseudo-secrets.

(Eric Raymond - The Cathedral and the Bazaar)

Instead you should choose wisely WHO has admin credentials:

  • Do they really need them?
  • Can properly limited sudo access to some specific commands be enough?

Other solutions:

Automatic GPG encryption of all incoming mails

PRO:

  • Keeps IMAP mailboxes protected from peepers
  • Data are safe even if stolen

CONS:

  • Needs a properly configured client to read mails (no webmail access)
  • Customers must agree to it, provide their public GPG key and configure their mail clients (needs tech skills)
  • Sender, recipient, subject and all headers are unencrypted (customers must be aware of it)
  • Needs some work server side and a proper way to validate customers' public keys
  • The message lands in clear text on your server, so it can be wiretapped before GPG encryption

Full disk encryption on server

PRO:

  • Can keep data safe if the server or disks are stolen/seized
  • Fully transparent, no need for special configuration of the mail server or other services

CONS:

  • No protection from admins or if the server is hacked
  • Need to input the password at every boot (through SSH if only the data partition is encrypted, or through a KVM) and you must trust that channel.
  • You will get lower I/O performance

Use of end2end encryption

PRO:

  • Safest way; even you can't access these data

CONS:

  • Customers must do it, and whoever the customers contact must do it properly too
  • To be safe it must be done on all mails in/out, but almost all online services send mails unencrypted (welcome mails, password change mails, notifications etc.)

Tsumi
  • Two points regarding full disk encryption (which you should use, given your planned setup): Have a look at [Unlocking a LUKS encrypted root partition remotely via SSH](http://blog.neutrino.es/2011/unlocking-a-luks-encrypted-root-partition-remotely-via-ssh/) and [mandos](https://wiki.recompile.se/wiki/Mandos), "a system for allowing servers with encrypted root file systems to reboot unattended and/or remotely.", which I can fully recommend! – gxx May 12 '16 at 13:59
  • I thought about full disk encryption. I'm running Docker containers on a KVM machine, so the whole thing is a bit fuzzy to me. I could potentially encrypt the container's volumes, though that wouldn't stop anyone from peeping into the messages if they have access to the container. – Morpheu5 May 16 '16 at 13:13
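The "GPG transport_filter" the question mentions and the "Automatic GPG encryption of all incoming mails" option in the answer above both come down to the same filter: a program the MTA runs per delivery that reads the message, encrypts the body to the recipient's key and hands the result back. The following is an added example, not code from the question, the answer or any mail server project. It assumes a gpg binary and the recipients' public keys already live in the filter user's keyring, and the RECIPIENT_KEYS table, the key ids and the sample message are constructed placeholders. It deliberately produces the PGP/MIME structure of RFC 3156 so the result opens in any client with a PGP plugin, and it shows the two caveats from the answer's CONS list: the headers stay in the clear, and the plaintext passes through the server before encryption happens.

```python
"""PGP/MIME (RFC 3156) encryption of one incoming message to the recipient's public key.

Added example (not from the page). Intended use: the MTA pipes the message to
stdin with the local recipient as argv[1], and delivers what comes out on stdout.
Only the MIME body is encrypted; From, To, Subject, Date, Received and friends
stay in clear text, which is exactly the caveat listed in the answer.
"""
import email
import subprocess
import sys
from email import encoders
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from typing import Callable, List

# Hypothetical mailbox -> key id table. A real deployment has to maintain and
# verify this mapping itself (one of the answer's CONS). Values are placeholders.
RECIPIENT_KEYS = {"alice@example.net": "KEY_ID_PLACEHOLDER"}

# Constructed sample message for trying the filter offline (not from the page).
SAMPLE_MESSAGE = b"""\
Received: from mail.example.org by mx.example.net; Mon, 9 May 2016 12:00:00 +0000
From: bob@example.org
To: alice@example.net
Subject: Quarterly figures
Date: Mon, 9 May 2016 12:00:00 +0000
Message-ID: <constructed-sample@example.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

This is the secret body of a constructed sample message.
"""


def gpg_encrypt(plaintext: bytes, key_id: str) -> bytes:
    """Encrypt with the system gpg binary (assumes gpg and the public key are installed)."""
    result = subprocess.run(
        ["gpg", "--batch", "--yes", "--armor", "--trust-model", "always",
         "--encrypt", "--recipient", key_id],
        input=plaintext, capture_output=True, check=True,
    )
    return result.stdout


def wrap_pgp_mime(raw: bytes, key_id: str,
                  encrypt: Callable[[bytes, str], bytes] = gpg_encrypt) -> Message:
    """Rewrite a raw RFC 5322 message as multipart/encrypted (RFC 3156).

    The encrypted payload is the original MIME entity: its Content-* headers plus
    the body, so attachments and multipart structure survive decryption intact.
    The outer message keeps every other header unchanged (in the clear).
    """
    original = email.message_from_bytes(raw)
    if original.get_content_type() == "multipart/encrypted":
        return original  # already PGP/MIME (e.g. end-to-end from the sender): never wrap twice

    inner = email.message_from_bytes(raw)
    for name in list(inner.keys()):
        if not name.lower().startswith("content-"):
            del inner[name]  # routing/identity headers do not belong in the encrypted part
    if "Content-Type" not in inner:
        inner["Content-Type"] = 'text/plain; charset="us-ascii"'
    # At this point the plaintext exists on the server: this is the wiretap window
    # the answer warns about, and nothing in this filter can remove it.
    ciphertext = encrypt(inner.as_bytes(), key_id)

    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name, value in original.items():
        if name.lower().startswith("content-") or name.lower() == "mime-version":
            continue
        outer[name] = value  # copied verbatim, including duplicates such as Received

    version = MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    body = MIMEApplication(ciphertext, "octet-stream", _encoder=encoders.encode_7or8bit)
    body.add_header("Content-Disposition", "inline", filename="msg.asc")
    outer.attach(version)
    outer.attach(body)
    return outer


def cleartext_headers(msg: Message) -> List[str]:
    """Names of the headers an admin can still read on the stored message."""
    return [n for n in msg.keys()
            if not n.lower().startswith("content-") and n.lower() != "mime-version"]


def main() -> None:
    recipient = sys.argv[1] if len(sys.argv) > 1 else ""
    raw = sys.stdin.buffer.read()
    key_id = RECIPIENT_KEYS.get(recipient)
    if key_id is None:
        # No key on file: deliver unchanged so mail is not lost; log this in a real setup.
        sys.stdout.buffer.write(raw)
        return
    sys.stdout.buffer.write(wrap_pgp_mime(raw, key_id).as_bytes())


if __name__ == "__main__":
    main()
```

Running `python3 filter.py alice@example.net < message.eml` with a key in the keyring prints the PGP/MIME message; `cleartext_headers()` on the result lists exactly what remains readable in the mailbox file, which is the point the answer makes about headers. Because `encrypt` is a parameter, the MIME handling can be exercised without gpg, and a different key store or agent can be dropped in without touching the rest.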

It's always a surprise to learn that it is obviously not common knowledge how the System Administrator (of an Email Server) and all his C-Level buddies can know about you and your communication going on in your company. GPG as mentioned in detail above is obviously one option - and you are right: your users could be the ones taking care of it. As soon as they do, you (the SysAd) can't read their emails anymore ... unless you have their key as well. Given the facts you described, a good number of the email users are not using it.

The good old-fashioned way would probably be to write them an email suggesting doing so ... but this might be an approach beyond the purpose of this platform. A very compelling solution nevertheless (imho).

Having said this, back to the technical options:

Some years back in a company that offered this kind of user-managed privacy protection we used PGP (which offers a Pretty Good Privacy ;-) which is certainly a good alternative to GPG (these GNU people always want to twist our minds, don't they?), but it is still per-user-based.

Keep in mind that privacy and knowledge are pretty different in meaning. From what you are writing I think what you want is an additional level of privacy for others ... like out of some altruistic kind of thinking or caring about sensitive information sitting around and each and every admin having access to it. I think it's nice of you to think like this and you probably are overdoing it for some users if you think like this. They might not even want you to change what everybody got used to (or got used to not knowing). So, if you want to go beyond the level of having every individual taking care of their sensitive information included in emails and an individualized encryption solution is not available for any kind of reason ... I guess you have to go with the server solution as discussed very nicely by @Tsumi or you really go for protonmail.

Or - once again - you go for the human solution mentioned above - good luck finding the best decision for your use case!

dr. rAI
  • Just a note about ProtonMail, as I know they do encryption on incoming mail; that's good but buggy because they can be forced to wiretap the plaintext ones. A similar thing happened some years ago in the Snowden case with Silent Circle: they ended up shutting down their entire company instead of agreeing to the government request. – Tsumi May 12 '16 at 18:39
  • I wish I could have split the bounty between you and Tsumi. Thanks for the food for thought. – Morpheu5 May 16 '16 at 13:10