I’ve recently chosen to take more control over my data when it’s stored in the cloud. Some big parts of that data are my email accounts. Like most geeks, I have a few “vanity” domains that I receive email at. Also like most geeks, I host them on Google Apps. So, I’ve decided to encrypt all incoming email before it gets stored on Google’s servers.

I searched around for methods of implementing this, but many used Exim or Procmail. I’m partial to Postfix myself; I like its privilege separation model. I was drawing blanks until I stumbled upon GPG-Mailgate. This project is a very straightforward filter that GPG-encrypts a message when the recipient’s public key is stored locally. Getting this operational on Ubuntu was easy.

## Creating a mail forwarder

First, I installed Postfix with a blank configuration. Then, to create a basic forwarder configuration, I made /etc/postfix/main.cf:

```
myhostname =
mydestination = $myhostname, localhost.$mydomain, $mydomain
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
transport_maps = hash:/etc/postfix/transport
```

Next I needed to make /etc/postfix/transport, which routes mail for the domain on to Google’s inbound servers (a hash: table has to be rebuilt with `postmap /etc/postfix/transport` after every edit):

```
DOMAIN.COM smtp:
```

And due to a slight bug in Ubuntu’s blank configuration, I needed to make an aliases db:

```sh
echo 'postmaster: root' > /etc/aliases
newaliases
```

At this point I changed my DNS to point the MX record to this server. I sent a test email to ensure forwarding worked.

You’ll want to install gpg, then install GPG-Mailgate:

```sh
cd /root
```

From here I mostly followed the steps from INSTALL, but they’re a bit dated and didn’t quite work for me. Here’s the short version (my apologies for the lazy instructions); make sure you replace the Python version below with the version that’s live on your system:

```sh
cp -R GnuPG /usr/lib/python2.6/
```

Next, we need to add `--trust-model always` to the gpg invocation on line 43. Otherwise GPG throws an error about not trusting the key and fails to encrypt messages. Be clear about what this does: with the trust model forced to “always”, gpg will encrypt to any key present in the filter’s keyring, regardless of signatures or ownertrust, so the contents of that keyring become the only thing deciding which key your mail is encrypted to.

We can take advantage of Postfix’s privilege separation here by running the filter as its own unprivileged user with no login shell (these are useradd flags; Ubuntu’s adduser wrapper takes long options instead):

```sh
# no login shell, home at /var/gpg; -M does not create the home, so make the
# key directory by hand, owned by the filter user and readable by nobody else
useradd -s /bin/false -d /var/gpg -M gpgmap
install -d -o gpgmap -g gpgmap -m 0700 /var/gpg /var/gpg/.gnupg
```

In /etc/nf, modify the `domains` variable to include all domains you want to encrypt messages for. Then, if you have mail aliases, you’ll probably want to add entries under the [keymap] section in the format `email = longKeyID`. Leave `keyhome` as default.

After this is done, we need to get the public keys we want to use for encryption. The next command needs to be repeated for each email address you want to encrypt mail for; if you want an email alias encrypted with a key, use the keymap section of the config file above. Compare the fingerprint of every key you import against one you obtained out of band before accepting it: given the trust model above, nothing else will check it.

```sh
sudo -u gpgmap /usr/bin/gpg --homedir /var/gpg/.gnupg --keyserver hkp:// --search-keys
```

Now we’ll need to tell Postfix to have a filter that calls the external script, and a channel to accept mail from the script after it’s encrypted. The following goes in /etc/postfix/master.cf; keep in mind that I’m using a different username than the INSTALL directions do (this part gets a bit wide, you may need to expand your viewing window):

```
gpg-mailgate unix  -       n       n       -       -       pipe
  flags= user=gpgmap argv=/usr/local/bin/gpg-mailgate.py

# the -o options below are set on the loopback smtpd listener that accepts
# the encrypted message back from the script; continuation lines must be
# indented or Postfix reads them as new service entries
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
```

And then we tell Postfix to use the filter by appending a line to /etc/postfix/main.cf and reloading. Note the `>>`: a single `>` would replace the whole of main.cf with that one line.

```sh
echo 'content_filter = gpg-mailgate' >> /etc/postfix/main.cf
postfix reload
```

With all that, you should find that a test email sent to the address you specified ends up in your Google inbox encrypted with your gpg key. This works perfectly with a PGP-capable IMAP client, such as Thunderbird or K-9 Mail on Android.

## Hardening

As an added bonus, I threw together an AppArmor profile. If your system uses AppArmor, you can place the following in /etc/apparmor.d/-mailgate.py; keep in mind that you’ll need to match the version of Python below with the version used on your system.

Then just run the following to activate the profile:

```sh
aa-enforce /etc/apparmor.d/-mailgate.py
```
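The Postfix wiring for the filter is spread over several fragments above, so here it is in one place, as an added example that is not code from the original post or from the gpg-mailgate project: a POSIX shell script that writes the pipe service, the reinjection listener and the main.cf `content_filter` line into a scratch copy of the configuration, then checks the result for the mistakes that break an external content filter (a clobbered main.cf, an unindented `-o` line, or a listener that does not clear `content_filter` and so loops every message back through the script). The reinjection address 127.0.0.1:10028 and the `${recipient}` argument to gpg-mailgate.py are assumptions taken from Postfix’s FILTER_README and the gpg-mailgate INSTALL file, not from this post; adjust them to your setup.

```shell
#!/bin/sh
# Added example, not code from the original post or the gpg-mailgate project.
# Writes the complete Postfix wiring for an external content filter into a
# scratch copy of main.cf/master.cf and checks it before you would reload.
# Assumptions not stated on the page: the reinjection listener is
# 127.0.0.1:10028 and gpg-mailgate.py takes recipient addresses as
# command-line arguments (${recipient}), as the gpg-mailgate INSTALL does.

# Set or replace one main.cf parameter without clobbering the rest of the file.
# A redirect with a single '>' would truncate main.cf; on a live system
# `postconf -e 'content_filter = gpg-mailgate'` does the same job as this.
set_main_cf_param() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; next }
            { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Append the filter service and the reinjection listener to master.cf.
# Continuation lines start with whitespace: an unindented "-o" would be
# parsed as a new service entry and break the file.
write_master_cf_filter() {
    file=$1; port=${2:-10028}
    cat >> "$file" <<EOF
# pipe each message to the encryption script, running as the dedicated user
gpg-mailgate    unix  -       n       n       -       -       pipe
  flags= user=gpgmap argv=/usr/local/bin/gpg-mailgate.py \${recipient}

# reinjection listener: the script hands the encrypted message back here
127.0.0.1:${port} inet  n       -       n       -       10      smtpd
  -o content_filter=
  -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks=127.0.0.0/8
  -o smtpd_authorized_xforward_hosts=127.0.0.0/8
EOF
}

# Sanity checks worth running before `postfix reload`:
#  1. main.cf names a content_filter and master.cf defines that service;
#  2. no "-o" line has lost its indentation;
#  3. the reinjection listener clears content_filter; otherwise every
#     reinjected message is filtered again and mail loops forever.
check_filter_config() {
    dir=$1; rc=0
    filter=$(sed -n 's/^[[:space:]]*content_filter[[:space:]]*=[[:space:]]*//p' "$dir/main.cf" | tail -n 1)
    filter=${filter%%:*}
    [ -n "$filter" ] || { echo "main.cf: content_filter is not set"; rc=1; }
    grep -q "^${filter}[[:space:]]" "$dir/master.cf" \
        || { echo "master.cf: no service named '$filter'"; rc=1; }
    grep -q '^-o' "$dir/master.cf" \
        && { echo "master.cf: unindented -o line"; rc=1; }
    grep -q '^[[:space:]]*-o[[:space:]]*content_filter=[[:space:]]*$' "$dir/master.cf" \
        || { echo "master.cf: reinjection listener does not clear content_filter"; rc=1; }
    return $rc
}

# Constructed stand-ins for Ubuntu's blank main.cf and master.cf, wired up in
# a scratch directory so the example runs without touching /etc/postfix.
demo() {
    dir=$(mktemp -d)
    printf 'myhostname = mail.example.com\nmydestination = $myhostname\n' > "$dir/main.cf"
    printf 'smtp      inet  n       -       y       -       -       smtpd\n' > "$dir/master.cf"
    set_main_cf_param "$dir/main.cf" content_filter gpg-mailgate
    set_main_cf_param "$dir/main.cf" content_filter gpg-mailgate   # idempotent: still one line
    write_master_cf_filter "$dir/master.cf" 10028
    check_filter_config "$dir" && echo "filter wiring in $dir looks sane"
}

demo
```

Run it as-is to exercise the scratch copy; on a real host, point the functions at /etc/postfix/main.cf and /etc/postfix/master.cf (or use `postconf -e` for main.cf), then `postfix check` and `postfix reload`. The loop check is the one to keep: a reinjection listener that inherits the global `content_filter` is the classic way an advanced content filter ends up re-encrypting the same message until the queue fills.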