amuck-landowner

Postfix - encrypt incoming mail

perennate

New Member
Verified Provider
See https://github.com/u...tb/gpg-mailgate for more information

Assume you're using Postfix with some IMAP server and Thunderbird. (Edit: if you're only using one of Thunderbird/Postfix, you can take the first/second part of the guide, respectively)

First, install Enigmail, a Thunderbird add-on, if you haven't already (Thunderbird -> Tools -> Add-ons -> Enigmail). Generate a key pair via Thunderbird -> OpenPGP -> Key Management -> Generate -> New Key Pair. Most of the default options are okay, maybe add 4096 bits RSA; probably you want to add a passphrase on the key.

Now, go back to the Key Management page, select display all keys by default, right click your new key, and select export to file. Only export the public key. We'll be copying this to your Postfix server so that the server has the public key to encrypt all incoming mail with. So, suppose you have it stored now on the server as /home/youruser/public.key

Okay, so we'll be using gpg-mailgate for automatic encryption filter. It's actually not complete, but luckily someone made a bunch of fixes.


[login as root]
useradd -s /bin/false -d /var/gpg -M gpgmap
mkdir -p /var/gpg/.gnupg
chown -R gpgmap /var/gpg
chmod 700 /var/gpg/.gnupg
sudo -u gpgmap /usr/bin/gpg --import /home/youruser/public.key --homedir=/var/gpg/.gnupg
sudo -u gpgmap /usr/bin/gpg --list-keys --homedir=/var/gpg/.gnupg
cd /root
git clone https://github.com/uakfdotb/gpg-mailgate.git
cd gpg-mailgate
cp -R GnuPG /usr/lib/python2.7 # replace 2.7 with your python version
cp gpg-mailgate.py /usr/local/bin/gpg-mailgate.py
cp gpg-mailgate.conf.sample /etc/gpg-mailgate.conf

You will need to edit /etc/gpg-mailgate.conf, the configuration file. In the "domains = ", add all of the domains you'll want to be encrypting email for. Then, at the bottom, first find your key ID thing that was displayed with the "--list-keys" command. See the example in the configuration file. Your configuration file should look like:


[default]
add_header = yes
domains = mydomain.com,myawesomedomain.com,mynotsoawesomedomain.com

[gpg]
keyhome = /var/gpg/.gnupg

[logging]
file = /tmp/gpg-mailgate.log

[relay]
host = 127.0.0.1
port = 10028

[keymap]
[email protected]omain.com = AAAAAA
[email protected] = AAAAAA

Add this to /etc/postfix/master.cf:


gpg-mailgate unix - n n - - pipe
flags= user=gpgmap argv=/usr/local/bin/gpg-mailgate.py ${recipient}

127.0.0.1:10028 inet n - n - 10 smtpd
-o content_filter=
-o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
-o smtpd_helo_restrictions=
-o smtpd_client_restrictions=
-o smtpd_sender_restrictions=
-o smtpd_recipient_restrictions=permit_mynetworks,reject
-o mynetworks=127.0.0.0/8
-o smtpd_authorized_xforward_hosts=127.0.0.0/8

And finally, set the Postfix content filter in /etc/postfix/main.cf:


content_filter = gpg-mailgate

Note that if you already have a content_filter, you have to do some complicated chaining stuff. I decided to just get rid of my amavisd content filter, since the Spamassassin at least sucks anyway... (doesn't block spam, marks stuff that isn't spam as spam)

Now restart Postfix and send a test email. Hopefully it doesn't bounce! Sucks if it does.

Source1: http://www.rzegocki.pl/blog/Administration/2013/04/14/setting-encrypted-backup-email-server.html

Source2: http://ultramegaman.wordpress.com/tag/gpg-mailgate/
 
Last edited by a moderator:

drmike

100% Tier-1 Gogent
Thanks for taking the time to put this together.  Not my environment mix, so I won't be testing/replicating it. 

We need more tutorials like this.   Keep up the good work and the fighting spirit!
 

perennate

New Member
Verified Provider
I have found that gpg-mailgate is actually garbage, even the fixed version in the git repository. Trying to rewrite the Python script now, will post when it works.

Edit: I believe I have fixed the problem (well the main one anyway; there were some other minor bugs that I also fixed). Just needed to get different method of finding to_addrs than the original script. The big issue was that it was reading the email to get the target addresses, something http://www.postfix.org/FILTER_README.html says to NEVER NEVER NEVER do!
 
Last edited by a moderator:

perennate

New Member
Verified Provider
There were some residual issues. The following have been fixed

  • Occassional attachment decryption errors: fixed by changing forced encoding from quoted-printable to 7bit
  • GPG v2 or something keys patch merged into the repository
 

perennate

New Member
Verified Provider
I want to edit the topic with stuff for encrypting outgoing mail as well for web applications, how to edit?
 

perennate

New Member
Verified Provider
Actually I wanted to edit the content, and I'm not sure what I want to edit it to. Maybe I'll just make a new post then.
 
Last edited by a moderator:

Mun

Never Forget
Wait so is the from server to client transfers? 
 

Or is the from server to server?

Mun
 

perennate

New Member
Verified Provider
This is for both mail sent from anyone to your mail server, and for mail sent from your mail server to anyone who has uploaded their PGP key.
 

kro

New Member
Verified Provider
Sanku, I've just fired up a container to give this a blast on. 

Have a perfect scenario to use it with.
 

perennate

New Member
Verified Provider
Cool, let me know if you run into any issues. There's also a web interface for it in the gpg-mailgate-web subdirectory of the repository.
 

kro

New Member
Verified Provider
As long as I can find doc/man pages, I should be good if i get stuck.
If I'm feeling super lazy, I may pester you :D

Cheers
 

k0nsl

Bad Goy
I'm sorry for rectifying what could be interpreted as an 'old topic' ! In any case, I thought that I finally should go along and do this for one of my servers, but I get this:



[email protected]: sudo -u gpgmap /usr/bin/gpg --import /home/k0nsl/public.key --homedir=/var/gpg/.gnupg
gpg: fatal: can't create directory `/root/.gnupg': Permission denied
secmem usage: 0/0 bytes in 0/0 blocks of pool 0/32768

Any ideas on how to proceed?

Thanks in advance.
 

wlanboy

Content Contributer
Any ideas on how to proceed?

Thanks in advance.
You user (the one with the mailbox) seems to not have a homedir.

Gnupg asumes "~/.gnupg" and it is using "/root/.gnupg'".

Are you sure that "/var/gpg/" does exist?
 
Top
amuck-landowner