See https://github.com/u...tb/gpg-mailgate for more information
Assume you're using Postfix with some IMAP server and Thunderbird. (Edit: if you're only using one of Thunderbird/Postfix, you can take the first/second part of the guide, respectively)
First, install Enigmail, a Thunderbird add-on, if you haven't already (Thunderbird -> Tools -> Add-ons -> Enigmail). Generate a key pair via Thunderbird -> OpenPGP -> Key Management -> Generate -> New Key Pair. Most of the default options are okay; maybe choose 4096-bit RSA, and you probably want to set a passphrase on the key.
Now, go back to the Key Management page, select display all keys by default, right click your new key, and select export to file. Only export the public key. We'll be copying this to your Postfix server so that the server has the public key to encrypt all incoming mail with. So, suppose you have it stored now on the server as /home/youruser/public.key
Okay, so we'll be using gpg-mailgate as the automatic encryption filter. It's actually not complete, but luckily someone made a bunch of fixes.
[login as root]
useradd -s /bin/false -d /var/gpg -M gpgmap
mkdir -p /var/gpg/.gnupg
chown -R gpgmap /var/gpg
chmod 700 /var/gpg/.gnupg
sudo -u gpgmap /usr/bin/gpg --homedir=/var/gpg/.gnupg --import /home/youruser/public.key
sudo -u gpgmap /usr/bin/gpg --homedir=/var/gpg/.gnupg --list-keys
cd /root
git clone https://github.com/uakfdotb/gpg-mailgate.git
cd gpg-mailgate
cp -R GnuPG /usr/lib/python2.7 # replace 2.7 with your python version
cp gpg-mailgate.py /usr/local/bin/gpg-mailgate.py
cp gpg-mailgate.conf.sample /etc/gpg-mailgate.conf
You will need to edit the configuration file, /etc/gpg-mailgate.conf. On the "domains = " line, add all of the domains you want to encrypt email for. Then, in the [keymap] section at the bottom, map each address to the key ID that was displayed by the "--list-keys" command. See the example in the configuration file. Your configuration file should look like:
[default]
add_header = yes
domains = mydomain.com,myawesomedomain.com,mynotsoawesomedomain.com
[gpg]
keyhome = /var/gpg/.gnupg
[logging]
file = /tmp/gpg-mailgate.log
[relay]
host = 127.0.0.1
port = 10028
[keymap]
[email protected] = AAAAAA
[email protected] = AAAAAA
Add this to /etc/postfix/master.cf:
gpg-mailgate unix - n n - - pipe
    flags= user=gpgmap argv=/usr/local/bin/gpg-mailgate.py ${recipient}
127.0.0.1:10028 inet n - n - 10 smtpd
    -o content_filter=
    -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks
    -o smtpd_helo_restrictions=
    -o smtpd_client_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject
    -o mynetworks=127.0.0.0/8
    -o smtpd_authorized_xforward_hosts=127.0.0.0/8
And finally, set the Postfix content filter in /etc/postfix/main.cf:
content_filter = gpg-mailgate
Note that if you already have a content_filter, you have to do some complicated chaining stuff. I decided to just get rid of my amavisd content filter, since the Spamassassin at least sucks anyway... (doesn't block spam, marks stuff that isn't spam as spam)
Now restart Postfix and send a test email. Hopefully it doesn't bounce! Sucks if it does.
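To confirm the test email was really stored encrypted, here is an added example (not part of the original guide or of gpg-mailgate) that classifies a raw message file from the mail store. It accepts both inline ASCII-armored bodies and PGP/MIME, since the guide does not say which form the filter emits; the sample messages and addresses are constructed for illustration.

```python
import email

BEGIN, END = b"-----BEGIN PGP MESSAGE-----", b"-----END PGP MESSAGE-----"

def classify(raw):
    """Classify one stored message: 'pgp-mime', 'inline-pgp', 'mixed' or 'plaintext'."""
    msg = email.message_from_bytes(raw)
    # RFC 3156 PGP/MIME: the whole body is a single encrypted container.
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return "pgp-mime"
    armored = clear = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = (part.get_payload(decode=True) or b"").strip()
        if not body:
            continue  # an empty part carries nothing readable
        if body.startswith(BEGIN) and body.endswith(END):
            armored += 1
        else:
            clear += 1  # a readable part reached the mailbox
    if armored and not clear:
        return "inline-pgp"
    return "mixed" if armored else "plaintext"

def leaked(messages):
    """Names of messages that still carry readable content."""
    return sorted(name for name, raw in messages.items()
                  if classify(raw) in ("mixed", "plaintext"))

# Constructed sample messages (not real mail; the armor body is dummy text).
ARMOR = b"-----BEGIN PGP MESSAGE-----\n\nhQEMA0dummy\n=abcd\n-----END PGP MESSAGE-----\n"
HDR = b"From: a@example.org\nTo: b@example.org\nSubject: test\nMIME-Version: 1.0\n"
SAMPLES = {
    "clear": HDR + b"Content-Type: text/plain\n\nhello in the clear\n",
    "inline": HDR + b"Content-Type: text/plain\n\n" + ARMOR,
    "pgpmime": HDR + b'Content-Type: multipart/encrypted; '
               b'protocol="application/pgp-encrypted"; boundary="b1"\n\n'
               b"--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
               b"--b1\nContent-Type: application/octet-stream\n\n" + ARMOR + b"--b1--\n",
    "partial": HDR + b'Content-Type: multipart/mixed; boundary="b2"\n\n'
               b"--b2\nContent-Type: text/plain\n\n" + ARMOR +
               b"--b2\nContent-Type: text/plain\n\nunencrypted attachment text\n--b2--\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

On the server, pass the bytes of the delivered message file to classify(); a result of "mixed" or "plaintext" means the filter did not encrypt everything for that recipient.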
Source1: http://www.rzegocki.pl/blog/Administration/2013/04/14/setting-encrypted-backup-email-server.html
Source2: http://ultramegaman.wordpress.com/tag/gpg-mailgate/