Grepular

Automatically Encrypting all Incoming Email, Part 2

Written 7 years ago by Mike Cardwell

About a month ago, I described a technique and provided software for configuring your MTA to encrypt all incoming email with a public PGP key. The reason I did this was to secure my mail on the server and also in my various IMAP client caches. At the time, I pointed out a flaw which meant that the “Sent Items” folder wouldn’t be encrypted, but I now have a solution.

Most IMAP clients let you select the name of the folder to store sent mail in, and provide the option of disabling it altogether. In each of my email clients, I disabled storing sent mail, and configured my outgoing MTA to populate it instead. Now, when I send an email via SMTP, my MTA takes a copy of the message, encrypts it with my public key, connects to my IMAP server, and appends the resulting message to the Sent Items folder.

My MTA is Exim and my IMAP server is Dovecot. I also use two additional pieces of open source software which I wrote myself: gpgit to do the encryption, and pipe2imap to deliver the message via IMAP.

Although I’m using Exim, if your MTA can pass an incoming message to an external pipe, and then replace it with the output of that pipe, it will also work with gpgit. Pipe2imap should work with any IMAP server, and any MTA which can deliver a message to a pipe. I would love to hear from people who make this work with other MTAs.

In the router section of my Exim configuration, immediately before the standard dnslookup router, I added the following configuration:

sent_items_router:
   driver    = accept
   transport = sent_items_transport
   condition = ${if !eq{$authenticated_id}{}}
   unseen
   no_verify

This router intercepts any message sent by an authenticated connection, and passes it to a transport named “sent_items_transport”. Because of the “unseen” directive, the message is still processed by subsequent routers, so is still delivered to the recipient. The transport named “sent_items_transport” is more complicated and looks like this:

sent_items_transport:
   driver           = pipe
   user             = $authenticated_id
   group            = Debian-exim
   temp_errors      = *
   transport_filter = /etc/exim4/scripts/gpgit.pl $sender_address
   command          = /etc/exim4/scripts/pipe2imap.pl --ssl \
                         --user     master \
                     --authas   $authenticated_id \
                         --passfile /etc/exim4/master_imap_password.txt \
                         --folder   "Sent Items" \
                         --flags    '\\seen'
   log_defer_output = true

For exact details of the arguments used by the “gpgit.pl“ and “pipe2imap.pl“ commands, please refer to their respective documentation.

Now, all of my incoming and outgoing email is encrypted on the server, and in my various IMAP client stores. Regardless of whether or not the person I am communicating with has even heared of PGP.

There are also efficiency gains to be had by letting your MTA populate your Sent Items folder, rather than doing it with the client. If I send a 15MB email now, my client only has to upload it to the server once via SMTP. Previously, it was having to upload a second copy of the same message via IMAP.

Looking to hire somebody like me? I'm open to offers of full time employment and small contract jobs. Check out my hiring page. You can follow this Blog using RSS or . To read more, visit my blog index.

Feeling generous?BitcoinMoneroZcashPaypal