# Automatically Encrypting all Incoming Email, Part 2

About a month ago, I [described a
technique](/Automatically_Encrypting_all_Incoming_Email) and [provided
software](https://github.com/mikecardwell/gpgit) for configuring your <abbr
title="Message Transfer Agent">MTA</abbr> to encrypt all incoming email with a
public <abbr title="Pretty Good Privacy">PGP</abbr> key. The reason I did this
was to secure my mail on the server and also in my various <abbr title="Internet
Message Access Protocol">IMAP</abbr> client caches. At the time, I pointed out a
flaw which meant that the "Sent Items" folder wouldn't be encrypted, but I now
have a solution.

Most IMAP clients let you select the name of the folder to store sent mail in,
and provide the option of disabling it altogether. In each of my email clients,
I disabled storing sent mail, and configured my outgoing MTA to populate it
instead. Now, when I send an email via <abbr title="Simple Mail Transport
Protocol">SMTP</abbr>, my MTA takes a copy of the message, encrypts it with my
public key, connects to my IMAP server, and appends the resulting message to the
Sent Items folder.

My MTA is Exim and my IMAP server is [Dovecot](https://dovecot.org/). I also use
two additional pieces of open source software which I wrote myself:
[gpgit](https://github.com/mikecardwell/gpgit) to do the encryption, and
[pipe2imap](https://github.com/mikecardwell/pipe2imap) to deliver the message
via IMAP.

Although I'm using Exim, if your MTA can pass an incoming message to an external
pipe, and then replace it with the output of that pipe, it will also work with
gpgit. Pipe2imap should work with any IMAP server, and any MTA which can deliver
a message to a pipe. I would love to hear from people who make this work with
other MTAs.

In the router section of my Exim configuration, immediately before the standard
dnslookup router, I added the following configuration:

```text
sent_items_router:
   driver    = accept
   transport = sent_items_transport
   condition = ${if !eq{$authenticated_id}{}}
   unseen
   no_verify
```

This router intercepts any message sent by an authenticated connection, and
passes it to a transport named "sent_items_transport". Because of the "unseen"
directive, the message is still processed by subsequent routers, so is still
delivered to the recipient. The transport named "sent_items_transport" is more
complicated and looks like this:

```ini
sent_items_transport:
   driver           = pipe
   user             = $authenticated_id
   group            = Debian-exim
   temp_errors      = *
   transport_filter = /etc/exim4/scripts/gpgit.pl $sender_address
   command          = /etc/exim4/scripts/pipe2imap.pl --ssl \
                         --user     master \
	                 --authas   $authenticated_id \
                         --passfile /etc/exim4/master_imap_password.txt \
                         --folder   "Sent Items" \
                         --flags    '\\seen'
   log_defer_output = true
```

For exact details of the arguments used by the
"[gpgit.pl](https://gitlab.com/grepular/gpgit)" and
"[pipe2imap.pl](https://gitlab.com/grepular/pipe2imap)" commands, please refer
to their respective documentation.

Now, all of my incoming and outgoing email is encrypted on the server, and in my
various IMAP client stores. Regardless of whether or not the person I am
communicating with has even heared of PGP.

There are also efficiency gains to be had by letting your MTA populate your Sent
Items folder, rather than doing it with the client. If I send a 15MB email now,
my client only has to upload it to the server once via SMTP. Previously, it was
having to upload a second copy of the same message via IMAP.