[Dovecot] E-Mail Encryption
Ed W
lists at wildgooses.com
Mon Jul 27 20:03:20 EEST 2009
tomas at tuxteam.de wrote:
> Let me state it again: nothing is gained with server-side *de*cryption
> which can't be achieved more easily with disk encryption. Server-side
> encryption is another thing...
>
One use case is where you have regulatory or policy determination that
certain email should be unreadable even to certain groups of users who
have elevated access to the server.
Obviously you need to beware network sniffers on the inbound side, but
take a look at MSExchange to see how they fairly cunningly encrypt in
such a way that you can grant certain users rights to see certain
mailboxes and encryption is used to make sure that permission is fairly
thoroughly enforced.
The main purpose is that you really want to minimise the backdoor where
the IT admins have access to potentially sensitive emails from
management/traders/corporate finance/legal, etc. in large organisations.
Sure it's hard to totally eliminate the ability for the IT guys to get
up to no good, but as far as possible things need to be locked down and
a granular encryption solution is the main way to tackle that. (But
whole disk encryption is at least a good start).
Complete end to end encryption is a cunning idea and of course the only
way to be sure there are no man in the middle attacks, but of course
this breaks all server based content filtering and virus scanning, so
it's unpopular right now... Most solutions need to involve a trusted
server application sitting in the middle.
Would be extremely interested to hear from anyone using Dovecot in some
kind of "big biz" environment and how they tackle various policy issues
like this?
Cheers
Ed W