[Dovecot] Pointers for developing a proper encryption plugin?

Jan-Frode Myklebust janfrode at tanso.net
Fri Jan 7 10:49:56 EET 2011


On Thu, Jan 06, 2011 at 02:05:29PM -0500, Michael Orlitzky wrote:
> 
> This still doesn't work, because the administrator is the one who tells
> the system to encrypt messages as they arrive. He can peek at the
> messages before they're encrypted with the user's public key.

That's a small window of opportunity, compared to letting anyone who has
access or can break into the filesystem/backup-system get access to all
messages without any further complications.

I.e. currently it takes a "read-any-file" vulnerability (or access) to
read all users' messages, with server-side encrypted mailfiles it will
require "read-any-file" + strace processes while user is active. Then you
no longer need to worry about anyone getting access to your backups, read
dead/decommissioned drives, sysadmins "accidentally" reading files, etc.

> It's impossible to hide the contents of a plain-text message from the
> person who receives it in plain text (the administrator). PGP/GPG is the
> only option.

Sure, end-to-end encrypted messages are the only way to be completely sure
they're not read in transit. But the fact that ~0% of our users
send/receive encrypted messages doesn't mean that we should disable SSL
for POP/IMAP connections. Sysadmin/network-admins can just read the
incoming plain text message anyway, so why use SSL on the last mile? ;-)



  -jf

