[Dovecot] Pointers for developing a proper encryption plugin?

tomas at tuxteam.de tomas at tuxteam.de
Fri Jan 7 10:16:28 EET 2011


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thu, Jan 06, 2011 at 02:05:29PM -0500, Michael Orlitzky wrote:
> On 01/06/2011 06:54 AM, Christian Felsing wrote:
> > Am 04.01.2011 07:38, schrieb tomas at tuxteam.de:
> >> The idea upthread (Jan-Frode) to keep a public key server-side and
> >> encrypt messages on arrival seems to me the way to go.

[...]

> This still doesn't work, because the administrator is the one who tells
> the system to encrypt messages as they arrive. He can peek at the
> messages before they're encrypted with the user's public key.

Right. You just reduce the window of opportunity: if a system gets
compromised, the attacker can just peek on newly arriving mail, not on
already delivered mail.

> It's impossible to hide the contents of a plain-text message from the
> person who receives it in plain text (the administrator). PGP/GPG is the
> only option.

You mean end-to-end? We are in violent agreement, then.
Encryption-on-arrival is just a mitigation technique. Best is to get
others to send me encrypted mail.

But the other techniques discussed here (e.g. having a Dovecot plugin
decrypt the mails before serving) seem to me nearly useless (at least
not worth the bother). Because at some point, this very plugin must have
the key available in some unprotected form, and then whoever compromises
the server can capture the key. So it wouldn't reduce significantly the
area of vulnerability.

This all IMO, of course.

Regards
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD4DBQFNJsvcBcgs9XrR2kYRAqkyAJ45Fp3H89IpdPPLyetFkRL0bCj/wgCVFCb+
QSFw9PHqZvzgeX9qIqzIsw==
=vPsq
-----END PGP SIGNATURE-----
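
A minimal model of the encrypt-on-arrival scheme discussed in this message, added here as an illustration; it is not code from the thread or from Dovecot. It assumes RSA-OAEP wrapping an AES-256-GCM session key in place of PGP/GPG, and the function names and sample mail are hypothetical.

```javascript
const crypto = require('node:crypto');

// Constructed key pair for the demo. In the scheme discussed, only publicKey
// is ever stored on the mail server; privateKey stays with the user.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Delivery time, on the server: the plaintext is visible here, which is the
// remaining window of exposure the message describes.
function encryptOnArrival(recipientPublicKey, plaintextMail) {
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([cipher.update(plaintextMail, 'utf8'), cipher.final()]);
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, sessionKey);
  return { wrappedKey, iv, tag: cipher.getAuthTag(), body };
}

// On the user's machine, where the private key lives.
function decryptOnClient(recipientPrivateKey, stored) {
  const sessionKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, stored.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', sessionKey, stored.iv);
  decipher.setAuthTag(stored.tag);
  return Buffer.concat([decipher.update(stored.body), decipher.final()]).toString('utf8');
}

// Key material at rest on the server is the public key only; check that it
// cannot open already delivered mail.
function readableWithServerKeys(stored) {
  try {
    decryptOnClient(publicKey, stored);
    return true;
  } catch (err) {
    return false;
  }
}

const sampleMail = 'Subject: constructed sample\r\n\r\nnot a real message';
const stored = encryptOnArrival(publicKey, sampleMail);
console.log('server can read delivered mail:', readableWithServerKeys(stored)); // false
console.log('client recovers mail:', decryptOnClient(privateKey, stored) === sampleMail); // true
```

A server-side decrypting plugin would have to call `decryptOnClient` on the server itself, which means `privateKey` would sit next to the stored mail.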

