Can Dovecot reject unencrypted mail?
Jochen Bern
Jochen.Bern at binect.de
Wed Jan 10 22:43:42 EET 2018
On 01/10/2018 01:08 PM, David Seaward wrote:
> Is it possible to configure Dovecot to reject mail that is not
> encrypted? In other words:
> 1. If the user tries to send an unencrypted message from their MUA,
> the server rejects it.
> 2. If a third-party tries to send an unencrypted message to the user,
> the server rejects it.
a) In a typical setup, neither of these two services uses dovecot.
b) In order to be able to exchange encrypted e-mails, the two parties
need to exchange their public keys / certs beforehand. Which is
usually done by - signed, but not encrypted, on purpose - e-mail.
c) Any other mail server the user has an account on can be used to
circumvent your securing scenario 1, at least for a large number
of recipients.
d) You're breaking pretty much every sort of autoreply on this planet
for your users.
e) Checking an e-mail for *every* sort of encapsulation that encryption
may use is not quite trivial. Making sure that *the recipient* can
actually decrypt it is impossible, as you assume that the system
does *not* hold the recipient's private key. Nailing it down so that
*only* the recipient can decrypt it (when the sysadmin might fool
the sender into encrypting it for one of *his* pubkeys as well)
should be quite a while of fun, too.
What I *have* done, in postfix, is to take every (single-recipient)
delivery to our own domain, look up a map that tells me whether the
server has a PGP/GnuPG, S/MIME, or neither type of pubkey/cert on
record, encrypt the incoming mail in the first two cases, and log a
warning (and allow the mail to pass unchanged) in the latter. Mind, that
was on peripheral mail servers where I could *assume* the mails not to
already be encrypted, not the actual MX. Also, keeping the map and
pubkeys updated didn't come for free, either, even though I'm the one
handing our staff their S/MIME certs in the first place.
Regards,
--
Jochen Bern
Systemingenieur
www.binect.de
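To make points (e) and the postfix gateway logic above concrete, here is an added illustration (not code from the post or from Dovecot/postfix): a classifier for the common encryption encapsulations (RFC 3156 PGP/MIME, S/MIME enveloped-data, inline ASCII-armoured PGP) plus the policy decision the post describes: pass mail that is already encrypted, encrypt for recipients with a key on record, and only log a warning otherwise. The recipient-to-key-type map, the sample messages and the action names are constructed for the example; the actual encryption step (gpg / openssl smime) is deliberately left out.

```python
"""Gateway-side encryption policy, in the spirit of the postfix setup described
in the post. Everything here is a constructed illustration: KEY_MAP stands in for
a postfix lookup table, the sample messages are synthetic placeholders, and the
'encrypt' action would normally hand the message to gpg or openssl smime."""
import email
import re
from email import policy

# Constructed recipient -> key-type map (the postfix "map" from the post).
KEY_MAP = {
    "alice@example.org": "pgp",
    "bob@example.org": "smime",
    # carol@example.org has no key on record
}

# Inline PGP must start the armour header on its own line; a quoted mention of
# the string in running text (point (e): not trivial) is not treated as a hit.
PGP_ARMOR_LINE = re.compile(r"^-----BEGIN PGP MESSAGE-----\s*$", re.MULTILINE)


def encryption_kind(msg):
    """Return 'pgp', 'smime', 'inline-pgp', 'unknown' or None (not encrypted)."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":  # RFC 3156 PGP/MIME
        proto = (msg.get_param("protocol") or "").lower()
        return "pgp" if proto == "application/pgp-encrypted" else "unknown"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return "smime"
        if smime_type == "signed-data":  # opaque signature only, not encrypted
            return None
        return "unknown"  # smime-type missing: do not guess
    # multipart/signed (detached smime.p7s or PGP signature) and plain text end
    # up here; only an armoured block inside a text part counts as encrypted.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if PGP_ARMOR_LINE.search(part.get_content()):
                return "inline-pgp"
    return None


def decide(raw_message, recipient):
    """Policy for one single-recipient delivery: (action, detail)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    kind = encryption_kind(msg)
    if kind is not None:
        return ("pass", kind)  # already encapsulated: leave it untouched
    key_type = KEY_MAP.get(recipient.lower())
    if key_type in ("pgp", "smime"):
        return ("encrypt", key_type)  # would be handed to gpg / openssl smime
    return ("warn", None)  # no key on record: log a warning, deliver unchanged


# Constructed sample messages (placeholder payloads, not real ciphertext).
PLAIN = """From: sender@example.net
To: carol@example.org
Subject: hello
Content-Type: text/plain; charset=us-ascii

Nothing to see here, just text.
"""

PGP_MIME = """Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
cGxhY2Vob2xkZXI=
-----END PGP MESSAGE-----
--b1--
"""

SMIME_ENVELOPED = """Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
"""

SMIME_SIGNED = """Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
"""

INLINE_PGP = """Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP MESSAGE-----
cGxhY2Vob2xkZXI=
-----END PGP MESSAGE-----
"""

if __name__ == "__main__":
    for name, raw, rcpt in [("plain/carol", PLAIN, "carol@example.org"),
                            ("plain/alice", PLAIN, "alice@example.org"),
                            ("pgp-mime", PGP_MIME, "alice@example.org"),
                            ("smime-env", SMIME_ENVELOPED, "bob@example.org"),
                            ("smime-signed", SMIME_SIGNED, "bob@example.org"),
                            ("inline-pgp", INLINE_PGP, "carol@example.org")]:
        print(f"{name:14} -> {decide(raw, rcpt)}")
```

The signed-data and multipart/signed cases are the ones worth noticing: a signature-only wrapper looks "crypto-ish" but is not encrypted, so under this policy it still goes to the encrypt or warn branch, exactly the signed-but-not-encrypted key-exchange mail from point (b).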