encrypt incoming emails with public gpg key before they are stored to maildir
Jochen Bern
Jochen.Bern at binect.de
Thu Oct 31 12:21:57 EET 2019
On 10/30/2019 03:29 PM, Fourhundred Thecat wrote:
> I have asked on the postfix mailing list for a solution, how to encrypt
> incoming emails with public gpg key
I'm using the following to PGP encrypt all *outgoing* e-mail addressed
to *us* on the SMTP-out server of certain older remote platforms (the
newer ones using only S/MIME instead). Note, however, that it's all
*automated* e-mails that I just *know* not to be encrypted beforehand.
AFAIK "PGP encrypted content" is not as tightly bound to MIME types and
the multipart/* hierarchy as S/MIME is, which complicates detection of
"it *already is* encrypted".
>> Can such filter work, without ever storing plaintext email on disk ?
postfix is an MTA, and does queueing as appropriate for such a beast.
You *will not* get a guarantee that the unencrypted mail will not
*temporarily* be written to disk (and deleted from it again without
being outright wiped). Well, short of putting the spool directory on a
ramdisk or some such.
main.cf:

  smtpd_recipient_restrictions = [...], check_recipient_access hash:/etc/postfix/encrypt, [...]

master.cf:

  gpgit     unix  -       n       n       -       10      pipe
    flags=Rq user=gpgit null_sender=
    argv=/home/gpgit/from-postfix.sh -f "${sender}" --target:${nexthop} -- ${recipient}

encrypt(.db):

  jochen.bern@binect.de     FILTER gpgit:dummy
  binect.de                 WARN Zieladresse fehlt in encrypt Map
  subdomain.binect.de       FILTER gpgit:catchall-MnemonicName
  [... etc.]

~gpgit/.gnupg/gpg.conf:

  trust-model always
  [... various group definitions a la:]
  group SomeAddress@binect.de = 0xSomeKeyID 0xYetAnother 0xSoManyPeople
  group @subdomain.binect.de = 0xMoreOfThis 0xOhTheHumanity
I found gpgit on the web, but had to improve it a bit (and find working
SELinux contexts on my own), so I'm attaching my version and:
> # ls -Zal ~gpgit
> total 84
> drwx------. 3 unconfined_u:object_r:user_home_dir_t:s0 gpgit gpgit 4096 Oct 30 00:09 .
> drwxr-xr-x. 8 system_u:object_r:home_root_t:s0 root root 4096 May 23 2013 ..
> -rwx------. 1 unconfined_u:object_r:postfix_pipe_exec_t:s0 gpgit gpgit 1676 May 21 2013 from-postfix.sh
> drwx------. 2 unconfined_u:object_r:gpg_secret_t:s0 gpgit gpgit 4096 Oct 30 00:15 .gnupg
> -rwx------. 1 unconfined_u:object_r:postfix_pipe_exec_t:s0 gpgit gpgit 12141 May 11 2015 gpgit.pl
Needless to say, you'll have to "su - gpgit" and "gpg --import ..." the
various(?) recipients' public keys, too. And *monitor* them there, if
there are any with a limited lifetime ...
Kind regards,
--
Jochen Bern
Systems Engineer
E jochen.bern at binect.de
W www.binect.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpgit.tgz
Type: application/x-compressed-tar
Size: 4905 bytes
Desc: not available
URL: <https://dovecot.org/pipermail/dovecot/attachments/20191031/f3db0e8c/attachment.bin>
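Two points in the post above deserve a worked illustration: the detection problem ("PGP encrypted content" is not tied to MIME types the way S/MIME is, so inline-armored mail has no structural marker), and what the pipe(8) filter behind the FILTER action actually has to build. The following is an added example written for this archive page; it is not the gpgit.pl / from-postfix.sh attached to the post, and it only covers the encrypt step: it reads one message on stdin, leaves it alone if it is already PGP/MIME, S/MIME-enveloped or inline-PGP, and otherwise wraps it as RFC 3156 multipart/encrypted for the key IDs given on the command line. It assumes a gpg binary on PATH with the recipients' public keys imported into the filter user's keyring (hence --trust-model always, mirroring the posted gpg.conf); re-injection into Postfix with sendmail -G -i, which the author's wrapper script presumably handles, is left outside the script. The two sample messages and the key ID 0xCONSTRUCTED are constructed for the example.

```python
"""Added example (not the gpgit.pl from the post): a pipe(8)-style filter that
reads one message on stdin and, unless it is already encrypted, wraps it as
PGP/MIME (RFC 3156 multipart/encrypted) for the given key IDs."""
import copy
import subprocess
import sys
from email import encoders, message_from_bytes
from email.message import Message
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"


def _is_mime_header(name: str) -> bool:
    """Headers that belong to the MIME entity (and so get encrypted), not the envelope."""
    return name.lower().startswith("content-")


def is_already_encrypted(msg: Message) -> bool:
    """Detect PGP/MIME, S/MIME enveloped data, and inline (non-MIME) PGP armor."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return True
    if ctype == "application/pkcs7-mime" and msg.get_param("smime-type") == "enveloped-data":
        return True
    # Inline PGP carries no MIME marker at all; the only signal is armor at the
    # start of a text body, which is why the post calls this detection awkward.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            if body.lstrip().startswith(PGP_ARMOR):
                return True
    return False


def gpg_encrypt(plaintext: bytes, key_ids) -> bytes:
    """Run gpg as the filter user would; --trust-model always matches the posted gpg.conf."""
    cmd = ["gpg", "--batch", "--quiet", "--armor", "--encrypt", "--trust-model", "always"]
    for kid in key_ids:
        cmd += ["--recipient", kid]
    return subprocess.run(cmd, input=plaintext, check=True, capture_output=True).stdout


def wrap_pgp_mime(msg: Message, key_ids, encrypt=gpg_encrypt) -> Message:
    """Build the RFC 3156 structure: the original MIME entity (Content-* headers plus
    body) is encrypted whole, so the original Content-Type and attachments are hidden."""
    inner = copy.deepcopy(msg)
    for name in list(inner.keys()):
        if not _is_mime_header(name):
            del inner[name]          # removes every occurrence (Received, From, Subject, ...)
    if "Content-Type" not in inner:  # non-MIME mail: make the implicit type explicit
        inner["Content-Type"] = "text/plain; charset=%s" % msg.get_content_charset("us-ascii")
    ciphertext = encrypt(inner.as_bytes(), key_ids)

    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name, value in msg.items():  # envelope/routing headers stay visible for delivery
        if not _is_mime_header(name) and name.lower() != "mime-version":
            outer[name] = value
    control = MIMEApplication(b"Version: 1\n", "pgp-encrypted", _encoder=encoders.encode_7or8bit)
    control["Content-Description"] = "PGP/MIME version identification"
    data = MIMEApplication(ciphertext, "octet-stream", _encoder=encoders.encode_7or8bit,
                           name="encrypted.asc")
    data["Content-Description"] = "OpenPGP encrypted message"
    data["Content-Disposition"] = 'inline; filename="encrypted.asc"'
    outer.attach(control)
    outer.attach(data)
    return outer


def encrypt_if_needed(raw: bytes, key_ids, encrypt=gpg_encrypt) -> bytes:
    """The filter's whole job; idempotent, so a second pass through it is harmless."""
    msg = message_from_bytes(raw)
    if is_already_encrypted(msg):
        return raw
    return wrap_pgp_mime(msg, key_ids, encrypt).as_bytes()


# Constructed sample messages for the example (not from the post).
SAMPLE_PLAIN = (b"Received: from host.example (constructed)\n"
                b"From: monitor@example.org\nTo: someone@example.org\n"
                b"Subject: disk usage report\nContent-Type: text/plain; charset=us-ascii\n\n"
                b"/var is at 91%\n")
SAMPLE_INLINE = (b"From: a@example.org\nTo: b@example.org\nSubject: hi\n\n"
                 b"-----BEGIN PGP MESSAGE-----\n\nhQEMA...constructed...\n-----END PGP MESSAGE-----\n")


if __name__ == "__main__":
    # Usage, as a pipe(8) transport would run it: filter.py KEYID [KEYID ...] < message
    # The output would then be re-injected with /usr/sbin/sendmail -G -i -f "$sender" -- "$recipient".
    if len(sys.argv) < 2:
        sys.exit("usage: %s KEYID [KEYID ...] < message" % sys.argv[0])
    sys.stdout.buffer.write(encrypt_if_needed(sys.stdin.buffer.read(), sys.argv[1:]))
```

Note what this does and does not protect: the whole original MIME entity, including its Content-Type and any attachments, ends up inside the armored part, but From, To, Subject and the Received trail stay in clear because delivery needs them; and, as the post says, Postfix has already queued the plaintext before the pipe transport runs, so the filter changes what lands in the maildir, not what touches the spool.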