Encrypting and transferring system email with Zeyple
IT specialists often rely on automatic notification for status messages and logfiles by email. A Python script named Zeyple uses GPG to protect potentially sensitive messages against unauthorized viewing.
The information contained in system update messages is not just informative, it's also frequently sensitive, containing details such as usernames, email addresses, and even data that is subject to data protection legislation (Figure 1).
If you send these kinds of messages unencrypted, you could be providing important clues to attackers and making it easier for surveillance agencies to monitor your activities. Securing transport with SSL/TLS is one approach to adding security. However, this method does not provide complete protection for mail content.
Once a message reaches the provider's mail transfer agent (MTA) at the other end, encryption stops, and the mail is back in cleartext. Therefore, to make email communication completely inaccessible to outsiders requires continuous encryption of the content from the sender to the receiver. Linux systems offer a relatively easy-to-use encryption method called GPG, which stands for GNU Privacy Guard. This approach, which works well for routine communications, requires a bit more preparation on a server that you want to encrypt and send without user interaction.
The most elegant method passes email from the MTA queue to a program that encrypts the messages and then puts them back in the queue. Then, the MTA routes the mail as usual to the receiver or receivers (Figure 2). This process is exactly what the Python script Zeyple , by Cédric Félizard, does. The tool, named Zeyple Encrypts Your Precious Log Email, a recursive acronym in the best Unix/Linux style, hooks into the MTA queue where it encrypts all email to recipients whose public GPG keys are on record.
Using Postfix as an example, I'll show you how to install Zeyple and configure the SMTP server to cooperate with it. Zeyple is available for download on GitHub  and should also work with other MTAs that provide an appropriate queue filter mechanism, according to the developers.
install.sh script in Listing 1 sets up cooperation between Zeyple and Postfix . The example is based on Debian Squeeze with Postfix version 2.7.2, but with minor adjustments, it should work just as well on other distributions. For encryption to work, the system administrator needs to generate a GPG key pair and upload the public key to a keyserver.
01 #!/bin/bash 02 # install.sh 03 [ ... ] 04 # Enter the internal address to which system email usually goes here 05 INT_ADDRESS= 06 # EXT_ADDRESS defines the external address of the server to which to send the encrypted system messages. Important: You need a public GPG key on the keyserver for this address ($KEYSERVER_ADDRESS, see line 9) 07 EXT_ADDRESS= 08 # The URL of the keyserver 09 KEYSERVER_ADDRESS= 10 11 # Install dependencies 12 apt-get install sudo gpg python-gpgme 13 14 # Create the system user without home directory and without login permission 15 adduser --system --no-create-home --disabled-login zeyple 16 17 # Download the Python script zeyple.py 18 wget https://github.com/infertux/zeyple/blob/master/zeyple/zeyple.py 19 # Download configuration file 20 wget https://github.com/infertux/zeyple/blob/master/zeyple/zeyple.conf.example 21 22 # Set up a directory under /etc for configuration file and key management 23 mkdir -p /etc/zeyple/keys && chmod 700 /etc/zeyple/keys && chown zeyple: /etc/zeyple/keys 24 25 # Fetch the public key from the keyserver for $EXT_ADDRESS and import with gpg 26 sudo -u zeyple gpg --homedir /etc/zeyple/keys --keyserver $KEYSERVER_ADDRESS --search $EXT_ADDRESS 27 28 # Move the example configuration file to /etc/zeyple 29 mv zeyple.conf.example /etc/zeyple/zeyple.conf 30 # Move zeyple.py to /usr/local/bin and apply user rights 31 mv zeyple.py /usr/local/bin/zeyple.py 32 chmod 744 /usr/local/bin/zeyple.py && chown zeyple: /usr/local/bin/zeyple.py 33 34 # Create logfile and set user rights 35 touch /var/log/zeyple.log && chown zeyple: /var/log/zeyple.log 36 37 # Prepare Postfix for Zeyple: expand main.cf and master.cf to include filter entries 38 cd /etc/postfix 39 40 cat >> master.cf <<END 41 zeyple unix - n n - - pipe 42 user=zeyple argv=/usr/local/bin/zeyple.py 43 44 localhost:10026 inet n - n - 10 smtpd 45 -o content_filter= 46 -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters 47 -o smtpd_helo_restrictions= 48 -o smtpd_client_restrictions= 49 -o smtpd_sender_restrictions= 50 -o smtpd_recipient_restrictions=permit_mynetworks,reject 51 -o mynetworks=127.0.0.0/8 52 -o smtpd_authorized_xforward_hosts=127.0.0.0/8 53 END 54 55 # Install the content filter in main.cf 56 cat >> main.cf <<END 57 content_filter = zeyple 58 END 59 60 # For Zeyple to assign keys correctly, it is recommended to redirect the internal email address for outgoing mail to the external address 61 cat >> recipient_canonical<<END 62 $INT_ADDRESS $EXT_ADDRESS 63 END 64 65 # Create the new Postfix database recipient 66 postmap recipient_canonical 67 # Publish database in Postfix address rewriting 68 cat >> main.cf <<END 69 recipient_canonical_maps = hash:/etc/postfix/recipient_canonical 70 END 71 # Reload Postfix configuration 72 /etc/init.d/postfix reload 73 74 exit 0
Lines 5 and 7 of the listing define the internal (e.g.,
root@<local.domain>) and the external (e.g.,
email@example.com) email addresses. Then, you need to choose an appropriate keyserver on which to store the public key for the external email addresses and add its URL to line 9.
For the installation script to work, Zeyple also needs the packages sudo, GPG, and python-gpgme (line 12). GPG is usually already installed on Debian squeeze, but not sudo or python-gpgme. Line 15 creates the user zeyple, under whose privileges the script runs. Under no circumstances should the admin run Zeyple with the privileges of the postfix or root accounts.
Line 20 loads the configuration example from GitHub, and the script creates the configuration directory and the directory for the GPG key database for Zeyple before setting up permissions.
Line 29 transports the sample configuration to
/etc/zeyple, which you can use without any changes. The next few lines move the Python script
/usr/local/bin and make it executable.
Buy this article as PDF
Kernel king admits his tone has alienated volunteers, but says the demands of the process require directness.
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.