Encrypting and transferring system email with Zeyple

Granular Adjustment

The script creates an empty logfile for Zeyple, and conscientious admins will want to create a suitable configuration in the /etc/logrotate.d directory. The block of code that follows (lines 37-53) integrates Zeyple as a content filter on port 10026 (line 44; the port is configurable in /etc/zeyple/zeyple.conf) in the Postfix master.cf file; the matching entry for main.cf then follows.

Up to this point, the installation script has largely followed the instructions by Zeyple author Cédric Félizard. He recommends using the aliases database in Postfix to forward the internal email address to the external one. However, in our lab test, in the present configuration, Postfix does not use the To: field of the email header for the external email address; rather, it uses the X-Envelope: field, which is why some email will leave the system unencrypted (see also the Postfix manual [6]).

Help for Postfix

The remedy lies in lines 60 to 70. The code assigns the external address in the Postfix recipient_canonical database to the internal address, hashes the database again (line 66), and announces its existence in the Postfix master.cf configuration file (lines 67 to 70).

Now you only need to load the new Postfix configuration (line 72) to complete the installation and configuration, and the server will automatically encrypt outgoing email. From now on, all system email that would otherwise be sent to root on the mail system should be encrypted when it arrives at the specified external email address. You can test this configuration with the following:

date | mail -s test <admin_internal_email>

The public key for Zeyple is managed at the command line using GPG, the user zeyple, and the --homedir=/etc/zeyple option.

Zeyple Weaknesses

Zeyple provides good service but is far from perfect: For example, it cannot encrypt email attachments and therefore cannot handle typical HTML email. Also, an attacker could use the public key available on the keyserver to send spoofed system messages to the system administrator. The only solution is to sign email in addition to encryption, but Zeyple cannot do this, yet.

In any case, caution is advised: Hardening all your servers with a single private key is unwise; in the case of a compromise, all systems would need new keys. The only option is to generate a keypair for each system and revoke and replace them in individual cases. The organizational overhead could be significant, depending on the number of servers.

Infos

  1. Logdigest: http://sourceforge.net/projects/logdigest/
  2. LogSurfer: http://www.crypt.gen.nz/logsurfer/
  3. "Login Mail" by Charly Kühnast, Linux Magazine, August 2010, pg. 55: http://www.linux-magazine.com/Issues/2010/117/Charly-s-Column
  4. Zeyple on GitHub: https://github.com/infertux/Zeyple
  5. Installation script for Zeyple and Postfix: ftp://ftp.linux-magazin.com/pub/listings/magazine/153
  6. Postfix documentation for address rewriting: http://www.postfix.org/ADDRESS_REWRITING_README.html

The Author

Harry Knitter, http://www.knitter-edv-beratung.de, advises and assists small and medium-sized businesses with networking and IT security issues. He focuses especially on Linux. Additionally, he works as a computer instructor at the School of Public Administration and Justice in Bavaria.

« Previous 1 2

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Greylisting with Postgrey

    Vendors continue to develop new defenses against spam, one of the Internet’s most notorious pests. In this article, we integrate Postgrey with the Postfix mail server for a greylisting and whitelisting solution.

    more »
  • Bot_Attack

    While going about his normal duties, Linux Magazine author Charly Kühnast was hit with a mean attack. Charly’s separate anti-spam server, which sits in front of his mail server, saved him from the mail storm.

    more »
  • Charly's Column

    At the Niederrhein University future admins implement spam defense mechanisms by attracting the attention of the Viagra Mafia. The results are pertinacious blacklists and expert knowledge of methods for combating the menace.

    more »
  • Books
    more »
  • Optimizing Servers

    Your homepage was just linked by Slashdot, a new email campaign goes out tonight, and you need the database to deliver survey results. We’ll show you how to help your servers survive the strain.

    more »
comments powered by Disqus

Visit Our Shop

Trial Subscription

Digital Subscription

Subscribe

Direct Download

Read full article as PDF:

Price $2.95

News

Tag Cloud

Administration Community Desktop Events Hardware Linux Linux Pro Magazine Mobile Programming Software Ubuntu Web Development Windows free software open source