Encrypting and transferring system email with Zeyple
Granular Adjustment
The script creates an empty logfile for Zeyple, and conscientious admins will want to create a suitable configuration in the /etc/logrotate.d
directory. The block of code that follows (lines 37-53) integrates Zeyple as a content filter on port 10026 (line 44; the port is configurable in /etc/zeyple/zeyple.conf
) in the Postfix master.cf
file; the matching entry for main.cf
then follows.
Up to this point, the installation script has largely followed the instructions by Zeyple author Cédric Félizard. He recommends using the aliases database in Postfix to forward the internal email address to the external one. However, in our lab test, in the present configuration, Postfix does not use the To:
field of the email header for the external email address; rather, it uses the X-Envelope:
field, which is why some email will leave the system unencrypted (see also the Postfix manual [6]).
Help for Postfix
The remedy lies in lines 60 to 70. The code assigns the external address in the Postfix recipient_canonical
database to the internal address, hashes the database again (line 66), and announces its existence in the Postfix master.cf
configuration file (lines 67 to 70).
Now you only need to load the new Postfix configuration (line 72) to complete the installation and configuration, and the server will automatically encrypt outgoing email. From now on, all system email that would otherwise be sent to root on the mail system should be encrypted when it arrives at the specified external email address. You can test this configuration with the following:
date | mail -s test <admin_internal_email>
The public key for Zeyple is managed at the command line using GPG, the user zeyple
, and the --homedir=/etc/zeyple
option.
Zeyple Weaknesses
Zeyple provides good service but is far from perfect: For example, it cannot encrypt email attachments and therefore cannot handle typical HTML email. Also, an attacker could use the public key available on the keyserver to send spoofed system messages to the system administrator. The only solution is to sign email in addition to encryption, but Zeyple cannot do this, yet.
In any case, caution is advised: Hardening all your servers with a single private key is unwise; in the case of a compromise, all systems would need new keys. The only option is to generate a keypair for each system and revoke and replace them in individual cases. The organizational overhead could be significant, depending on the number of servers.
Infos
- Logdigest: http://sourceforge.net/projects/logdigest/
- LogSurfer: http://www.crypt.gen.nz/logsurfer/
- "Login Mail" by Charly Kühnast, Linux Magazine, August 2010, pg. 55: http://www.linux-magazine.com/Issues/2010/117/Charly-s-Column
- Zeyple on GitHub: https://github.com/infertux/Zeyple
- Installation script for Zeyple and Postfix: ftp://ftp.linux-magazin.com/pub/listings/magazine/153
- Postfix documentation for address rewriting: http://www.postfix.org/ADDRESS_REWRITING_README.html
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Latest Cinnamon Desktop Releases with a Bold New Look
Just in time for the holidays, the developer of the Cinnamon desktop has shipped a new release to help spice up your eggnog with new features and a new look.
-
Armbian 24.11 Released with Expanded Hardware Support
If you've been waiting for Armbian to support OrangePi 5 Max and Radxa ROCK 5B+, the wait is over.
-
SUSE Renames Several Products for Better Name Recognition
SUSE has been a very powerful player in the European market, but it knows it must branch out to gain serious traction. Will a name change do the trick?
-
ESET Discovers New Linux Malware
WolfsBane is an all-in-one malware that has hit the Linux operating system and includes a dropper, a launcher, and a backdoor.
-
New Linux Kernel Patch Allows Forcing a CPU Mitigation
Even when CPU mitigations can consume precious CPU cycles, it might not be a bad idea to allow users to enable them, even if your machine isn't vulnerable.
-
Red Hat Enterprise Linux 9.5 Released
Notify your friends, loved ones, and colleagues that the latest version of RHEL is available with plenty of enhancements.
-
Linux Sees Massive Performance Increase from a Single Line of Code
With one line of code, Intel was able to increase the performance of the Linux kernel by 4,000 percent.
-
Fedora KDE Approved as an Official Spin
If you prefer the Plasma desktop environment and the Fedora distribution, you're in luck because there's now an official spin that is listed on the same level as the Fedora Workstation edition.
-
New Steam Client Ups the Ante for Linux
The latest release from Steam has some pretty cool tricks up its sleeve.
-
Gnome OS Transitioning Toward a General-Purpose Distro
If you're looking for the perfectly vanilla take on the Gnome desktop, Gnome OS might be for you.