Encrypting and transferring system email with Zeyple
Key Service
IT specialists often rely on automatic notification for status messages and logfiles by email. A Python script named Zeyple uses GPG to protect potentially sensitive messages against unauthorized viewing.
Whether you choose Logdigest [1], LogSurfer [2], your own script, or cron [3], email is a common choice for quickly updating admins about the state of the system.
The information contained in system update messages is not just informative, it's also frequently sensitive, containing details such as usernames, email addresses, and even data that is subject to data protection legislation (Figure 1).
If you send these kinds of messages unencrypted, you could be providing important clues to attackers and making it easier for surveillance agencies to monitor your activities. Securing transport with SSL/TLS is one approach to adding security. However, this method does not provide complete protection for mail content.
Once a message reaches the provider's mail transfer agent (MTA) at the other end, encryption stops, and the mail is back in cleartext. Therefore, to make email communication completely inaccessible to outsiders requires continuous encryption of the content from the sender to the receiver. Linux systems offer a relatively easy-to-use encryption method called GPG, which stands for GNU Privacy Guard. This approach, which works well for routine communications, requires a bit more preparation on a server that you want to encrypt and send without user interaction.
The most elegant method passes email from the MTA queue to a program that encrypts the messages and then puts them back in the queue. Then, the MTA routes the mail as usual to the receiver or receivers (Figure 2). This process is exactly what the Python script Zeyple [4], by Cédric Félizard, does. The tool, named Zeyple Encrypts Your Precious Log Email, a recursive acronym in the best Unix/Linux style, hooks into the MTA queue where it encrypts all email to recipients whose public GPG keys are on record.
Postfix Example
Using Postfix as an example, I'll show you how to install Zeyple and configure the SMTP server to cooperate with it. Zeyple is available for download on GitHub [4] and should also work with other MTAs that provide an appropriate queue filter mechanism, according to the developers.
The install.sh
script in Listing 1 sets up cooperation between Zeyple and Postfix [5]. The example is based on Debian Squeeze with Postfix version 2.7.2, but with minor adjustments, it should work just as well on other distributions. For encryption to work, the system administrator needs to generate a GPG key pair and upload the public key to a keyserver.
Listing 1
install.sh
Installation Script
Lines 5 and 7 of the listing define the internal (e.g., root@<local.domain>
) and the external (e.g., admin@example.com
) email addresses. Then, you need to choose an appropriate keyserver on which to store the public key for the external email addresses and add its URL to line 9.
Dependencies
For the installation script to work, Zeyple also needs the packages sudo, GPG, and python-gpgme (line 12). GPG is usually already installed on Debian squeeze, but not sudo or python-gpgme. Line 15 creates the user zeyple, under whose privileges the script runs. Under no circumstances should the admin run Zeyple with the privileges of the postfix or root accounts.
Line 20 loads the configuration example from GitHub, and the script creates the configuration directory and the directory for the GPG key database for Zeyple before setting up permissions.
Line 29 transports the sample configuration to /etc/zeyple
, which you can use without any changes. The next few lines move the Python script zeyple
to /usr/local/bin
and make it executable.
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Thousands of Linux Servers Infected with Stealth Malware Since 2021
Perfctl is capable of remaining undetected, which makes it dangerous and hard to mitigate.
-
Halcyon Creates Anti-Ransomware Protection for Linux
As more Linux systems are targeted by ransomware, Halcyon is stepping up its protection.
-
Valve and Arch Linux Announce Collaboration
Valve and Arch have come together for two projects that will have a serious impact on the Linux distribution.
-
Hacker Successfully Runs Linux on a CPU from the Early ‘70s
From the office of "Look what I can do," Dmitry Grinberg was able to get Linux running on a processor that was created in 1971.
-
OSI and LPI Form Strategic Alliance
With a goal of strengthening Linux and open source communities, this new alliance aims to nurture the growth of more highly skilled professionals.
-
Fedora 41 Beta Available with Some Interesting Additions
If you're a Fedora fan, you'll be excited to hear the beta version of the latest release is now available for testing and includes plenty of updates.
-
AlmaLinux Unveils New Hardware Certification Process
The AlmaLinux Hardware Certification Program run by the Certification Special Interest Group (SIG) aims to ensure seamless compatibility between AlmaLinux and a wide range of hardware configurations.
-
Wind River Introduces eLxr Pro Linux Solution
eLxr Pro offers an end-to-end Linux solution backed by expert commercial support.
-
Juno Tab 3 Launches with Ubuntu 24.04
Anyone looking for a full-blown Linux tablet need look no further. Juno has released the Tab 3.
-
New KDE Slimbook Plasma Available for Preorder
Powered by an AMD Ryzen CPU, the latest KDE Slimbook laptop is powerful enough for local AI tasks.