Encrypting and transferring system email with Zeyple

Key Service

Article from Issue 153/2013

IT specialists often rely on automatic notification for status messages and logfiles by email. A Python script named Zeyple uses GPG to protect potentially sensitive messages against unauthorized viewing.

Whether you choose Logdigest [1], LogSurfer [2], your own script, or cron [3], email is a common choice for quickly updating admins about the state of the system.

The information contained in system update messages is not just informative, it's also frequently sensitive, containing details such as usernames, email addresses, and even data that is subject to data protection legislation (Figure 1).

Figure 1: Email addresses, login information, and more: Many messages to sys admins include vulnerable data that easily can be sniffed through a man-in-the-middle attack.

If you send these kinds of messages unencrypted, you could be providing important clues to attackers and making it easier for surveillance agencies to monitor your activities. Securing transport with SSL/TLS is one approach to adding security. However, this method does not provide complete protection for mail content.

Once a message reaches the provider's mail transfer agent (MTA) at the other end, encryption stops, and the mail is back in cleartext. Therefore, to make email communication completely inaccessible to outsiders requires continuous encryption of the content from the sender to the receiver. Linux systems offer a relatively easy-to-use encryption method called GPG, which stands for GNU Privacy Guard. This approach, which works well for routine communications, requires a bit more preparation on a server that you want to encrypt and send without user interaction.

The most elegant method passes email from the MTA queue to a program that encrypts the messages and then puts them back in the queue. Then, the MTA routes the mail as usual to the receiver or receivers (Figure 2). This process is exactly what the Python script Zeyple [4], by Cédric Félizard, does. The tool, named Zeyple Encrypts Your Precious Log Email, a recursive acronym in the best Unix/Linux style, hooks into the MTA queue where it encrypts all email to recipients whose public GPG keys are on record.

Figure 2: Zeyple hooks into the queue of the mail transfer agent (e.g., in Postfix).

Postfix Example

Using Postfix as an example, I'll show you how to install Zeyple and configure the SMTP server to cooperate with it. Zeyple is available for download on GitHub [4] and should also work with other MTAs that provide an appropriate queue filter mechanism, according to the developers.

The install.sh script in Listing 1 sets up cooperation between Zeyple and Postfix [5]. The example is based on Debian Squeeze with Postfix version 2.7.2, but with minor adjustments, it should work just as well on other distributions. For encryption to work, the system administrator needs to generate a GPG key pair and upload the public key to a keyserver.

Listing 1


01 #!/bin/bash
02 # install.sh
03 [ ... ]
04 # Enter the internal address to which system email usually goes here
06 # EXT_ADDRESS defines the external address of the server to which to send the encrypted system messages. Important: You need a public GPG key on the keyserver for this address ($KEYSERVER_ADDRESS, see line 9)
08 # The URL of the keyserver
11 # Install dependencies
12 apt-get install sudo gpg python-gpgme
14 # Create the system user without home directory and without login permission
15 adduser --system --no-create-home --disabled-login zeyple
17 # Download the Python script zeyple.py
18 wget https://github.com/infertux/zeyple/blob/master/zeyple/zeyple.py
19 # Download configuration file
20 wget https://github.com/infertux/zeyple/blob/master/zeyple/zeyple.conf.example
22 # Set up a directory under /etc for configuration file and key management
23 mkdir -p /etc/zeyple/keys && chmod 700 /etc/zeyple/keys && chown zeyple: /etc/zeyple/keys
25 # Fetch the public key from the keyserver for $EXT_ADDRESS and import with gpg
26 sudo -u zeyple gpg --homedir /etc/zeyple/keys --keyserver $KEYSERVER_ADDRESS --search $EXT_ADDRESS
28 # Move the example configuration file to /etc/zeyple
29 mv zeyple.conf.example /etc/zeyple/zeyple.conf
30 # Move zeyple.py to /usr/local/bin and apply user rights
31 mv zeyple.py /usr/local/bin/zeyple.py
32 chmod 744 /usr/local/bin/zeyple.py && chown zeyple: /usr/local/bin/zeyple.py
34 # Create logfile and set user rights
35 touch /var/log/zeyple.log && chown zeyple: /var/log/zeyple.log
37 # Prepare Postfix for Zeyple: expand main.cf and master.cf to include filter entries
38 cd /etc/postfix
40 cat >> master.cf <<END
41 zeyple unix  -  n  n  -  -  pipe
42   user=zeyple argv=/usr/local/bin/zeyple.py
44 localhost:10026  inet  n  -  n  -  10  smtpd
45   -o content_filter=
46   -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
47   -o smtpd_helo_restrictions=
48   -o smtpd_client_restrictions=
49   -o smtpd_sender_restrictions=
50   -o smtpd_recipient_restrictions=permit_mynetworks,reject
51   -o mynetworks=
52   -o smtpd_authorized_xforward_hosts=
53 END
55 # Install the content filter in main.cf
56 cat >> main.cf <<END
57 content_filter = zeyple
58 END
60 # For Zeyple to assign keys correctly, it is recommended to redirect the internal email address for outgoing mail to the external address
61 cat >> recipient_canonical<<END
63 END
65 # Create the new Postfix database recipient
66 postmap recipient_canonical
67 # Publish database in Postfix address rewriting
68 cat >> main.cf <<END
69 recipient_canonical_maps = hash:/etc/postfix/recipient_canonical
70 END
71 # Reload Postfix configuration
72 /etc/init.d/postfix reload
74 exit 0

Installation Script

Lines 5 and 7 of the listing define the internal (e.g., root@<local.domain>) and the external (e.g., admin@example.com) email addresses. Then, you need to choose an appropriate keyserver on which to store the public key for the external email addresses and add its URL to line 9.


For the installation script to work, Zeyple also needs the packages sudo, GPG, and python-gpgme (line 12). GPG is usually already installed on Debian squeeze, but not sudo or python-gpgme. Line 15 creates the user zeyple, under whose privileges the script runs. Under no circumstances should the admin run Zeyple with the privileges of the postfix or root accounts.

Line 20 loads the configuration example from GitHub, and the script creates the configuration directory and the directory for the GPG key database for Zeyple before setting up permissions.

Line 29 transports the sample configuration to /etc/zeyple, which you can use without any changes. The next few lines move the Python script zeyple to /usr/local/bin and make it executable.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Greylisting with Postgrey

    Vendors continue to develop new defenses against spam, one of the Internet’s most notorious pests. In this article, we integrate Postgrey with the Postfix mail server for a greylisting and whitelisting solution.

  • Bot_Attack

    While going about his normal duties, Linux Magazine author Charly Kühnast was hit with a mean attack. Charly’s separate anti-spam server, which sits in front of his mail server, saved him from the mail storm.

  • Charly's Column

    At the Niederrhein University future admins implement spam defense mechanisms by attracting the attention of the Viagra Mafia. The results are pertinacious blacklists and expert knowledge of methods for combating the menace.

  • Books
  • Optimizing Servers

    Your homepage was just linked by Slashdot, a new email campaign goes out tonight, and you need the database to deliver survey results. We’ll show you how to help your servers survive the strain.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95