Encrypting and transferring system email with Zeyple
Granular Adjustment
The script creates an empty logfile for Zeyple, and conscientious admins will want to create a suitable configuration in the /etc/logrotate.d
directory. The block of code that follows (lines 37-53) integrates Zeyple as a content filter on port 10026 (line 44; the port is configurable in /etc/zeyple/zeyple.conf
) in the Postfix master.cf
file; the matching entry for main.cf
then follows.
Up to this point, the installation script has largely followed the instructions by Zeyple author Cédric Félizard. He recommends using the aliases database in Postfix to forward the internal email address to the external one. However, in our lab test, in the present configuration, Postfix does not use the To:
field of the email header for the external email address; rather, it uses the X-Envelope:
field, which is why some email will leave the system unencrypted (see also the Postfix manual [6]).
Help for Postfix
The remedy lies in lines 60 to 70. The code assigns the external address in the Postfix recipient_canonical
database to the internal address, hashes the database again (line 66), and announces its existence in the Postfix master.cf
configuration file (lines 67 to 70).
Now you only need to load the new Postfix configuration (line 72) to complete the installation and configuration, and the server will automatically encrypt outgoing email. From now on, all system email that would otherwise be sent to root on the mail system should be encrypted when it arrives at the specified external email address. You can test this configuration with the following:
date | mail -s test <admin_internal_email>
The public key for Zeyple is managed at the command line using GPG, the user zeyple
, and the --homedir=/etc/zeyple
option.
Zeyple Weaknesses
Zeyple provides good service but is far from perfect: For example, it cannot encrypt email attachments and therefore cannot handle typical HTML email. Also, an attacker could use the public key available on the keyserver to send spoofed system messages to the system administrator. The only solution is to sign email in addition to encryption, but Zeyple cannot do this, yet.
In any case, caution is advised: Hardening all your servers with a single private key is unwise; in the case of a compromise, all systems would need new keys. The only option is to generate a keypair for each system and revoke and replace them in individual cases. The organizational overhead could be significant, depending on the number of servers.
Infos
- Logdigest: http://sourceforge.net/projects/logdigest/
- LogSurfer: http://www.crypt.gen.nz/logsurfer/
- "Login Mail" by Charly Kühnast, Linux Magazine, August 2010, pg. 55: http://www.linux-magazine.com/Issues/2010/117/Charly-s-Column
- Zeyple on GitHub: https://github.com/infertux/Zeyple
- Installation script for Zeyple and Postfix: ftp://ftp.linux-magazin.com/pub/listings/magazine/153
- Postfix documentation for address rewriting: http://www.postfix.org/ADDRESS_REWRITING_README.html
« Previous 1 2
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
Linux Servers Targeted by Akira Ransomware
A group of bad actors who have already extorted $42 million have their sights set on the Linux platform.
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs