Re: [Exim] Wanted: encrypted mail storage

Author: Rich Johnson
Date:  
To: Walt Reed
CC: exim-users
Subject: Re: [Exim] Wanted: encrypted mail storage
On Wednesday, August 6, 2003, at 06:55 PM, Walt Reed wrote:

> I don't think anything is 100% secure: unless you are using TLS, it's
> going to be unencrypted on the wire coming in. Since so few sites use
> TLS, TLS encryption will be minimal.
>
> If you decide to do file level encryption, what is it that needs to be
> hidden? Just the message body or all the headers too?
Thank you all for your insights. I know I can't expect perfect
security. But here's a scenario to illustrate my security concerns:
- Configuration is a virtual domain serving a small community.
- User A: is exchanging e-mail with his doctor
- User B: is exchanging e-mail with her lawyer
- User C: is exchanging e-mail with his pastor.
- User D: is a summer intern doing minor system administration on the
server--backups, etc.
- Users A, B, C & D and the sysadmin all know each other personally in
real-space.

The goal is to minimize the exposure of the privileged
exchanges--especially from casual observation by junior sysadmins. I
suppose one could think of this as a matter of due-diligence in
shielding privileged communication.

Here I am:
- not concerned about mail in transit between machines. SMTPS and
TLS/SSL handle that.
- not concerned about cleartext messages in memory. These are
ephemeral and spam-filtering requires access to the cleartext.
- moderately concerned about cleartext headers. Note that subject text
might be logged.
- very concerned about message content on disk. This is persistent
data and finds its way onto system backups.
- moderately concerned about information leakage from queued/frozen
mail.
- very concerned about information leakage from the mail spool and user
archives via 'grep' and 'find'.
- moderately concerned about a sysadmin's ability to manually decrypt
individual messages. This should be made difficult and ideally an
audit trail maintained.

The implementation of encryption should be transparent to the
client--some setup excepted.

So to _finally_ answer your question:
- Message body encryption is the major goal.
- Message header encryption is desirable, but not necessary.
Thanks again,
--rich
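A sketch of the split this post asks for, added here as an example and not code from the thread or from Exim: headers stay in clear, and the body is encrypted at final delivery (after spam filtering has seen the cleartext) to the recipient's public key, so the spool, backups and a `grep` over them hold only ciphertext and the server side never has a decryption key. It assumes the message arrives as raw bytes (for instance on stdin from a pipe transport) and that each user's RSA public key has already been provisioned; the client-side inverse (RSA-OAEP unwrap, then AES-GCM open with the header block as AAD) is not shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// splitMessage separates the RFC 822 header block from the body at the first
// blank line, accepting either CRLF or bare LF line endings.
func splitMessage(raw []byte) (hdr, body []byte, err error) {
	for _, sep := range []string{"\r\n\r\n", "\n\n"} {
		if i := bytes.Index(raw, []byte(sep)); i >= 0 {
			return raw[:i], raw[i+len(sep):], nil
		}
	}
	return nil, nil, errors.New("no header/body separator")
}

// EncryptBody keeps the headers in clear (routing, logging and spam checks keep
// working) and replaces the body with ciphertext: a fresh AES-256-GCM key per
// message, wrapped with RSA-OAEP to the recipient's public key (assumed to be
// provisioned out of band). The stored form is header block, blank line, then
// base64(wrappedKey || nonce || ciphertext).
func EncryptBody(raw []byte, pub *rsa.PublicKey) ([]byte, error) {
	hdr, body, err := splitMessage(raw)
	if err != nil {
		return nil, err
	}
	rnd := make([]byte, 32+12) // fresh AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, rnd[:32], nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(rnd[:32]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)
	// The cleartext headers are bound as AAD, so a body cannot later be moved
	// under a different header block without the authentication tag failing.
	blob := append(append(wrapped, rnd[32:]...), gcm.Seal(nil, rnd[32:], body, hdr)...)
	b64 := []byte(base64.StdEncoding.EncodeToString(blob))
	return bytes.Join([][]byte{hdr, b64}, []byte("\r\n\r\n")), nil
}
```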