Lähettäjä: Rich Johnson Päiväys: Vastaanottaja: Walt Reed Kopio: exim-users Aihe: Re: [Exim] Wanted: encrypted mail storage
On Wednesday, August 6, 2003, at 06:55 PM, Walt Reed wrote:
> I don't think anything is 100% secure: unless you are using TLS, it's
> going to be unencrypted on the wire comming in. Since so few sites use
> TLS, TLS encryption will be minimal.
>
> If you decide to do file level encryption, what is it that needs to be
> hidden? Just the message body or all the headers too?
Thank you all for your insights. I know I can't expect perfect
security. But here's a scenario to illustrate my security concerns:
- Configuration is a virtual domain serving a small community.
- User A: is exchanging e-mail with his doctor
- User B: is exchanging e-mail with her lawer
- User C: is exchanging e-mail with his pastor.
- User D: is a summer intern doing minor system administration on the
server--backups, etc.
- Users A,B, C & D and the sysadmin all know each other personally in
real-space.
The goal is to minimize the exposure of the privileged
exchanges--especially from casual observation by junior sysadmins. I
suppose one could think of this as a matter of due-diligence in
shielding privileged communication.
Here I am:
- not concerned about mail in transit between machines. SMTPS and
TLS/SSL handle that.
- not concerned about cleartext messages in memory. These are
ephemeral and spam-filtering requires access to the cleartext.
- moderately concerned about cleartext headers. Note that subject text
might be logged.
- very concerned about message content on disk. This is persistent
data and finds its way onto system backups.
- moderately concerned about information leakage from queued/frozen
mail.
- very concerned about information leakage from the mail spool and user
archives via 'grep' and 'find'.
- moderately concerned about a sysadmin's ability to manually decrypt
individual messages. This should be made difficult and ideally an
audit trail maintained.
The implementation of encryption should be transparent to the
client--some setup excepted.
So to _finally_ answer your question:
- Message body encryption is the major goal.
- Message header encryption is desirable, but not necessary.