So, recently, I have been reviewing my systems, to harden them against attack. When I look back at it, I really think I have had quite naive in what security measures I employ.
One thing I have started doing, is have logwatch send a mail to my mail address every day. That way, I am more forced to look into what is happening with the servers each day. This information could be interesting to an attacker, though, so it is important to secure that information. In part, I have been looking into if my MUA uses TLS to send the mail to the outgoing mail server (I will cover this in a different post). Then, you should ensure that connection is secure when downloading and viewing the mail is secure as well (also covered in a different post).
But, in the end, you don’t know how the outgoing mail server sends the mail to the receiving server. Best is then to encrypt the mail. I did some duckduckgoing (the duckduckgo.com equivalent of googling) and found this post:GnuPG-encrypted mail forwarding
Using the steps from that post, I first imported my public gpg-key for the root user with
gpg --import <path/to/public/key>
gpg --edit-key <The key>
And trust the imported key ultimately (gpg will complain otherwise, and you don’t have any way to handle that interaction in an automated script). Thus, in the gpg-promt do:
trust
5
And lastly, quit
quit
Then, I created the mailgate user with
adduser mailgate
On one of my systems, I use Maildir format instead of mbox-format, so I was changing my script to handle this. One con with the script in that post above, is that the mail is not a Content-Type: multipart/encrypted;, instead, the body of the mail, is an encrypted text, that you manually need to decrypt with gpg.
I asked around on the channels #gnupg and #mutt (you can use mutt to send an encrypted mail, that has the correct format, but piping the message into mutt didn’t make it a Content-Type: multipart/encrypted; mail) on freenode, and was tipped by dtw in #gnupg about mime-construct (example usage)
So, I ended up with a script looking like this (beware that wordpress line breaks badly):
#!/bin/bash
#backup this script to /home/robert/scripts
rsync /root/scripts/relay_mailgate_mail_encrypted /home/robert/scripts/
chown robert:robert /home/robert/scripts/relay_mailgate_mail_encrypted
MAILGATE_NEW_MAIL_DIR=/home/mailgate/Maildir/new
MAILGATE_CUR_MAIL_DIR=/home/mailgate/Maildir/cur
if [ ! -z "$(ls -A $MAILGATE_NEW_MAIL_DIR)" ]
then
BACKUP_DIR=/home/mailgate/mailbackup/`date +%y%m%d-%H%M`
mkdir $BACKUP_DIR
echo $BACKUP_DIR
rsync -a $MAILGATE_NEW_MAIL_DIR $BACKUP_DIR
for mail in $MAILGATE_NEW_MAIL_DIR/*
do
echo $mail
cat $mail | mime-construct --subpart \
--type 'text/plain; charset=UTF-8' \
--encoding quoted-printable \
--file - \
| gpg --batch --yes \
--armor --textmode --openpgp \
--recipient "mailaddr@domain.com" \
--encrypt \
| mime-construct --output \
--header "From: root" \
--to "mailaddr@domain.com" \
--subject "Relayed mail" \
--header "Date: $(date --rfc-2822)" \
--multipart 'multipart/encrypted; protocol="application/pgp-encrypted"' \
--type application/pgp-encrypted \
--encoding 7bit \
--string $'Version: 1\n' \
--type application/octet-stream \
--file - | sendmail -i mailaddr@domain.com
mv $mail $MAILGATE_CUR_MAIL_DIR
done
fi
I called this script in a script in /etc/cron.hourly/00mailencrypt.
Lastly, I edited the /etc/cron.daily/00logwatch and /etc/apt/apt.conf.d/50unattended-upgrades scripts to mail to mailgate@localhost instead of to an external address directly.