{"id":100,"date":"2017-03-03T12:50:19","date_gmt":"2017-03-03T12:50:19","guid":{"rendered":"http:\/\/www.hestben.se\/HestbenTechnical\/?p=100"},"modified":"2017-03-03T12:50:19","modified_gmt":"2017-03-03T12:50:19","slug":"encrypting-automatic-mail-from-a-linux-server-with-gpg","status":"publish","type":"post","link":"https:\/\/www.hestben.se\/HestbenTechnical\/?p=100","title":{"rendered":"Encrypting automatic mail from a linux server with GPG"},"content":{"rendered":"<p>So, recently, I have been reviewing my systems, to harden them against attack. When I look back at it, I really think I have been quite naive in what security measures I employ.<br \/>\nOne thing I have started doing is to have logwatch send a mail to my mail address every day. That way, I am more forced to look into what is happening with the servers each day. This information could be interesting to an attacker, though, so it is important to secure that information. In part, I have been looking into whether my MUA uses TLS to send the mail to the outgoing mail server (I will cover this in a different post). Then, you should ensure that the connection used when downloading and viewing the mail is secure as well (also covered in a different post).<br \/>\nBut, in the end, you don&#8217;t know how the outgoing mail server sends the mail to the receiving server. Best is then to encrypt the mail itself. I did some duckduckgoing (the duckduckgo.com equivalent of googling) and found this post: <a href=\"https:\/\/blogs.fsfe.org\/stefan.a\/2013\/04\/18\/gnupg-encrypted-mail-forwarding\/\">GnuPG-encrypted mail forwarding<\/a><\/p>\n<p>Using the steps from that post, I first imported my public gpg key for the root user with<br \/>\n<code>gpg --import &lt;path\/to\/public\/key&gt;<\/code><br \/>\n<code>gpg --edit-key &lt;The key&gt;<\/code><br \/>\nand trusted the imported key ultimately (gpg will complain otherwise, and you don&#8217;t have any way to handle that interaction in an automated script).
Thus, in the gpg prompt do:<br \/>\n<code>trust<\/code><br \/>\n<code>5<\/code><br \/>\nAnd lastly, quit:<br \/>\n<code>quit<\/code><\/p>\n<p>Then, I created the mailgate user with<br \/>\n<code>adduser mailgate<\/code><\/p>\n<p>On one of my systems, I use Maildir format instead of mbox format, so I changed my script to handle this. One con with the script in <a href=\"https:\/\/blogs.fsfe.org\/stefan.a\/2013\/04\/18\/gnupg-encrypted-mail-forwarding\/\">that<\/a> post above is that the mail is not a <code>Content-Type: multipart\/encrypted;<\/code> message; instead, the body of the mail is an encrypted text that you need to decrypt manually with gpg.<\/p>\n<p>I asked around on the channels <code>#gnupg<\/code> and <code>#mutt<\/code> on freenode (you can use <code>mutt<\/code> to send an encrypted mail that has the correct format, but piping the message into mutt didn&#8217;t make it a <code>Content-Type: multipart\/encrypted;<\/code> mail), and was tipped by <code>dtw<\/code> in <code>#gnupg<\/code> about mime-construct (<a href=\"https:\/\/paste.debian.net\/917641\/\">example usage<\/a>).<\/p>\n<p>So, I ended up with a script looking like this (beware that wordpress line breaks badly):<\/p>\n<p><code>#!\/bin\/bash<br \/>\n# Back up this script to \/home\/robert\/scripts<br \/>\nrsync \/root\/scripts\/relay_mailgate_mail_encrypted \/home\/robert\/scripts\/<br \/>\nchown robert:robert \/home\/robert\/scripts\/relay_mailgate_mail_encrypted<br \/>\n# Fail the whole pipeline if any stage (mime-construct, gpg, sendmail) fails,<br \/>\n# so a mail is only moved to cur\/ after it was actually sent encrypted<br \/>\nset -o pipefail<br \/>\nMAILGATE_NEW_MAIL_DIR=\/home\/mailgate\/Maildir\/new<br \/>\nMAILGATE_CUR_MAIL_DIR=\/home\/mailgate\/Maildir\/cur<br \/>\nRECIPIENT=\"mailaddr@domain.com\"<br \/>\nif [ -n \"$(ls -A \"$MAILGATE_NEW_MAIL_DIR\")\" ]<br \/>\nthen<br \/>\n# Keep a plaintext copy of the unprocessed mail before touching it<br \/>\nBACKUP_DIR=\/home\/mailgate\/mailbackup\/$(date +%y%m%d-%H%M)<br \/>\nmkdir -p \"$BACKUP_DIR\"<br \/>\necho \"$BACKUP_DIR\"<br \/>\nrsync -a \"$MAILGATE_NEW_MAIL_DIR\" \"$BACKUP_DIR\"<br \/>\nfor mail in \"$MAILGATE_NEW_MAIL_DIR\"\/*<br \/>\ndo<br \/>\necho \"$mail\"<br \/>\n# 1) wrap the raw mail as a text\/plain MIME part,<br \/>\n# 2) encrypt that part to the recipient key imported and trusted above,<br \/>\n# 3) wrap the ciphertext in a PGP\/MIME multipart\/encrypted message and hand it to sendmail<br \/>\nif mime-construct --subpart \\<br \/>\n--type 'text\/plain; charset=UTF-8' \\<br \/>\n--encoding quoted-printable \\<br \/>\n--file \"$mail\" \\<br \/>\n| gpg --batch --yes \\<br \/>\n--armor --textmode --openpgp \\<br \/>\n--recipient \"$RECIPIENT\" \\<br \/>\n--encrypt \\<br \/>\n| mime-construct --output \\<br \/>\n--header \"From: root\" \\<br \/>\n--to \"$RECIPIENT\" \\<br \/>\n--subject \"Relayed mail\" \\<br \/>\n--header \"Date: $(date --rfc-2822)\" \\<br \/>\n--multipart 'multipart\/encrypted; protocol=\"application\/pgp-encrypted\"' \\<br \/>\n--type application\/pgp-encrypted \\<br \/>\n--encoding 7bit \\<br \/>\n--string $'Version: 1\\n' \\<br \/>\n--type application\/octet-stream \\<br \/>\n--file - | sendmail -i \"$RECIPIENT\"<br \/>\nthen<br \/>\n# Only mark the mail as processed when it was really encrypted and handed to sendmail<br \/>\nmv \"$mail\" \"$MAILGATE_CUR_MAIL_DIR\"<br \/>\nelse<br \/>\necho \"Failed to encrypt or send $mail, leaving it in new\/\" &gt;&amp;2<br \/>\nfi<br \/>\ndone<br \/>\nfi<\/code><br \/>\nI called this script from a script in <code>\/etc\/cron.hourly\/00mailencrypt<\/code>.<br \/>\nLastly, I edited the <code>\/etc\/cron.daily\/00logwatch<\/code> and <code>\/etc\/apt\/apt.conf.d\/50unattended-upgrades<\/code> scripts to mail to <code>mailgate@localhost<\/code> instead of to an external address directly.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So, recently, I have been reviewing my systems, to harden them against attack. When I look back at it, I really think I have been quite naive in what security measures I employ. One thing I have started doing is to have logwatch send a mail to my mail address every day.
That way, I am &hellip; <a href=\"https:\/\/www.hestben.se\/HestbenTechnical\/?p=100\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Encrypting automatic mail from a linux server with GPG&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/posts\/100"}],"collection":[{"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=100"}],"version-history":[{"count":9,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/posts\/100\/revisions"}],"predecessor-version":[{"id":109,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=\/wp\/v2\/posts\/100\/revisions\/109"}],"wp:attachment":[{"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hestben.se\/HestbenTechnical\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}