This repository contains the source code and an installation guide for an email alias service with GPG/PGP encryption. The purpose of this solution is to encrypt incoming emails with the PGP/GPG key of the alias and forward them to the final destination. The high-level logic is as follows:
The solution uses Ubuntu 12.04 with Postfix, Dovecot, MySQL, Amavis, Clam AntiVirus, SpamAssassin, Postgrey, Roundcube, Postfix Admin and gpgit. All of this software is installed from the standard Ubuntu 12.04 repositories unless mentioned otherwise.
Use this guide to install a mail server based on the software mentioned above; it is the starting point for the additional tweaking described below. If you decide to install a web mail interface, Roundcube is recommended for its simplicity.
This section lists all files which need to be altered to make the solution work as shown in the pictures above. All files mentioned in this guide are available in the repository for reference. All actions are performed as root unless mentioned otherwise.
adduser --home /var/gpg gpgmap
mkdir -p /var/gpg/.gnupg
chown -R gpgmap /var/gpg
chmod 700 /var/gpg/.gnupg
Download gpgit and place it in the required folder under the required name.
cd /usr/local/bin
wget https://raw.githubusercontent.com/mikecardwell/gpgit/master/gpgit.pl
mv gpgit.pl gpgencmail.pl
Install the required Perl modules.
cpan install MIME::Tools
cpan install Mail::GnuPG
Create the file /etc/postfix/procmailrc.common and add the following recipe. It passes the email through the gpgit tool, which encrypts it with the GPG key of the alias.
TO=`egrep "^T[oO]:.*@gpgalias.com.*|for.*@gpgalias.com.*" | perl -wne'while(/[\w\.]+@[\w\.]+\w+/g){print "$&\n"}' | head -1`
:0 f
|/usr/local/bin/gpgencmail.pl --encrypt-mode prefer-inline $TO | /usr/sbin/sendmail -G -i $RECIPIENT
Edit /etc/postfix/master.cf so that Postfix passes the email to gpgfilter after receiving it back from Amavis. The -o content_filter line is the required change (master.cf does not support trailing comments, so add nothing after the value):
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=gpgfilter
Add the following content to /etc/postfix/master.cf (flags=, user= and argv= are pipe(8) attributes and are written directly, without the -o prefix):
gpgfilter unix - n n - 10 pipe
  flags=Rq user=gpgmap:gpgmap null_sender=
  argv=/usr/bin/procmail RECIPIENT=$(recipient) /etc/postfix/procmailrc.common
procmail unix - n n - - pipe
  flags=RO user=vmail:mail argv=/usr/bin/procmail -t -m USER=${user} EXTENSION=${extension} RECIPIENT=$(recipient) /etc/postfix/procmailrc.common
The gpgfilter service receives the email from Postfix and hands it to procmail, which processes it with /etc/postfix/procmailrc.common.
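To see what the recipe above actually assigns to $TO before the filter goes live, here is an added test script (not part of the original repository) that reproduces the extraction over three constructed messages; the recipe's perl one-liner is replaced by an equivalent grep -oE, and the third message shows a header order in which the matched address is not the recipient.

```shell
#!/bin/sh
# Added example, not part of the original repository: it reproduces the
# $TO extraction from procmailrc.common so the address handed to
# gpgencmail.pl can be checked against sample messages before deployment.
# The recipe's perl one-liner is replaced by an equivalent grep -oE.
ALIAS_DOMAIN="gpgalias.com"   # domain hard-coded in the recipe

# Read a message on stdin and print what the recipe assigns to $TO
# (first match wins, as with the recipe's head -1).
extract_alias() {
  grep -E "^T[oO]:.*@${ALIAS_DOMAIN}.*|for.*@${ALIAS_DOMAIN}.*" \
    | grep -oE '[[:alnum:]_.]+@[[:alnum:]_.]+[[:alnum:]_]' \
    | head -n 1
}

alias_for() { printf '%s\n' "$1" | extract_alias; }

# Constructed message 1: the alias appears only in the Received "for"
# clause (it was Bcc'd), so the second alternative of the regex is used.
MSG_BCC='Received: from relay.example.net (relay.example.net [203.0.113.5])
    by mail.example.com (Postfix) with ESMTP id CONSTRUCTED1
    for <alias1@gpgalias.com>; Mon, 1 Jan 2024 10:00:00 +0000
From: Sender <sender@example.net>
To: undisclosed-recipients:;
Subject: test

body'

# Constructed message 2: display name and two aliases in To:; only the
# first address is encrypted for.
MSG_TO='From: Sender <sender@example.net>
To: "Some One" <alias1@gpgalias.com>, alias2@gpgalias.com
Subject: test

body'

# Constructed message 3: a Subject line containing "for" and an alias
# precedes To:, so the recipe picks an address that is not the recipient.
MSG_SUBJECT='From: sender@example.net
Subject: asking for the key of help@gpgalias.com
To: alias1@gpgalias.com

body'

# Stand-alone run: show what each sample resolves to.
for m in "$MSG_BCC" "$MSG_TO" "$MSG_SUBJECT"; do
  printf 'TO=%s\n' "$(alias_for "$m")"
done
```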
Disable Postgrey, because it is not desirable to delay any emails: the destinations of the aliases are chosen by the users. In /etc/postfix/main.cf comment out (or remove) the following entry, which enables Postgrey:
check_policy_service inet:127.0.0.1:10023
Enable envelope rewriting so that the MAIL FROM field always contains your domain when the email is sent on to its final destination. In /etc/postfix/main.cf set the following:
sender_canonical_classes = envelope_sender
sender_canonical_maps = regexp:/etc/postfix/sender_canonical
Then create the file /etc/postfix/sender_canonical with the following content:
This is required; otherwise SPF checks will fail, because mail.example.com is not permitted to send emails with MAIL FROM: [email protected] (see the first picture).
Adjust /etc/postfix/header_checks and keep the Received header (leave the first line commented out); it is required to preserve the original recipient address [email protected].
#/^Received:/ IGNORE
/^User-Agent:/ IGNORE
/^X-Mailer:/ IGNORE
/^X-Originating-IP:/ IGNORE
/^x-cr-[a-z]*:/ IGNORE
/^Thread-Index:/ IGNORE
Edit /etc/amavis/conf.d/50-user so that it contains the following lines:
use strict;
$max_servers = 3;
$sa_tag_level_deflt = -9999;
$spam_quarantine_to = undef;
$final_spam_destiny = D_PASS;
$local_domains_re = new_RE( qr'.+@.+'i );
Edit /etc/postfix/main.cf:
smtp_host_lookup = dns, native
mydestination = mail, localhost
It is required to provision the email aliases, the destinations of these aliases and the GPG keys for these aliases. This can be done on the gpg command line and in the Postfix Admin web interface. All GPG keys must be generated (or possibly imported) for the alias address and not for the destination address (e.g. the GPG key shall be generated for [email protected] and NOT for [email protected]).
All GPG operations are performed as the gpgmap user.
List the keys:
/usr/bin/gpg --list-keys
Import an existing key:
/usr/bin/gpg --import /path/to/gpgkey
It is important to edit the imported key and set its trust to ultimate, otherwise gpgit will not work properly.
/usr/bin/gpg --edit-key [email protected]
Type in "trust" and select "5 = I trust ultimately".
Generate a new key:
/usr/bin/gpg --gen-key
WARNING: This process requires enough entropy. To easily fulfil this condition install rng-tools:
sudo apt-get install rng-tools
And run the generator in a separate terminal or as a background process:
sudo rngd -r /dev/urandom
Note that feeding /dev/urandom back into rngd only keeps key generation from blocking; it does not add fresh entropy to the kernel pool, so on a production host prefer a real hardware source.
Delete a key:
/usr/bin/gpg --delete-key [email protected]
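The import and "trust ultimately" steps above can be scripted without the interactive edit-key dialog. The following added script (not from the original repository) does this with gpg's ownertrust import; it assumes gpg lives at /usr/bin/gpg as elsewhere in this guide and is run as gpgmap, and the embedded --with-colons listing is constructed so the fingerprint parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the original repository: imports a public key
# for an alias and marks it ultimately trusted without the interactive
# "trust" dialog, so alias provisioning can be scripted. Run as gpgmap.
# Assumption: gpg is at /usr/bin/gpg as elsewhere in this guide.
GPG=/usr/bin/gpg

# Print the primary key fingerprint from a "gpg --with-colons" listing read
# on stdin: the first fpr record after a pub record, field 10.
primary_fpr() {
  awk -F: '$1 == "pub" { want = 1; next }
           want && $1 == "fpr" { print $10; exit }'
}

# Ownertrust record understood by "gpg --import-ownertrust":
# "<fingerprint>:6:" is ultimate trust (the "5 = I trust ultimately"
# choice of the interactive menu is stored as level 6 in the trustdb).
ownertrust_line() {
  printf '%s:6:\n' "$1"
}

# Import the key file and set ultimate trust on the alias's primary key.
# Usage: import_alias_key /path/to/gpgkey alias@gpgalias.com
import_alias_key() {
  keyfile=$1; alias=$2
  "$GPG" --batch --import "$keyfile" || return 1
  fpr=$("$GPG" --batch --with-colons --fingerprint --list-keys "$alias" \
        | primary_fpr)
  [ -n "$fpr" ] || { echo "no key for $alias" >&2; return 1; }
  ownertrust_line "$fpr" | "$GPG" --batch --import-ownertrust
}

# Constructed --with-colons listing used to exercise primary_fpr offline
# (key ids and fingerprints are made up; the sub key fpr must be skipped).
SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:-:2048:1:0123456789ABCDEF:1700000000::::::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::D41D8CD98F00B204E9800998ECF8427E::alias1 <alias1@gpgalias.com>:
sub:-:2048:1:FEDCBA9876543210:1700000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

sample_primary_fpr() { printf '%s\n' "$SAMPLE_LISTING" | primary_fpr; }

# Stand-alone run: show the ownertrust record built for the sample key.
echo "ownertrust record: $(ownertrust_line "$(sample_primary_fpr)")"
```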
The aliases can be created with the Postfix Admin CLI or the Postfix Admin web interface.
/var/www/postfixadmin/scripts/postfixadmin-cli alias add [email protected] --goto [email protected]
/var/www/postfixadmin/scripts/postfixadmin-cli alias delete [email protected]
You can see a sample encrypted email delivered to its destination here.
You can download a VDI image with the working solution here. Just import the VDI into VirtualBox. Two network interfaces are used: one on a VirtualBox host-only network and one with NAT to access the Internet. The memory requirement is 1 GB, but 512 MB should also work.
NOTE: This image includes the custom provisioning frontend which is not mentioned in this guide.
Credentials and other useful info:
Domain: example.com
Hostname: mail.example.com
Services:
192.168.56.101/frontend
192.168.56.101/postfixadmin
192.168.56.101/roundcube
UNIX credentials:
project / project and root / project
Postfixadmin credentials:
[email protected] / project
Mysql root password:
project