DIY secure email
 

This is regarding security but I am also new at Linux, so I am putting it in the newbie section . . .

I am working with Ubuntu server 12.04 and excited about learning this new platform and getting away from the dark side of non-open source software. So, I am working on two goals at once - learn and run linux (server - Ubuntu 12.04) and create a secure and non-traceable portal for general email communications. The latter comes about after a long, on-going discussion amongst members of a business group who wish to discuss both business and items of personal nature via email. Now, with the recent revelation of governmental intrusion into our means of electronic communication, I am further inspired to continue with this project.

There are certainly some commercial services that might offer this, but I would like the satisfaction and possible added protection of building something myself.

PGP using common, public email providers certainly offers message encryption to a satisfactory level. Messages may persist in the cloud somewhere and be publicly discoverable at some level, but are probably uncrackable most reasonable means. However there are certainly trails leading to the senders and recipients of such messages.

My goals would be:
1) encrypt all email info (message and recipients)
2) info in #1 above stored in encrypted form on the server
3) eliminate any unauthorized or forced access to the encrypted message on the email server
4) further encryption of email from the clients to the server via VPN or SSL obfuscate the data stream between client and server as to even the type of protocol (email, for ex.)

So my thoughts are:
1) Build up a linux server with open source email components - qmail seems to be a good candidate for the MTA. Have clients use PGP.
2) Use whole computer or disk encryption method to thwart efforts to benefit from access to the physical or virtual computer.
3) Use SSL tunnel between client and server
4) Add further hardening of the linux server and network via either hardware of OS configuration (iptables and such)

This would seem to offer all the goals enumerated above and perhaps not be too much of a technical challenge.

This
http://www.sans.org/reading_room/whi...il-server_1372
is a reference I got from linuxquestions.org and seems to be good except that it may be a bit dated (2004).

Thoughts?

OK, so you want to hide from the "government". I won't address questions about your motives, however tempting that might be.

I'm going to poke a few holes in your scheme from a technical standpoint to test whether you really observe all areas of risk.

1) SSL for transit at less that 2048 bits of encryption is effectively crackable and probably susceptible to man-in-the-middle attacks. So your client-server connection is not likely going to prevent government level intrusion to observe the message stream content.

2) The client will decrypt the message in memory and display on the screen in plain text (with whatever user-readable encoding you might use). At that point, your client was susceptible to key-loggers, screen scrapers, remote monitoring, and number of other tools available to government-level intrusion and monitoring.

3) My personal bias (tin-foil hat time) is that PGP keys are already shared with sufficient breadth that it should be a nominal task for the government level intrusion to break clean through PGP. That however, is not something I can point to with any examples. The weakness in PGP is the chains of trust, IMHO.

4) Your entire premise for exchanging email in this highly secure manner WILL break down unless you and all your participants restrict all communications to within your platform. When they communicate outside of your realm of security, you compromise your model

5) You are a linux newbie, you will make a mistake or fail to enable something and this may not work as you expect

6) Humans may/will leak information which would compromise your messaging model.

7) "but are probably uncrackable most reasonable means" - indicates that you are being dishonest with yourself in assessing the breadth of computing resources that most evidence indicates a government intrusion team could bring to bear to decrypt/decipher communications. More tin-foil hat stuff here but I think you need to appreciate that (in the context of evaluating "reasonable") the government - with virtually unlimited resources or oversight - will crack you.

Frankly, my limited insight suggests you need to re-evaluate your secure messaging model and consider an alternative such as a central message service (like this forum engine) and some (highly complex) means of securing the clients so that they cannot print, screen shot or forward the content nor can they be penetrated by government intrusion (assuming you attract their attention).

Or, just behave yourself. :-)

Thanks for your input!

Most people don't need a motive to want phone and internet privacy! How about you?

What I really want is something better than the commonly available means for email communication. Yes, I agree, the client is the weak link. If your machine is not secured, if you allow others to read your email attach keystroke loggers, etc. then you have issues. I'm not talking about top secret security, just something to keep from being the 'low hanging fruit' of unauthorized data mining from either government or other unauthorized or unwanted access. And I'm not expecting to defeat some entity with massive computing power and experts from cracking a home made system. If someone is executing a MIM attack on your connection then you are definitely on someone's radar and probably have more problems than just email security. My thoughts were that having some level of message and connection encryption is a good place to start.

Moreso, I need a good project and so far I'm off to a good start with learning Linux server, etc.

Cheers,

. . .

OK, so taking back the anxiety to a simpler requirement: "I want to run a secure, linux-based email server" then you are looking at it pretty squarely.

Typical good behaviors for a mail server:

Use SSL-enabled channels for the clients (SPOP, SSL for IMAP)
Use PGP for message content
You could use an encrypted FS for the message storage (mailboxes) that you control, performance could become a consideration, as could backup and restore
Maintain your firewalls, utilize fail2ban to keep pests away, enable snort to monitor your server
Keep up to date on patches
Maintain and enforce a password policy

FedGov cracking of properly maintained RSA encryption is likely possible given the level of their computing and financial resources. Our task is to make decryption so expensive as to prevent cursory snooping.

Any thoughts on qmail vs postfix or other options for MTA?

There is no secure email unless it is between two trusted computers on a secure line.

One might consider a self signed certificate that gets rotated daily to any common email. You actually run into some limits on encryption since part of the message has to be read by routers.

In my view, the choice of the MTA is largely immaterial. qmail is dying, so use postfix.

Thanks for the update re qmail. Something I read made it look easier to set up, but now looking around at other threads re qmail, looks like it has issues.

Will keep working on it.