Auto encrypt all Incoming Email with postfix
in projects :: #admin, #coding, #gpgmail, #pgp

I have been running my own mail server for a while now. Since the beginning I have been thinking about how to store the mails encrypted, so that no one with access to the server can read them. The solution I came up with is relatively easy to set up and is based on OpenPGP/GnuPG.
The basic idea is to take incoming mail before it is stored and encrypt it. I'm running postfix, which has the option to filter queued mails with external content filters. A content filter gets a mail via stdin, does whatever it needs to do and either rejects the mail or puts it back into the mail queue.
I wrote a relatively simple Python script that takes a mail from stdin, processes it and then writes it back to stdout. The script can either decrypt, encrypt, sign, or sign and encrypt a mail. It also tries to protect the mail headers following the memoryhole specs and supports Thunderbird's/Enigmail's encrypted subject feature. The drawback is that Enigmail only supports the encrypted header from the memoryhole specs and other mail clients don't support them at all. For the content_filter in postfix I wrote a Bash script that resends the encrypted mail to put it back into the mail queue. The scripts can be found on GitHub.
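To make the filter mechanics concrete, here is an added example of such a stdin-to-stdout filter (an illustration written for this page, not the gpgmail code from GitHub): it copies the protected headers into the part that gets encrypted, replaces the outer Subject with "...", and wraps the result as PGP/MIME (RFC 3156). It assumes gpg is on the PATH and that the recipient's public key has already been imported and trusted in the given homedir, as in the setup steps; the sample mail is constructed, and the encryption step is passed in as a function so the MIME structure can be exercised without any keys.

```python
"""Added example: a stdin-to-stdout content filter that wraps a mail as PGP/MIME."""
import email
import subprocess
import sys
from email.message import EmailMessage, MIMEPart
from email.policy import default

PROTECTED = ("subject", "from", "to", "cc", "date")  # headers copied into the encrypted part
SAMPLE = (  # constructed sample mail, not a real capture
    b"Received: from mx.example.net (constructed)\nFrom: alice@example.net\n"
    b"To: bob@example.org\nSubject: quarterly numbers\nMessage-ID: <1@example.net>\n"
    b"Content-Type: text/plain; charset=utf-8\n\nHello Bob, the numbers are in this mail.\n")

def gpg_encrypt(data: bytes, recipient: str, gnupghome: str) -> bytes:
    """ASCII-armored encryption to a public key already imported and trusted in gnupghome."""
    cmd = ["gpg", "--homedir", gnupghome, "--batch", "--yes", "--armor",
           "--encrypt", "--recipient", recipient]
    return subprocess.run(cmd, input=data, check=True, capture_output=True).stdout

def encrypt_mail(raw: bytes, encrypt, hide_subject: bool = True) -> bytes:
    """Return raw as multipart/encrypted; encrypt() maps plaintext bytes to armored ciphertext."""
    orig = email.message_from_bytes(raw, policy=default)
    # Inner part: the original MIME body plus a copy of the protected headers, nothing else
    inner = email.message_from_bytes(raw, policy=default)
    for name in set(inner.keys()):
        if name.lower() not in PROTECTED and not name.lower().startswith("content-"):
            del inner[name]
    ciphertext = encrypt(inner.as_bytes())
    # Outer envelope: transport headers stay in clear, the Subject is replaced by "..."
    outer = EmailMessage(policy=default)
    for name, value in orig.items():
        if name.lower().startswith("content-") or name.lower() == "mime-version":
            continue
        outer[name] = value
    if hide_subject and "Subject" in outer:
        outer.replace_header("Subject", "...")
    outer["MIME-Version"] = "1.0"
    outer.add_header("Content-Type", "multipart/encrypted", protocol="application/pgp-encrypted")
    version = MIMEPart(policy=default)  # RFC 3156 control part
    version.set_content(b"Version: 1\n", maintype="application", subtype="pgp-encrypted", cte="7bit")
    body = MIMEPart(policy=default)     # the armored ciphertext
    body.set_content(ciphertext, maintype="application", subtype="octet-stream", cte="7bit",
                     disposition="inline", filename="encrypted.asc")
    outer.attach(version)
    outer.attach(body)
    return outer.as_bytes()

if __name__ == "__main__":  # usage: filter.py <KEY_ID> <gnupghome> < plain.eml > encrypted.eml
    key, home = sys.argv[1], sys.argv[2]
    sys.stdout.buffer.write(encrypt_mail(sys.stdin.buffer.read(), lambda d: gpg_encrypt(d, key, home)))
```

Only the Subject is hidden; From, To and the Received trail necessarily stay readable on the outside because postfix and the receiving MUA still need them.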
Setup
- Install `gpgmail`.
- Add a new user:

  ```
  adduser --shell /bin/false --home /home/gpgmail --disabled-password --disabled-login --gecos "" gpgmail
  ```

- Create the `.gnupg` folder and change permissions:

  ```
  mkdir /home/gpgmail/.gnupg
  chown gpgmail:gpgmail /home/gpgmail/.gnupg/
  chmod 700 /home/gpgmail/.gnupg/
  ```

- If mails should not just get encrypted but also signed, create a new key pair:

  ```
  sudo -u gpgmail /usr/bin/gpg --homedir=/home/gpgmail/.gnupg --expert --full-gen-key
  ```

- Import public keys and change trust:

  ```
  sudo -u gpgmail /usr/bin/gpg --homedir=/home/gpgmail/.gnupg --import /home/gpgmail/pubkey.asc
  sudo -u gpgmail /usr/bin/gpg --homedir=/home/gpgmail/.gnupg --edit-key <KEY> trust save
  sudo -u gpgmail /usr/bin/gpg --homedir=/home/gpgmail/.gnupg --edit-key <KEY> trust quit
  ```

- Edit `/etc/postfix/master.cf`:

  ```
  smtp       inet  n  -  y  -  -  smtpd
    -o content_filter=gpgmail-pipe
  smtps      inet  n  -  y  -  -  smtpd
    -o content_filter=gpgmail-pipe
  submission inet  n  -  y  -  -  smtpd
    -o content_filter=gpgmail-pipe
  gpgmail-pipe unix -  n  n  -  -  pipe
    flags=Rq user=gpgmail argv=/usr/bin/gpgmail-postfix sign-encrypt gnupghome=/home/gpgmail/.gnupg key=<KEY_ID> passphrase=<PASSPHRASE> encrypt-subject -oi -f ${sender} ${recipient}
  ```

- Restart postfix.