[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Scott Burns <Scott.Burns%SeQent.Com@localhost> wrote ..
> Hello list,
> We have an opportunity to provide a hosted solution for a new customer. We
> would like to use NetBSD for part of this solution. The solution involves
> the intake and processing of large volumes of email. Due to some customer
> requirements /gov't regulations the incoming spooled mail files need to be
> encrypted when on disk. Is it possible to setup postfix, or I guess
> sendmail, to encrypt it's mail files (like /var/spool/mqueue from my
> sendmail days) when they are stored on disk before being forwarded to
> another machine?
> In this case postfix will be forwarding the email off to another machine
> after receiving/spam filtering occurs on the postfix machine. Once into the
> other machines custom mailserver we have control of this issue as the
> messages are dissected and processed.
Here's a quick hack I put together this morning that uses postfix w/ encrypted
mail. This example only encrypts the body of the message, but the headers could
be encrypted too. I used libmcrypt because I was in a hurry this morning but
you could pull out the mcrypt code and replace with gpgme or openssl encryption
if you wanted. I convert the binary data to base64 here just to play nice with
pgsql. I'm just sticking the IV in the same table as the body, might want to do
a sanity check regarding IV handling, key, etc. You can run pgsql from a RAM
disk if you want, also use the streaming features to replicate to other
servers, cloud, etc. That sort of thing. regurgitating the mail for re-send is
a piece of cake, or you could hack dovecot or whatever to use a pgsql store
instead of mbox if you wanted.
here's a sample mail encryption.
if you want to tinker with it, https://dx.burplex.com/ma3l.tar.gz
That sets up a RAM Disk and runs the pipe-to parser programs from the RAM disk.
the incoming email is stored on the RAM Disk (5 second rule?) for a moment. The
netbsd version of setup 'assumes' you don't have a drive labelled 'swap' that's
not actually a swap drive. (which is possible but weird IMHO). It might do bad
things if you have a real drive labelled 'swap', i haven't tried it.
Anyway, an idea.
San Jose California USA
Main Index |
Thread Index |