Here's your chance....

Post by Erik Funke » Sun, 05 Nov 2006 16:25:39


Here's your chance to do a little Linux advocacy.

I have a client that needs an interesting configuration. They work very
closely with two other companies, and they have a lot of sensitive
information that they need to exchange. They do this now using email, and
PGP, but they want a more "transparent" solution that will automatically
encrypt any e-mails going between the companies without having to deal with
MUA encryption plug-ins. They also don't want a VPN between the companies,
and they don't want to use simple ssl encryption, they'd rather use
something more powerful, like AES or Blowfish.

They're currently using Linux-based email servers, and want to stay that
way. I've done some research, but haven't really found any good solutions
to this problem. Can anyone offer a suggestion?

Essentially, this move is to ensure that nobody ever forgets to encrypt
messages, or that a plug-in is required before they can send messages.
They also want to move to a web based email client, and want the encryption
to simply happen transparently in the background.

Post by Jim Richar » Sun, 05 Nov 2006 18:51:02


On Sat, 4 Nov 2006 01:25:39 -0600,



you could use rsync, since you're only going to-from a couple of
sources, simply set up an rsync job on the mail spools. Using ssh for
transport of course.


The details are left as an exercise for the reader; note that this
satisfies all the criteria you listed.



--
Jim Richardson http://www.yqcomputer.com/ ~warlock
Any nitwit can claim to understand computers. Many do.


Post by yttr » Sun, 05 Nov 2006 23:24:43


You do not have a client, because you're a toner monkey at a crappy
boondocks college, moron. "I have a client". Jesus christ.




-----yttrx



--
http://www.yqcomputer.com/

Post by Ramon F He » Mon, 06 Nov 2006 00:54:27


Erik:

What you need is roll up your sleeves (or hire someone who will) to do
some programming.

This opening of the hood is anathema to the WindowsWay, as you are
probably realizing now.

There are several PGP toolkits that will allow you to perform PGP
programmatically.

Sendmail is extremely configurable. You could replace the agent that
receives or sends the e-mail by a front end which encrypts/decrypts and
execs the real agent.

Are you fishing for free tips or are you looking to hire a competent
programmer?

-Ramon F Herrera

Post by Linonu » Mon, 06 Nov 2006 00:56:24

After takin' a swig o' grog, Erik Funkenbusch belched out this bit o' wisdom:



How about tunnelling all output intended for the remote server through
SSH, then.

--
Don't flip the Bozo Bit. -- Jim McCarthy, Microsoft

Post by rgc » Mon, 06 Nov 2006 01:02:55

begin risky.vbs
<4y6qdeiora43$ XXXX@XXXXX.COM >,
Erik Funkenbusch < XXXX@XXXXX.COM > writes:



You really should not be doing any *nix admin. You are not qualified.
As a clue in this instance think about local MTA configuration and
Jim's rsync solution.

--
Security is one of those funny things. You can talk about being "more"
secure, but there's no such thing. A vulnerability is a vulnerability, and
even one makes you just as insecure as anyone else. Security is a binary
condition, either you are or you aren't. - Funkenbusch 1 Oct 2006

Post by Sinister M » Mon, 06 Nov 2006 01:13:51

On 2006-11-04, Roy Culley < XXXX@XXXXX.COM > posted something concerning:



Ssh! He might pull something off by accident and the client(s) start
thinking he knows something about what he's doing. Imagine the backlash
against linux when he royally screws something else up in the future.

--
Kukudro: Innovative Microsoft peer-to-peer software.

Post by Bob Hauc » Mon, 06 Nov 2006 01:16:51

On Sat, 4 Nov 2006 01:25:39 -0600, Erik Funkenbusch



First, there is really no such thing as "ssl encryption". SSL is a
protocol that supports a number of ciphers including DES and AES.
Those are apparently believed secure enough to transmit financial
transactions by the million, so I'm not clear on exactly what their
objection might be.

Be that as it may, I can think of a couple of approaches to think about.
I use Debian here, so exim4 is my MTA. I'm pretty sure I know how to
make the following work with that; YMMV with other MTAs.

One way would be to make some custom routing rules to pass all mail to
or from a certain set of domains through gpg. You'd set it up similarly
to the way you hook spamassassin or anti-virus into the delivery chain.

Another way to do it might be to use ssh. When mail is going to domain
X, have exim4 run a script that starts up an ssh tunnel. Then deliver
to a port on the local machine that's actually tunneled to the SMTP port
on the other end. This is similar to how batched smtp or uucp mail is
handled.

Of course, for both of these you'd have to figure out a scheme for
getting the keys to both ends. But you have that problem already with
the plugin approach.

No, I haven't done exactly what you're asking for, but having used exim4
and smail for many years and made them do closely related things, it can
be done, IMO.


--
-| Bob Hauck
-| Have you had enough of George Bush yet?
-| http://www.yqcomputer.com/
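The routing rule Bob describes only helps if it fails closed: mail for the partner domains must never leave in the clear because a plug-in was forgotten, which was Erik's stated requirement. The following is an added example (not code from this thread or from Exim/Postfix) of the policy decision such a content filter would make before handing the message to gpg; it uses only Python's standard email library, and the partner domain list, the verdict strings and the sample messages are constructed assumptions.

```python
# Added example (not from the thread): a fail-closed policy check that a
# Postfix/Exim content filter could run before handing partner mail to gpg.
# PARTNER_DOMAINS and the verdict strings are assumptions for illustration.
from email import message_from_string
from email.utils import getaddresses

PARTNER_DOMAINS = {"partner-a.example", "partner-b.example"}  # assumed policy


def recipients(msg):
    """All recipient addresses from To/Cc/Bcc, lower-cased."""
    hdrs = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return [addr.lower() for _name, addr in getaddresses(hdrs) if "@" in addr]


def is_pgp_encrypted(msg):
    """True for RFC 3156 PGP/MIME or an inline ASCII-armored PGP body."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"):
        return True
    if not msg.is_multipart():
        body = msg.get_payload(decode=True) or b""
        return body.lstrip().startswith(b"-----BEGIN PGP MESSAGE-----")
    return False


def verdict(raw):
    """'ok': nothing to do; 'needs-encryption': cleartext bound only for
    partner domains; 'mixed': partner and non-partner recipients share one
    message, so the filter must split it before encrypting."""
    msg = message_from_string(raw)
    rcpts = recipients(msg)
    partners = [a for a in rcpts if a.rpartition("@")[2] in PARTNER_DOMAINS]
    if not partners or is_pgp_encrypted(msg):
        return "ok"
    return "mixed" if len(partners) < len(rcpts) else "needs-encryption"


# Constructed sample messages (no real keys or ciphertext).
CLEAR = ("From: alice@example.com\nTo: bob@partner-a.example\n"
         "Subject: q3 figures\n\nnumbers attached\n")
MIXED = ("From: alice@example.com\nTo: bob@partner-a.example, carol@example.org\n"
         "Subject: q3 figures\n\nnumbers attached\n")
ARMORED = ("From: alice@example.com\nTo: bob@partner-b.example\n\n"
           "-----BEGIN PGP MESSAGE-----\n(constructed placeholder)\n"
           "-----END PGP MESSAGE-----\n")
PGPMIME = ("From: alice@example.com\nCc: Bob <bob@partner-a.example>\n"
           'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";'
           ' boundary="b1"\n\n--b1\nContent-Type: application/pgp-encrypted\n\n'
           "Version: 1\n--b1\nContent-Type: application/octet-stream\n\n"
           "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n"
           "--b1--\n")
```

A filter built on this would map "needs-encryption" to the gpg step and "mixed" to a split-and-requeue, and only ever deliver on "ok".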

Post by Erik Funke » Mon, 06 Nov 2006 01:24:20


...


No, I'm looking for a solution that already exists. Your answer seems to
be "there isn't one". If that's the case, then I'll move on.

Post by Erik Funke » Mon, 06 Nov 2006 01:32:41


So, you're suggesting that I create local email accounts that will get
rsynced to the other server. That would work, but not really the solution
they're looking for.

What if someone forgets to use the local email and enters the remote email
address instead? More importantly, I also have to maintain accounts for
each user on the remote systems.

I could set up the server to deliver email to that domain locally, but that
doesn't solve the maintenance issue. I'd prefer some way to simply
automatically encrypt emails at the MTA level as they are delivered to the
remote systems I specify, regardless of the user.

Post by Ramon F He » Mon, 06 Nov 2006 01:34:50


The best newsgroup to look for is comp.mail.sendmail

-Ramon

Post by Erik Funke » Mon, 06 Nov 2006 01:39:36


None of the companies involved run sendmail. Most run Postfix, though one
runs exim. They're not going to install sendmail either.

Post by rgc » Mon, 06 Nov 2006 01:46:12

begin risky.vbs
<1b7ky04zb1p1r$ XXXX@XXXXX.COM >,
Erik Funkenbusch < XXXX@XXXXX.COM > writes:


I never said anything about using a local email address. You are
clueless Erik.


This really is trivial and maintenance would be utterly minimal. You
seem to reject all obvious solutions. The most obvious one you
rejected in your OP. Use a vpn for Christ's sake. Once the vpn is
configured that is all that needs to be done.

I get the feeling you are looking for a solution you are competent to
set up. Tough luck Erik. As I said you are no *nix admin. Tell them
you can't do it and let them get someone who can.

--
Security is one of those funny things. You can talk about being "more"
secure, but there's no such thing. A vulnerability is a vulnerability, and
even one makes you just as insecure as anyone else. Security is a binary
condition, either you are or you aren't. - Funkenbusch 1 Oct 2006

Post by Erik Funke » Mon, 06 Nov 2006 02:21:25


That's why I said "simple ssl", which is typically 128-bit RSA. This is
fine for drive-by protection, but not good if someone is deliberately
targeting you.


That gives me a direction to look at. One of the companies involved runs Exim,
so that might help.


That's an interesting idea.


Yes, I'm not worried about that. We can send the keys using the existing
PGP approach.

Thanks for the suggestions.