My email is not secure, for a number of reasons. Here are a couple.
1) I have yet to find anyone willing to accept email from me that has been encrypted before I send it and must be decrypted by them (GPG for example).
2) It is stored in plaintext on a server I do not control (I send it to someone who uses one of those big hosts like Google, Yahoo, etc).
Sending it over the wire in plaintext is probably being less of an issue now (as it seems the most used hosts are doing TLS), but that doesn't really help with bullet #2.
I think the best bet is attempting to communicate with others using some other application that is not email based (like textsecure for example). Not sure how to get regular email from corporations via another means though (monthly bills for example).
"Sending it over the wire in plaintext is probably being less of an issue now (as it seems the most used hosts are doing TLS),"
Unfortunately, no, TLS in the SMTP world is basically a joke, security-wise. It can inconvenience a passive interceptor, but crumbles in the face of an active adversary, due to the fact that $NOBODY does cert checking, and consequently, nobody can do cert checking, because it would break their mail server, because nobody does cert checking properly.
I've been thinking about experimenting with enforcing cert-checks on incoming tls/smtp. Possibly with a plain text smtp mx as fallback (through some kind of try-again-later greylist-like magic).
Providing a fallback would negate the security benefit, obviously -- but might gather enough data for a whitelist (ish) of servers/sending domains which we can demand valid certs for.
I'm not too concerned about bouncing valid email, as long as it doesn't create loops. Nor am I that worried about missing emails.
As long as all the senders are a) mailing-lists that either should do the right thing, or will actually change to do the right thing if an error is reported, b) big free services like gmail/yahoo/outlook that might be divided into groups of "does the right thing" and "blacklist"/bounce to let any friend know that they need to send from "free service y, not x" -- and c) friends that run their own email servers and can be beaten (eh, educated) to compliance.
I'd really not like to rely on some random CA list, though. I'm personally a cacert.org-fan/user -- but I suppose one might try to lean on DANE to avoid that particular hairball -- to some extent. It's either that or manual whitelist+trust on first use/some kind of pinning.
One of the biggest security gaps in SMTP is that failing to establish TLS will result in falling back to plaintext; it's opportunistic TLS. Senders and receivers don't perform path validation because a validation failure will not stop a message from being sent -- it will just be sent with plaintext.
The missing piece is widespread support for a way for receiving mail servers to declare that they support TLS (and optionally identify their CA or pin their certificate), such that it will instruct senders to connect with mandatory TLS instead of opportunistic TLS. With a protocol like this in place, senders can begin performing path validation of the receiver's certificate when they connect, but only for receivers who declare it, allowing an incremental nonbreaking rollout. Once widespread support is in place, we can begin making an effort to require validated certificates.
I'd be interested to chat with anyone about email security and ideas to improve it; feel free to reach out. I would gladly put my support behind and implement a proposal that will solve these problems.
You do realize the entire internet is run on servers and network devices you do not control, right?
A bunch of intermediary relay mail servers of course all store and forward your mails. But there's also a couple dozen firewalls, traffic shapers, tunnels, bridges, routers, and managed switches that all have your e-mail. Who cares about disk storage when your e-mail is stored in 15 network device caches?
Mail has never really been secure, from the days of Incan relay runners passing messages across thousands of miles, to the Pony Express, to the current US postal service. Unless you put an encrypted letter in your envelope, it can (and regularly does) get intercepted by malicious actors. We've gone this long with it being insecure, so I don't see what the big fuss is with the internet all of a sudden.
Also: mail should be easy and universal. That's really the point of mail: that you can send a message to anyone, anywhere in the world, with one system, and it just works [while remaining inexpensive]. Anyone messing with it should always keep that in mind.
Maybe you commented after the title changed? Original title was "How secure is your email? here's email-in-a-box" (at least that's what I remember it was).
My comment was basically "email is not secure." I think we agree on that point.
Yes. I guess I was just (badly) making the point that since it's impossible to just communicate with one server you control, a secure mail paradigm should include servers we do not control.
On Linux, http://recoll.org can provide the full-text search function, but you'll need other programs to consolidate the email and import/export between cloud services.
I'd like to use this, but AFAICT there's no way for me to ensure that the app--or future updates to the app--don't send my private keys off to a third party. Even accidentally, say as a debugging core sent on crash
This project is pretty awesome... though I'm not clear on what happens after you are setup.
Does mail-in-a-box then provide the scripts to perform regular software updates and any configuration migrations between versions? There's more to running software than the initial setup... A complete Mail solution in a Unix-like environment consists of a lot of disconnected programs with their own configurations that are difficult to get running, and even more difficult to maintain without a full time systems administrator in place.
I mentioned in another discussion recently how much I would love to see something akin to SmarterMail available as a simple package install Cross-Platform (one of the best mail server softwares out there imho, from a setup/upgrade POV) but commercial and tied to Windows for deployments... If I didn't have to work for a living, I'd probably start something like this. Mail services are usually made far more complicated than they should be, and I understand there are a lot of desired features... but I do feel that having a good module/plugin system that one could be developed that isn't the pain that current solutions are.
To me a current mail solution should provide, SMTP, POP3, IMAP, WebMail, and WebAdmin at a minimum... Value adds would be easy multi-domain support, easy to configure AV/Spam plugins, Calendars + Sharing and Group Contact Sharing. Honestly, the only solutions with a relatively easy setup for this are for Windows... All the nix solutions are cobbled together bits that are very hard to upgrade and maintain versions and require a lot more breadth of knowledge than a single product. I've tried many of the systems for nix and they mostly suck in practice.. some more than others.
> Mail services are usually made far more complicated than they should be, and I understand there are a lot of desired features...
That was my impression of the whole thing, too. I've long had an exim configuration I could decorate my walls with, without understanding what most of it did or if it was secure.
Recently, I got so fed up I began writing my own mail server suite. It's still pretty basic and in development, but it does have some of the features you mention, namely
> SMTP
> POP3
> WebMail (though rudimentary)
> WebAdmin
> Multi-Domain support
In the pipeline, but not yet ready
> IMAP
> Plugins
Some of the goals of the project are to have a mail processing suite with a clear interface between the modules, as well as easy extensibility and configuration.
Me and some people I've talked into testing it already run some instances, and so far it has proved pretty stable.
Caveat: The backend is an SQLite database, so if your use-case is serving a lot of clients, there might be some lock contention.
If you separate each account's folders/inbox into a separate sqlite database, with the accounts/configuration in another, it probably wouldn't be to bad at even moderate scale.
But for < 100 users one sqlite db would probably be sufficient. (on a relatively fast drive/ssd)
That's actually exactly what you can already do with cmail ;)
Each user can optionally be assigned a "user database", storing only the mails in her own inbox (which also allows users to have direct control over their own mail database).
If this is not used, mail is stored in the master database.
As you said, most normal deployments should not run into those limits, but its worth keeping them in mind.
Why not use Maildir, or really any other standard scalable mail storage format? The most annoying thing in the universe is trying to export mail from one client to another with incompatible formats. Well, okay, maybe Vogon poetry is worse, but e-mail is a close second.
SQLite has a pretty great C API making it really easy to programmatically store, modify and retrieve data, which made it my first choice for runtime configuration data.
Adding another storage backend for the mail data would have meant a lot more code paths to support.
SQLite also has a lot of tools surrounding and supporting it (I particularly like SQLiteStudio) which allows querying/modifying/analyzing your mails with a huge number of programs, and using SQL - something I've found really useful!
With a sufficiently sane schema (which I hope we've achieved), transforming from the database format to any other format becomes really easy!
Also, since cmail is not really being developed with the intent to have people access their mail with a shell account (the main reason being that cmail users should not have to map to system users), supporting access formats on the server side is less of a priority - preferred access is via POP (already available) and IMAP (once it's done). The user database feature allows cmail users that ARE system users to control their own database.
An exporter to convert to/from Maildir is a planned feature :)
Hear-hear. Aside from a big directory of ascii text files, I can't think of a more future proof method of storage. So sqlite has that going for it, in addition to the extension API - which is awesome. I recently had to write some integration software for Kronos and some no name security system, as I was already storing the data in sqlite I decided to handle the Kronos business logic with a loadable extension - it was a pretty pleasant experience. Actually, I'm pretty sure there is an extension out there that allows you to use a directory of CSV files for table storage...
I've been thinking of using one of their schemas as a base for doing something similiar for an email client/interactive mail archive type thing (think: hyperkitty/pipermail).
Also notmuch has done some work for mapping email to xapian for search/tagging/indexing -- could also be a good source of inspiration I think.
I was aware of dbmail, but did not peruse the source in-depth, in part because it does not in itself implement SMTP.
Archiveopteryx I did not know, but thanks for the tip!
Using their databases as the basis for new tools has the obvious benefits of cross-compatibility, though there's always the drawback of database cruft that accumulates by virtue of differences in implementation or project goals.
I'm curious about all these comments about how much time it takes to maintain these systems. I've run a Debian+Courier+Spamassassin+Roundcube setup for over a decade for friends and family, and the maintenance required has been quite minimal. I have a script that emails me when security updates are available, and apt-get upgrade just takes a few seconds. Every couple of years I have to upgrade the Debian version, but that rarely takes more than a couple of hours. Outside of that, it just runs and runs.
Having said that, I am comfortable doing all that Linux sysadmin stuff, so maybe that's the difference. And if I were offering email accounts to people I didn't know, that would be an entirely different maintenance challenge.
Thanks... I ran my own mail server for a number of years, but with only a handful of accounts, it finally became far easier to just outsource... I've been thinking of doing something like mail-in-a-box on a cloud/vps host, but the time/frustration in maintaining such a thing has kept me away.
> Does mail-in-a-box then provide the scripts to perform regular software updates and any configuration migrations between versions? There's more to running software than the initial setup... A complete Mail solution in a Unix-like environment consists of a lot of disconnected programs with their own configurations that are difficult to get running, and even more difficult to maintain without a full time systems administrator in place.
If so, I'd be extremely tempted to switch over. I already use Postfix/Dovecot/Roundcube, but Roundcube is currently broken because of conf changes between upgrades and Dovecot has been _horribly_ broken (taken a week+ to sort out) by a big configuration change on their side a couple of years ago :\
I am so glad this is finally happening. The mail-in-a-box project is something I think has been needed for many years now. I run my own mail server, but few people have the know how to run one, and so too much mail ends up either at Google (being harvested for ad targeting) or at crappy E-mail providers with lousy security practices.
It's interesting that this does not encrypt at rest (e.g., via dm-crypt). I'd rather not rely on Digital Ocean to protect access to their backups and prevent data from leaking to other droplets. Also, it requires a somewhat sophisticated attack to obtain the dm-crypt key from a running VM.
1) Most robust "security" of this form is negated if you're running it on a budget VPS. Those things are often extremely and unavoidably insecure for reasons out of your control (out-of-date VM software, insecure control panels, incompetent VM neighbors, etc.).
2) OpenBSD is probably the best option for this. Just use OpenSMTPD and choose a simple secure IMAP server from the ports. OpenBSD is perfectly suited for simple, security-critical applications like mail servers.
This is great. On Ubuntu I always use "apt-get install mail-stack-exchange" which leaves you with STARTTLS enabled SMTP, IMAP, POP3 and, with the removal of 1 #, 587 submission. the users are the normal users of the system which automatically have a Maildir created upon receiving their first mail.
This solution also gives you webmail though and DKIM. Very nice, I use the OwnCloud webmail which works ok for me (less features but very, very much better looking than Roundcube and I can sync calendar and contacts to the same server!)
I think it is very important that projects like this one exist, they take the annoying details out of running your own server software. Thanks a lot!
1) I have yet to find anyone willing to accept email from me that has been encrypted before I send it and must be decrypted by them (GPG for example).
2) It is stored in plaintext on a server I do not control (I send it to someone who uses one of those big hosts like Google, Yahoo, etc).
Sending it over the wire in plaintext is probably being less of an issue now (as it seems the most used hosts are doing TLS), but that doesn't really help with bullet #2.
I think the best bet is attempting to communicate with others using some other application that is not email based (like textsecure for example). Not sure how to get regular email from corporations via another means though (monthly bills for example).