this post was submitted on 31 Oct 2024
55 points (95.1% liked)


I was interested in hosting my own mail server that provides a similar level of privacy for users as Protonmail, i.e. the server admin cannot read any emails, even those which are not E2EE with PGP. Is there a self-hostable solution to this?

I'm aware the server admin can't read emails that were sent encrypted using the user's PGP key, but most emails I get are automated emails from companies/services/etc without the option to upload a public key to send the user encrypted email. If you're with a service like Protonmail, the server admin still cannot read even these emails.

[–] [email protected] 11 points 1 month ago (1 children)

That can easily be achieved with dovecot and a sieve script.

[–] [email protected] 5 points 1 month ago (2 children)

but then the admin can still read the mail while it arrives ;-)

[–] [email protected] 21 points 1 month ago (1 children)

That's true of protonmail too

[–] [email protected] 1 points 1 month ago (1 children)

but maybe only for emails from outside, not for emails from within protonmail? haven't read any specs of protonmail yet...

[–] [email protected] 1 points 1 month ago

For internal emails yes they are encrypted on the client side. OP can use PGP or S/MIME for that too.

[–] mspencer712 5 points 1 month ago (1 children)

I host my own for mspencer dot net, used this 15-ish step walkthrough from linuxbabe dot com. Only maybe three instances of spam in two years, gmail and outlook receive my messages just fine, etc. (Successful spammers were using legitimate services, and those services took action when notified. Greylist delays emails by a few minutes but it’s extremely effective against most spammers because they never come back to retry messages after a few minutes, while legitimate senders will.) I don’t know if I would accept blanket advice against self hosting.

Fundamentally if your mail server can see the addressee, it can see the content. SMTPS encrypts both in the same channel. So at the point where you accept messages and store them in a mailbox, the messages have to be readable.

Encrypting them at rest isn’t something I currently do, but if you’re going to later serve those messages to an email client that expects to receive clear text, your server needs both the keys and the messages. They can be stored in different places.

Most of your needs could be met with full disk encryption on the box hosting Dovecot. If you’re worried about being compelled to decrypt, there’s always the deck of cards trick: The pass phrase for full disk encryption consists of a memorized portion plus the letters and numbers of the top N cards in this deck of cards you keep by the server. If someone were to shuffle that deck of cards, and the server were powered down, the encrypted volume would be impossible to recover.

I’m eager to learn what other Dovecot tricks people can recommend to improve security.
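The greylisting behaviour described in the comment above, sketched as an added example (not the commenter's configuration or any particular greylisting daemon): an unknown (client network, sender, recipient) triplet gets a temporary 451, and only a retry after a minimum delay is accepted and remembered. The class name, the delays, the /24 grouping and the sample traffic are assumptions made for illustration.

```python
from dataclasses import dataclass, field

TEMPFAIL = "451 4.7.1 Greylisted, please retry later"
ACCEPT = "250 OK"

@dataclass
class Greylist:
    min_delay: int = 300          # seconds before a retry is honoured
    retry_window: int = 4 * 3600  # an unretried triplet is forgotten after this
    pass_ttl: int = 35 * 86400    # how long a proven triplet stays known
    _first_seen: dict = field(default_factory=dict)
    _passed: dict = field(default_factory=dict)

    @staticmethod
    def _key(client_ip, sender, recipient):
        # Group IPv4 clients by /24 so a retry from another host in the same
        # sending pool still matches; other address forms are kept whole.
        net = ".".join(client_ip.split(".")[:3])
        return (net, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        key = self._key(client_ip, sender, recipient)
        if key in self._passed and now - self._passed[key] <= self.pass_ttl:
            self._passed[key] = now          # refresh on every accepted mail
            return ACCEPT
        first = self._first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self._first_seen[key] = now      # first contact, or stale entry
            return TEMPFAIL
        if now - first < self.min_delay:
            return TEMPFAIL                  # retried too quickly
        del self._first_seen[key]
        self._passed[key] = now              # sender proved it queues and retries
        return ACCEPT

def replay(events, **settings):
    """Run (time, ip, sender, recipient) events through a fresh greylist."""
    gl = Greylist(**settings)
    return [gl.check(ip, s, r, t).split()[0] for t, ip, s, r in events]

# Constructed sample traffic, not taken from a real server.
SAMPLE = [
    (0,    "192.0.2.10",  "news@shop.example", "me@example.net"),  # first contact
    (5,    "203.0.113.7", "win@spam.example",  "me@example.net"),  # never retries
    (60,   "192.0.2.10",  "news@shop.example", "me@example.net"),  # retry too early
    (400,  "192.0.2.11",  "news@shop.example", "me@example.net"),  # retry, same /24
    (9000, "192.0.2.10",  "news@shop.example", "me@example.net"),  # now known
]
```

`replay(SAMPLE)` returns one SMTP status code per event; the sender that never retries only ever sees 451.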

[–] [email protected] 4 points 1 month ago (1 children)

I'm curious - do you use email aliases to help reduce spam or block specific senders more easily? I've found that aliases can make a big difference in managing privacy and limiting unwanted messages. Startmail, for example, offers aliases as a convenient option without the need for self-hosting.

[–] mspencer712 2 points 1 month ago (1 children)

I do, and I agree about their utility. My users and aliases are in OpenLDAP but it’s pretty easy to add new ones.

Separate accounts are preferable if you’re actually going to be responding to messages. I’ve had some embarrassing encounters where I’ve given an alias to a business that I didn’t realize was going to actually use it for real email conversations with a human. By default roundcube web mail lets you hit reply anyway and the reply goes out with your real address, which can lead to confusion.

[–] [email protected] 1 points 1 month ago (1 children)

That's a great point about alias use in roundcube. I can see how it could get confusing if you accidentally reply with your real address. This is where I think alias services that handle that automatically really shine. Have you ever run into other limitations or surprises with self-hosting, like with spam filtering or uptime? I imagine it could be quite time-consuming to keep up with all the configurations and updates, especially if you're aiming to maintain strong privacy protections.

[–] mspencer712 1 points 1 month ago

Not really, it’s been pretty effortless. Every couple months I have to make sure my renewed LetsEncrypt certs really got imported, but I don’t think I’ve had to intervene manually for anything in a long time.

[–] [email protected] 4 points 1 month ago (1 children)
[–] [email protected] 2 points 1 month ago

Thanks for all the links!

[–] [email protected] 4 points 1 month ago

in case you're not already aware; mail servers are a favorite target of malware & intrusion enthusiasts so be sure to approach your build with security at the forefront of all your actions.

i found out; well after the fact; that my build got pwned at step 2 after spending money and weeks worth of time to do the same thing you're trying to do and i wish someone had clued me into this little bit of common knowledge back then; good luck.

[–] [email protected] 3 points 1 month ago

You want the mail-crypt-plugin in dovecot.
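A minimal per-user key setup for the mail-crypt plugin named above, as an added example in Dovecot 2.3 syntax (not the commenter's configuration; the file path and attribute-dict location are assumptions). Mail is encrypted to the user's public key when it is saved, so the server still handles the plaintext at delivery and sees the key password at login.

```conf
# /etc/dovecot/conf.d/90-mail-crypt.conf  (path is an assumption)

# Per-user key material is stored as mailbox attributes.
mail_attribute_dict = file:%h/Maildir/dovecot-attributes
mail_plugins = $mail_plugins mail_crypt

plugin {
  # Each user gets an EC key pair; new mail is encrypted to the public half.
  mail_crypt_curve = secp521r1
  mail_crypt_save_version = 2

  # Never use a user private key that is stored unencrypted on disk.
  mail_crypt_require_encrypted_user_key = yes
}

# The private key is unlocked with mail_crypt_private_password, which has to
# be supplied per login, for example as a passdb extra field named
# userdb_mail_crypt_private_password derived from the user's login password.
# Delivery needs only the public key, so incoming mail can be stored
# encrypted while the user is logged out.
```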

[–] [email protected] 2 points 1 month ago

If the mail is sent unencrypted the admin can read it. What I have is a script that encrypts incoming e-mail with the user's key, so that they are stored encrypted on the hard drive. That at least protects against an intruder reading past e-mails. I use a Perl script written by Mike Cardwell for that.

Another service you might like to have for your users is WKD/WKS, so that senders' clients can automatically fetch the public key for your users.

[–] [email protected] 2 points 1 month ago

As someone who used to maintain an email setup for a small company, I would stay far away from self-hosting Email.

[–] [email protected] 1 points 1 month ago (1 children)

This is a misconception. If the sender is outside Proton Mail, the emails arrive in plain text. So it is possible for Proton to read those emails. It is just that they pinky promise not to read them and immediately encrypt them with your key. But if they wanted to, they can read them, and moreover SMTP means your email has already traveled through multiple MX which could read your email. But this is mostly not an issue, since most email providers do encrypt with the SSL of the receiving MX, but you might want to check; a few services use very, very outdated software. But keep in mind SSL encryption is with Proton's keys, and by necessity they have to first decrypt the SSL-encrypted email and then encrypt it with your key.

[–] [email protected] 1 points 1 month ago

Well I know that, that's kind of the point of any encryption at rest that isn't also E2EE. I am the server admin in this case so I trust my own pinky promise that I'm encrypting emails at rest.

[–] [email protected] 1 points 1 month ago

I don't like using "encrypted" email because in fact email is really not a secure protocol by default. You can send secure email to each other, but if you're communicating to gmail, yahoo, outlook... you will lose all your privacy. Hosting an email service is good, but do not use encryption when talking randomly to gmail accounts.