[oclug] secure email

Bart Trojanowski bart-oclug at jukie.net
Fri Aug 16 09:53:19 EDT 2002


* Chris Church <linuxinfo at sgl.com> [020816 09:10]:
> Greetings,
> 
> Can someone tell me the easiest way to implement secure smtp and pop3,
> while using sendmail and not recompiling the kernel to include ipsec and
> without unplugging the computer and using snail mail. :-)

There are many things you can encrypt here.  So let us look at the
TCP/IP stack:

+----------+
| *        |		(sendmail, mutt, pine, mozilla-mail, etc)
+----------+
| TCP      |		(kernel stack)
+----------+
| IP       |		(kernel stack)
+----------+
| ethernet |		(NIC)
+----------+

I will start from the bottom.

ethernet: you can secure this by not allowing anyone you don't like to
connect to your hub/switch.  Ethernet does not go across your
router/gateway; it must be 'forwarded'.

IP: IPSec allows you to encrypt every IP packet going between two
points, but you have to have support for it on both sides with no change
to the application software.  This is ideal if you only want to secure
email between certain hosts on the network.  Ideally you would want
everyone to use IPSec -- then all traffic would be secure.

TCP: SSL (or its replacement TLS) is a method of encrypting all TCP
traffic along one TCP stream.  The application, however, must be aware
of SSL and do extra things to make it happen.  This form of protection
also requires that both parties support SSL.

*: Application level encryption is the easiest to set up.  The
application either supports it (via patches or upgrades) or it does not.
There are a few choices here, but on this list we will tell you to use
GPG (gnupg or GNU Privacy Guard).  It is a method of encrypting every
mail with public key cryptography.  This method is set up by the user on
an application basis.  Each user you want to encrypt mail to must be
able to decrypt it using GPG (have a key, have software set up, etc).

The most important thing about GPG/PGP is that you don't have to own the
machine (i.e. have root) to install it.  It's very safe and you cannot
screw up.  The worst you could probably do -- unless you try to make
mistakes -- is to make your key worthless.  To protect yourself, learn
about PGP before you start.

B.

-- 
				WebSig: http://www.jukie.net/~bart/sig/
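The application-layer ("*") option the post recommends, as an added example that is not part of the original message: the complete GPG workflow from key generation through key exchange, signing and encrypting a mail body, and decrypting and verifying it on the other side. It runs with nothing but the gpg command line and no root access, using two throwaway keyrings in place of Alice's and Bob's ~/.gnupg. Assumptions: GnuPG 2.1 or later is installed; the names, addresses, paths and message text are made up for the demonstration; the keys are generated without a passphrase only so the script can run unattended.

```shell
#!/bin/sh
# Added example (not from the original post): the GPG workflow the post
# recommends, run end to end with two throwaway keyrings standing in for
# Alice's and Bob's ~/.gnupg. Needs only the gpg binary (GnuPG 2.1+ assumed);
# nothing here requires root. Names, addresses and the message are made up.
set -e

WORK=$(mktemp -d)
ALICE_HOME="$WORK/alice"    # each user's private keyring lives in their own home
BOB_HOME="$WORK/bob"
mkdir -m 700 "$ALICE_HOME" "$BOB_HOME"

# Unattended key generation for the demo. A real key gets a passphrase;
# %no-protection is used here only so the script needs no interaction.
make_key() {    # $1 = GNUPGHOME, $2 = real name, $3 = e-mail
    cat >"$WORK/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$1" gpg --batch --quiet --gen-key "$WORK/params" 2>/dev/null
}

# "Each user you want to encrypt mail to must have a key": public keys are
# exported in ASCII armor and imported into the other side's keyring. In
# practice you verify the fingerprint out of band before trusting it.
exchange_keys() {
    GNUPGHOME="$ALICE_HOME" gpg --batch --armor --export alice@example.com >"$WORK/alice.pub"
    GNUPGHOME="$BOB_HOME"   gpg --batch --armor --export bob@example.com   >"$WORK/bob.pub"
    GNUPGHOME="$ALICE_HOME" gpg --batch --quiet --import "$WORK/bob.pub"   2>/dev/null
    GNUPGHOME="$BOB_HOME"   gpg --batch --quiet --import "$WORK/alice.pub" 2>/dev/null
}

# Alice's side: sign with her key, encrypt to Bob's, and wrap the result in a
# mail. The headers stay in cleartext; GPG protects only the body.
compose_mail() {    # $1 = body text; the complete message goes to stdout
    printf 'From: Alice <alice@example.com>\nTo: Bob <bob@example.com>\nSubject: hello\n\n'
    printf '%s\n' "$1" | GNUPGHOME="$ALICE_HOME" gpg --batch --quiet --trust-model always \
        --armor --sign --encrypt --recipient bob@example.com 2>/dev/null
}

# Bob's side: drop the headers, decrypt with his private key, and insist on a
# good signature from a key in his keyring (the GOODSIG status line).
read_mail() {    # message on stdin; decrypted body on stdout, non-zero if unverified
    sed '1,/^$/d' | GNUPGHOME="$BOB_HOME" gpg --batch --quiet --trust-model always \
        --status-file "$WORK/status" --decrypt 2>/dev/null
    grep -q '^\[GNUPG:\] GOODSIG' "$WORK/status"
}

demo() {    # prints the body Bob recovered
    make_key "$ALICE_HOME" Alice alice@example.com
    make_key "$BOB_HOME"   Bob   bob@example.com
    exchange_keys
    compose_mail "the secret plan" >"$WORK/mail.txt"
    read_mail <"$WORK/mail.txt"
}

cleanup() {    # stop the agents gpg started for the throwaway homes, then remove them
    GNUPGHOME="$ALICE_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$BOB_HOME"   gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}

# Run as: sh gpgmail.sh run
case "${1:-}" in run) demo; cleanup ;; esac
```

Two things worth noticing when you run it: the mail file that leaves Alice's machine still carries From, To and Subject in the clear, because GPG encrypts only what the mail client hands it, and Bob's side accepts the body only if the signature checks out against a key already in his keyring, which is why the public keys have to be exchanged (and, outside a demo, fingerprint-checked) first. This complements rather than replaces TLS on the SMTP/POP3 hop: TLS protects the connection to one server, GPG protects the body all the way to the reader.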