I was interested in hosting my own mail server that provides a similar level of privacy for users as Protonmail, ie the server admin cannot read any emails, even those which are not E2EE with PGP. Is there a self-hostable solution to this?
I’m aware the server admin can’t read emails that were sent encrypted using the user’s PGP key, but most emails I get are automated emails from companies/services/etc without the option to upload a public key to send the user encrypted email. If you’re with a service like Protonmail, the server admin still cannot read even these emails.
in case you’re not already aware; mail servers are favorite target of malware & intrusion enthusiasts so be sure to approach your build with security at the forefront of all your actions.
i found out; well after the fact; that my build got pwned at step 2 after spending money and weeks worth of time to do the same thing you’re trying to do and i wish someone had clued me into this little bit of common knowledge back then; good luck.
That can easily be achieved with dovecot and a sieve script.
but then the admin can still read the mail while it arrives ;-)
That’s true of protonmail too
but maybe only for emails from outside, not for emails from within protonmail? haven’t read any specs of protonmail yet…
For internal emails yes they are encrypted on the client side. OP can use PGP or S/MIME for that too.
deleted by creator
That’s not really true, S/MIME is a thing
well for e2ee you obviously have to let one e encrypt the data for the other e. (good luck with newsletters then) for usual services kindly asking them to support either s/mime or gpg for outgoing emails, that would at least make them know the wish, but good luck there too.
i think the already mentioned solution with encrypting incoming messages on your side just before mda to your inbox should be the closest possible to what op wants. one would need to check if the message is already encrypted and skip encryption for those.
if you only want the admin of that email (imap) server to not be able to read all emails, maybe placing a separate encrypting server (smtp+encrypt+forward) inbetween outside world and your email imap server could be a solution.
one should have a look into the logfiles too as some mailers might log message subjects and of course sender/recipients along with ip adresses of incoming/outgoing servers which the op might not want to be readable as well (i dont know protonmail that much)
also gpg IMHO allows for sign-then-encrypt hiding the signature within the encrypted data which could be wanted. also one might want to look exactly what parts of the messages contents and its headers are encrypted or plaintext on the server before feeling safe from the threat one wants to be protected from.
You want the mail-crypt-plugin in dovecot.
This is a thing that folks have done in the past:
- http://kacangbawang.com/encrypting-stored-email-with-postfix/
- https://www.grepular.com/Automatically_Encrypting_all_Incoming_Email and https://www.grepular.com/Automatically_Encrypting_all_Incoming_Email_Part_2
- https://jnphilipp.org/posts/auto-encrypt-all-incoming-email-with-postfix/
- https://www.mydreams.cz/en/hosting-wiki/9663-configuring-automatic-email-encryption-in-postfix-on-centos-7-using-gpg.html
Thanks for all the links!
This is a misconception. If the sender is outside proton mail the emails arrive in plain text. So it is possible for proton to read those emails. It is just that they pinky promise not read them and immediately encrypted them with your key. But if they wanted to they can read and moreover SMTP means your email has already traveled through multiple MX which could read your email but This is mostly not an issue since most email provider do encrypt with SSL of receiving MX but you might want to check few services use very very outdated softwares. But keep in mind SSL encryption is with Proton’s keys and by necessity they have to first decrypt the SSL encrypted email and then encrypt with your key
Well I know that, that’s kind of the point of any encryption at rest that isn’t also E2EE. I am the server admin in this case so I trust my own pinky promise that I’m encrypting emails at rest.
I don’t like using “encrypted” email because in fact email is really not a secure protocol by default, you can send secure email to each other but if you’re communicating to gmail, yahoo, outlook… You will lost all your privacy. Hosting an email service is good but do not use encryption when talking randomly to gmail accounts.
