On 8/28/20 1:54 PM, Poison BL. wrote:
I'm rather late to the game with this, but at the end of the day, mail coming *into* a mail server isn't typically encrypted (and even that is only the body, the headers can still reveal a great deal, and are necessary for the server to work with it).
You seem to be referring to S/MIME and / or PGP encryption. You are correct that S/MIME and PGP don't offer protection for headers.
However, STARTTLS provides an encrypted channel to protect all of the SMTP traffic. Thus, even the headers of email are encrypted while in flight between servers.
A packet dump at the switch will turn over every piece of mail you receive along the way.
When STARTTLS is in use, the only thing that you will see is the initial EHLO and STARTTLS commands. Everything after that will be encrypted traffic.
Email's not designed for end to end security by default.
Encryption for anything other than military use didn't really exist when email was developed.
Since then, things like STARTTLS (or SMTPS if you choose to abuse it for B2B connections) and VPNs have become a realistic option.
Most contemporary MTAs will opportunistically use STARTTLS if it is an option. We only need to worry about things that try to prevent STARTTLS from working. Thankfully, this is mostly authoritarian regimes in some parts of the world.
Secondly, any hosting on hardware you don't control is impossible to fully secure, if the services on that end have to operate on the data at all. You can encrypt the drive, encrypt the mail stores themselves, etc, but all of those things will result in the encryption key being loaded into ram while the VPS is running, and dumping ram from the hypervisor layer destroys every illusion of security you had.
I agree those are all valid concerns. However, we shouldn't let the inability to realistically have perfect prevent us from having something better than no encryption.
Dedicated hardware in a locked cabinet is as close as you get to preventing physical attacks when you're hosting in someone else's DC, and that's not nearly in the same market segment, price-wise, as a cheap VPS. At best, if you have sensitive email that you're sending or receiving, work with the other end of the communication and then encrypt the contents properly. Even better, go with a larger scale, paid, solution in which your email isn't even remotely worth the effort to tamper with for the hosting company's employees, and hope the contractual obligations are sufficient to protect you.
I'm not aware of any place that contracts will protect you against local court orders / government involvement.
If you have any sort of controlled data going in and out of your email, step up to a plan that adheres to the regulatory frameworks you're required to adhere to and make very sure the contracts for it obligate the vendor to secure things properly on their end (aws, azure/o365/etc mostly all have offerings for, at least, US Gov level requirements).
Yep. -- Grant. . . . unix || die
