F13 Get Postfix to send encrypted email

savagehobo · #1 13th September 2010, 12:56 AM

Hello All,

I am trying to setup a simple SMTP server to relay scanned documents from a Xerox machine to email addresses. Unfortunately the Xerox machine doesn't support TSL or SSL so sending mail over port 25 on gets blocked. I have setup postfix on a desktop running Fedora 13 and have been able to set it up to forward the mail onto the correct server (gmail for example). My question is, how do I get the server to encrypt the emails (scanned documents) when sending them over the internet?

I have tried adding:

Code:

smtpd_use_tls = yes
smtpd_tls_cert_file = /etc/postfix/smtpd.cert
smtpd_tls_key_file = /etc/postfix/smtpd.key

But when I look at the wireshark capture of the sending I can read my test message in plain text.
Anyone have some suggestions?

-SavageHobo

stevea · #2 13th September 2010, 01:17 AM

Well first you should understand that whether you send over port 25 (typical unencrypted smtp) or port 465 (TLS/SSL smtp) only determines encryption on that transfer. Even if your xerox and sendmail would use SSL, then the transfer to the next hop through gmail or whatever would be unencrypted.

I hate sendmail (use postfix) but yes you can wireshark the plaintext on port 25. You have to setup your email client (e.g. thunderbird) to connect with TLS to your smtpd server on port 465 (or other as configured) - then the port 465 traffic will be encrypted. You have to setup your sendmail (probably as you show) *and* you have to setup certificates for the ssl transfer to take place. Still - even if the client uses ssl on port 465 does NOT mean the email data is encrypted except between the client and the first smptd server. The transfer to the next hop will be unencrypted.

perhaps what you really want is mime encryption. Verisign and Thawte used to offer free certs for end-users (but soon they will chage an annual fee. You must one-time send the receiver your public cert. Then when the other guy gets an encrypted mime from you he can verify the source using thawte/verisign, and decrypt using the key received. All the modern email clients (thunderbird, evolution, ..) will handle these certs.

Perhaps you just want something else. How should the recipient decode the message ? Do these scans fgo offsite ?

savagehobo · #3 13th September 2010, 07:20 AM

Thanks for the quick reply.

Sorry, I should have mentioned that I have disabled sendmail and am using postfix.

Yes, the scans go from the remote office through the internet to the corporate office email servers. We were hoping to just encrypt the messages from the hop from my office to the larger one, because once it gets to the main office the mailboxes would just be accessed from the receiving server over the lan.

Is it possible to just encrypt the message using the public cert from the destination server? So the hop from my SMTP server to the receiving server?