I guess discussing my setup (retry rules, queue lifetime or encryption setup) is not strictly on topic, but I'm commenting on it further:

• Slavko via mailop [2023-10-09 09:34]:
On 9 Oct at 8:44, Kirill Miazine via mailop wrote:

The reason for a long retry is that I have to manually decrypt the mailstore partition in case of a server reboot. Exim would accept the message, but defer delivery until the mount appears. I wanted to have some time in case of a reboot and me not being easily available to mount the partition.

Consider spending some time to set up auto decrypt on boot; doing that manually has little security enhancement on servers, as once decrypted, the content is available to the OS and thus to a potential attacker too (the only restrictions are access rights).

I've come to the current setup as a good enough approach to protect data in "cloud" and remote dedicated server setups, where I didn't want raw data on the provider's block storage or physical disk, and where I equally didn't want to have another device at the same provider act as a decryption key.

And I don't really type in the passphrase normally, a script does that over ssh. But when e.g. offline, I have to type it in manually.

When you store the decryption key on a separate disk (e.g. USB stick), you are safe even after a disk replacement...

For local setups that's an option, for remote setups where the provider is offering virtual disks it's certainly an option too, but I didn't want them to have the key.
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop