On 4/2/22 20:11, Josey Smith wrote: > Hello, > > I'm currently setting up a somewhat unique personal email server. I > have a local server (Raspberry Pi) and a remote server (VPS running > OpenBSD). Emails are sent to the remote server and are then relayed to > my local server. When I send an email it goes from my local server to > the remote server, and is then relayed to it's recipient. Mostly I've > got it all working how I want it to. > > While I'm aware that nothing stored on a VPS (even momentarily) is > completely safe, I'd like to make my remote email server as secure as > possible from prying eyes (for example if my VPS host or a hacker made > a snapshot of my server for maleficent purposes).
If you can’t trust your hosting provider, get a different one. > Most of the time messages should only be on my remote server for a > matter of seconds at most before being sent to my local server, but if > my local network is down they could remain there much longer. Also as > the queue is written to disk someone could recover old messages from > deleted queues. > > The three areas I'm looking at so far are: > > 1) OpenSMTPD queue encryption > This is a good step, but presumably the key is stored in memory, so > could be retrieved from a snapshot of the server. Maybe I could > automate the key to change from time to time? Maybe? Be sure you don’t lose all of your existing messages in the queue. > 2) OpenBSD disk encryption > I read in a forum post that OpenBSD disk encryption only stores a part > of the key in memory at any one time. I can't find anywhere else that > says this, and I can't work out how that'd be possible. > > 3) GPG message encryption > I could in theory set up something that takes inward messages out of > the queue (before they are written to disk), encrypts them with my > public key, and then enters them back into the queue. But for most > outward messages GPG encryption won't be an option. That’s your best option for inbound stuff. That said, email isn’t your best option for security. Use something with proper end-to-end encryption and forward secrecy, such as Signal, Wire, Keybase, or Matrix. -- Sincerely, Demi Marie Obenour (she/her/hers)
OpenPGP_0xB288B55FFF9C22C1.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature