
Is it possible with Postfix to add a warning to all emails received over a cleartext (non-TLS) connection?

For example modifying the subject and/or adding a custom header.

Dr.Haribo

  • I don't know if it's possible, but it would be pointless: you can only know if the connection from the next-to-last relay to the last relay used TLS, you can't know anything about previous hops. If you want email security, use PGP or S/MIME. – Gilles 'SO- stop being evil' Nov 14 '15 at 23:03
  • I agree end-to-end encryption is needed to keep emails private. It's been in the news recently that Gmail will be deploying something similar to what I described, and I wondered how hard it would be to do on one's own email server. I think it would be interesting to see. – Dr.Haribo Nov 16 '15 at 12:33

1 Answer

The way to go here is to first tell Postfix to add the TLS connection status into the Received header. In /etc/postfix/main.cf add

smtpd_tls_received_header = yes

This will add something like (using TLSv1.2 with cipher … (256/256bits)) to the Postfix-generated Received header. This information can then be used to add a custom header. E.g. one could add an X-Transport-Layer-Security header and set its value depending on whether the above snippet is present in the Received header. Possible methods to do so include

  • writing a custom content filter which is called by Postfix,
  • leveraging Sieve scripts to edit the message, or
  • using some of the quadrillion other methods to process messages (proxy, milter, etc.).

I don't know of any ready-made solution to do this, but it shouldn't be much work either.

tarleb

  • Yeah, Sieve's `editheader` extension might be the easiest way to go. Info here: http://www.mvmf.org/docs/draft-degener-sieve-editheader-00.txt (section 5). To send your email over to the Sieve rules you might want to follow my answer here http://unix.stackexchange.com/a/252907/23085. Use the same procedure but just pipe the emails directly to Dovecot local delivery and require the `editheader` extension. The code should be easy to come up with following the examples on the link. – TCB13 Jan 25 '16 at 13:55
  • For Thunderbird there is an add-on called Paranoia which shows a happy, neutral or sad smiley face depending on whether Received headers indicate encryption or not. – Dr.Haribo Jan 25 '16 at 15:32
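The content-filter route from tarleb's answer, worked through as an added example (not code from the answer, from Postfix, or from any of the commenters): a Python script in the stdin-to-stdout shape that Postfix pipe content filters use. It looks for the clause smtpd_tls_received_header adds to the top Received header and sets an X-Transport-Layer-Security header accordingly, judging only the last hop, as Gilles' comment explains. The header name, its values and the two sample messages are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Hypothetical Postfix content filter (stdin -> stdout): tags each message
with the TLS status of its LAST hop, read from the top Received header."""
import email
import re
import sys

TLS_HEADER = "X-Transport-Layer-Security"  # header name is an assumption
# Clause Postfix adds with smtpd_tls_received_header = yes, e.g.
# "(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))".
TLS_RE = re.compile(
    r"\(using\s+(TLSv[\d.]+)\s+with\s+cipher\s+(\S+)\s+\((\d+)/(\d+)\s*bits\)\)")


def last_hop_status(raw):
    """Return 'tls <version> <cipher> <n>bits', 'plaintext' or 'unknown'.

    Only the top-most Received header counts: our own Postfix wrote it, so it
    is the only hop we can vouch for. Headers below it came from other relays
    or the sender and prove nothing about earlier hops (they may be forged).
    """
    received = email.message_from_bytes(raw).get_all("Received") or []
    if not received:
        return "unknown"  # e.g. locally submitted mail, no SMTP hop at all
    m = TLS_RE.search(received[0])
    if not m:
        return "plaintext"
    version, cipher, used_bits, _ = m.groups()
    return f"tls {version} {cipher} {used_bits}bits"


def tag_message(raw):
    """Parse a raw message, (re)set the TLS status header, return new bytes."""
    msg = email.message_from_bytes(raw)
    del msg[TLS_HEADER]  # drop any copy the sender injected to spoof the verdict
    msg[TLS_HEADER] = last_hop_status(raw)
    return msg.as_bytes()


# Constructed sample (not a real capture) shaped like a Postfix Received header.
SAMPLE_TLS = (b"Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
              b"\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384"
              b" (256/256 bits))\n\tby mx.example.org (Postfix) with ESMTPS"
              b" id 4ABC123\n\tfor <alice@example.org>; Mon, 16 Nov 2015"
              b" 12:00:00 +0000 (UTC)\nFrom: bob@example.net\nSubject: hi\n\nbody\n")
SAMPLE_PLAIN = SAMPLE_TLS.replace(
    b"\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n",
    b"").replace(b"ESMTPS", b"ESMTP")

if __name__ == "__main__":
    sys.stdout.buffer.write(tag_message(sys.stdin.buffer.read()))
```

Hooking it into Postfix is the standard content_filter setup from Postfix's FILTER_README: a pipe(8) service in master.cf runs the script and re-injects its output through sendmail(1).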