[wellylug] GPG Webmail

John C Barstow jbowtie at amathaine.com
Tue Apr 27 11:44:35 NZST 2004


On Mon, 2004-04-26 at 23:39 +0100, JP wrote:
>  --- John C Barstow wrote: 
> > For one of my projects I am looking to set up a
> > secure webmail system
> > (Debian testing/unstable if it matters).
> > 
> > My understanding so far is that I can generate GPG
> > keys for new users
> > and use the public keyring to encrypt mails.  My
> > question is around
> > decrypting; if it's webmail you typically don't want
> > the private key on
> > client computer, that implies server-side storage of
> > some kind, with the
> > web server somehow obtaining the private key and
> > using it to decrypt.
> > 
> Sam's comments are good ones.
> 
I agree for the general case. This is for a specific, controlled
environment; the users will only be sending e-mail to other users on the
same system. Keys will be generated and signed by the server, so no one
will be compromising an existing key or a key used for other purposes.
I'm reconciling two conflicting requirements - webmail access for
non-technical users and encrypted emails to prevent casual
eavesdropping.
Remember, 70% of users will give you their password for a bar of
chocolate and 30% of the same group will volunteer them for free.
Private keys are the least of my worries.

> But ... if you have control over the webmail server or
> can convince the owner (whom you trust) to install it,
> the Squirrelmail webmail app supports GPG using a
> plugin:
> 
> <http://www.squirrelmail.org/plugin_view.php?id=153>
> 
> Docs are in the downloadable tar.gz.  Seems your keys
> are stored on the server, and you import them using
> some secure http setup.
> 
> imp webmail apparently also supports GPG in its latest
> incarnation, but I can't find documentation for it.
> 
> All said and done though, I can't help feeling this is
> a little bit too risky.  Best option for security, but
> worst for cost: laptop/PDA you carry round with you
> for sending mail.

I knew someone would have solved this before.  I'll probably go with
SquirrelMail since I have control over the server.



