
I can set up my own email server, and quite happy with it, using standard open source components - postfix, roundcube, etc on top of HardenedBSD or OpenBSD.

I'd like to offer the use of my email server to friends and family, as some of them have said in as many words that they'd like it and would benefit. But I have a real ethical issue over hosting something so personal to them without more privacy safeguards. Even if I wouldn't read anything, I feel very uneasy that in principle, I easily could.

I know that as the server admin, anything the software can do, I can do. As always, it's about raising the barrier, not about absolute data protection.

The family/friends who would like to use it aren't sophisticated users. Think parents'/grandparents' generation. I doubt they're doing anything very unusual. They wouldn't know how to use custom certs or PGP or similar, and most of their email contacts wouldn't either (online purchases, friends, etc). They'll use standard POP/IMAP/SMTP/webmail, with standard apps. So anything that's to be done would have to be unilateral - not relying on them to understand complex setups, or things that won't work in common clients.

I can't avoid the need for at least one server admin with rights to configure things, and I know that any other users would have to rely completely on trust, and it couldn't easily be "proven" what I'd done or not done. While they trust me (I help them routinely with email and host their backups as it is), it's just that, on principle, I don't feel that an email host should be able to look at third-party users' emails (other than where there's a clear expectation such as within an enterprise), and I want to get as close as I can to that, myself.

In other words, although trust is needed in any setup, there is a difference between trusting someone won't click and read (although it's trivial to do so), and trusting they have set it up and made it very hard to click and read.

Things I've thought of trying:

  • I've pondered setting it up in an encrypted VM, in such a way that once booted with the correct passphrase (needed to boot but doesn't let it log in), the system actually locks out its root and admin accounts and only allows a limited account that can manage mail but not view other users' data. Or maybe give the root passphrase in written form to a trusted relative who lacks access, and lock down the admin IP to their IP, so it's accessible in an emergency but not otherwise. I don't know if that helps, or is naive, though.

  • I've also looked for prebuilt end to end encryption for users, as that would be ideal, but I don't think this can work unless the user, and their contacts, both use appropriate client software, or avoid "ordinary" clients and stick to very specific ones ... and that just isn't likely/achievable for their expected "ordinary" use.

Is there an easy way to build/set up an email server for family/friends who request it, which at least helps to raise the bar in these areas, and lets me feel safer that their privacy is real, and not easily intruded upon, even if not ideal or absolute?

What steps can I take that would help?

Stilez
  • In other words, you don't trust yourself? Then please just don't do it. ... Your ideas how to harden it are strange at best, but more likely actively harmful (hacking into a system where the admin already locked himself out and has no way to detect it? Yay) – deviantfan Jul 29 '18 at 13:37
  • Other than that, I really recommend not to do these people such a "favor". Because a) time spent (for what benefit). Running a public mail server with some useful security (against external threats) ... even the log reading time alone can be a notable amount. b) It's an invitation to become their free support guy for every other computer problem too. Then you have a fulltime job with 0 payment. – deviantfan Jul 29 '18 at 13:44
  • @deviantfan - I trust myself. But I have principles too, and the one doesn't exclude the other. I have to do it for myself, and I've been asked to let some family/friends use it. The question isn't about "should I". It's about how to best implement my personal principles, in doing so. Which in this case, is a technical infosec question. What can a sysadmin do, in setting up an email system, if they want to ensure it places a high premium on others' privacy? – Stilez Jul 29 '18 at 14:06
  • @Stilez Is there anything else you want me to add to my answer? – forest Mar 14 '21 at 06:45

1 Answer


If you are the administrator and have full access, there is no practical way you can protect your users from you going rogue. You can encourage them to use PGP encryption or S/MIME, but you simply cannot protect them from yourself while still supporting standard, plaintext emails to arbitrary email providers. However, in the end, it is unlikely that you will be much of a threat to them. One moderately popular email service provided a quote explaining the situation perfectly:

Administering a mail host is sort of like being a nurse; there's a brief period at the start when the thought of seeing people's privates might be vaguely titillating in a theoretical sense, but that sort of thing doesn't last long when it's up against the daily reality of shit, piss, blood, and vomit.

Now that I think about it, administering a mail host is exactly like being a nurse, only people die slightly less often.

You may want to put yourself into a privacy mindset. You can do this by communicating to your users that you take their privacy seriously using more than a privacy policy with the tired old staged claims of taking your privacy "very seriously". For example, you may want to consider publishing all subpoenas you receive. You may want to encrypt the database and advertise that fact to show that you are trying to protect from HDD theft. You may even want to have an FAQ on the privacy problems inherent to email, in which you can and should explain that they need to trust you. Doing all of this will not only improve other people's trust in you, but will put you in a mindset where violating someone's privacy transitions from a mildly rude offense to an unthinkable violation.

forest
  • Interesting. But in this case the users would be close family who already trust me, and I trust myself. They aren't technical and won't know if I do more, and don't need me to. It's my own principles I want to walk as much as possible. If they used a third party email system, I'd say to consider what steps were taken to prevent misuse. I want to find what concrete technical steps I could take, to actually impede my own access, even if they aren't worried and even if I could work round it - not just write an FAQ and explain how boring it would be..... – Stilez Jul 30 '18 at 07:45
  • @Stilez How difficult do you wish to make your access? Remember that the more difficult it is to administer maliciously, the more difficult it is to administer honestly. – forest Aug 02 '18 at 01:27
  • The situation is, I want to be able to offer to host someone's email (family/friend, trusted sensible person), who has privacy/trust issues, and wants more control, would self host but lacks capability. I can self host easily, but I want to put the emails themselves and their administration "outside my own reach" for them. Ethics, I don't want them to have to "just believe" I didn't go and look. So essentially, making it visible (to another sysadmin) that I have locked myself out of access of their email's plain text. Yes I can disable, delete and damage the data and system, but I cannot actuall – Stilez Mar 15 '21 at 15:07
  • ....actually view their plain text/contents/settings. Only they can do that. Clearly this implies something like an encrypted VM I set up and only they have the login, or the email store is encrypted and contents decrypted client-side or.... dunno. But that's my best guess. – Stilez Mar 15 '21 at 15:12
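The "mail store encrypted so the admin only holds ciphertext" idea raised in the question and in the comments above, as an added example that is not from the thread or from any of the projects it names (Dovecot's mail-crypt plugin follows the same pattern; this is a constructed model, not its code). It assumes Ruby's bundled openssl extension (3.x API), a per-user X25519 key pair, and PBKDF2 for the password-derived wrapping key; the names enroll, deliver and read_all are invented here.

```ruby
require 'openssl'
require 'securerandom'
# Constructed model (not Postfix/Dovecot code): delivery needs only the user's X25519
# public key; the private key is stored wrapped under a password-derived key.
ITERS = 100_000

def aead(key, mode) # mode is :encrypt or :decrypt
  c = OpenSSL::Cipher.new('aes-256-gcm').send(mode)
  c.key = key
  c
end

def seal(key, plaintext)
  c = aead(key, :encrypt)
  c.iv = iv = SecureRandom.random_bytes(12)
  ct = c.update(plaintext) + c.final
  iv + c.auth_tag + ct # 12-byte nonce || 16-byte tag || ciphertext
end

def open_box(key, blob)
  c = aead(key, :decrypt)
  c.iv = blob[0, 12]
  c.auth_tag = blob[12, 16]
  c.update(blob[28..]) + c.final # wrong key => OpenSSL::Cipher::CipherError
end
def pw_key(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: ITERS, length: 32, hash: 'sha256')
end
def shared_key(priv, pub)
  OpenSSL::Digest::SHA256.digest(priv.derive(pub))
end
# Enrolment: make the user's key pair and wrap the private half under the password.
def enroll(password)
  priv = OpenSSL::PKey.generate_key('X25519')
  salt = SecureRandom.random_bytes(16)
  { pub: priv.public_to_der, salt: salt, messages: [],
    wrapped: seal(pw_key(password, salt), priv.private_to_der) }
end

# Delivery: ephemeral ECDH against the stored public key; no user secret is touched.
def deliver(mailbox, body)
  eph = OpenSSL::PKey.generate_key('X25519')
  mailbox[:messages] << [eph.public_to_der, seal(shared_key(eph, OpenSSL::PKey.read(mailbox[:pub])), body)]
end

# Reading: only the password unwraps the private key; any other caller fails there.
def read_all(mailbox, password)
  priv = OpenSSL::PKey.read(open_box(pw_key(password, mailbox[:salt]), mailbox[:wrapped]))
  mailbox[:messages].map { |eph_der, blob| open_box(shared_key(priv, OpenSSL::PKey.read(eph_der)), blob) }
end
```

Only the password unwraps the private key, so a disk image, a backup or an admin browsing the spool sees ciphertext; the admin still sees the password at IMAP login and can change the server software, which is exactly the residual trust the answer describes.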