Basic email security - why is GPG so rare - etc.

I find it hard, next to impossible, to get companies to post public GPG keys for their email addresses. It seems I have to accept that this is simply not going to happen, and that I have to live with sending regular emails. That's all people seem to know out there.

Is regular email, without GPG (or S/MIME, which I know nothing about), really enough for email security? Here I'm obviously talking about just server-to-server security, where no middle man can see the email. Obviously, without GPG the email providers will still be able to read the email. It seems I have to live with this risk. It's good enough for now.

So my question is, can I somehow determine from /var/log/mail.log (Postfix) whether my email was sent to a particular email address, or whether an email from a particular address was received, in a secure fashion? If so, how do I determine this?

Answers to the above questions and any other related thoughts that come to mind on email security, GPG, etc. would be highly appreciated.

4 Replies

On second thought, server-to-server is not enough. There is also the server to mail client (via IMAP/POP) on the other side. Who knows what kind of security that has, if any at all.

It seems to me like email is just an overall insecure communications method. If so it bothers me how commonly used it is.

Again, I ask for your thoughts about these issues. Correct me if I'm wrong. Are my worries unfounded?

People gave up on privacy long before the whole Snowden escapades.

For the majority of email, who cares if "other people" read it. Since the beginning of email, it was always advised to treat email like a postcard, not a sealed letter.

Real secure communications requires quite a bit of pre-communication prep (hence the lack of widespread adoption). I find it easier to use a word processor, encrypt that file, then just send the file as a regular email attachment (works as well for moving stuff via dropbox, etc). But I only worry about passwords, financial info, and my plot to take over the government (just kidding nsa).

I think every encrypted email scheme that attempted to make it point-n-click easy has failed to date.

Thunderbird used to have a plug-in to sign/encrypt email, I don't know if that is current or abandoned.

Your best bet… shave one of your slaves' heads, tattoo the message on their scalp, let the hair grow back, then send your slave to the recipient.

Thunderbird still has Enigmail, which is actively supported (I use it). All my emails are signed by default; sometimes people send me encrypted mail, but only once in a blue moon. The biggest thing against GPG is you can't read it in your web mail client (yet).

Some MTAs will note in the Received: header if TLS was used; many do not (Postfix does not by default).

The Postfix docs tell about how to enable logging of TLS negotiation.
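An added example, not code from any of the posters above: once the Postfix SMTP client logs TLS handshakes (`smtp_tls_loglevel = 1` in `main.cf`), the handshake line and the delivery line in mail.log can be paired by smtp process ID and relay. The sample log lines are constructed, the function name is hypothetical, and the sketch covers outbound mail only.

```python
import re

# Constructed sample lines in the format Postfix writes with smtp_tls_loglevel = 1.
SAMPLE_LOG = """\
Jan 10 09:15:01 mail postfix/smtp[2101]: Untrusted TLS connection established to mx.example.org[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 09:15:02 mail postfix/smtp[2101]: 4A1B2C3D4E: to=<alice@example.org>, relay=mx.example.org[192.0.2.10]:25, delay=1.2, delays=0.1/0/0.6/0.5, dsn=2.0.0, status=sent (250 2.0.0 OK)
Jan 10 09:16:40 mail postfix/smtp[2107]: 5F6A7B8C9D: to=<bob@example.net>, relay=mail.example.net[198.51.100.7]:25, delay=0.8, delays=0.1/0/0.3/0.4, dsn=2.0.0, status=sent (250 OK)
Jan 10 09:17:05 mail postfix/smtp[2101]: 6E7F8A9B0C: to=<carol@example.com>, relay=none, delay=30, delays=0.1/0/30/0, dsn=4.4.1, status=deferred (connect to mx.example.com[203.0.113.5]:25: Connection timed out)
"""

# "<Trust level> TLS connection established to host[ip]:port: protocol and cipher"
TLS_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: (\w+) TLS connection established to (\S+): (.+)$")
# "QUEUEID: to=<rcpt>, relay=host[ip]:port, ..., status=sent|deferred|bounced"
DELIVERY_RE = re.compile(
    r"postfix/smtp\[(\d+)\]: ([0-9A-Za-z]+): to=<([^>]*)>,"
    r".*?\brelay=([^,\s]+),.*?\bstatus=(\w+)")


def outbound_tls_report(log_text):
    """Return (recipient, relay, status, tls) per delivery attempt.

    tls is the most recent handshake the same smtp process logged for that
    relay, or None if no handshake was logged (treat as possibly plaintext).
    Heuristic assumption: no plaintext reconnect to the same relay by the
    same process between the handshake and the delivery line.
    """
    handshakes = {}  # (pid, relay) -> "Untrusted TLSv1.2 with cipher ..."
    report = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            pid, trust, relay, details = m.groups()
            handshakes[(pid, relay)] = f"{trust} {details}"
            continue
        m = DELIVERY_RE.search(line)
        if m:
            pid, _queue_id, rcpt, relay, status = m.groups()
            report.append((rcpt, relay, status, handshakes.get((pid, relay))))
    return report


if __name__ == "__main__":
    for rcpt, relay, status, tls in outbound_tls_report(SAMPLE_LOG):
        print(f"{rcpt:20} {status:9} {relay:32} {tls or 'no TLS handshake logged'}")
```

A handshake line only shows that the hop to the next server was encrypted; it says nothing about later hops or the recipient's IMAP/POP access.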
