Setting Postfix to encrypt all traffic when talking to other mailservers

Update Aug 9, 2013: The biggest German email providers are currently running a big marketing campaign and promise secure email. They are using the same technique described on this page. After checking my logs, I can confirm that GMX-emails were delivered unencrypted on Aug 5, but arrived encrypted on Aug 6.

Thanks to Mr. Snowden, we know two important facts about the world of security and email:

First, most governments in the world will eavesdrop and store your communication, if they get the chance. They don't have a specific reason and the benefits are highly disputed.

Second, your users can't/won't use PGP or S/MIME to encrypt their email.

The job is left to admins. We need to maximize usability and compatibility while ensuring that user data stays confidential. If you are running Postfix, I'd like to draw your attention to some useful settings that will protect your users' email in transit. If emails stay on the same server, or the other server is secured as well, there is little chance to intercept messages on a large scale. If your users are sending emails to Gmail or Hotmail, then interception is still possible at the receiving end.

Make Postfix encrypt messages at all stages of delivery.
Figure 1: Vulnerability of email-messages in transit.

M/Monit preparing new monitoring tool

Since my webserver broke down while I was caught on a ship to Japan, I have relied on the excellent monit to keep an eye on all my important services.

Currently its inventors, who give the client version away for free, are working on a remarkable evolution of their M/Monit tool, a solution to keep track of multiple monit instances. It used to only give you alarms and show events. Now it will record your system load and memory usage.

If you already have monit installed, this is a great complement. Find out about the beta-version here.