Setting up a NetBSD machine to handle secure communications. This will just be a simple mail server that people can log in to, launch pine, and leave emails for other users.
At this time no POP/IMAP/SMTP access is planned nor needed. This is not intended to be a mail server for external email but rather just for secure internal communications.
Setting up CGF using CGD in NetBSD
1) Find a place to store the raw encrypted data.
# mkdir /encrypted
2) Create a file to store the encrypted mail in. For my setup I’m going to use a 2GB file.
# dd if=/dev/zero of=/encrypted/usr.cdg bs=1m count=2048
# chmod go-rwx /encrypted/usr.cdg
# vnconfig vnd0 /encrypted/usr.cdg
3) Now we generate the cgd(4) parameters file, using AES-CBC with a 256-bit key. The parameters file (/encrypted/usr.cgd) is separate from the backing file created in step 2: it records the algorithm, the key-generation salt and the verification method, not the key itself, so it must be kept alongside the data:
# cgdconfig -g -V disklabel -o /encrypted/usr.cgd aes-cbc 256
4) Configure cgd0 on top of the vnd device and set up the filesystem. On this first run the passphrase is entered twice (-V re-enter), so a typo cannot leave you with a volume whose passphrase you do not actually know:
# cgdconfig -V re-enter cgd0 /dev/vnd0a /encrypted/usr.cgd
/dev/vnd0a's passphrase:
re-enter device's passphrase:
# newfs /dev/cgd0a
5) Mount the new encrypted CGF.
# mount /dev/cgd0a /user
To detach it again, reverse the order: unmount the filesystem (using the same mount point you mounted it on), unconfigure cgd0, then detach vnd0.
# umount /secure
# cgdconfig -u cgd0
# vnconfig -u vnd0
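Since the volume has to be attached by hand after every reboot and detached before shutdown, the three-step sequence above is worth wrapping in a script. The following is an added example, not part of the original page: it reuses the page's paths for the backing file (/encrypted/usr.cdg), the parameters file (/encrypted/usr.cgd) and the vnd0/cgd0 units; the script name cgdmail.sh, the default mount point /secure (the page mounts on /user but unmounts /secure) and the DRYRUN switch are assumptions. Before attaching, it checks that the backing file still has no group/other permission bits, which is the chmod go-rwx from step 2, and each step only runs if the previous one succeeded.

```shell
#!/bin/sh
# cgdmail.sh: attach or detach the cgd-backed mail volume built above.
# Added example, not code from the original page. Backing file, params
# file, vnd and cgd units come from the page; the mount point default,
# the script name and the DRYRUN switch are assumptions.

BACKING=${BACKING:-/encrypted/usr.cdg}   # raw encrypted data, created with dd (step 2)
PARAMS=${PARAMS:-/encrypted/usr.cgd}     # parameters file written by cgdconfig -g (step 3)
VND=${VND:-vnd0}
CGD=${CGD:-cgd0}
MNT=${MNT:-/secure}                      # assumption: the page mounts on /user, unmounts /secure
DRYRUN=${DRYRUN:-0}                      # 1 = print the commands instead of running them

# Run a command, or just print it when DRYRUN=1.
run() {
    if [ "$DRYRUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Return 0 only if no group/other permission bits are set on the file,
# i.e. the chmod go-rwx from step 2 is still in effect. Uses ls(1)
# rather than stat(1) because stat's format flags differ between BSD
# and GNU; characters 5-10 of "ls -ld" are the group and other bits.
check_perms() {
    bits=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$bits" = "------" ]
}

# vnd provides the block device, cgd decrypts it, mount exposes the
# filesystem. cgdconfig takes its verification method (disklabel) from
# the params file, so a wrong passphrase fails at that step and nothing
# is mounted.
attach() {
    if ! check_perms "$BACKING"; then
        echo "refusing to attach: $BACKING is readable by group or other" >&2
        return 1
    fi
    run vnconfig "$VND" "$BACKING" &&
    run cgdconfig "$CGD" "/dev/${VND}a" "$PARAMS" &&
    run mount "/dev/${CGD}a" "$MNT"
}

# Tear down in reverse. If a user still has the mailbox open, umount
# fails and the chain stops, so cgd0 and vnd0 are never pulled out from
# under a mounted filesystem.
detach() {
    run umount "$MNT" &&
    run cgdconfig -u "$CGD" &&
    run vnconfig -u "$VND"
}

case "${1:-}" in
    attach) attach ;;
    detach) detach ;;
    "")     : ;;    # no arguments: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 attach|detach" >&2; exit 64 ;;
esac
```

Run it as root with `sh cgdmail.sh attach` after a reboot and `sh cgdmail.sh detach` before shutdown; `DRYRUN=1 sh cgdmail.sh attach` shows the exact commands it would issue without touching the devices. Because the permission check is done before vnconfig, a backing file that has been chmod'ed open by mistake is caught before any of it is exposed through a device node.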
Still to be added:
- Migrate home directory to the encrypted partition. This way the mail will be stored in the ~/mail, which will be on an encrypted partition. This partition will need to be manually mounted each time the machine is rebooted.
- Close the ports for incoming and outgoing mail, so that mail can only be sent and received internally. We don’t want people forwarding secure emails outside the secure environment.
- Set things up so that when someone logs in, they are immediately brought to the pine interface. (There’s no reason for users to know there’s anything other than strictly email going on here).