If you’re like me, you have a number of servers running on the wider internet. These servers generate a whole bunch of system emails that are really valuable to an administrator to keep track of the health of their system, but could also give valuable and exploitable information about your system to the bad guys, and since many administrators automatically forward these emails to an external address, it’d be handy if they were automatically encrypted.

Thankfully, on unix at least, this is relatively straightforward.

Setting up an encrypted forward…

  1. Firstly, install the packages you need:

    apt-get install procmail gnupg

  2. Next, in the account you use to forward your email (usually root email is redirected to a non-privileged user, check /etc/aliases), install the public key of the account you’re forwarding messages to:

    gpg --import /path/to/public.key

  3. Now, install the following script in ~/.procmailrc:

    SUBJECT=`formail -xSubject:`
    FROM=`formail -xFrom:`
    :0 c
    |formail -I "" | gpg --trust-model always -ear "you@example.com" | mail -r "$FROM" -s "$SUBJECT" you@example.com

If this works, you’ll have an unencrypted copy of the email left on the server, but anything that gets sent externally will be encrypted with your public key.

Thanks to DRG, for the original script for this, which I modified.