exim-encrypt-dlfunc
This library injects functions for string encryption and decryption into exim4. It is basically glue code that exports certain parts of the libsodium library to exim at runtime.
Installation
These instructions are currently only tested on Debian Linux.
- Install development tools and libsodium development files:
apt-get build-essential exim4-dev libsodium-dev meson pkg-config openssl exim4-daemon-heavy
- Clone this repository:
git clone https://git.scc.kit.edu/mail/exim-encrypt-dlfunc.git
cd exim-encrypt-dlfunc
- Build and test everything:
meson build # run only once
meson compile -C build
meson test -C build
- Copy to final destination (feel free to pick another place than
/usr/local/lib/):
meson install -C build
-
Ensure you have the correct exim build:
Not every build of exim is able to load libraries at runtime. Please refer to the documentation of the
${dlfunc{…}}function for details. exim from the debian packageexim4-daemon-heavymeets all the requirements.
Usage
There are currently two pairs of functions:
Symmetric encryption that derives its key from an ASCII string:
sodium_crypto_secretbox_encrypt_password(password, cleartext) → ciphertextsodium_crypto_secretbox_decrypt_password(password, ciphertext) → cleartext
The generated key is only as strong as the provided password.
Public key encryption that uses a key pair that needs to be created beforehand:
sodium_crypto_box_seal(public key, cleartext) → ciphertextsodium_crypto_box_seal_open(private key, public key, ciphertext) → cleartext
The second pair needs a proper key pair in the correct format. This is what the
generate_encryption_keys utility is for. Simply run it once to generate a pair. Be aware that every invocation will
overwrite the previous key pair without confirmation! Please save both parts in a safe place before proceeding.
$ ./generate_encryption_keys
=== Creating cryptobox key pair ===
Wrote »cryptobox_recipient_pk_exim.conf«
Wrote »cryptobox_recipient_pk.raw«
Wrote »cryptobox_recipient_sk_exim.conf«
Wrote »cryptobox_recipient_sk.raw
The *_exim.conf files contain the keys in a format that can simply be used in
exim.conf (the first line contains the key as a C code comment and can usually be discarded):
$ cat cryptobox_recipient_pk_exim.conf
# const unsigned char cryptobox_recipient_pk[32] = { 0xda, 0x46, 0xc8, 0x75, 0x2b, 0x31, 0xd9, 0x0c, 0x83, 0x54, 0x2d, 0x18, 0xda, 0xdc, 0xe5, 0x2d, 0x0e, 0x10, 0xe8, 0x0c, 0x39, 0xde, 0xaf, 0x30, 0x7e, 0xab, 0xca, 0x4d, 0xed, 0x26, 0x4d, 0x6e }; const unsigned int cryptobox_recipient_pk_length = 32;
cryptobox_recipient_pk = "2kbIdSsx2QyDVC0Y2tzlLQ4Q6Aw53q8wfqvKTe0mTW4="
The *.raw files contain the same key without any formatting; these files are not needed for usage with exim but are
generated as convenience when writing your own tools.
Example: remove X-Originating-IP: header
This example's use case was the initial reason to develop this library: remove the X-Originating-IP header to preserve our user's privacy but also keep the information in the final e-mail to enable response to complaints and abuse (the original header is usually provided in these cases). Add this snippet to your DATA ACL section in exim:
warn log_message = Removing X-Originating-IP header
condition = ${if def:h_X-originating-IP: {1}{0}}
add_header = X-KIT-Orig-IP-PKK: ${dlfunc{/usr/local/lib/libexim-encrypt-dlfunc.so} \
{sodium_crypto_box_seal} \
{ktp1OEEItrgvSfpVTtu+ybyNjzuuN8OzCdfrGAJt4j8=} \
{$h_X-originating-IP:}}
add_header = X-KIT-Orig-IP-Pass: ${dlfunc{/usr/local/lib/libexim-encrypt-dlfunc.so} \
{sodium_crypto_secretbox_encrypt_password} \
{This is a very non-secret key} \
{$h_X-originating-IP:}}
remove_header = X-Originating-IP
Pick one of the add_header lines depending on which kind of encryption you want.