Ask Slashdot: Secure, Yet Accessible E-mail Archive Storage?

New submitter mlts writes: As of now, I just leave E-mail in a 'received-2015' subfolder on my provider's server, adding a new folder yearly. With the rise of E-mail account intrusions (where even though I'm likely not a primary target, but it is a concern), what is a secure, but yet accessible way to archive E-mail? I'm far less worried about the FBI/NSA/Illuminati, as I am about having stuff divulged to all and sundry if a mass breach happens. A few alternative I've considered: 1) Running my own physical IMAP server. The server would run on a hypervisor (likely ESXi), have Dovecot limited to the VPN I use, and use other sane techniques to limit access. 2) Archive the E-mail files through a cloud provider, with a client encryption utility (EncFS, BoxCryptor, etc.) In this case, E-mail would be stored in a different file a week. 3) Move it to local storage on a virtual machine, and if access is needed, use LogMeIn or another remote access item to fire up Thunderbird to access it. What would be a recommended way to secure E-mail that sits around, for the long haul, but still have it accessible? Even if you're not specifically worried about it, keeping older email around on a provider's server opens you up to warrantless access by U.S. law enforcement officials.

pop3 to local machine, then backup

[i.r.id10t]

Pull it down to your local machine either via pop3 or just moving messages from your imap inbox to a local folder.

Then whenever you like, archive that off somewhere. You could even convert maildir format to mbox and then run something like mhonarc on it to make web pages of 'em all wtih indexes and such, and just archive off the HTML onto a CD/DVD/whatever.

All that said, why are you keeping it all? I've kept all of my work related email for 18 years now (same employer) on my local machine. I've gone thru a few things more than a year old just for giggles, and one time I needed a license number that was locked up in a filing cabinet but didn't have my keys that day... But mostly an email that is 2 months old or older just isn't needed (by me, for my work, your needs probably vary).

Re: pop3 to local machine, then backup

You're assuming it is actually deleted from the server.

Newb.

Re:pop3 to local machine, then backup

[ShanghaiBill]

All that said, why are you keeping it all?

A better question is "Why delete it?" Keeping it involves near zero effort and near zero cost. If deciding what to delete takes more than a few seconds, it is not cost effective. I have every email I have sent or received for the last 30 years (except for spam) and it fits in 10 cents worth of storage. Even if you count backups and redundant copies, it is under $1. My archive has come in handy many times, including helping a third party dismiss a $150,000 lawsuit from a patent troll by documenting prior art. That was worth $1.

Re:pop3 to local machine, then backup

Keeping it involves near zero effort and near zero cost.

Huh? Keeping it seems to be sufficiently problematic to warrant an "Ask Slashdot". That doesn't sound like "near zero effort" at all.

Re:pop3 to local machine, then backup

[tlhIngan]

A better question is "Why delete it?" Keeping it involves near zero effort and near zero cost. If deciding what to delete takes more than a few seconds, it is not cost effective. I have every email I have sent or received for the last 30 years (except for spam) and it fits in 10 cents worth of storage. Even if you count backups and redundant copies, it is under $1. My archive has come in handy many times, including helping a third party dismiss a $150,000 lawsuit from a patent troll by documenting prior art. That was worth $1.

No, the OP is asking why is it necessary to have all the emails from years past always accessible. At least his solutions all seem to imply online instant access to the archived emails.

It wasn't about deleting old emails - it was keeping them online 24/7. Which I find is a point - I have years of emails archived and backed up, but not instantly accessible - because after about 3 months, the frequency of access drops off considerably - from maybe once a month to less than once a year.

And if the OP is asking how to prevent a breach, the best way is to keep it offline - you can't get at data that's not stored accessibly.

So yeah, keep your email, but I've found I can put each year's worth on a DVD or something (multiply backed up) or external HDD, and put it on the shelf, because I'll rarely need to access it, so the extra effort doesn't matter. If I kept it all online, yes I could get to it in seconds rather than minutes, but I risk a security breach exposing everything.

So first, perhaps examine what emails you do access in the archive frequently and then make a copy of them elsewhere, then everything else you put locally and offline, safe from hackers (but not burglars!).

Re:pop3 to local machine, then backup

[dcollins117]

All that said, why are you keeping it all?

I keep every email sent and received (excluding spam) on a local Dovecot server. It's a wonderful resource. Every event important to me ends up in an email to somebody. I use the archived emails in lieu of a journal or diary as an effortless way to record my personal history.

Re:pop3 to local machine, then backup

[FrozenGeek]

Personal email, I don't much care to keep. Business email, OTOH, is very useful. I use it as a paper trail. If I need to recall something, it's probably in my email. When a damager, um, sorry, manager, asks why I didn't do X (or why I did do X or, well, you get the idea) when in fact I did it, I usually just forward him the email I'd sent him N months ago detailing that his request is complete. Don't do that a lot, but every time I get to do it, it makes my week. Since corporate email servers are supposed to be secure, particularly from internal tampering, they are a good storage facility. That said, if the email is something that worries me, I archive it locally.

I used to be the paranoid weirdo until Snowdon. Now I'm smarter than most.

Re:pop3 to local machine, then backup

[jabuzz]

Because the moment you decide to put a low power home server (say a sub 20W mini-ITX device) on your internet connection always on access to all your email becomes trivial that why not?

The combination of dovecot, fetchmail, roundcube and z-push running on top of CentOS is a tough combination to beat. Of course you might want to run a calendaring server as well.

Once you are down this path how about a Plex or Emby server; actually handling DVD's or BlueRays is for suckers :-)

If you don't fancy building it all yourself a number of the cheap NAS boxes can be extended to do all this for you instead.

If you have a "superfast" broadband connection (I have a 40/20Mbps FTTC connection and could go to 80/20 tomorrow all with a static IP) then all your options really open up. I tell you know your own private cloud is way cheaper than something run by someone else.

Finally If the government decides it wants access to my cloud storage at least I will know about it. No serving a warrant and gagging order to my provider.

Print it?

On paper

Local!

[Sir+Holo]

Back it up locally and encrypt the backup on an external drive.

then, either lock that in a safe-deposit box, have a friend hold it, or hide it in some random but physically secure location. A fire-proof safe in your basement would work.

It is the only way, if any still exists at all

And yes, I like to have access to 1990's emails sometimes. Or need to. The world does not need to see them. BTW, law enforcement, under USA PATRIOT or CISA or some court ruling, do not need a warrant to read any email older than one year.

Re:Local!

Keep in mind that most Emails are sent unencrypted. Even when it is encrypted, it does not stop the remote side from storing it without encryption (or with a decryption key that is readily available on the same system). Although you can go crazy with security on your local side, if your remote side has no security all that info may still be compromised.

Think carefully about your trust model and how you use Email. If the contents of your Inbox is really that sensitive, then perhaps you should not be using public services at all. Saying that differently, perhaps you should set up your own Email service on a server in a private VPN that runs over the Internet.

Re:Local!

[unrtst]

While I have not tried the following, I think it may be a pretty swell idea...

* Use S/MIME encryption for your encryption
* Setup a filter (could use fetchmail+procmail, or your email client's native filter stuff, or an external process in python/perl/whatever)
* On new mail receipt, get copy of email, encrypt the body via S/MIME ("openssl cms"; man cms; don't use the misleadingly named "openssl smime"), and save back to the server in a different folder.
* On all your email clients, just check that new folder only.

There may be some fudging necessary either when encrypting or when reading the email, since the emails aren't from you, so the default client behavior of using the FROM address to determine the encryption key will not work. However, you could either alter the from to your own while filtering, and backup the real from to X-From:, and update your client to display the X-From instead of the From... or trick your client into treating the folder as a sent mail folder (sent encrypted emails get encrypted by your own cert and saved to your sent mail folder already... and reading those already works).

While it may take a little bit of a kludge to get it working, once it works, it'd just work. All your emails would be separately stored on whatever IMAP server you like. You'd be able to read them via any client with S/MIME support (assuming you have your private key with you). FYI, there are browser plugins that make S/MIME work with some webmail providers too.

All the other suggested solutions I've seen boil down to:
* download to local computer
* encrypt it somehow and make encrypted backups
Those have many layers of things that are not easily accessible. I'd be more likely to go that route anyway (just fits the way I work already), but encrypting the messages within the IMAP server may be a nice solution for many other users.

Re:Local!

[mlts]

It is a good idea, but for transport encryption, S/MIME should be used between clients, or even better, PGP/GnuPG because it isn't relying on a root CA key for security.

For DAR (data at rest), I have done complex setups in the past which have bitten me in the rear more often than not... these days, I wind up using gnupg for files, EncFS for directories, VeraCrypt for file based drive images, and the OS's native block encryption (BitLocker, FileVault, LUKS) for physical drives.

Long term, I should consider setting up a VM [1] that actively uses fetchmail to grab data, then SSH in and use mutt to read it, but right now, I'm mainly looking at yanking moldy stuff from mail providers, and stashing it in a place where it is accessible via SSH, VPN, or a 2FA mechanism [2].

[1]: I like virtualizing all servers that don't require bare metal, if at all possible. For a home user, it makes life easy when you can tote an external USB flash drive [3] from one box to another with the virtual machine on it.

[2]: 2FA isn't a cure for all ills, but it does take a number of attacks off the table, especially coupled with Fail2Ban or another blocking utility.

[3]: Or an external USB SSD. Even on such a low speed port like USB 3, the fact that there isn't any seek time on the SSD is noticable with multiple VMs running on it.

Re:Local!

[allo]

That doesn't matter as much as you may think.

Of course, the people are having a copy of my mails. But when somebody searches my mails at my provider, they have everything concerning me. When they need to search the recipient/sender mailboxes, they have to search hundreds of mailboxes. And they need to know, whom to search. Without a copy of the mail in my mailbox or addressbook (online) its hard to know.

Using an Archive on a cloud provider...

[Lab+Rat+Jason]

... is just INCREASING your attack surface, not reducing it! I'd go with the local backup if I were you.

Re:Using an Archive on a cloud provider...

[MagickalMyst]

Mod +1

Re:Using an Archive on a cloud provider...

[Lab+Rat+Jason]

I dunno... ask Kim Dotcom. Is it really a reliable archive if it disappears overnight? If the online host is the ONLY place you keep your archive, then it's really not anymore secure than keeping it at your house... and for the record, I've lost more data to belly-up hosts than I have to house fires and bad drives, so statistically speaking, my house is more secure. Granted this is just one data point, but who knows... maybe OP has had a lot of house fires or something.

One other point I'd like to make, is that if your cloud secured email backup needs to be easily accessible, then that implies that you are going to be carrying the key with you... either in the form of a memorizable and possibly guessable password, or a physical item that contains your key... again increasing your attack surface. If you don't carry the key with you, then how is that different than keeping your email on a disk at home? Hopefully your key is fireproof.

The only place where your email is guaranteed to exist is on NSA servers... ya know, it seems like they've got an untapped business model there.

Run your own IMAP server

[PvtVoid]

Get an email account with any domain provider, and set it up to forward to your private server. Read mail by connecting to an account on the private IMAP server. No need to run your own SMTP server; outgoing mail can be handled by your domain provider.

Problem solved.

Re:Run your own IMAP server

[CWCheese]

That's what Hilary did

Re:Run your own IMAP server

[Simulant]

Mod +1. This is what I do, more or less.

Re:Run your own IMAP server

[PvtVoid]

And I'm sure your domain provider is happy to pass a copy over to the NSA.

It's pretty hard to send a fucking email without using the network, but luckily that's not the threat model being discussed. If you want to keep email secure from network surveillance, you encrypt it. If you want to reduce vulnerability to a storage breach, you store it locally.

Re:Wow That Sounds Hard

[MagickalMyst]

"I'd just use Outlook for the mail client."

One feature of M$ Lookout is it's built in VTP (virus transport protocol). And it is very effective, from what i've been told.

Hillary is that you?

[stevegee58]

Or your new IT guy?

My "solution"

My ISP (Comcast) won't allow me to run a fully functional mail server due to so many ports being blocked so I host my domain/mx record at Google for your Domain (got a free account way back when). I then have Thunderbird running 24/7 alongside my home mail server, automatically sucking down new mail from my gmail account and putting them in the inbox of my own server. I still have to periodically go and delete all mail on gmail because I've not figured out how to automatically & permanently delete them (or sent mail) from an IMAP client. I also use Google's servers as a smart host for outbound mail, so when an email client it setup to send/receive mail to my server, it all works, just on alternate ports. TLS all around.

So.... there's a limited amount of my email sitting in gmail trash at any given moment, while I have access to all of my email on my own server via imap on all of my devices.

It was the best I could come up with on my very low budget. I do it less from a fear of google/government snooping (though that bothers me) than from a fear of hackers getting into my gmail account. My own server is a much smaller and more obscure target...

money

[zlives]

you could set up journaling locally. decent solutions exist to dedupe compress and encrypt.

The Only Safe Place

[TheAngryCat]

Is locked away in your home or in a secure place at your place of work. Everyone so far is telling you the obvious, nothing is safe or secure in the cloud.

Archive Software

[MichaelMac]

There's a software solution for this. The most secure way is on your own computer. Using IMAP to download those directly from your provider so you can then delete them. Webmail Archive Manager does just this. Downloads all emails in any folder(s) that you select. It has the entire email (text, rendered/code html, attachments, all the recipients, all the CCd and the full header for forensics). You can search, reorganize, whatever you like. I'm not sure what the policy is on links but it's here: http://maxedge.com/ If that link doesn't show up, just google Webmail Archive Manager....it's by MaxEdge. Oh...it's cheap too. -MichaelMac

Re:Archive Software

[KelseyFox]

If you have software that will handle this, I think that's the way to go. It's not secure or safe until you get it on your own systems. Direct download from your provider is "cleaner"...IMHO. Kelsey

Re:Archive Software

[Wolfrider]

--I looked into that, downside is that it seems to be Windows-only. Would prefer a Linux-based solution because MS/Windows "as we know it" may not be around 5 years from now**. Piler software looks interesting.

/ **although don't get me started on Linux+ systemd, that's a whole other gripe

Re:Archive Software

[MichaelMac]

Ahhh. It is Windows only. I know what you mean...I've been playing with Linux for years, but now I'm actually looking to see if I can seriously switch over.

Ask Hillary

Monica's ex-boyfriend's wife can tell you how to do this.....

a strange solution

[nimbius]

Im sure ill get downvoted for offering a non-solution but, bear with me...I think you need to take a more practical and meaningful approach to email in general...

speaking as an email administrator, Yearly archives of email are the virtual equivalent of an elderly hoarder with shoeboxes full of random correspondence. Once something is deleted, consider deleting it for good. Create a policy that, after 1 year or 30 days or $n amount of time, mail is automatically deleted regardless of whether its been read. if youve been mailed something for your personal record and its not in PDF format, click print-to-pdf, store it in an encrypted drive, and delete that message immediately. If you need information from the email for later use beyond the period of deletion then theres most surely a date youll have to act upon it. store it as a reminder in a calendar, and delete the email. the less email you have, the safer you are because youre being accountable for the data and information you're entrusted with by your peers...not just shoeboxing it.

Own IMAP server

[demon+driver]

As some others recommended, I use my own IMAP server – both for holding my complete mail archive (I once used the aid4mail tool to transfer my mail client based archive from Thunderbird to the IMAP server) and for continuously receiving (fetching) current e-mail from every active mail account I have. It is the one point of access for my email, whether I'm at home or on the road, from whatever device, and I have access to every single mail I have ever received or written (and not discarded...) from wherever I might be. Personally, I haven't implemented strong safety measures yet, actually I'm running hmailserver on a Windows machine which isn't really what I would call a wise solution, but so far it works perfectly well, as long as the server's internet connection is alive...

Thunderbird Local Folder

[corychristison]

I personally store archives emails in a local folder in Thunderbird on my primary workstation.

I then have it backup regularly to a secondary ("backup") drive installed in the system.

From there I have the backup drive encrypt and sync to a backup server (in a vm on a dedicated box) I have in a datacenter for disaster recovery.

Thunderbird automatically creates an Archives folder, with sub-folders of each year, when you use the "Archive" button.

Works for me. YMMV.

My own solution

[CanadianMacFan]

I have my own domain which I host at zoho.com for free since I only need one account. I only use that for incoming mail and spam filtering. Anything I want to keep I transfer over to the IMAP server that's running on my Synology NAS.

UNIX mail spool files will be accessible forever

[chaoskitty]

Just keep standard UNIX mail spool files locally, if you're worried about it.

Also, a mail server is not physical if it runs under a hypervisor, unless you physically have the box that runs both in your possession. You'll all see - hypervisors will be shown to be manipulated by cloud providers and/or TLA agencies to extract data from virtual machines without the virtual machines' admins knowing anything about it.

Re:UNIX mail spool files will be accessible foreve

[mlts]

I should have been a tad clearer in my post. The machine would physically sit at a location I (hopefully) control, so it would be in my physical possession. The reason for a hypervisor is so that the VM used for stashing archived mail would be able to be passed from bare metal to bare metal install as time goes on, without need to rebuild the system. It makes backups easy as well, where I just power the VM off, plug a USB drive into the host, mount a VeraCrypt volume, export the VM as a .OVA file, dismount the .hc file and drive, call it done. This isn't fancy, but snapshots taken often combined with monthly/quarterly exports to offsite media should cover things fairly reliably. If the data is vital, I toss it into one IMAP folder, encrypt that folder via PGP, GPG, VeraCrypt or some other brute-force resistant method, then toss it onto Amazon Glacier to rot as the backup of last resort.

TLAs are really not on my threat model, so I treat hypervisors the same as operating systems. However, I do like keeping communications with clients around for a period of time before dumping it, as a best practice, so I'm mainly concerned with an E-mail provider getting breached and wide swaths of users having their stuff made into torrents.

Re:Local! Agree ... but

[unrtst]

So let's be reasonable. Encrypt when needed, and take reasonable precautions, but don't make yourself a target.

If you only encrypt** that which needs special precautions, then you're making it EXTREMELY easy to target the messages that are important.
If you're going to encrypt, encrypt everything. This advice is also good for things like vpn use, proxy use, tor use, etc.

** ... or do anything out of the ordinary, like deleting it, or moving it to a different folder, or only downloading those messages, etc.

None of your bullet points are a negative to S/MIME use. The only edge case one is that the NSA may hold all your email because it is encrypted, but:
1. Who cares? I mean, I do from an overall rights issue, and I think it's wrong, but they're not going to leak stuff to my employer or any other trivial things.
2. The more we make them store (ie. if everyone encrypts everything), the less useful and feasible their selective storage becomes.
3. If you're actually worried about that, then your advice to selectively encrypt only when needed is debunked even further.

Acting out of the ordinary can draw attention, as you noted. The answer is to make encryption on many levels the norm for all trivial stuff, from slashdot to txt's to calls to ordering pizza etc. Then, when you do need it for something, it'll look absolutely normal.

Re:EncFS buggery

[allo]

modern filesystems have no 255 char limit.