Sending encrypted e-mail notifications from Sentinel


Recently I had a need for encrypting the e-mail notifications that Sentinel sends from e.g. correlation rules.

The e-mails were going to be sent outside the organization to an external e-mail address, and the requirement was that only the recipient should be able to read the messages which of course presents a problem when using e-mail.

Even if you are using SMTP over TLS you have no control of the actual SMTP server which in this case was a service hosted in the cloud.

We decided to use open source tools that were at our disposal.

We opted to use a local Postfix running on a Linux server on the same network as the Sentinel server as a relay that would encrypt the e-mail messages using S/MIME before sending them to the real SMTP server.

Postfix, for those who don't know, is a mail server. It has a neat extension mechanism that lets you write your own filter that processes e-mail messages before they are delivered.

In this case we would use a filter that would encrypt the message before sending it to the real SMTP server.

You can read more about Postfix filtering in the official documentation here.

Doing this was quite easy: we created a bash script based on the example in the official documentation, helped along by basic "Googling" skills.

What follows here is a simple walk through.

1. Create a local user on the Linux server where Postfix is running. This user will own the script.

    1. We decided on a user called filter.
    2. A home directory was created under /home/filter.
    3. A work directory was created under /home/filter.

2. In the /home/filter directory we placed the X.509 certificate that would be used for encrypting the e-mail. Note that you only need the certificate and not the private key for encrypting.

3. A bash script was created under /home/filter/. The script follows below:

        #!/bin/sh
        # Simple shell-based filter. It is meant to be invoked as follows:
        # /path/to/script -f sender recipients...

        # Localize these. The -G option does nothing before Postfix 2.3.
        SENDMAIL="/usr/sbin/sendmail -G -i"   # NEVER NEVER NEVER use "-t" here.
        # Work directory created in step 1 (the directory name is assumed here);
        # the filter user must own it.
        INSPECT_DIR=/home/filter/work
        # Recipient's X.509 certificate from step 2; replace with your own file name.
        CERT=/home/filter/recipient.crt

        # Exit codes from <sysexits.h>
        EX_TEMPFAIL=75
        EX_UNAVAILABLE=69

        # Clean up when done or when aborting.
        trap "rm -f in.$$ in.$$.encrypted" 0 1 2 3 15

        # Start processing.
        cd "$INSPECT_DIR" || {
            echo "$INSPECT_DIR does not exist"; exit $EX_TEMPFAIL; }

        cat >in.$$ || {
            echo "Cannot save mail to file"; exit $EX_TEMPFAIL; }

        # Manual test of the encryption command, kept for reference:
        #openssl smime -encrypt -out encrypted.txt -in testmessage.txt name_of_the_certificate_used_for_encryption.crt
        # Specify your content filter here.
        # filter <in.$$ || {
        #     echo Message content rejected; exit $EX_UNAVAILABLE; }

        # Perform encryption here using OpenSSL. The Subject, To and From headers
        # are read from the saved message with formail so that they can be placed
        # on the outer (unencrypted) headers of the S/MIME message.
        SUBJECT="$(formail -x Subject: <in.$$)"
        TO="$(formail -x To: <in.$$)"
        FROM="$(formail -x From: <in.$$)"
        openssl smime -encrypt -aes256 -in in.$$ -out in.$$.encrypted \
            -subject "$SUBJECT" -to "$TO" -from "$FROM" "$CERT" || {
            echo "Problem encrypting message"; exit $EX_UNAVAILABLE; }

        $SENDMAIL "$@" <in.$$.encrypted

        exit $?

4. The actual work is done on the line which begins with openssl. We are using the good old OpenSSL S/MIME utility to encrypt the message with AES-256. The result is then fed back to Postfix, which sends the encrypted message.

5. The CERT variable should of course point to the certificate you will be using.

6. After creating the script we must tell Postfix to use it.

    1. We edit /etc/postfix/ and add the following to the end of the file.

            filter unix - n n - 10 pipe
              flags=Rq user=filter null_sender=
              argv=/home/filter/ -f ${sender} -- ${recipient}

    2. Next we save the file, restart Postfix and test this by sending messages to the Postfix server using mutt from another Linux machine.

            echo "This is a test" | mutt -s "Subject here" -c -y

    3. We can check what happens on the Postfix server by looking in the /var/log/mail.log logfile.

7. The final step was to configure Sentinel to use the Postfix server as its SMTP server and we were done.
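As an added, stand-alone check that is not part of the original walkthrough, the following shell script exercises the same openssl smime -encrypt call the filter makes, without needing Postfix, Sentinel or formail. It creates a throw-away self-signed recipient certificate, encrypts a constructed test message with AES-256, confirms the sensitive body text is no longer visible in the output, and then decrypts with the matching private key to prove the intended recipient can still read it. All file names, addresses and message contents are constructed for the demonstration; only the openssl binary is required.

```shell
#!/bin/sh
# Added example: offline round trip of the S/MIME encryption step used by the
# Postfix filter. Everything here (paths, addresses, message body) is constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' 0 1 2 3 15

# 1. Throw-away recipient key pair and certificate. The real filter only needs
#    the .crt; the .key exists here only so the round trip can be verified.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=recipient@example.org" \
        -keyout "$WORK/recipient.key" -out "$WORK/recipient.crt" >/dev/null 2>&1
}

# 2. Constructed test message, shaped like what Postfix hands to the filter.
write_test_message() {
    cat >"$WORK/in.txt" <<'EOF'
From: sentinel@example.org
To: recipient@example.org
Subject: Sentinel correlation alert
Content-Type: text/plain

SECRET-ALERT-BODY: host db01 reported 500 failed logins
EOF
}

# Pull one header value out of the saved message (stands in for formail -x).
header() { sed -n "s/^$1: //p" "$WORK/in.txt" | head -n 1; }

# 3. The same encryption call the filter script makes, with the outer headers
#    copied from the original message and every value quoted.
encrypt_message() {
    openssl smime -encrypt -aes256 \
        -in "$WORK/in.txt" -out "$WORK/in.txt.encrypted" \
        -subject "$(header Subject)" -to "$(header To)" -from "$(header From)" \
        "$WORK/recipient.crt"
}

# Returns 0 only if the sensitive body string is absent from the encrypted file,
# i.e. the relay (and anyone reading the upstream SMTP traffic) sees no plaintext.
body_is_hidden() { ! grep -q "SECRET-ALERT-BODY" "$WORK/in.txt.encrypted"; }

# 4. What the recipient does on their side: decrypt with the private key.
decrypt_message() {
    openssl smime -decrypt -in "$WORK/in.txt.encrypted" \
        -recip "$WORK/recipient.crt" -inkey "$WORK/recipient.key" \
        -out "$WORK/out.txt"
}

# Returns 0 only if the decrypted text contains the original body line.
roundtrip_ok() { grep -q "SECRET-ALERT-BODY: host db01" "$WORK/out.txt"; }

# Runs all four steps in order; returns nonzero as soon as one of them fails.
run_check() {
    make_test_cert && write_test_message && encrypt_message && body_is_hidden \
        && decrypt_message && roundtrip_ok
}

run_check && echo "S/MIME round trip OK"
```

Running the script prints "S/MIME round trip OK" when encryption and decryption both succeed; the body_is_hidden step is the one worth keeping in mind for the production filter, since a filter that fails open would hand the relay an unencrypted message.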


