On Thu, 2025-05-01 at 17:35 +0000, Brendan Rempel wrote:
> Hi, I'm sure this has been answered before but a quick Google is
> coming back with unrelated links. Any ideas on how to encrypt
> outgoing email? I saw one example using OpenSSL to cURL which is a
> bit weird, but maybe? I'm trying to send localhost from
> OpenBSD/OpenSMTPD, so I don't need anything fancy.
>
> It's not required, just looking for a more secure way to send email
> verification codes and if anybody has done this before.
PGP and S/MIME are done in the email client. Most email clients support them. (I use Evolution and Alpine.) Mailx does not. :-)

Encrypting between client and MTA (e.g. OpenSMTPD) is done with TLS (port 465) or STARTTLS (port 587 or 25).

If you are concerned about the shadowy TLS cabal (that approves CAs for the default security policy of mainstream browsers and email clients), you are wise. Any of the CAs approved by the cabal can forge any cert for any domain. So when you control the clients, you can make your own CA, and either add it to the "trust to forge anything" list (simple for normies), or provide a PKCS#11 policy that trusts your CA only for your private domains/TLDs (and trusts cabal CAs only for ICANN domains).

Note that ICANN can forge any DNS records (and does so routinely for "takedowns" over alleged copyright violations). I've met the admin, and afaict he would never knowingly allow such a thing - but just sayin'. For this reason, you should have a private TLD (or use a blockchain distributed TLD provided by projects like Alfis). Clients should use DNS servers that serve your private TLD(s) as well as ICANN.
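As an added example (not from anyone in this thread), here is the client-to-MTA leg described above: a verification-code mail submitted to a local OpenSMTPD over STARTTLS on port 587, trusting only your own CA rather than the public CA store. The CA file path, host name, addresses and code value are assumptions; the server cert must name the host you connect to.

```python
# Added example: submit a verification-code mail over STARTTLS (port 587),
# trusting only a private CA. Paths, host and addresses are assumptions.
import smtplib
import ssl
from email.message import EmailMessage

PRIVATE_CA_FILE = "/etc/ssl/private-ca.pem"  # assumed: your own CA certificate


def build_client_context(cafile=None):
    """TLS client context that trusts exactly one CA bundle.

    With cafile set, only certs chaining to that file verify, so none of the
    public CAs can vouch for the private mail host. With cafile=None the
    system default store is used instead (for public hosts, or for tests).
    """
    # PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and check_hostname=True
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile is None:
        ctx.load_default_certs()
    else:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def build_verification_mail(sender, recipient, code):
    """Plain-text message carrying the one-time code (constructed content)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Your verification code"
    msg.set_content(f"Your verification code is {code}. It expires in 10 minutes.")
    return msg


def send_over_starttls(msg, host="localhost", port=587, cafile=PRIVATE_CA_FILE):
    """Submit msg to the MTA; refuse to fall back to cleartext."""
    ctx = build_client_context(cafile)
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("MTA did not offer STARTTLS; not sending in cleartext")
        smtp.starttls(context=ctx)  # ssl.SSLError if the cert does not chain to our CA
        smtp.ehlo()  # EHLO again after TLS, as RFC 3207 requires
        smtp.send_message(msg)


if __name__ == "__main__":
    mail = build_verification_mail("noreply@example.internal", "user@example.internal", "482913")
    send_over_starttls(mail)
```

Because the context never loads the public store when a CA file is given, a cert for `localhost` issued by any other CA fails verification and the code is not sent.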