How to Encrypt OSSEC Email Alerts

You can use procmail to encrypt the email alerts that OSSEC sends. This article explains one of the many ways to achieve this.

I did this by using the following:

  • Ubuntu 12.04 LTS
  • procmail
  • postfix
  • gnupg
  • Another SMTP server

First, edit your OSSEC configuration at /var/ossec/etc/ossec.conf so that it sends its alert mails to the root account on localhost.

Then forward those alerts to the ossec account by adding an alias:

echo "root: ossec" >> /etc/aliases
postalias /etc/aliases

Tell postfix to use procmail as LDA (Local Delivery Agent):

vim /etc/postfix/

Insert this on the first line:

mailbox_command = /usr/bin/procmail

Your postfix configuration needs to look similar to this:

# See /usr/share/postfix/ for a commented, more complete version
mailbox_command = /usr/bin/procmail

smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)

myhostname =
myorigin = $myhostname
mydestination = hostname localhost
relayhost =
relay_domains =
mynetworks = [::ffff:]/104 [::1]/128
inet_interfaces = all

Reload postfix:

postfix reload

Import the public PGP key and assign the right permissions to the .gnupg directory:

gpg --homedir /var/ossec/.gnupg --import pubkey.asc
chmod -R 700 /var/ossec/.gnupg
chown -R ossec:root /var/ossec/.gnupg

Create a procmail recipe. LOGFILE points procmail at the log file created further down, SUBJECT captures the original Subject header so the encryption script can reuse it, and the c flag hands a copy of every message to the script. Note that with the c flag the original message still lands in the local mailbox unencrypted; drop the c if you do not want that plaintext copy kept. The file name of the encryption script is truncated in the original, so substitute your own.

vim /var/ossec/.procmailrc

LOGFILE=/var/log/procmail.log
SUBJECT=`formail -xSubject:`
:0 c
| /var/ossec/<encryption-script>

Create a script that encrypts the mails. formail -I removes one header (which one is truncated in the original), gpg encrypts everything that remains as ASCII-armoured output for the recipient key (its ID is truncated too), and mail sends the ciphertext with the original subject; the recipient address for mail is missing from the original as well, so supply your own. Because --trust-model always bypasses key validation, verify the imported key's fingerprint against a trusted source before relying on it.

vim /var/ossec/

#!/bin/sh
/usr/bin/formail -I "" | /usr/bin/gpg --homedir /var/ossec/.gnupg --trust-model always -ear "" | /usr/bin/mail -s "$SUBJECT"

Give it execute permissions and the right owner:

chmod +x /var/ossec/
chown ossec:root /var/ossec/

Create the procmail log file, and give it the right permissions and owner:

touch /var/log/procmail.log
chmod 660 /var/log/procmail.log
chown ossec:root /var/log/procmail.log

This should work. If it doesn’t, check /var/log/mail.log and /var/log/procmail.log.
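The following is an added example, not the article's script, that does the same job as the shell pipeline above as a stdin-to-stdout filter you can call from the procmail action line. It makes the pieces the article elides explicit as parameters: the headers stripped before encryption (HOP_HEADERS is my assumption; the article strips one header whose name is truncated), the recipient key ID, and the destination address (both example values). It also shows the one thing the article's design leaves in the clear: the Subject, which for an OSSEC alert names the host and the alert level, so keep_subject=False replaces it with a fixed string. The sample alert is constructed; gpg on PATH, the article's homedir and /usr/sbin/sendmail are assumed.

```python
"""Added example (not the article's script): encrypt an OSSEC alert mail read
from stdin and hand the result to sendmail, mirroring the article's
formail | gpg | mail pipeline with the elided parts made explicit."""
import subprocess
import sys
from email.message import EmailMessage
from email.parser import BytesParser
from email.policy import default
from typing import Callable, Iterable

GNUPG_HOME = "/var/ossec/.gnupg"  # homedir from the article
# Transport headers dropped before encryption. Assumption: the article's
# `formail -I` strips one header whose name is truncated; these are the usual
# hop headers that only describe local delivery.
HOP_HEADERS = ("Received", "Delivered-To", "Return-Path", "X-Original-To")


def gpg_encrypt(plaintext: bytes, recipient: str, homedir: str = GNUPG_HOME) -> bytes:
    """ASCII-armoured encryption to `recipient`, the same flags as the article's
    `gpg -ear`. --trust-model always skips web-of-trust checks, so the key's
    fingerprint must have been verified out of band when it was imported."""
    proc = subprocess.run(
        ["gpg", "--homedir", homedir, "--batch", "--trust-model", "always",
         "--armor", "--encrypt", "--recipient", recipient],
        input=plaintext, capture_output=True, check=True)
    return proc.stdout


def encrypt_alert(raw: bytes, recipient: str, to_addr: str,
                  encrypt: Callable[[bytes, str], bytes] = gpg_encrypt,
                  strip: Iterable[str] = HOP_HEADERS,
                  keep_subject: bool = True) -> EmailMessage:
    """Build the outbound message: the ciphertext of the original alert (its
    headers included, hop headers removed) as the body, and only To and Subject
    in clear. The article forwards the original Subject; since an OSSEC subject
    names the host and alert level, keep_subject=False sends a fixed one."""
    original = BytesParser(policy=default).parsebytes(raw)
    for name in strip:
        del original[name]  # removes every occurrence of that header
    ciphertext = encrypt(original.as_bytes(), recipient)

    out = EmailMessage()
    out["To"] = to_addr
    out["Subject"] = str(original["Subject"]) if keep_subject else "OSSEC alert (encrypted)"
    out.set_content(ciphertext.decode("ascii"))
    return out


# Constructed sample alert for testing; not a real OSSEC capture.
SAMPLE_ALERT = b"""Received: from localhost (localhost [127.0.0.1])
    by ossec-host (Postfix) with ESMTP id CONSTRUCTED; Mon, 1 Jan 2024 00:00:00 +0000
From: ossec@ossec-host
To: root@localhost
Subject: OSSEC Notification - ossec-host - Alert level 10
Date: Mon, 1 Jan 2024 00:00:00 +0000

OSSEC HIDS Notification.
2024 Jan 01 00:00:00

Src IP: 203.0.113.5
Rule: 1002 fired (level 2) -> "Constructed sample rule description."
"""


def main() -> int:
    """Run as the procmail action: read the alert from stdin and submit the
    encrypted message with sendmail -t (recipients taken from the To header).
    Recipient key ID and address are example values; the article elides both."""
    msg = encrypt_alert(sys.stdin.buffer.read(),
                        recipient="ossec-admin@example.org",
                        to_addr="ossec-admin@example.org")
    subprocess.run(["/usr/sbin/sendmail", "-t"], input=msg.as_bytes(), check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

In the recipe, the action line would then be "| /usr/bin/python3 /var/ossec/encrypt_alert.py" (file name is my choice). The encrypt parameter exists so the message assembly can be exercised without a keyring; in production leave it at the gpg default.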