Encrypting cron emails with S/MIME


You might have your server setup in such a way that it runs a few tasks with cron so you don’t have to worry about them. Except.. you should. That is if the scheduled tasks send mission critical information over the internet. Now assume you have some kind of security audit software running like say lynis. You sure don’t want that report in the wrong hands since an attacker could really use that information to break into your server way easier than otherwise.

  • You have a S/MIME Certificate
  • You have root access to your linux web server
  • Your server runs on a recent Ubuntu


There are basically two ways of encrypting emails one is GPG and the other S/MIME. Refer to Encrypting cron emails with GPG if you prefer GPG. If you don’t know GPG I highly recommend checking that out as well since I personally consider it way more secure.

  1. Upload your S/MIME certificate to /home/smime.pem
  2. Create a file /home/smimecron.sh with following content
    ifne /usr/bin/openssl smime -encrypt -text -from $emailFrom -to $emailTo -subject cronlog /home/smime.pem | sendmail $emailTo
  3. Make the script executable chmod a+x /home/smimecron.sh
  4. For this script to work we need the program ifne installed. Usually if a command has no output to /dev/stdout or /dev/stderr gpg would encrypt an empty string and you would receive an encrypted email that has no content once decrypted. This would be annoying ifne prevents this. To install it run.
    apt-get install moreutils
  5. Add the line SMIME_CMD = /home/smimecron.sh somewhere at the top of your /etc/crontab
  6. Now you can use it by adding | $SMIME_CMD after a command something like this:
    * * * * * root echo "test" | $SMIME_CMD

One thought to “Encrypting cron emails with S/MIME”

  1. Hi! I just wanted to ask if you ever have any issues with hackers? My last blog (wordpress) was hacked and I ended up losing months of hard work due to no data backup. Do you have any solutions to stop hackers?

Leave a Reply

Your email address will not be published.