On Fri, Jul 15, 2016 at 10:25:43PM -0700, Michael Fox wrote:
> I'd like to be able to reject mail that contains encrypted content.  
> This is to satisfy US FCC rules against encrypted content on 
> amateur radio frequencies.  Some of our clients may connect via 
> amateur radio.

I think you're taking it too far.  Consider that the regulation was 
written by someone, and then ratified by a group, not one of whom had 
ever heard of GPG.  For that matter, the regulation probably did not 
anticipate packet radio use for IP traffic.  Surely they were only 
thinking about scrambled radio voice traffic.

You have already discarded STARTTLS from your EHLO reply for packet 
radio clients, and I think even that is going a bit too far.

If your interpretation of these FCC rules is accurate, you really 
can't offer any kind of connection to the Internet in any way, even 
indirect.  You can't possibly anticipate all kinds of cryptography 
and steganography.

Israel's then-future-king David, and his friend, then Prince 
Jonathan, cooked up and employed an encryption scheme in the Old 
Testament.  If your interpretation stands, you cannot allow anyone to 
say in email, "... is not the arrow beyond thee?" (KJV, 1 Samuel 
20:37.)  That could contain a hidden message.

Don't let them push you down this slippery slope.  If you are really 
worried about it, call the FCC or a private attorney and get a solid 
interpretation.

> I'd like to be able to restrict it only for certain clients.  But, 
> as I understand it, header checks can only be applied globally, to 
> all mail.

[OOTC: obligatory on-topic content]

Yes, but you can use an alternate cleanup service on an alternate 
smtpd instance, see postconf.5.html#cleanup_service_name and also 
cleanup.8.html.

> Sorry if this is a dumb question.  But, unfortunately, I don't
> have any experience with encrypted mail.  From what I've read,
> I'm thinking I need:
> 
> main.cf:
> 
>   mime_header_checks = pcre:${config_directory}/mime_header_checks.pcre
> 
> 
> mime_header_checks.pcre:
> 
>   # Block encrypted mail
>   /^Content-Type\:.*multipart\/encrypted/  REJECT Encrypted content not allowed
> 
> 
> 
> Is that sufficient?

No.  What about inline PGP/GPG messages?  What about encrypted 
messages hidden inside image or audio files?

[/OOTC]

> Any better ideas or other issues to consider?

Don't do it.  See above.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
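
The alternate cleanup service rob0 points to, written out as an added
example (this is not configuration from either poster; the interface
address 192.0.2.25, the service name cleanup_radio and the pcre file
names are assumptions). It also covers the inline PGP case he raises:

```conf
# master.cf (added example; not Michael's or rob0's configuration)
# Second smtpd instance that only the packet-radio gateway reaches.
# 192.0.2.25 is a documentation address standing in for that interface.
# service        type  private unpriv  chroot  wakeup  maxproc command + args
192.0.2.25:smtp  inet  n       -       n       -       -       smtpd
    -o syslog_name=postfix/radio
    -o smtpd_tls_security_level=none
    -o cleanup_service_name=cleanup_radio

# Separate cleanup service; only mail entering through the radio smtpd
# uses it, so the checks below never touch the default "cleanup" service.
cleanup_radio    unix  n       -       n       -       0       cleanup
    -o mime_header_checks=pcre:$config_directory/mime_header_checks.pcre
    -o body_checks=pcre:$config_directory/body_checks.pcre

# mime_header_checks.pcre (the MIME structure of RFC 3156 PGP/MIME mail)
/^Content-Type:\s*multipart\/encrypted/        REJECT Encrypted content not allowed
/^Content-Type:\s*application\/pgp-encrypted/  REJECT Encrypted content not allowed

# body_checks.pcre (inline ASCII-armored PGP; a PGP SIGNATURE block is
# signing, not encryption, so it is deliberately not matched here)
/^-----BEGIN PGP MESSAGE-----/                 REJECT Encrypted content not allowed
```

Before reloading, check that a pattern fires on a sample header with
`postmap -q "Content-Type: multipart/encrypted; protocol=\"application/pgp-encrypted\"" pcre:/etc/postfix/mime_header_checks.pcre`,
which prints the action for the first matching line. Two caveats that
do not change rob0's conclusion: body_checks only scans the first
body_checks_size_limit bytes (default 51200) and does not decode base64,
so an armored message inside an encoded attachment slips through, and
nothing here looks inside image or audio files at all.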
