Re: [Mimedefang] PGP encryption of outgoing email
On 05/06/09 12:52:59, Pete wrote:
> Is there a method for encrypting outgoing email using PGP (or other
> methods)? I am thinking of doing this on a per-recipient basis, i.e. encrypt
> email to people I regularly email and leave the rest plain.
>
> Any suggestions or ideas welcome.

Something that I've done in the past is to set up a Mailman mailing list and to
then direct secure email via that mailing list. A public/private key pair is
created for each secure mailing list; this key pair is distributed to the
mailing list recipients. List members configure their mail client to encrypt
mail sent to the list with the private key, and to decode with the public key.

A more general purpose method is described here:

"The Secure List Server: an OpenPGP and S/MIME aware Mailman"
http://non-gnu.uvt.nl/mailman-pgp-smime/

Attached is a Perl script that I use, called via procmail, that decodes
PGP-encrypted attachments; it is derived from mgpg-test, part of the Mail::GPG
package. The script handles most commonly occurring PGP attachments. You'll
note that it looks for a passphrase that is read from a file in the user's home
directory. (You wouldn't want to use this method for extremely
confidential/secure mail.)

    #!/usr/bin/perl -w
    #
    # derived from mgpg-test, part of the Mail::GPG package
    #
    use strict;
    use lib 'lib';
    use Mail::GPG;
    use Mail::Address;
    use MIME::Parser;
    use MIME::Entity;
    use MIME::Head;
    use MIME::Body;
    use Getopt::Std;
    use Socket;
    use Net::Domain qw(hostname hostfqdn hostdomain);

    # Decrypt one encrypted entity in place; returns 1 on success, 0 otherwise.
    sub decrypt_part ($) {
        my $entity_ref = shift;
        my $entity = $$entity_ref;
        my $mg = Mail::GPG->new ();

        # mail is encrypted, ask Mail::GPG for the
        # key to decrypt this mail
        my ($key_id, $key_mail) = $mg->get_decrypt_key (entity => $entity);
        return 0 if !defined $key_id;
        my ($addr) = Mail::Address->parse($key_mail);
        return 0 if !defined $addr;
        my $uid = $addr->user;
        return 0 if !defined $uid;

        # obtain passphrase from file (one per key user id, in ~/.gnupg)
        my $home = $ENV{'HOME'} || '~';
        my $passfile = "$home/.gnupg/passphrase-${uid}.txt";
        my $passphrase;
        open (PASSPHRASE, "<$passfile") || return 0;
        chomp ( $passphrase = <PASSPHRASE> );
        close (PASSPHRASE);

        # decode the mail
        my ($decrypted, $result) = eval {
            $mg->decrypt (entity => $entity, passphrase => $passphrase)
        };
        return 0 if $@;
        $$entity_ref = $decrypted;
        return 1;
    }

    # Walk the MIME tree, decrypting every encrypted part; returns true if
    # anything was decrypted.
    sub decrypt_msg ($);
    sub decrypt_msg ($) {
        my $entity_ref = shift;
        my $entity = $$entity_ref;
        my $decrypted = 0;
        my $mg = Mail::GPG->new ();

        if ( $mg->is_encrypted ( entity => $entity ) ) {
            $decrypted = decrypt_part ($entity_ref);
            $entity = $$entity_ref;
            my $body = $entity->bodyhandle;
            if ($body) {
                my $btext = $body->as_string;
                if ($btext =~ /^[[:print:][:space:]]*$/) {
                    # remove spurious <CR>'s
                    if ($btext =~ s/\r\n/\n/g) {
                        my $B = $body->open("w") || return 0;
                        $B->print($btext);
                        $B->close;
                    }
                    $entity->effective_type('text/plain');
                }
            }
        } elsif ($entity->parts) {
            my @new_parts;
            for my $p ($entity->parts) {
                $decrypted |= decrypt_msg (\$p);
                push @new_parts, $p;
            }
            $entity->parts (\@new_parts) if $decrypted;
        }
        return $decrypted;
    }

    $| = 1;  # for debugging;

    # read the whole message from stdin (procmail pipes it in)
    my $msg;
    {
        local $/;
        $msg = <STDIN>;  # slurp
    }

    my $entity = Mail::GPG->parse ( mail_sref => \$msg );
    exit 2 if !decrypt_msg (\$entity);

    # remove temp. files created by MIME::Entity
    $entity->purge;

    # Dump the decoded message
    my ($from_line) = ($msg =~ /^(From [^\n]*)/);
    print "$from_line\n" if defined $from_line;
    my $host = hostfqdn();
    my $ip_addr = inet_ntoa( scalar gethostbyname( $host || 'localhost' ));
    my $head = $entity->head;
    my $old_content_type = $head->get('Old-Content-Type');
    if ($old_content_type) {
        $head->replace('Content-Type', $old_content_type);
        $head->delete('Old-Content-Type');
    }
    $head->replace('X-GPG-Decrypt', "Decrypted on host $ip_addr at " . scalar localtime);
    $entity->print(\*STDOUT);

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message,
it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] PGP encryption of outgoing email
On Thu, 2009-05-07 at 09:17 +0100, Paul Murphy wrote:
> Steffan wrote:
>
> > I wonder why you don't want to encrypt/sign in the MUA. It is more
> > flexible and, well, works most of the time.
>
> Because users are incapable of getting it right, and the time they forget to
> encrypt the message may also be the time they send company B's confidential
> data to company A.

You might want to consider checking that the message is encrypted and rejecting
it if it is not. That's probably WAY simpler and has the side-effect of
educating users on your policy.

Richard
Re: [Mimedefang] PGP encryption of outgoing email
Steffen Kaiser wrote:
> On Wed, 6 May 2009, pete wrote:
>
>> Is there a method for encrypting outgoing email using PGP (or other
>> methods)? I am thinking of doing this on a per-recipient basis, i.e. encrypt
>> email to people I regularly email and leave the rest plain.
>
> If you search CPAN, you find tons of PGP / GnuPG modules, unfortunately. I
> made a quick search for PGP & MIME (so you don't fiddle with the MIME
> structure yourself) and there are a few as well, e.g. Mail::GnuPG.
>
> The biggest problem I see is that you have to open your secret key to
> MIMEDefang. As I understand your mail, you are using a single-person system,
> so this comes down to how secure your server is and whether you trust the
> system to hold your key without a passphrase or in pgp-agent.

To encrypt outgoing email only the public key (of the recipient) is required.
The secret/private key (of the sender) is required for *signing*.

> [...]

-- 
[pl>en: Andrew] Andrzej Adam Filip : a...@onet.eu
The time spent on any item of the agenda [of a finance committee] will be in
inverse proportion to the sum involved. -- C. N. Parkinson
Re: [Mimedefang] PGP encryption of outgoing email
Steffan wrote:
> I wonder why you don't want to encrypt/sign in the MUA. It is more
> flexible and, well, works most of the time.

Because users are incapable of getting it right, and the time they forget to
encrypt the message may also be the time they send company B's confidential
data to company A. At one point I was seeing ~10 messages per week which the
users had forgotten to encrypt, and I saw 2 in 6 months go to the wrong company
without encryption.

I looked at this a long time ago, and got a system working which verified that
messages to and from designated domains were encrypted. It was a bit messy, but
it worked. It also ensured that the corporate key had been included in the
encryption targets, so we could enforce use of this key for message recovery
purposes. It did this by trying to decrypt any encrypted parts using the
corporate key. Coincidentally, this also stopped employees using encryption to
any domain except those we expressly permitted it to - otherwise our
confidential data could walk out of the door, and we'd be none the wiser.

The issue, as Steffan has already pointed out, is that you have to trust your
mail server with the passphrase to your private key, or in our case, to the
company's private key. In our circumstances, this was more acceptable than the
breaches of security caused by incapable users, but you may not be able to make
that argument.

Best Wishes,

Paul.
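Added example, not code from this thread, from MIMEDefang or from Mail::GPG: the gate Richard suggests (check that the message is encrypted, reject it if not), extended with Paul's two further conditions: mail to designated domains must be encrypted while encryption to any other domain is refused, and the corporate key must be among the encryption targets. It is written in Python around the standard library email parser rather than as a MIMEDefang filter_end() hook. Where Paul's system tried to decrypt with the corporate key, this one reads the recipient key IDs out of the PKESK packets at the front of the PGP message, so the mail host needs no private key or passphrase at all. The domain set, the corporate key ID, the addresses, the boundary and the sample messages (whose session keys and ciphertext are filler bytes) are all constructed for the example.

```python
# Added example, not MIMEDefang or Mail::GPG code. Assumed policy: mail to DESIGNATED_DOMAINS must be
# PGP/MIME encrypted (RFC 3156) and also to CORPORATE_KEY_ID; encrypted mail elsewhere is refused.
import base64
import email
import re
from email import policy

DESIGNATED_DOMAINS = {"partner.example"}  # assumed
CORPORATE_KEY_ID = "0123456789ABCDEF"      # assumed 64-bit key ID, hex

def dearmor(text):
    """Packet bytes from a PGP MESSAGE armor block; armor headers and any '=CRC' line are skipped."""
    m = re.search(r"-----BEGIN PGP MESSAGE-----\n(.*?)-----END PGP MESSAGE-----",
                  text.replace("\r\n", "\n"), re.S)
    if not m:
        raise ValueError("no PGP MESSAGE armor")
    lines = [ln.strip() for ln in m.group(1).split("\n")]
    while lines and lines[0]:  # Version:/Comment: headers run up to the blank line
        lines.pop(0)
    return base64.b64decode("".join(ln for ln in lines if ln and ln[0] != "="), validate=True)

def packets(data):
    """Yield (tag, body) per OpenPGP packet (RFC 4880 s4.2). A new-format packet using partial
    body lengths (as GnuPG writes the encrypted data) is yielded as (tag, None) and ends the scan."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet tag octet")
        if ctb & 0x40:  # new format
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first < 255:
                yield tag, None
                return
            else:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
        else:  # old format; length type 3 (indeterminate) runs to the end of the data
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            n = 0 if ltype == 3 else 1 << ltype
            length = len(data) - i if ltype == 3 else int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length

def encryption_key_ids(data):
    """Key IDs of the leading v3 PKESK packets (tag 1, RFC 4880 s5.1); 0000000000000000 = hidden."""
    ids = []
    for tag, body in packets(data):
        if tag != 1:  # the ESK sequence ends where the encrypted-data packet begins
            break
        if body is None or body[0] != 3:
            raise ValueError("unsupported PKESK packet")
        ids.append(body[1:9].hex().upper())
    return ids

def check_outbound(raw, designated=DESIGNATED_DOMAINS, corporate_key=CORPORATE_KEY_ID):
    """Return ('accept' | 'reject', reason) for one outbound message."""
    msg = email.message_from_string(raw, policy=policy.default)
    addrs = [a.addr_spec for h in ("To", "Cc", "Bcc") if msg[h] for a in msg[h].addresses]
    domains = {a.rpartition("@")[2].lower() for a in addrs}
    parts = msg.get_payload() if msg.is_multipart() else []
    encrypted = (msg.get_content_type() == "multipart/encrypted"  # RFC 3156 s4 structure
                 and msg.get_param("protocol") == "application/pgp-encrypted" and len(parts) == 2
                 and parts[0].get_content_type() == "application/pgp-encrypted"
                 and parts[1].get_content_type() == "application/octet-stream")
    if encrypted and domains - designated:
        return "reject", f"encrypted mail to non-permitted domain(s) {sorted(domains - designated)}"
    if not encrypted:
        bad = sorted(domains & designated)
        return ("reject", f"plaintext mail to designated domain(s) {bad}") if bad else ("accept", "plaintext")
    try:  # get_content() is bytes for application/octet-stream
        ids = encryption_key_ids(dearmor(parts[1].get_content().decode("ascii", "replace")))
    except ValueError as exc:  # binascii.Error from bad base64 is a ValueError too
        return "reject", f"malformed PGP/MIME payload: {exc}"
    if corporate_key.upper() not in ids:
        return "reject", f"corporate key {corporate_key} not among encryption targets {ids}"
    return "accept", f"encrypted to {ids}"

def build_sample_mail(to, key_ids=None):
    """Constructed sample: PGP/MIME encrypted to key_ids, or text/plain when None (filler, no real crypto)."""
    head = f"From: alice@corp.example\nTo: {to}\nSubject: Q2 figures\nMIME-Version: 1.0\n"
    if key_ids is None:
        return head + "Content-Type: text/plain; charset=us-ascii\n\nPlaintext body.\n"
    pkts = b""
    for kid in key_ids:  # old-format PKESK: version 3, key ID, RSA (1), 16-bit MPI placeholder
        body = bytes([3]) + bytes.fromhex(kid) + bytes([1, 0, 16, 0x8A, 0x1F])
        pkts += bytes([0x84, len(body)]) + body
    pkts += bytes([0xC0 | 18, 0xE5]) + b"\xAA" * 32 + b"\x00"  # SEIPD: 32-octet partial chunk, final 0
    asc = "\n".join(re.findall(".{1,64}", base64.b64encode(pkts).decode()))
    b = "pgp-boundary-42"
    return (head + f'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="{b}"\n\n'
            f"--{b}\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
            f'--{b}\nContent-Type: application/octet-stream; name="encrypted.asc"\n\n'
            f"-----BEGIN PGP MESSAGE-----\n\n{asc}\n-----END PGP MESSAGE-----\n--{b}--\n")
```

Two caveats. The PKESK check only proves that a packet names the corporate key ID, not that the session key in it is really encrypted to that key or that the ciphertext is sound; a user or a malicious client can forge that packet, and a message to a hidden recipient carries the wildcard key ID 0000000000000000 and fails the check. Paul's approach of actually decrypting with the corporate key proves recoverability, at the price of putting the key and its passphrase on the mail server; the two can be combined, this one as the cheap first pass. Also, an inline-armored body in a text/plain part is not PGP/MIME and is treated here as plaintext, so it is rejected to a designated domain like any other unencrypted mail.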
Re: [Mimedefang] PGP encryption of outgoing email
On Wed, 6 May 2009, pete wrote:

> Is there a method for encrypting outgoing email using PGP (or other
> methods)? I am thinking of doing this on a per-recipient basis, i.e. encrypt
> email to people I regularly email and leave the rest plain.

If you search CPAN, you find tons of PGP / GnuPG modules, unfortunately. I
made a quick search for PGP & MIME (so you don't fiddle with the MIME
structure yourself) and there are a few as well, e.g. Mail::GnuPG.

The biggest problem I see is that you have to open your secret key to
MIMEDefang. As I understand your mail, you are using a single-person system,
so this comes down to how secure your server is and whether you trust the
system to hold your key without a passphrase or in pgp-agent.

If the mail has more than one recipient, you need to use
"stream_by_recipient()" (or similar) so that each recipient receives either an
encrypted copy or an unencrypted one. Depending on the module, you need to
encrypt either each part in filter() or the message as a whole in filter_end().

BTW: You wrote "encrypt"; if you really mean "encrypt" rather than "sign", you
need to have the public keys of the recipients, maybe from a keyserver, and if
there are multiple recipients, you need to think about whether you encrypt for
all recipients (and yourself) and send one copy of the mail to all, or send one
mail per recipient (using stream_by_recipient()).

A long time ago I looked at signing the first text part of each outgoing
message using PGP, but we dropped the idea after the initial stage because of
the security problems of the private keys.

I wonder why you don't want to encrypt/sign in the MUA. It is more flexible
and, well, works most of the time.

Bye,

-- 
Steffen Kaiser
[Mimedefang] PGP encryption of outgoing email
Hi,

Is there a method for encrypting outgoing email using PGP (or other
methods)? I am thinking of doing this on a per-recipient basis, i.e. encrypt
email to people I regularly email and leave the rest plain.

Any suggestions or ideas welcome.

Thanks,

Pete.

pain is temporary, glory is forever!