Re: [Mimedefang] PGP encryption of outgoing email

2009-05-27 Thread Gary Funck
On 05/06/09 12:52:59, Pete wrote:
 Is there a method for encrypting outgoing email using PGP (or other
 methods). I am thinking of doing this on a per recipient basis. I.e encrypt
 email to people I regularly email and leave plain the rest. 
 
 Any suggestions or ideas welcome. 

Something that I've done in the past is to set up a Mailman
mailing list and to then direct secure email via that
mailing list.  A public/private key pair is created for
each secure mailing list; this key pair is distributed
to the mailing list recipients.  List members configure
their mail client to encrypt mail sent to the list with
the private key, and to decode with the public key.

A more general purpose method is described here:
The Secure List Server: an OpenPGP and S/MIME aware Mailman
http://non-gnu.uvt.nl/mailman-pgp-smime/

Attached is a Perl script that I use, called via procmail,
that decodes PGP-encrypted attachments; it is derived from
mgpg-test, part of the Mail::GPG package.
The script handles most commonly occurring PGP attachments.
You'll note that it looks for a passphrase that is read
from a file in the user's home directory.
(You wouldn't want to use this method for extremely
confidential/secure mail.)

#!/usr/bin/perl -w
#
# derived from mgpg-test, part of the Mail::GPG package
#
use strict;
use lib 'lib';
use Mail::GPG;
use Mail::Address;
use MIME::Parser;
use MIME::Entity;
use MIME::Head;
use MIME::Body;
use Getopt::Std;
use Socket;
use Net::Domain qw(hostname hostfqdn hostdomain);


# Decrypt one encrypted entity in place.  The passphrase is read from
# ~/.gnupg/passphrase-<user>.txt, where <user> is the local part of the
# e-mail address on the decryption key.  Returns 1 on success, 0 otherwise.
sub decrypt_part ($)
{
  my $entity_ref = shift;
  my $entity = $$entity_ref;
  my $mg = Mail::GPG->new ();
  # mail is encrypted, ask Mail::GPG for the
  # key to decrypt this mail
  my ($key_id, $key_mail) = $mg->get_decrypt_key (entity => $entity);
  return 0 if !defined $key_id;
  my ($addr) = Mail::Address->parse($key_mail);
  return 0 if !defined $addr;
  my $uid = $addr->user;
  return 0 if !defined $uid;
  # obtain passphrase from file.
  my $home = $ENV{'HOME'} || '~';
  my $passfile = "$home/.gnupg/passphrase-${uid}.txt";
  my $passphrase;
  open (PASSPHRASE, $passfile) || return 0;
  chomp ( $passphrase = <PASSPHRASE> );
  close (PASSPHRASE);
  # decode the mail
  my ($decrypted, $result) = eval { $mg->decrypt (entity => $entity,
                                                 passphrase => $passphrase) };
  return 0 if $@;
  $$entity_ref = $decrypted;
  return 1;
}

# Walk the MIME tree, decrypting every encrypted part found.
# Returns 1 if at least one part was decrypted, 0 otherwise.
sub decrypt_msg ($);
sub decrypt_msg ($)
{
  my $entity_ref = shift;
  my $entity = $$entity_ref;
  my $decrypted = 0;
  my $mg = Mail::GPG->new ();
  if ( $mg->is_encrypted ( entity => $entity ) )
    {
      $decrypted = decrypt_part ($entity_ref);
      $entity = $$entity_ref;
      my $body = $entity->bodyhandle;
      if ($body) {
        my $btext = $body->as_string;
        if ($btext =~ /^[[:print:][:space:]]*$/)
          {
            # remove spurious crlf's
            if ($btext =~ s/\r\n/\n/g)
              {
                my $B = $body->open("w") || return 0;
                $B->print($btext);
                $B->close;
              }
            $entity->effective_type('text/plain');
          }
      }
    }
  elsif ($entity->parts)
    {
      my @new_parts;
      for my $p ($entity->parts)
        {
          $decrypted |= decrypt_msg (\$p);
          push @new_parts, $p;
        }
      $entity->parts (\@new_parts) if $decrypted;
    }
  return $decrypted;
}

$| = 1;

#  for debugging;
open (STDIN, "test-pgp-mail.txt") || die "open failed" if $^P;

my $msg;

{
  local $/;
  $msg = <STDIN>; # slurp
}


my $entity = Mail::GPG->parse ( mail_sref => \$msg );

exit 2 if !decrypt_msg (\$entity);

# remove temp. files created by MIME::Entity
$entity->purge;

# Dump the decoded message, keeping the mbox "From " line if there was one
my ($from_line) = ($msg =~ /^(From [^\n]*)/);
print "$from_line\n" if defined $from_line;

my $host = hostfqdn();
my $ip_addr = inet_ntoa( scalar gethostbyname( $host || 'localhost' ));

my $head = $entity->head;
my $old_content_type = $head->get('Old-Content-Type');
if ($old_content_type)
  {
    $head->replace('Content-Type', $old_content_type);
    $head->delete('Old-Content-Type');
  }
$head->replace('X-GPG-Decrypt', "Decrypted on host $ip_addr at " . scalar localtime);

$entity->print(\*STDOUT);
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: [Mimedefang] PGP encryption of outgoing email

2009-05-07 Thread Paul Murphy

Steffan wrote:

 I wonder why you don't want to encrypt/sign in the MUA. It is more 
 flexible and, well, works most of the time.

Because users are incapable of getting it right, and the time they forget to
encrypt the message may also be the time they send company B's confidential
data to company A.  At one point I was seeing ~10 messages per week which the
users had forgotten to encrypt, and I saw 2 in 6 months go to the wrong
company without encryption.

I looked at this a long time ago, and got a system working which verified
that messages to and from designated domains were encrypted.  It was a bit
messy, but it worked.  It also ensured that the corporate key had been
included in the encryption targets, so we could enforce use of this key for
message recovery purposes.  It did this by trying to decrypt any encrypted
parts using the corporate key.  Coincidentally, this also stopped employees
using encryption to any domain except those we expressly permitted it to -
otherwise our confidential data could walk out of the door, and we'd be none
the wiser.

The issue, as Steffan has already pointed out, is that you have to trust your
mail server with the passphrase to your private key, or in our case, to the
company's private key.  In our circumstances, this was more acceptable than
the breaches of security caused by incapable users, but you may not be able
to make that argument.

Best Wishes,

Paul.


Re: [Mimedefang] PGP encryption of outgoing email

2009-05-07 Thread Andrzej Adam Filip
Steffen Kaiser skmimedef...@smail.inf.fh-bonn-rhein-sieg.de wrote:

 On Wed, 6 May 2009, pete wrote:

 Is there a method for encrypting outgoing email using PGP (or other
 methods). I am thinking of doing this on a per recipient basis. I.e encrypt
 email to people I regularly email and leave plain the rest.

 If you search CPAN, you find tons of PGP / GnuPG modules, unfortunately. I 
 made a quick search for PGP and MIME (so you don't fiddle with the MIME 
 structure yourself) and there are a few as well, e.g. Mail::GnuPG.
 
 The main problem I see is that you have to open your secret key to 
 MIMEDefang. As I understand your mail, you are using a 
 single-person system, so this comes down to how secure your server is 
 and whether you trust the system to hold your key without a passphrase 
 or in pgp-agent.

To encrypt outgoing email only public key (of the recipient) is required.
Secret/private key (of sender) is required for *signing*.

 [...]

-- 
[plen: Andrew] Andrzej Adam Filip : a...@onet.eu
The time spent on any item of the agenda [of a finance committee] will be
in inverse proportion to the sum involved.
  -- C. N. Parkinson


Re: [Mimedefang] PGP encryption of outgoing email

2009-05-07 Thread Richard Laager
On Thu, 2009-05-07 at 09:17 +0100, Paul Murphy wrote:
 Steffan wrote:
 
  I wonder why you don't want to encrypt/sign in the MUA. It is more 
  flexible and, well, works most of the time.
 
 Because users are incapable of getting it right, and the time they forget to
 encrypt the message may also be the time they send company B's confidential
 data to company A.

You might want to consider checking that the message is encrypted and
rejecting if it is not. That's probably WAY simpler and has the
side-effect of educating users on your policy.

Richard


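Paul's design above (mail to designated domains must be encrypted, encryption may go only to those domains, and the corporate key must be among the recipients) and Richard's simpler variant (reject anything to those domains that is not encrypted) can be written as one policy function. What follows is an added example written for this page, not code from the thread or from MIMEDefang, and it is Python rather than a MIMEDefang Perl filter so that it can be run stand-alone; in a real filter the same logic would sit in filter_end and take the recipient list from the envelope rather than from the To/Cc headers used here. It detects RFC 3156 multipart/encrypted mail, parses the OpenPGP packet stream (both old- and new-format packet headers, since gpg emits old-format headers for the session-key packets) far enough to read the key ids in the Public-Key Encrypted Session Key packets, and applies the three rules. The key ids, domains, addresses and the sample message are all constructed for the example; the "ciphertext" is dummy bytes and the armor CRC-24 is not verified. One caveat: reading the PKESK key ids is cheaper than Paul's approach of actually decrypting with the corporate key, but weaker, because a sender can put any key id into a PKESK without the session key really being encrypted to that key, and a "hidden recipient" PKESK (all-zero key id) says nothing at all. The code rejects the latter; the former is why a real decryption attempt remains the stronger check.

```python
import base64
import re
from email import message_from_bytes, policy

CORPORATE_KEY_ID = "DEADBEEF0BADF00D"  # hypothetical long key id of the corporate recovery key
RECIPIENT_KEY_ID = "0123456789ABCDEF"  # hypothetical long key id of the partner's key
DESIGNATED = {"partner.example"}        # hypothetical: domains that must get, and alone may get, encrypted mail
ARMOR_RE = re.compile(r"-----BEGIN PGP MESSAGE-----\r?\n(?:[^\r\n]+\r?\n)*\r?\n(.*?)-----END PGP MESSAGE-----", re.S)

def encrypted_payload(msg):
    """The armored PGP message of an RFC 3156 multipart/encrypted message, or None if cleartext."""
    if (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted"
            and len(msg.get_payload()) == 2
            and msg.get_payload(0).get_content_type() == "application/pgp-encrypted"):
        return msg.get_payload(1).get_payload(decode=True).decode("ascii", "replace")
    return None

def iter_packets(data):
    """Yield (tag, body) per OpenPGP packet (RFC 4880 section 4.2), old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:                                        # partial body length: only the data packet
                return                                   # uses it, and that follows every ESK packet
        else:                                            # old-format header (what gpg emits for tag 1)
            tag, width = (ctb >> 2) & 0x0F, (1, 2, 4, 0)[ctb & 0x03]
            length = int.from_bytes(data[i:i + width], "big") if width else len(data) - i
            i += width                                   # width 0: indeterminate, runs to end of data
        yield tag, data[i:i + length]
        i += length

def pkesk_key_ids(armored):
    """Key ids named by the Public-Key Encrypted Session Key packets (tag 1), in order."""
    m = ARMOR_RE.search(armored)
    if not m:
        raise ValueError("no PGP armor")
    data = base64.b64decode("".join(l.strip() for l in m.group(1).splitlines() if not l.startswith("=")))
    ids = []                                             # ("=XXXX" is the CRC-24 trailer, not verified here)
    for tag, body in iter_packets(data):
        if tag == 1:                                     # version(1) keyid(8) pkalgo(1) mpi...
            if len(body) < 10 or body[0] != 3:
                raise ValueError("malformed PKESK packet")
            ids.append(body[1:9].hex().upper())
        elif tag != 3:                                   # tag 3 (symmetric ESK) carries no key id;
            break                                        # anything else is the data packet
    return ids

def policy_check(raw, designated=DESIGNATED, corporate_key_id=CORPORATE_KEY_ID):
    """("accept"|"reject", reason) for one outbound message given as raw RFC 5322 bytes."""
    msg = message_from_bytes(raw, policy=policy.default)
    domains = {a.addr_spec.rsplit("@", 1)[-1].lower()  # a milter would use envelope recipients instead
               for f in ("to", "cc") if msg[f] is not None for a in msg[f].addresses}
    armored = encrypted_payload(msg)
    if armored is None:
        if domains & designated:
            return "reject", "cleartext to %s, encryption required" % sorted(domains & designated)
        return "accept", "cleartext to non-designated domains only"
    if domains - designated:
        return "reject", "encrypted mail to non-designated domains %s" % sorted(domains - designated)
    key_ids = pkesk_key_ids(armored)
    if "0" * 16 in key_ids:                              # RFC 4880 hidden recipient: key id withheld
        return "reject", "hidden-recipient PKESK present, recipients cannot be verified"
    if corporate_key_id.upper() not in key_ids:
        return "reject", "corporate key %s not among PKESK key ids %s" % (corporate_key_id, key_ids)
    return "accept", "encrypted to %s" % key_ids

def pkesk_packet(key_id_hex):                            # constructed tag 1: v3, key id, RSA, dummy 8-bit MPI
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([1, 0x00, 0x08, 0xAB])
    return bytes([0xC1, len(body)]) + body

def armored_message(key_ids):
    """Constructed message: one PKESK per key id, then a 9-byte stand-in for the SEIPD packet (tag 18)."""
    b64 = base64.b64encode(b"".join(pkesk_packet(k) for k in key_ids) + bytes([0xD2, 9, 1]) + b"\0" * 8).decode()
    return "-----BEGIN PGP MESSAGE-----\n\n%s\n-----END PGP MESSAGE-----\n" % "\n".join(
        b64[i:i + 64] for i in range(0, len(b64), 64))

def build_message(recipient, key_ids=()):
    """Constructed outbound mail: RFC 3156 multipart/encrypted when key_ids is given, else cleartext."""
    head = ["From: bob@corp.example", "To: " + recipient, "Subject: Q2 figures", "MIME-Version: 1.0"]
    if not key_ids:
        return "\n".join(head + ["Content-Type: text/plain", "", "Figures attached.", ""]).encode()
    b = "=-example-boundary"
    return "\n".join(head + [
        'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="%s"' % b,
        "", "--" + b, "Content-Type: application/pgp-encrypted", "", "Version: 1", "",
        "--" + b, "Content-Type: application/octet-stream", "", armored_message(key_ids),
        "--" + b + "--", ""]).encode()

if __name__ == "__main__":
    for rcpt, keys in [("alice@partner.example", [RECIPIENT_KEY_ID, CORPORATE_KEY_ID]),
                       ("alice@partner.example", [RECIPIENT_KEY_ID]), ("carol@other.example", ())]:
        print(rcpt, "encrypted" if keys else "cleartext", *policy_check(build_message(rcpt, keys)))
```

Run as a script it prints one verdict per constructed case: the message to the partner domain encrypted to both keys is accepted, the same message without the corporate key is rejected, and cleartext to a non-designated domain is accepted. Wiring this into a filter means returning a 5xx reject for the "reject" verdicts, which is the user-education effect Richard mentions; inline (non-MIME) PGP, which this version does not look for, would need a separate check of text/plain bodies for an armor block.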


[Mimedefang] PGP encryption of outgoing email

2009-05-06 Thread pete

Hi, 

Is there a method for encrypting outgoing email using PGP (or other
methods). I am thinking of doing this on a per recipient basis. I.e encrypt
email to people I regularly email and leave plain the rest. 

Any suggestions or ideas welcome. 

Thanks, 

Pete.

pain is temporary, glory is forever! 
Powered by Linux. www.linux.org
Scanned for viruses using ClamAV. www.clamav.net.

