Re: [Mimedefang] PGP encyption of outging email
On 05/06/09 12:52:59, Pete wrote: Is there a method for encrypting outgoing email using PGP (or other methods). I am thinking of doing this on a per recipient basis. I.e encrypt email to people I regularly email and leave plain the rest. Any suggestions or ideas welcome. Something that I've done in the past is to set up a Mailman mailing list and to then direct secure email via that mailing list. A public/private key pair is created for each secure mailing list; this key pair is distributed to the mailing list recipients. List members configure their mail client to encrypt mail sent to the list with the private key, and to decode with the public key. A more general purpose method is described here: The Secure List Server: an OpenPGP and S/MIME aware Mailman http://non-gnu.uvt.nl/mailman-pgp-smime/ Attached, is a Perl script that I use, that is called via procmail that decodes PGP-encrypted attachments; it is derived from mgpg-test, part of the Mail::GPG package. The script handles most commonly occurring PGP attachments. You'll note that it looks for a passphrase that is read from a file in the user's home directory. (You wouldn't want to use this method for extremely confidential/secure mail.) #!/usr/bin/perl -w # # derived from mgpg-test, part of the Mail::GPG package # use strict; use lib 'lib'; use Mail::GPG; use Mail::Address; use MIME::Parser; use MIME::Entity; use MIME::Head; use MIME::Body; use Getopt::Std; use Socket; use Net::Domain qw(hostname hostfqdn hostdomain); sub decrypt_part ($) { my $entity_ref = shift; my $entity = $$entity_ref; my $mg = Mail::GPG-new (); # mail is encrypted, ask Mail::GPG for the # key to decrypt this mail my ($key_id, $key_mail) = $mg-get_decrypt_key (entity = $entity); return 0 if !defined $key_id; my ($addr) = Mail::Address-parse($key_mail); return 0 if !defined $addr; my $uid = $addr-user; return 0 if !defined $uid; # obtain passphrase from file. my $home = $ENV{'HOME'} || '~'; my $passfile = $home/.gnupg/passphrase-${uid}.txt; my $passphrase; open (PASSPHRASE, $passfile) || return 0; chomp ( $passphrase = PASSPHRASE ); close (PASSPHRASE); # decode the mail my ($decrypted, $result) = eval { $mg-decrypt (entity = $entity, passphrase = $passphrase) }; return 0 if $@; $$entity_ref = $decrypted; return 1; } sub decrypt_msg ($); sub decrypt_msg ($) { my $entity_ref = shift; my $entity = $$entity_ref; my $decrypted = 0; my $mg = Mail::GPG-new (); if ( $mg-is_encrypted ( entity = $entity ) ) { $decrypted = decrypt_part ($entity_ref); $entity = $$entity_ref; my $body = $entity-bodyhandle; if ($body) { my $btext = $body-as_string; if ($btext =~ /^[[:print:][:space:]]*$/) { # remove spurious crlf's if ($btext =~ s/\r\n/\n/g) { my $B = $body-open(w) || return 0; $B-print($btext); $B-close; } $entity-effective_type('plain/text'); } } } elsif ($entity-parts) { my @new_parts; for my $p ($entity-parts) { $decrypted |= decrypt_msg (\$p); push @new_parts, $p; } $entity-parts (\...@new_parts) if $decrypted; } return $decrypted; } $| = 1; # for debugging; open (STDIN, test-pgp-mail.txt) || die open failed if $^P; my $msg; { local $/; $msg = STDIN; # slurp } my $entity = Mail::GPG-parse ( mail_sref = \$msg ); exit 2 if !decrypt_msg (\$entity); # remove temp. files created by MIME::Entity $entity-purge; # Dump the decoded message my ($from_line) = ($msg =~ /^(From [^\n]*)/); print $from_line\n if defined $from_line; my $host = hostfqdn(); my $ip_addr = inet_ntoa( scalar gethostbyname( $host || 'localhost' )); my $head = $entity-head; my $old_content_type = $head-get('Old-Content-Type'); if ($old_content_type) { $head-replace('Content-Type', $old_content_type); $head-delete('Old-Content-Type'); } $head-replace('X-GPG-Decrypt:', Decrypted on host $ip_addr at . scalar localtime); $entity-print(\*STDOUT); ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] PGP encyption of outging email
Steffan wrote: I wonder why you don't want to encrypt/sign in the MUA. It is more flexible and, well, works most of the time. Because users are incapable of getting it right, and the time they forget to encrypt the message may also be the time they send company B's confidential data to company A. At one point I was seeing ~10 messages per week which the users had forgotten to encrypt, and I saw 2 in 6 months go to the wrong company without encryption. I looked at this a long time ago, and got a system working which verified that messages to and from designated domains were encrypted. It was a bit messy, but it worked. It also ensured that the corporate key had been included in the encryption targets, so we could enforce use of this key for message recovery purposes. It did this by trying to decrypt any encrypted parts using the corporate key. Coincidentally, this also stopped employees using encryption to any domain except those we expressly permitted it to - otherwise our confidential data could walk out of the door, and we'd be none the wiser. The issue, as Steffan has already pointed out, is that you have to trust your mail server with the passphrase to your private key, or in our case, to the company's private key. In our circumstances, this was more acceptable than the breaches of security caused by incapable users, but you may not be able to make that argument. Best Wishes, Paul. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] PGP encyption of outging email
Steffen Kaiser skmimedef...@smail.inf.fh-bonn-rhein-sieg.de wrote: On Wed, 6 May 2009, pete wrote: Is there a method for encrypting outgoing email using PGP (or other methods). I am thinking of doing this on a per recipient basis. I.e encrypt email to people I regularly email and leave plain the rest. If you search CPAN, you find tons of PGP / GnuPG modules unfortunatly. I made a quick search for PGP MIME (so you don't fiddle with the MIME structure yourself) and there are a few as well, e.g. Mail::GnuPG. The most problem I see is that you have to open your secret key to MIMEDefang. As I understand your mail so, that you are using a single-person system, this drops down to how secure your server is and if you trust the system to hold your key without passphrase or in pgp-agent. To encrypt outgoing email only public key (of the recipient) is required. Secret/private key (of sender) is required for *signing*. [...] -- [plen: Andrew] Andrzej Adam Filip : a...@onet.eu The time spent on any item of the agenda [of a finance committee] will be in inverse proportion to the sum involved. -- C. N. Parkinson ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
Re: [Mimedefang] PGP encyption of outging email
On Thu, 2009-05-07 at 09:17 +0100, Paul Murphy wrote: Steffan wrote: I wonder why you don't want to encrypt/sign in the MUA. It is more flexible and, well, works most of the time. Because users are incapable of getting it right, and the time they forget to encrypt the message may also be the time they send company B's confidential data to company A. You might want to consider checking that the message is encrypted and rejecting if it is not. That's probably WAY simpler and has the side-effect of educating users on your policy. Richard signature.asc Description: This is a digitally signed message part ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
[Mimedefang] PGP encyption of outging email
Hi, Is there a method for encrypting outgoing email using PGP (or other methods). I am thinking of doing this on a per recipient basis. I.e encrypt email to people I regularly email and leave plain the rest. Any suggestions or ideas welcome. Thanks, Pete. pain is temporary, glory is forever! Powered by Linux. www.linux.org Scanned for viruses using ClamAV. www.clamav.net. ___ NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it. Visit http://www.mimedefang.org and http://www.roaringpenguin.com MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com http://lists.roaringpenguin.com/mailman/listinfo/mimedefang