Bug#952378: spamassassin: Example config needs a way of whitelisting GPG signed mail (EG from DDs)
On Mon, Feb 24, 2020 at 01:56:59AM +1100, Russell Coker wrote:
> It would be good if the example configuration included a way of whitelisting
> mail from known good GPG keys. An example configuration that would be useful
> in real use would be the Debian developer keylist.

I think this is a great idea. Debian developers already have a bootstrapped trust mechanism and making use of it would make the spam problem better for ourselves.

I have pondered implementing something like this and submitting it to the spamassassin maintainer for many years, but never got round to it. I thought of some additional complications though, which I hope will be helpful to mention here in case others wish to implement it.

1) Someone who wants to attack this could attach a legitimate email PGP signed by someone acceptable to the system to an otherwise illegitimate email. To avoid this, the filter would have to somehow verify that the entire email itself (and not just some of its contents) was constructed wholly by the signatory. But PGP protects only email contents. I don't know how to achieve this in a way that is easy for senders. Perhaps some connection between DKIM and PGP would be required, but of course that will be harder to achieve for senders.

2) (wishlist) it'd be nice if the filter could also use the web of trust and also allow any senders who have been signed in to the web of trust. This is harder of course, especially with the current SKS situation. But this would allow: anyone who has been signed in to the web of trust to immediately be able to get through to "Debian" mail servers without fear of spam filters; and for the purposes of this filter, abusers and abuser-supporters to have their PGP keys blacklisted, including for WoT path finding, effectively preventing abuse through this channel.

Neither of these need to be addressed to make progress, but I thought it important to point out at least the first caveat. It's not my intention to pile on additional requirements. It'd be up to any implementor to decide how important it is to care about this.
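The scope check that caveat 1) above calls for, sketched in Python as an added example (not part of the original message, and not SpamAssassin or plugin code). It only decides whether a PGP/MIME signature sits at the top level of a message or inside an attached part; verifying the signature against a keyring is assumed to happen separately, and the function names and sample messages are constructed for illustration.

```python
from email import message_from_string

PGP_SIG = "application/pgp-signature"

def _is_pgp_signed(part):
    # RFC 3156 PGP/MIME: multipart/signed with the OpenPGP protocol parameter.
    return (part.get_content_type() == "multipart/signed"
            and (part.get_param("protocol") or "").lower() == PGP_SIG)

def signature_scope(raw):
    """Return 'whole-body', 'nested' or 'none' for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    if _is_pgp_signed(msg):
        return "whole-body"      # signature spans the entire body
    for part in msg.walk():      # walk() also descends into message/rfc822
        if part is not msg and _is_pgp_signed(part):
            return "nested"      # signed mail carried inside other content
    return "none"

def scope_allows_whitelist(raw):
    # Necessary, not sufficient: the signature must still verify against the
    # keyring, and headers such as From/Subject stay outside the signed data.
    return signature_scope(raw) == "whole-body"

# Constructed sample data; the signature part is a placeholder, not real.
SIGNED = (
    'Content-Type: multipart/signed; micalg=pgp-sha256;\n'
    ' protocol="application/pgp-signature"; boundary="sig"\n\n'
    '--sig\nContent-Type: text/plain\n\nText written by the key holder\n'
    '--sig\nContent-Type: application/pgp-signature\n\n(placeholder)\n'
    '--sig--\n'
)
DIRECT = 'From: dd@example.org\nMIME-Version: 1.0\n' + SIGNED
WRAPPED = (
    'From: other@example.net\nMIME-Version: 1.0\n'
    'Content-Type: multipart/mixed; boundary="out"\n\n'
    '--out\nContent-Type: text/plain\n\nUnsigned text from the real sender\n'
    '--out\nContent-Type: message/rfc822\n\n'
    'From: dd@example.org\n' + SIGNED + '\n--out--\n'
)

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("wrapped", WRAPPED)):
        print(name, signature_scope(raw), scope_allows_whitelist(raw))
```

A filter that scores on "a valid signature exists somewhere in the message" would treat both samples alike; scoring only the `whole-body` case is what separates them.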
Bug#952378: spamassassin: Example config needs a way of whitelisting GPG signed mail (EG from DDs)
On Mon, 24 Feb 2020 01:56:59 +1100 Russell Coker wrote:
> Package: spamassassin
> Severity: wishlist
>
> It would be good if the example configuration included a way of whitelisting
> mail from known good GPG keys. An example configuration that would be useful
> in real use would be the Debian developer keylist.

I don't know if this helps: https://metacpan.org/pod/Mail::SpamAssassin::Plugin::OpenPGP

Note: I am an SA illiterate, and haven't tested the plugin.
Bug#952378: spamassassin: Example config needs a way of whitelisting GPG signed mail (EG from DDs)
Package: spamassassin
Severity: wishlist

It would be good if the example configuration included a way of whitelisting mail from known good GPG keys. An example configuration that would be useful in real use would be the Debian developer keylist.

-- System Information:
Debian Release: 10.3
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.4.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages spamassassin depends on:
ii adduser 3.118
ii curl 7.64.0-4
ii init-system-helpers 1.56+nmu1
ii libhtml-parser-perl 3.72-3+b3
ii libhttp-date-perl 6.02-1
pn libmail-dkim-perl
ii libnet-dns-perl 1.19-1
pn libnetaddr-ip-perl
ii libsocket6-perl 0.29-1+b1
pn libsys-hostname-long-perl
ii libwww-perl 6.36-2
ii lsb-base 10.2019051400
ii perl [libarchive-tar-perl] 5.28.1-6
ii w3m 0.5.3-37

Versions of packages spamassassin recommends:
ii gnupg 2.2.12-1+deb10u1
ii libio-socket-inet6-perl 2.72-2
pn libmail-spf-perl
ii perl [libsys-syslog-perl] 5.28.1-6
pn sa-compile
pn spamc

Versions of packages spamassassin suggests:
pn libdbi-perl
pn libencode-detect-perl
pn libgeo-ip-perl
ii libio-socket-ssl-perl 2.060-3
pn libnet-patricia-perl
ii perl [libcompress-zlib-perl] 5.28.1-6
pn pyzor
pn razor