On 10/30/2019 03:29 PM, Fourhundred Thecat wrote:
> I have asked on the postfix mailing list for a solution, how to encrypt incoming emails with a public gpg key
I'm using the following to PGP encrypt all *outgoing* e-mail addressed to *us* on the SMTP-out server of certain older remote platforms (the newer ones using only S/MIME instead). Note, however, that it's all *automated* e-mails that I just *know* not to be encrypted beforehand. AFAIK "PGP encrypted content" is not as tightly bound to MIME types and the multipart/* hierarchy as S/MIME is, which complicates detection of "it *already is* encrypted".
> Can such a filter work without ever storing plaintext email on disk?
postfix is an MTA, and does queueing as appropriate for such a beast. You *will not* get a guarantee that the unencrypted mail will not *temporarily* be written to disk (and deleted afterwards without outright wiping). Well, short of putting the spool directory on a ramdisk or somesuch.
main.cf:
smtpd_recipient_restrictions = [...], check_recipient_access hash:/etc/postfix/encrypt, [...]
master.cf:
gpgit     unix  -       n       n       -       10      pipe
  flags=Rq user=gpgit null_sender= argv=/home/gpgit/from-postfix.sh -f "${sender}" --target:${nexthop} -- ${recipient}
encrypt(.db):
jochen.bern@binect.de     FILTER gpgit:dummy
binect.de                 WARN Target address missing in encrypt map
subdomain.binect.de       FILTER gpgit:catchall-MnemonicName
[... etc.]
~gpgit/.gnupg/gpg.conf:
trust-model always
[... various group definitions a la:]
group SomeAddress@binect.de = 0xSomeKeyID 0xYetAnother 0xSoManyPeople
group @subdomain.binect.de = 0xMoreOfThis 0xOhTheHumanity
I found gpgit on the web, but had to improve it a bit (and find working SELinux contexts on my own), so I'm attaching my version and:
# ls -Zal ~gpgit
total 84
drwx------. 3 unconfined_u:object_r:user_home_dir_t:s0     gpgit gpgit  4096 Oct 30 00:09 .
drwxr-xr-x. 8 system_u:object_r:home_root_t:s0             root  root   4096 May 23  2013 ..
-rwx------. 1 unconfined_u:object_r:postfix_pipe_exec_t:s0 gpgit gpgit  1676 May 21  2013 from-postfix.sh
drwx------. 2 unconfined_u:object_r:gpg_secret_t:s0        gpgit gpgit  4096 Oct 30 00:15 .gnupg
-rwx------. 1 unconfined_u:object_r:postfix_pipe_exec_t:s0 gpgit gpgit 12141 May 11  2015 gpgit.pl
Needless to say, you'll have to "su - gpgit" and "gpg --import ..." the various(?) recipients' public keys, too. And *monitor* them there, if there are any with a limited lifetime ...
Kind regards,
Jochen Bern Systemingenieur
E jochen.bern@binect.de W www.binect.de
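Added example (editor's note, not the gpgit.pl / from-postfix.sh the author attached, and not part of the original thread): the two pieces a pipe filter like the one above has to get right are (a) deciding whether a message *already is* encrypted, which the post notes is easy for S/MIME (bound to the MIME type) and loose for PGP (inline armor can sit in any text part), and (b) wrapping the plaintext as RFC 3156 PGP/MIME so the whole original entity, attachments included, ends up inside the ciphertext. The gpg call is passed in as a callable so the structure can be exercised without a keyring; `gpg_encryptor` shells out to real gpg with `--trust-model always` and a recipient that may be a `group` name from gpg.conf, as in the post. All sample messages below are constructed for the example.

```python
"""Detect already-encrypted mail and wrap plaintext mail as PGP/MIME (RFC 3156).

Added example for a Postfix pipe filter; NOT the author's gpgit.pl or from-postfix.sh.
"""
import re
import subprocess
import sys
from email import encoders, message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

# ASCII-armored inline PGP starts with this line somewhere in a text body.
_PGP_ARMOR = re.compile(rb"^-----BEGIN PGP MESSAGE-----", re.M)


def is_already_encrypted(raw: bytes) -> bool:
    """True for S/MIME enveloped-data, PGP/MIME, or inline-armored PGP messages."""
    msg = message_from_bytes(raw)
    ctype = msg.get_content_type()
    # S/MIME: tightly bound to the MIME type. Only enveloped-data is encryption;
    # signed-data is a signature and must still be encrypted by us.
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return (msg.get_param("smime-type", "") or "").lower() == "enveloped-data"
    # PGP/MIME (RFC 3156): multipart/encrypted with the pgp-encrypted protocol.
    if ctype == "multipart/encrypted":
        return (msg.get_param("protocol", "") or "").lower() == "application/pgp-encrypted"
    # Inline PGP: the loosely bound case; scan every text/* leaf for an armor header.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            if _PGP_ARMOR.search(part.get_payload(decode=True) or b""):
                return True
    return False


def wrap_pgp_mime(raw: bytes, encrypt) -> bytes:
    """Re-package a plaintext message as RFC 3156 multipart/encrypted.

    `encrypt` is a bytes -> bytes callable returning ASCII-armored PGP output.
    Routing headers (From/To/Subject/Received...) stay on the outer message;
    the inner MIME entity (Content-* headers + body) is what gets encrypted,
    so the original Content-Type and any attachments are hidden as well.
    """
    original = message_from_bytes(raw)
    inner = message_from_bytes(raw)
    for name in set(inner.keys()):
        if not name.lower().startswith("content-"):
            del inner[name]
    if "Content-Type" not in inner:
        inner["Content-Type"] = "text/plain"  # make the implicit default explicit
    ciphertext = encrypt(inner.as_bytes())

    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name, value in original.items():
        if name.lower() != "mime-version" and not name.lower().startswith("content-"):
            outer[name] = value
    version = MIMEApplication(b"Version: 1\n", "pgp-encrypted",
                              _encoder=encoders.encode_7or8bit)
    payload = MIMEApplication(ciphertext, "octet-stream",
                              _encoder=encoders.encode_7or8bit, name="encrypted.asc")
    payload.add_header("Content-Disposition", "inline", filename="encrypted.asc")
    outer.attach(version)
    outer.attach(payload)
    return outer.as_bytes()


def gpg_encryptor(recipient: str, gnupghome=None):
    """Return an encrypt callable that shells out to gpg.

    `recipient` may be a key ID or a `group` name defined in gpg.conf; gpg
    expands groups given to --recipient. Not executed by the test below.
    """
    def encrypt(data: bytes) -> bytes:
        cmd = ["gpg", "--batch", "--armor", "--encrypt", "--trust-model", "always",
               "--recipient", recipient]
        if gnupghome:
            cmd[1:1] = ["--homedir", gnupghome]
        return subprocess.run(cmd, input=data, stdout=subprocess.PIPE, check=True).stdout
    return encrypt


if __name__ == "__main__":
    # Usage from a pipe(8) filter: python3 pgpwrap.py <recipient-or-group> < msg > out
    raw_in = sys.stdin.buffer.read()
    if is_already_encrypted(raw_in):
        sys.stdout.buffer.write(raw_in)
    else:
        sys.stdout.buffer.write(wrap_pgp_mime(raw_in, gpg_encryptor(sys.argv[1])))
```

In the Postfix setup from the post the output of this script is what the wrapper would hand back to `sendmail -G -i -f "$sender" -- "$recipient"` for re-injection, and the same caveat applies: the plaintext has already passed through the Postfix queue once before the filter ever sees it.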