Debian – Decrypt incoming pgp mail with procmail

debianpgpprocmail

Currently I have a running Postfix server which delivers incoming mail through procmail. That works fine but now I want to decrypt any incoming mail which is encrypted with pgp automatically. So I have created a procmail rule to trigger gnupg.

This is my current .procmailrc:

:0 fw
* ^Subject: encryptme
| /usr/bin/gpg --decrypt | mail -s "ENCRYPTED: $subject" my@email.com

Now the mail is successfully decrypt and sent to my@email.com but with an empty subject (the mail only shows "ENCRYPTED: ") and with the email address of the server as the sender. And of course the decrypted mail contains parts of the email header.

Content-Type: multipart/mixed; boundary="713bkotRlnRGA7FAhJANoI0IsDpX3ws8N"

--713bkotRlnRGA7FAhJANoI0IsDpX3ws8N
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: quoted-printable

Just a test.

--713bkotRlnRGA7FAhJANoI0IsDpX3ws8N--

Is there any possibility to decrypt incoming mail this way automatically and "clean" (just the decrypted message) without additional software like GNU Anubis? And what is a good rule for procmail to trigger the program (insted of the subject)?

I hope this information is enough for somebody to help me.

Best Answer

In so many words, gpg --decrypt wants a file, not an email message. An email message typically consists of multiple MIME parts (your example shows a multipart/mixed with just a single body part, but the concept still holds), which are not files. You need to pass just the encrypted payload, not the MIME container, to gpg, or find a wrapper or option which helps gpg parse the MIME wrapper.

Quick googling turned up a simple Perl MIME wrapper which does this:

https://github.com/giovino/perl-mail-gpg-example

In case the link goes bad, reinventing the same wheel again should not be a significant challenge; you basically need to identify the MIME part which contains an encrypted payload, decode it (it's probably base64 encoded, unless it uses gpg's own "ASCII armor"), and pass it to gpg. The existence of an encrypted payload is probably a good trigger, but perhaps the wrapper should simply pass through anything which doesn't contain an encrypted payload, and you would feed everything to the wrapper.

Tangentially, there is nothing which defines $subject in Procmail or in your rules. You can do something like this:

:0
* ^Subject:[    ]\/[^   ].*
{ subject=$MATCH }

... where the whitespace between the square brackets should be a space and a tab.

Related Solutions

Cron – Best PGP/GPG Encrypt/Decrypt Script

You do not want a symmetric cipher

If you need to auto-run encryption you don't want to use a symmetric cipher with a passphrase (this is what gpg -ac does). Storing the passphrase in a script or in cron is unacceptable and pointless (seriously, this sounds harsh, but you may as well rot13 it.)

If you're using encryption, it isn't enough to simply "change the permissions" of the script. If it was, you could simple change the permissions on the data you want to hide. Encryption at this level is obviously meant to stop someone who has gained access to your account (most likely maliciously) reading the data once they have access.

In this case, what you want is public key crytography. You generate a private key (which is encrypted again with a symmetric cipher with a password) and a public key. The public key can be distributed anywhere. Anyone can encrypt data that you can read with your private key. Noone should have access to your private key. So for the type of encryption you need, it's perfect. You can store your public key on the server and encrypt all of your data using it. If an attacker has your public key and your encrypted data, he can do nothing.

Your private key should be the bit of the puzzle a potential attacker is always missing. You need to hide this. i.e. encrypting data that you can read is easy. Decrypting it should be hard. With a symmetric cipher, the difficulty of both is the same (if you want to think of it in those terms, it's probably not the greatest analogy.)

GPG makes public crypto relatively painless, but first things first, you need to generate a keypair (this is not done on your server, but on your desktop or somewhere secure you're happy having your private key):

$ gpg --gen-key

Run through the questions there.

Then you want to export your GPG public key and copy and paste it to your server:

$ gpg --list-keys
$ gpg --armor --export me@mydomain.com > pub.key

Copy pub.key to your server and then import with:

$ gpg --import pub.key

If you're considering using encryption in the first place, it's obviously because you've got sensitive data. I'd stress again: you need to think seriously about the way you're encrypting this data as it is a whole lot of effort for no gain if you simply use a symmetric cipher where the password can be accessed trivially.

Best Practical RT, sorting email into queues automatically using procmail

You might want to push the routing function onto RT instead of trying to implement it in procmail. Let the email be sent to RT, and then use something like the EmailRouting or SetOwnerAndQueueBySubject scrip examples to short the email into the appropriate queue.

From the RT Wiki ( https://rt-wiki.bestpractical.com/wiki/Main_Page ) :

EmailRouting -> https://rt-wiki.bestpractical.com/wiki/EmailRouting

SetOwnerAndQueueBySubject -> https://rt-wiki.bestpractical.com/wiki/SetOwnerAndQueueBySubject

Best Answer

Related Solutions

Cron – Best PGP/GPG Encrypt/Decrypt Script

Best Practical RT, sorting email into queues automatically using procmail

Related Topic