David F. Skoll | 4 May 2009 18:34

Work on MIMEDefang

Hi, everyone,

I'm pleased to announce that we have hired someone for the summer to
work on MIMEDefang; the software will at last get some of the care and
attention that it has missed because we've been working full-time on
CanIt.

Roaring Penguin welcomes Richard Gould <rgould <at> roaringpenguin.com> who'll
be helping us clean up MIMEDefang v2 and design MIMEDefang v3.

Regards,

David.
pete | 6 May 2009 21:52

PGP encryption of outgoing email


Hi, 

Is there a method for encrypting outgoing email using PGP (or other
methods)? I am thinking of doing this on a per recipient basis, i.e. encrypt
email to people I regularly email and leave plain the rest. 

Any suggestions or ideas welcome. 

Thanks, 

Pete.

pain is temporary, glory is forever! 
Powered by Linux. www.linux.org
Scanned for viruses using ClamAV. www.clamav.net.

				
Steffen Kaiser | 7 May 2009 09:42

Re: PGP encryption of outgoing email


On Wed, 6 May 2009, pete wrote:

> Is there a method for encrypting outgoing email using PGP (or other
> methods). I am thinking of doing this on a per recipient basis. I.e encrypt
> email to people I regularly email and leave plain the rest.

If you search CPAN, you find tons of PGP / GnuPG modules, unfortunately. I 
made a quick search for PGP & MIME (so you don't fiddle with the MIME 
structure yourself) and there are a few as well, e.g. Mail::GnuPG.

The biggest problem I see is that you have to open your secret key to 
MIMEDefang. As I understand from your mail that you are using a 
single-person system, this comes down to how secure your server is and if 
you trust the system to hold your key without passphrase or in pgp-agent.

If the mail has more than one recipient, you need to use 
"stream_by_recipient()" (or similar) to have all recipients receiving 
either encrypted or not.

Depending on the module you need to encrypt either each part in filter() 
or the message as a whole in filter_end().

BTW: You wrote "encrypt", if you really mean "encrypt" rather than "sign", 
you need to have the public keys of the recipients, maybe from a 
keyserver, and if there are multiple recipients, you need to think about 
if you encrypt for all recipients (and yourself) and send one copy of the 
mail to all or send one mail per recipient (using stream_by_recipient()).

Long time ago I looked at to sign the first text part of each outgoing 

Paul Murphy | 7 May 2009 10:17

Re: PGP encryption of outgoing email


Steffen wrote:

> I wonder why you don't want to encrypt/sign in the MUA. It is more 
> flexible and, well, works most of the time.

Because users are incapable of getting it right, and the time they forget to
encrypt the message may also be the time they send company B's confidential
data to company A.  At one point I was seeing ~10 messages per week which the
users had forgotten to encrypt, and I saw 2 in 6 months go to the wrong
company without encryption.

I looked at this a long time ago, and got a system working which verified
that messages to and from designated domains were encrypted.  It was a bit
messy, but it worked.  It also ensured that the corporate key had been
included in the encryption targets, so we could enforce use of this key for
message recovery purposes.  It did this by trying to decrypt any encrypted
parts using the corporate key.  Coincidentally, this also stopped employees
using encryption to any domain except those we expressly permitted it to -
otherwise our confidential data could walk out of the door, and we'd be none
the wiser.

The issue, as Steffen has already pointed out, is that you have to trust your
mail server with the passphrase to your private key, or in our case, to the
company's private key.  In our circumstances, this was more acceptable than
the breaches of security caused by incapable users, but you may not be able
to make that argument.

Best Wishes,


Andrzej Adam Filip | 7 May 2009 13:58

Re: PGP encryption of outgoing email

Steffen Kaiser <skmimedefang <at> smail.inf.fh-bonn-rhein-sieg.de> wrote:

> On Wed, 6 May 2009, pete wrote:
>
>> Is there a method for encrypting outgoing email using PGP (or other
>> methods). I am thinking of doing this on a per recipient basis. I.e encrypt
>> email to people I regularly email and leave plain the rest.
>
> If you search CPAN, you find tons of PGP / GnuPG modules, unfortunately. I 
> made a quick search for PGP & MIME (so you don't fiddle with the MIME 
> structure yourself) and there are a few as well, e.g. Mail::GnuPG.
>
> The biggest problem I see is that you have to open your secret key to 
> MIMEDefang. As I understand from your mail that you are using a 
> single-person system, this comes down to how secure your server is and if 
> you trust the system to hold your key without passphrase or in
> pgp-agent.

To encrypt outgoing email, only the public key (of the recipient) is required.
The secret/private key (of the sender) is required for *signing*.

> [...]

-- 
[pl>en: Andrew] Andrzej Adam Filip : anfi <at> onet.eu
The time spent on any item of the agenda [of a finance committee] will be
in inverse proportion to the sum involved.
  -- C. N. Parkinson
Richard Laager | 7 May 2009 19:20

Re: PGP encryption of outgoing email

On Thu, 2009-05-07 at 09:17 +0100, Paul Murphy wrote:
> Steffen wrote:
> 
> > I wonder why you don't want to encrypt/sign in the MUA. It is more 
> > flexible and, well, works most of the time.
> 
> Because users are incapable of getting it right, and the time they forget to
> encrypt the message may also be the time they send company B's confidential
> data to company A.

You might want to consider checking that the message is encrypted and
rejecting if it is not. That's probably WAY simpler and has the
side-effect of educating users on your policy.

Richard
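
The check-and-reject approach suggested above could look like this in a mimedefang-filter. This is an added example, not code posted in the thread; the `%MUST_ENCRYPT` table, the `partner.example` domain and the helper names are assumptions.

```perl
# Added example, not from the thread. Goes in mimedefang-filter.
# Hypothetical policy table: recipient domains that may only receive encrypted mail.
my %MUST_ENCRYPT = map { $_ => 1 } qw(partner.example);

# True if the top-level entity is PGP/MIME encrypted (RFC 3156):
# multipart/encrypted with protocol="application/pgp-encrypted".
sub is_pgp_mime_encrypted {
    my ($entity) = @_;
    return 0 unless lc($entity->mime_type) eq 'multipart/encrypted';
    my $proto = $entity->head->mime_attr('content-type.protocol') || '';
    return lc($proto) eq 'application/pgp-encrypted' ? 1 : 0;
}

# True if the message is a single part whose whole body is one ASCII-armored
# PGP message. A body with cleartext around the armor does not count.
sub is_inline_pgp_only {
    my ($entity) = @_;
    return 0 if $entity->is_multipart || !$entity->bodyhandle;
    my $body = $entity->bodyhandle->as_string;
    return $body =~ /\A\s*-----BEGIN PGP MESSAGE-----\r?\n.*\n-----END PGP MESSAGE-----\s*\z/s
        ? 1 : 0;
}

# Call from filter_end($entity). Rejects the message if any recipient is in a
# must-encrypt domain and the message is not encrypted. Returns true if rejected.
sub enforce_encryption_policy {
    my ($entity) = @_;
    my @need;
    foreach my $rcpt (@Recipients) {          # MIMEDefang global, e.g. "<user@domain>"
        my $addr = lc $rcpt;
        my ($dom) = $addr =~ /\@([^>\s]+)>?\s*$/;
        push @need, $rcpt if defined $dom && $MUST_ENCRYPT{$dom};
    }
    return 0 unless @need;
    return 0 if is_pgp_mime_encrypted($entity) || is_inline_pgp_only($entity);
    md_syslog('warning', "rejected unencrypted mail from $Sender to @need");
    action_bounce('Policy: mail to this recipient must be PGP-encrypted');
    return 1;
}

# In your existing filter_end:
#   sub filter_end { my ($entity) = @_; return if enforce_encryption_policy($entity); ... }
```

This inspects only the MIME structure and the armor, not which keys the ciphertext is encrypted to. Confirming that a corporate key is among the encryption targets, as Paul Murphy describes, requires attempting decryption with that key.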

Ngo, Toan | 7 May 2009 19:35

Mimedefang + Spamassassin but no X-Spam-Score

I've been getting emails with bad attachments being dropped by Mimedefang.  The issue is that the email is
SPAM but is not being tested by Spamassassin since there doesn't seem to be an X-Spam-Score in the
headers.  The original message size is about 120KB according to the sendmail logs.  Is it a Mimedefang
config option that I'm missing?  I would like Mimedefang to still have Spamassassin test the email even
if there was a dropped attachment.

Thanks.

Juergen Kleff | 8 May 2009 14:01

Re: Mimedefang + Spamassassin but no X-Spam-Score

On Thursday, May 7 2009 19:35, Ngo, Toan wrote:
> I've been getting emails with bad attachments being dropped by
> Mimedefang.  The issue is that the email is SPAM but is not being tested
> by Spamassassin since there doesn't seem to be an X-Spam-Score in the
> headers.  The original message size is about 120KB according to the sendmail
> logs.  Is it a Mimedefang config option that I'm missing?  I would like
> Mimedefang to still have Spamassassin test the email even if there was a
> dropped attachment.

Are you sure you get the X-Spam-Score header every time the mail is scanned 
by spamassassin via mimedefang? Setting of this header is defined in sub 
filter_end() and usually the header is set only if the score is high 
enough...

Jürgen
-- 
This e-mail was produced in a climate-friendly way
and without nuclear power:
http://www.atomausstieg-selber-machen.de/
Ngo, Toan | 8 May 2009 16:38

Re: Mimedefang + Spamassassin but no X-Spam-Score

Yes, X-Spam scores are put in all the emails through my server.  Here is the header for your reply.

Message-Id: <200905081401.24714.juergen.kleff <at> gmx.de>
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.67
X-Spam-Score: -0.001 () SPF_PASS
X-Scanned-By: MIMEDefang 2.67 on 192.168.200.200

Toan

-----Original Message-----
From: Juergen Kleff [mailto:juergen.kleff <at> gmx.de] 
Sent: Friday, May 08, 2009 5:01 AM
To: mimedefang <at> lists.roaringpenguin.com
Cc: Ngo, Toan
Subject: Re: [Mimedefang] Mimedefang + Spamassassin but no X-Spam-Score

On Thursday, May 7 2009 19:35, Ngo, Toan wrote:
> I've been getting emails with bad attachments being dropped by
> Mimedefang.  The issue is that the email is SPAM but is not being tested
> by Spamassassin since there doesn't seem to be an X-Spam-Score in the
> headers.  The original message size is about 120KB according to the sendmail
> logs.  Is it a Mimedefang config option that I'm missing?  I would like
> Mimedefang to still have Spamassassin test the email even if there was a
> dropped attachment.

Are you sure you get the X-Spam-Score header every time the mail is scanned 
by spamassassin via mimedefang? Setting of this header is defined in sub 
filter_end() and usually the header is set only if the score is high 
enough...

Ngo, Toan | 8 May 2009 18:01

Re: Mimedefang + Spamassassin but no X-Spam-Score

I figured out my issue.  By default, MD will only scan emails smaller than 100KB.  I was trying to find where
that was set.  I edited mimedefang-filter and upped the email size limit.  Currently testing to see what the
load is like on the server with the new limit.

Toan

-----Original Message-----
From: mimedefang-bounces <at> lists.roaringpenguin.com
[mailto:mimedefang-bounces <at> lists.roaringpenguin.com] On Behalf Of Ngo, Toan
Sent: Friday, May 08, 2009 7:39 AM
To: Juergen Kleff; mimedefang <at> lists.roaringpenguin.com
Subject: Re: [Mimedefang] Mimedefang + Spamassassin but no X-Spam-Score

Yes, X-Spam scores are put in all the emails through my server.  Here is the header for your reply.

Message-Id: <200905081401.24714.juergen.kleff <at> gmx.de>
X-Y-GMX-Trusted: 0
X-FuHaFi: 0.67
X-Spam-Score: -0.001 () SPF_PASS
X-Scanned-By: MIMEDefang 2.67 on 192.168.200.200

Toan

-----Original Message-----
From: Juergen Kleff [mailto:juergen.kleff <at> gmx.de] 
Sent: Friday, May 08, 2009 5:01 AM
To: mimedefang <at> lists.roaringpenguin.com
Cc: Ngo, Toan
Subject: Re: [Mimedefang] Mimedefang + Spamassassin but no X-Spam-Score
