Re: [Exim] Integrating PGP with Exim

Author: Jeffrey Goldberg
To: Phil White
CC: exim-users
Subject: Re: [Exim] Integrating PGP with Exim
On May 5, 2000 Phil White <data_medica@???> wrote:

> I administer a central mail server for the ITMagic domain, and am
> pondering on the possibility of adding in transparent PGP support.

> My requirements are:
>     The service, once set up, should be as transparent as possible.
>     The service is only needed to sign emails, not encrypt them.

Hmmm. There are two problems I see. One is MIME. Ignoring attachments,
you might have something that is already, say, quoted-printable. Is that
what gets signed or do you decode, sign, and reencode? I guess I don't
really get the PGP/MIME stuff. Maybe the things you are looking at have
solutions to that. I once tried to come up with a semi-postmarking
scheme, but I couldn't get anything simple and useful.

The second problem is ...

>     As this is a central mail relay, no users will be logged in.
>         This is my main area of concern. I have to attempt to
>         ensure that I can guarantee authenticity of a sender,
>         prior to the signing process.

Where are people submitting from? Would you trust inetd on those systems?
Alternatively, you could use SMTP-AUTH and make people enter a password to
send mail, but is that not transparent enough?

You either have to trust the clients very much or do AUTH SMTP as far as
I can see.

Alternatively your server could sign a statement about the headers and what
it knows. Basically it could introduce a header which is effectively a
signature of everything below that header. That way you are only signing
for yourself and signing something you believe.


Jeffrey Goldberg                +44 (0)1234 750 111 x 2826
 Cranfield Computer Centre      FAX         751 814
Relativism is the triumph of authority over truth, convention over justice.
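
Added example, not part of the original message or of Exim: a sketch of the "header that signs everything below it" idea from the reply above, which also shows the quoted-printable question it raises (the signature covers the bytes as relayed, so re-encoding the body breaks it). Assumptions: HMAC-SHA256 with a relay-held key stands in for a PGP signature, and the header name `X-Relay-Signature`, the key, the note text and the sample message are all constructed for illustration.

```python
import hashlib
import hmac
import quopri

SERVER_KEY = b"constructed-demo-key"  # assumption: secret held only by the relay
SIG_HEADER = b"X-Relay-Signature"     # hypothetical header name

def _canon(lines):
    # Rejoin with CRLF so LF/CRLF rewriting in transit does not change the MAC.
    return b"".join(line + b"\r\n" for line in lines)

def _mac(note, lines):
    # HMAC-SHA256 stands in for the PGP signature the thread is about.
    data = note + b"\r\n" + _canon(lines)
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest().encode()

def sign(raw, note):
    """Prepend a header covering the relay's statement and every line below it."""
    lines = raw.splitlines()
    header = SIG_HEADER + b": " + note + b"; mac=" + _mac(note, lines)
    return header + b"\r\n" + _canon(lines)

def verify(msg):
    """Find the signature header and check it against everything below it."""
    lines = msg.splitlines()
    prefix = SIG_HEADER + b": "
    for i, line in enumerate(lines):
        if line == b"":  # end of headers, no signature header found
            return False
        if line.startswith(prefix):
            note, sep, mac = line[len(prefix):].rpartition(b"; mac=")
            return bool(sep) and hmac.compare_digest(mac, _mac(note, lines[i + 1:]))
    return False

def reencode_8bit(msg):
    """What a later hop might do: decode quoted-printable and pass the body as 8bit."""
    head, _, body = msg.partition(b"\r\n\r\n")
    head = head.replace(b"quoted-printable", b"8bit")
    return head + b"\r\n\r\n" + quopri.decodestring(body)

# Constructed sample message, not taken from the thread.
SAMPLE = (b"From: user@example.org\r\n"
          b"Content-Transfer-Encoding: quoted-printable\r\n"
          b"\r\n"
          b"caf=E9 at noon\r\n")

if __name__ == "__main__":
    signed = sign(SAMPLE, b"submitted-via=smtp-auth")
    print(verify(signed))                             # signature as issued
    print(verify(b"Received: by hop2\r\n" + signed))  # header added above is not covered
    print(verify(reencode_8bit(signed)))              # same text, different bytes
```

Because the relay signs only its own statement plus the bytes it handled, it vouches for what it saw rather than for the sender's identity; with a real PGP key in place of the HMAC, recipients could verify without sharing the relay's secret.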