[Mailman-Developers] PGP and Mailman
stefan.schlott at informatik.uni-ulm.de
Tue Mar 1 21:01:06 CET 2005
> I will write and publish a patch which integrates PGP signature
> validation and re-encryption of encrypted posts to mailman. Specs are:
Don't duplicate work which has already been done :-) I made
modifications to mailman 2.1.5 for encrypted mailinglists, but I kept
quiet for testing. The test installation seems to behave pretty stably
now, so this seems to be a good point for making the patch public.
The patch (and a German status of the project) is here:
Direct link to the patch:
> - A post will be distributed only if the PGP signature on the post is from
> one of the list members.
Not implemented in my patch. Signatures are recognised but not used as
means of authentication for sending to the list.
> - For sending encrypted email, a list member encrypts to the public key of
> the list. The post will be decrypted and re-encrypted to the public keys
> of all list members.
> (Later, the patch will handle RFC 2633 (S/MIME) messages too, next to
> RFC 2440 (OpenPGP)).
Modular extension of my patch should be possible.
Features of the patch:
- Web interface for key upload (list key, users' keys)
- Several policies for accepting and delivering mails:
  - Incoming mail must not / may / must be encrypted
  - Outgoing mails must not / may / must be encrypted
- Information on poster's signature embedded in redistributed message
- Incoming mail formats: Inline-PGP and PGP/MIME
- Outgoing mail formats: Currently PGP/MIME only
Current problems: Inline-PGP has never been standardised. This is awful.
Every mailer does it a little bit differently (content type of mail,
encryption of attachments, treatment of encoding scheme). There is still
work to do.
> So, the plan:
> I think one way to implement it would be to add two modules to
> GLOBAL_PIPELINE: in front, before SpamDetect, there would be 'PGPCheck'.
At this place, I implemented decryption (and encryption policy enforcement).
> A second new module in GLOBAL_PIPELINE would be 'PGPRecrypt', to be
> called after 'CookHeaders' and before 'ToDigest'. This would, if needed,
> decrypt the message and reencrypt it to all recipients, and would sign
I found no elegant way for distributing encrypted mails, so I patched a
copy of the SMTPDirect handler. Currently, every mail is delivered
separately (as done for personalised mails); I didn't figure out at
first glance how chunking works... otherwise, a mail might be encrypted
to several recipients - increasing its length by several bytes, but
reducing the number of forks of gpg processes.
> For all PGP handling, I plan to use Frank J. Tobin's GnuPGInterface (
> http://py-gnupg.sourceforge.net/ ).
That's what I used. Mind that py-gnupg (and gpgme, too) forks a gpg
process for every operation. In large lists, this is pretty costly.
What do you think? The whole signature thing you planned is still
missing, and inline-pgp needs some more work.
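
Added example, not part of the original post and not code from the patch it describes: a sketch of the incoming-mail check discussed above, classifying a post as PGP/MIME, inline PGP or plaintext and applying the "must not / may / must be encrypted" policy. The function names, policy constants and sample messages are assumptions constructed for illustration; no decryption is performed.

```python
import base64
from email import message_from_string

# Policy names mirror the post's "must not / may / must be encrypted".
MUST_NOT, MAY, MUST = "must_not", "may", "must"
ARMOR = b"-----BEGIN PGP MESSAGE-----"

def encryption_format(msg):
    """Classify a parsed message as 'pgp-mime', 'inline' or None (plaintext)."""
    proto = msg.get_param("protocol", "")
    if (msg.get_content_type() == "multipart/encrypted"
            and isinstance(proto, str)
            and proto.lower() == "application/pgp-encrypted"):
        return "pgp-mime"
    # Inline PGP has no standard, so look for armor in every leaf part and
    # undo the transfer encoding (base64, quoted-printable) before searching.
    for part in msg.walk():
        if not part.is_multipart():
            if ARMOR in (part.get_payload(decode=True) or b""):
                return "inline"
    return None

def accept_incoming(msg, policy):
    """Return (accepted, detail) for one post under the list's incoming policy."""
    fmt = encryption_format(msg)
    if policy == MUST and fmt is None:
        return False, "rejected: list requires encrypted posts"
    if policy == MUST_NOT and fmt is not None:
        return False, "rejected: list does not accept encrypted posts"
    return True, fmt or "plaintext"

# Constructed sample messages (placeholder bodies, no real ciphertext).
_BODY = ARMOR + b"\n\nplaceholder\n-----END PGP MESSAGE-----\n"
SAMPLES = {
    "pgp-mime": message_from_string(
        'Content-Type: multipart/encrypted; boundary="b";\n'
        ' protocol="application/pgp-encrypted"\n\n'
        "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
        "--b\nContent-Type: application/octet-stream\n\n"
        + _BODY.decode() + "--b--\n"),
    "inline-b64": message_from_string(
        "Content-Type: text/plain\nContent-Transfer-Encoding: base64\n\n"
        + base64.b64encode(_BODY).decode() + "\n"),
    "plain": message_from_string("Content-Type: text/plain\n\nhello list\n"),
}

if __name__ == "__main__":
    for name, m in SAMPLES.items():
        print(name, [accept_incoming(m, p) for p in (MUST_NOT, MAY, MUST)])
```

The base64 sample shows why a check on the raw body text is not enough: the armor header only becomes visible after the transfer encoding is decoded.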