albrecht.dress at arcor.de
Tue Aug 16 21:07:16 CEST 2005
Am 16.08.05 20:22 schrieb(en) Michael Nguyen:
> I'm creating a Postfix content filter for the company that automatically
> does GPG encryption/decryption on incoming and outgoing corporate mail.
This sounds like an ineresting idea!
However, are you sure you want to do this on the *mta* level? Most mua's
(balsa, evolution, kmail, thunderbird, ...) support encryption, which
seems to be the more logical approach to me. Apart from that, it offers
more security for the user, as incoming messages are decrypted only on the
user's machine and using a (hopefully really secure) passphrase only known
by the user.
> What I wanted to do is have the user's private and public key stored as
> a TEXT type in MySQL.
Why don't you use the usual gpg key ring for that, maybe with automatic
retreival of missing keys from a key server? You could store the
fingerprint as TEXT, but gpg(me) can use email addresses to fetch keys.
> - Content filter knows who's sending the email and who the recipients
Not sure if Postfix offers all recipients to the filter. But remember that
the bcc recipients *must* be treated separately, i.e. they must receive a
different message as the key id's of all "recipients" can be extracted
from the crypto envelope.
> - Filter uses this user information to encrypt the message
So the whole content is put into a rfc3156 multipart/encrypted container,
maybe signed by a "company key"?
If you are concerned about security and want to force the users to encrypt
messages, another approach might be to reject (bounce) unencrypted
messages (i.e. with a top-level MIME content type other than
multipart/encrypted) to certain recipients and/or incoming ones from
> I do something similar for incoming delivery (except that it's even
> easier because I don't have to search for recipients).
I wonder if this is a good idea... If I send someone an encrypted message,
I would assume that this is a "for her/his eyes only" one. IMHO some kind
of company-wide automatic decryption breaks privacy (and may even be
forbidden by law, at least in Europe).
Just my € 0.01...
Albrecht Dreß - Johanna-Kirchner-Straße 13 - D-53123 Bonn (Germany)
Phone (+49) 228 6199571 - mailto:albrecht.dress at arcor.de
GnuPG public key: http://home.arcor.de/dralbrecht.dress/pubkey.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : /pipermail/attachments/20050816/cbe5a3b8/attachment.pgp
More information about the Gnupg-devel