Signing all outgoing mails on MTA, not on MUA
steve at srevilak.net
Sat Mar 28 16:51:34 CET 2009
-----BEGIN PGP SIGNED MESSAGE-----
grover> We'd like to be able to sign all our outgoing mails.
grover> But not on each client system, which would mean everyone has
grover> to install some plugin or gpg-aware mail client, but on the
grover> mailserver itself.
grover> This way nobody has to think about it and signing works
grover> transparently for everyone. We would have one key for all,
grover> like a corporate key.
cbabcock> The corporate value of public key cryptography is much more
cbabcock> readily attained using DKIM. Milter setup and key management
cbabcock> for signing DKIM mail is pretty straight forward. You place
cbabcock> your key in Text records in DNS. That establishes a
cbabcock> meaningful connection between the identity of the sender (or
cbabcock> at least ownership of the mail server) and the owner of the
cbabcock> domain. Setting up DKIM with Postfix was at least as easy as
cbabcock> setting up GPG with Claws and it makes an identity assertion
cbabcock> that is appropriate for a server environment.
I agree with Chris -- this seems like a good application for DKIM.
In addition to non-repudiation, some email service providers will be
much less likely to categorize DKIM-signed messages as spam (if that
kind of thing matters to you.)
One DKIM implementation I've used is
<http://sourceforge.net/projects/dkim-milter/>. dkim-milter is very
straightforward to set up with sendmail, and I know of people who've
used it with postfix (configured as a mail filter.)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (Darwin)
-----END PGP SIGNATURE-----
More information about the Gnupg-users