[Mimedefang] Using Mail::GPG in filter to examine PGP attachments and message body

Paul Murphy pmurphy at ionixpharma.com
Mon Jul 5 14:08:35 EDT 2004


I'm trying to implement a corporate policy on use of encryption, with
restrictions in the filter to enforce the policy as much as possible.

The elements of the policy are:

1.  All mail to selected domains must be encrypted
2.  Encryption is to be all or nothing - if any unencrypted part is found, the
mail is to be rejected
3.  All messages must be encrypted to at least two internal keys, one of which
must be the corporate key to ensure that we can recover the message contents if
required.  The corporate key ID is 4B771017.

I have a working filter which is capable of spotting encrypted messages by the
presence of a .PGP or .ASC attachment, and also by the presence of a PGP message
block in a text/plain body, but in order to do the rest, I need to be able to
get some details about the keys in the message, and so I have to use something
like Mail::GPG to get the details.

Here is my subroutine to check entities:

use Mail::GPG;

# $Sender and md_syslog() come from the MIMEDefang filter environment.
# $gpgcomments collects signature notes across the entities of one message;
# nothing here resets it, so clear it in filter_begin() or one message's
# signers are carried into the next message's log line.
our $gpgcomments;

sub pgp_check($$$)
{
my ($entity, $fname, $type) = @_;

my $reciplist = '';

# passphrase for the corporate key; strip the trailing newline
open(my $passfh, '<', '/home/defang/.gpgpass')
    || die "Cannot open GNUPG passphrase file: $!";
my $pass = <$passfh>;
close($passfh);
chomp($pass);

my $gpg = Mail::GPG->new(
    default_key_id     => '4B771017',
    default_passphrase => $pass,
    debug              => 1,
    gnupg_hash_init    => { armor   => 1,
                            batch   => 1,
                            homedir => '/home/defang' },
);

# try to use GNUPG to work out the keyholders (!)
my $encrypted = $gpg->is_encrypted(entity => $entity);

if ($encrypted)
  {
  my ($decrypted_entity, $result) = $gpg->decrypt(
             entity     => $entity,
             passphrase => $pass,
             );

  $encrypted              = $result->get_is_encrypted;
  my $decryption_ok       = $result->get_enc_ok;
  my $encryption_key_id   = $result->get_enc_key_id;
  my $encryption_mail     = $result->get_enc_mail;
  my $signed              = $result->get_is_signed;
  my $signature_ok        = $result->get_sign_ok;
  my $signed_key          = $result->get_sign_key_id;
  my $signed_mail         = $result->get_sign_mail;
  my $signed_mail_aliases = $result->get_sign_mail_aliases;
  my $stdout_sref         = $result->get_gpg_stdout;
  my $stderr_sref         = $result->get_gpg_stderr;
  my $gpg_exit_code       = $result->get_gpg_rc;
  if ($encrypted)
    {
    if ($decryption_ok)
      {
      my ($key_id, $key_mail) = $gpg->query_keyring(search => $encryption_key_id);
      $reciplist .= ":$key_mail($encryption_mail/$key_id)";
      }
    if ($signed)
      {
      $gpgcomments .= " Signed by $signed_mail($signed_key)";
      }
    }
  # gpg names every recipient key on stderr, one line each, e.g.
  #   gpg: encrypted with 1024-bit ELG-E key, ID 4B771017, created 2004-01-01
  # pick the ID out of the line rather than trusting its word position
  foreach my $line (split(/\n/, $$stderr_sref))
    {
    if ($line =~ /encrypted with .*?\bID ([0-9A-Fa-f]+)/)
      {
      my $key = $1;
      my ($key_id, $key_mail) = $gpg->query_keyring(search => $key);
      $reciplist .= ":$key_mail($key_id)";
      }
    }
  }
# now log the details
if ($encrypted)
  {
  md_syslog('info', "GnuPG debug - $Sender,$fname,$reciplist,$gpgcomments");
  }
return 1;
}

When running this check from filter(), the slave dies with the following
messages to STDERR:

gpg: CRC error; 53ae1d - dc353a
gpg: quoted printable character in armor - probably a buggy MTA has been used

However, the documentation for MIME::Parser and MIME::Tools suggests that the
entity should already have been decoded.  Testing with a script which creates a
MIME::Entity by calling parse_open on a captured mail file has similar results,
but if I manually take out the quoted-printable encoding (replacing =3D by = in
two places), then it works as expected.

Any idea why it thinks the entity is still encoded?

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788


_______________________________________________________________________
DISCLAIMER:
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to which they
are addressed.  If you have received this email in error please contact
the sender or the Ionix IT Helpdesk on +44 (0) 1223 433741
_______________________________________________________________________ 
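As an added example (not code from the post, and not part of Mail::GPG or MIMEDefang), here is one way to decide the three policy rules above once the filter has gpg's stderr for each PGP part; the second internal key ID `DEADBEEF`, the domain `partner.example` and the sample stderr text are constructed.

```perl
# Added example: evaluate the posted policy from facts the filter can gather.
# The second internal key, the domain list and the gpg text are made up.
use strict;
use warnings;

my $CORPORATE_KEY = '4B771017';    # corporate recovery key, from the post
my %INTERNAL      = map { $_ => 1 } ($CORPORATE_KEY, 'DEADBEEF');   # hypothetical
my %MUST_ENCRYPT  = map { $_ => 1 } ('partner.example');            # hypothetical

# Key IDs gpg names on stderr while decrypting, one line per recipient key:
#   gpg: encrypted with 1024-bit ELG-E key, ID 4B771017, created 2004-01-01
sub recipient_key_ids {
    my ($stderr) = @_;
    my %ids;
    for my $line (split /\n/, $stderr) {
        $ids{uc $1} = 1 if $line =~ /encrypted with .*?\bID ([0-9A-Fa-f]{8,16})\b/;
    }
    return sort keys %ids;
}

# recipients: MIMEDefang-style '<user@domain>' strings
# parts: one hash per MIME part, { encrypted => 0|1, gpg_stderr => '...' }
# Returns (1, 'ok') or (0, reason).
sub policy_check {
    my (%a) = @_;
    my @plain = grep { !$_->{encrypted} } @{ $a{parts} };
    my @enc   = grep {  $_->{encrypted} } @{ $a{parts} };
    my $required = grep { /\@([^>\s]+)/ && $MUST_ENCRYPT{lc $1} } @{ $a{recipients} };
    return (0, 'mixed encrypted and clear parts') if @enc && @plain;          # rule 2
    return (0, 'encryption required for recipient domain') if $required && !@enc;  # rule 1
    return (1, 'no encrypted content to check') unless @enc;
    for my $part (@enc) {                                                     # rule 3
        my @ids = recipient_key_ids($part->{gpg_stderr});
        return (0, "not encrypted to corporate key $CORPORATE_KEY")
            unless grep { $_ eq $CORPORATE_KEY } @ids;
        return (0, 'encrypted to fewer than two internal keys')
            if scalar(grep { $INTERNAL{$_} } @ids) < 2;
    }
    return (1, 'ok');
}

# Constructed sample: one encrypted part, two recipient keys reported by gpg.
my ($ok, $why) = policy_check(
    recipients => ['<alice@partner.example>'],
    parts      => [ { encrypted => 1, gpg_stderr =>
        "gpg: encrypted with 1024-bit ELG-E key, ID 4B771017, created 2004-01-01\n"
      . "gpg: encrypted with 2048-bit RSA key, ID DEADBEEF, created 2004-02-02\n" } ],
);
print "$ok $why\n";
```

Dropping the second `encrypted with` line from the sample makes the check fail rule 3, and adding a part with `encrypted => 0` makes it fail rule 2 before the keys are examined.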