[Mimedefang] Using Mail::GPG in filter to examine PGP attachments and messagebody

[Richard Laager]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> $pass=<PASS>;
> my $gpg = Mail::GPG->new(default_key_id=>'4B771017', 
> default_passphrase=>$pass,
> 	debug=>1,
> 	gnupg_hash_init=>{ armor   => 1,
>                          batch   => 1,
>                          homedir => '/home/defang'} );

Are you really sure you want to do this? The whole point of
end-to-end encryption is to protect from attacks along the way. If
you have the private key and passphrase available on the mail server,
it becomes a single point of failure that would break the encryption
on all of the messages, past and future.

I would recommend that you simply check that the message was
encrypted to the corporate key. Don't actually decrypt it. This does
mean that someone could edit the PGP data to make it look like the
message was encrypted to the corporate key when it wasn't. If this
happens, what is lost? The original recipient can still read the
message, you simply can't decrypt it later with the corporate key.
This may or may not be a problem in your situation.

By the way, E3AA17BD actually looks more like the corporate key (by
its name and the fact that it can revoke your key). For either key,
you've got one subkey setup -- size 2048, never expires. Especially
for a long-life corporate key, you should setup multiple encryption
subkeys with expiration dates. That way, the compromise of one subkey
will only compromise messages that were encrypted to that subkey.


Richard Laager

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2
Comment: If you don't know what this is, you can safely ignore it.

iQA/AwUBQOm/Tm31OrleHxvOEQJ7FwCg2YPuTb/p3xZGa3ZS0BgnOJbEvLEAoKhU
qdbzlcw8IUvOs4C6PuAZHLO/
=QpMk
-----END PGP SIGNATURE-----