From: Peter P. <ro...@ri...> - 2024-06-25 09:55:11
On Tue, Jun 25, 2024 at 11:10:31AM +0200, Carlos E. R. wrote:
> On 2024-06-25 03:55, q17nsisr--- via Fetchmail-users wrote:
> > Greetings fetchmail-users mailing list!!
> >
> > My mail fetching setup currently looks like this:
> > remote mail server <-> fetch <-> local maildir <-> local mail server <-> local e-mail client
> >
> > Where email on the remote mail server is pgp/mime encrypted with the subject header hidden or replaced as supported by several of the email services listed below:
> > https://www.privacyguides.org/en/email/ - Encrypted Private Email Recommendations - Privacy Guides
> > https://www.privacyguides.org/en/email-aliasing/ - Email Aliasing - Privacy Guides
> >
> > I would like to alter the "... <-> fetch <-> local maildir <-> ..." part of my mail fetching setup so that the fetched email is automatically decrypted during or after the fetching process and before this mail is seen by the local mail server or email client.
> > Does anyone on this mailing list have any advice or tips for doing this?
>
> Probably adding procmail and maybe formail.

SCNR, but I would really, really, really strongly recommend against using procmail in the year 2024. Maildrop has a clear, easy to learn syntax, and it makes it much harder to make a mistake writing a rule or to forget about any kind of unspecified default behavior.

Also, I think the real issue here would be the fact that unattended decryption would mean that there is a copy of the OpenPGP key that is either stored somewhere unprotected (no passphrase), or is loaded into some kind of agent, again, unprotected in memory. In either case this opens an avenue of attack for Somebody(tm) to use that unprotected copy of the key, either for decrypting other encrypted material they have obtained, or, if the key has multiple capabilities, even for signing things.

Once that is dealt with (and "I don't care" is a way to deal with it, albeit one that I would very strongly discourage), there is also the interesting aspect of making sure that the decrypted messages do NOT go into the same maildir or IMAP folder or whatever as any unencrypted messages received, because then there would be no way to tell if a certain message was encrypted and decrypted or just looks like one.

There is also an additional interesting aspect that OpenPGP messages have more data in the OpenPGP structure, such as integrity hashes, possibly a signature from the sender, etc, and some of that data may be lost if only the decrypted copy is saved.

G'luck,
Peter

--
Peter Pentchev ro...@ri... ro...@de... pe...@mo...
PGP key: https://www.ringlet.net/roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
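The delivery step the thread describes, written out as an added Python example (this is not fetchmail's, maildrop's or Peter's code): a PGP/MIME message is recognised by its RFC 3156 structure, the ciphertext is stored untouched in its own Maildir, and the decrypted copy lands in a second, separate Maildir carrying a marker header that points back at the stored ciphertext; mail that arrived in the clear goes to a third Maildir. The `gpg_decrypt` function assumes `gpg` is on PATH with a key usable in batch mode (exactly the exposure discussed above); `stub_decrypt`, the sample messages, the `X-Decrypted-From` header and every function name are constructed for this demo, and `run_demo` exercises the whole flow offline in temporary Maildirs.

```python
import email.policy
import mailbox
import subprocess
import tempfile

POLICY = email.policy.default
# Copied from the outer message only when the decrypted inner entity lacks them.
OUTER_HEADERS = ("From", "Message-ID", "Subject")

# Constructed sample input: not real mail, not real ciphertext.
CONSTRUCTED_PGP_MIME = b"""\
From: alice@example.test
Message-ID: <constructed-1@example.test>
Subject: ...
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
CONSTRUCTED-NOT-REAL-CIPHERTEXT
-----END PGP MESSAGE-----
--b1--
"""
CONSTRUCTED_PLAIN = b"""\
From: carol@example.test
Subject: Constructed plain message

Nothing encrypted here.
"""
# The inner MIME entity gpg would emit after decrypting, with its own Subject.
CONSTRUCTED_PLAINTEXT = b"""\
Subject: Constructed inner subject
Content-Type: text/plain; charset=utf-8

Hello from inside the envelope.
"""

def is_pgp_mime(msg):
    """RFC 3156 layout: multipart/encrypted, version part, then octet-stream ciphertext."""
    if (msg.get_content_type() != "multipart/encrypted"
            or msg.get_param("protocol") != "application/pgp-encrypted"):
        return False
    parts = msg.get_payload()
    return (len(parts) == 2
            and parts[0].get_content_type() == "application/pgp-encrypted"
            and parts[1].get_content_type() == "application/octet-stream")

def gpg_decrypt(blob):
    """Real decrypt step; unattended use needs a prompt-free key, so keep it decrypt-only."""
    return subprocess.run(["gpg", "--batch", "--quiet", "--decrypt"],
                          input=blob, capture_output=True, check=True).stdout

def stub_decrypt(blob):
    """Constructed stand-in for gpg_decrypt so the demo runs offline."""
    return CONSTRUCTED_PLAINTEXT

def build_decrypted_copy(outer, plaintext, ciphertext_key):
    """Standalone message from the decrypted entity, tagged with its ciphertext's key."""
    inner = email.message_from_bytes(plaintext, policy=POLICY)
    for name in OUTER_HEADERS:
        if name not in inner and name in outer:
            inner[name] = outer[name]  # a protected inner Subject wins over "..."
    inner["X-Decrypted-From"] = ciphertext_key  # hypothetical marker header
    return inner

def route(raw, encrypted_box, decrypted_box, plain_box, decrypt=gpg_decrypt):
    """Deliver one fetched message; returns the action taken."""
    msg = email.message_from_bytes(raw, policy=POLICY)
    if not is_pgp_mime(msg):
        plain_box.add(raw)
        return "plain"
    # Ciphertext is stored first and never modified, so signature/integrity data survives.
    key = encrypted_box.add(raw)
    try:
        plaintext = decrypt(msg.get_payload()[1].get_payload(decode=True))
    except (subprocess.CalledProcessError, OSError):
        return "encrypted-only"
    decrypted_box.add(build_decrypted_copy(msg, plaintext, key))
    return "decrypted"

def run_demo(root=None):
    """Route the constructed samples through three fresh Maildirs, offline."""
    root = root or tempfile.mkdtemp(prefix="pgpmime-demo-")
    boxes = [mailbox.Maildir(f"{root}/{n}", create=True)
             for n in ("encrypted", "decrypted", "plain")]
    actions = [route(m, *boxes, decrypt=stub_decrypt)
               for m in (CONSTRUCTED_PGP_MIME, CONSTRUCTED_PLAIN)]
    def headers(box, name):
        return [str(email.message_from_bytes(box.get_bytes(k), policy=POLICY)[name])
                for k in box.keys()]
    return {"actions": actions,
            "encrypted": headers(boxes[0], "Subject"),
            "decrypted": headers(boxes[1], "Subject"),
            "plain": headers(boxes[2], "Subject"),
            "linked": headers(boxes[1], "X-Decrypted-From") == list(boxes[0].keys())}
```

Running `run_demo()` shows the encrypted Maildir holding the original with its hidden `...` subject, the decrypted Maildir holding a copy whose subject comes from inside the envelope and whose marker header names the stored ciphertext, and the plain message in neither of them. In a real deployment the same `route` function would be called by the delivery agent for each fetched message with `gpg_decrypt`, and the "encrypted-only" outcome (decryption failed, ciphertext kept) is the safe default rather than an error to retry in a loop.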