
Re: Mail processing tool



/ 2004-01-25 11:06:08 -0700
\ s. keeling:
> > This sounds like an ideal job for the combination of the rather
> > appropriately named tools fetchmail and procmail, which - to no big
> > surprise - are suitable to fetch and process mail.
> 
> Agreed.  Add on gnupg for signature verification and decryption
> (perhaps callable by procmail).
> 
> I'm not surprised there isn't one monolithic tool to do what you ask;
> you're asking a lot.  Chaining one existing specific tool after
> another to build up your overall system is the way to go.

maybe below helps ;)

	Lars Ellenberg

# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--

#!/bin/bash

# Example proof of concept script to sign and encrypt a bash script,
# decrypt it, and execute it when it verifies ok.
#
# you obviously want to add some error handling, archive and log functionality,
# and work in some exclusive, (maybe `mktemp -d`ed ?) directory.
#
# of course you want to have more than one key, and a more
# interesting passphrase ...
#
# copyleft today, no rights reserved ;)
#

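# Demo identity and key material.  All key files live next to the script as
# "$KEYRING".{pub,sec,mantra}; gen_key() deletes and recreates them.
KEYRING='./foo'
# gpg options selecting that private keyring pair.  Deliberately a plain
# string: the call sites expand $GPGOP unquoted so it word-splits into
# separate arguments.  It is extended further down (--trusted-key), so it
# must not be made readonly.
GPGOP="--no-default-keyring --keyring ${KEYRING}.pub --secret-keyring ${KEYRING}.sec"
# Key passphrase.  Defaults to the demo value but may be supplied from the
# environment instead of being edited into the script; gen_key() still
# writes it to "$KEYRING".mantra for the --passphrase-fd redirections.
MANTRA=${MANTRA:-abc}
# User ID components of the demo key; they also appear verbatim in the
# expected gpg output that the verification step compares against.
REALNAME='Joe Tester'
EMAIL='joe@foo.bar'
COMMENT='with stupid passphrase'

# Plaintext script that gets signed, encrypted, decrypted and executed.
SAMPLE_SCRIPT='./dummy-script'

# Files created below (passphrase, keyrings, plaintext) are owner-readable only.
umask 077
# LANG is cleared, presumably so gpg's diagnostics stay in English (the
# verification step compares English text); PATH is pinned so gpg, rm and
# cat resolve to the system binaries.
export LANG=
export PATH=/bin:/usr/bin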

#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#

#
# CAREFUL! this does             rm $KEYRING.*
#
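#######################################
# Create a fresh demo key pair (DSA primary key + ELG-E encryption subkey).
# CAREFUL: begins by deleting every "$KEYRING".* file - both keyrings and
# the stored passphrase - and then regenerates them.
# Globals:  KEYRING, MANTRA, REALNAME, COMMENT, EMAIL (read)
# Outputs:  "$KEYRING".pub and "$KEYRING".sec (written by gpg),
#           "$KEYRING".mantra (plain-text passphrase; created under the
#           umask 077 set above, i.e. owner-only)
# Returns:  exit status of gpg --gen-key
#######################################
gen_key()
{
	# -f: nothing to remove on the very first run; --: the path is never an option.
	rm -f -- "$KEYRING".*
	# The passphrase file feeds the --passphrase-fd redirections in
	# encrypt()/decrypt(); only the umask protects it on disk.
	printf '%s\n' "$MANTRA" > "$KEYRING".mantra
	# Unattended key generation from gpg's batch parameter format.  The
	# passphrase travels on stdin, not on the command line.  <<- strips the
	# leading tabs only, so this body has to stay tab-indented.
	gpg --batch --gen-key <<-___
	%echo Generating a standard key
	Key-Type: DSA
	Key-Length: 1024
	Subkey-Type: ELG-E
	Subkey-Length: 1024
	Name-Real: $REALNAME
	Name-Comment: $COMMENT
	Name-Email: $EMAIL
	Expire-Date: 0
	Passphrase: $MANTRA
	%pubring $KEYRING.pub
	%secring $KEYRING.sec
	# Do a commit here, so that we can later print "done" :-)
	%commit
	%echo done
	___
}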

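#######################################
# Sign (as REALNAME) and encrypt (to REALNAME) one file, ASCII-armored,
# writing the result to stdout.
# Arguments: $1 - path of the plaintext file
# Globals:   KEYRING, GPGOP, REALNAME (read)
# Returns:   gpg's exit status
#######################################
encrypt()
{
	# The passphrase is handed over on fd 10 instead of as an argument, so
	# it is not visible in the process list.  GPGOP must stay unquoted: it
	# is a space-separated option list.
	# shellcheck disable=SC2086
	gpg $GPGOP --passphrase-fd 10 --no-encrypt-to --batch \
		-u "$REALNAME" -r "$REALNAME" \
		--sign --encrypt --armor --output - "$1" \
		10< "$KEYRING".mantra
}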

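#######################################
# Decrypt one armored message to stdout and verify its embedded signature.
# gpg's diagnostics (the "encrypted with ... / Signature made ... / Good
# signature" lines) go to stderr; the caller captures them and compares
# them against EXPECTED_GPG_OUTPUT.  NOTE(review): GnuPG's --status-fd
# gives a machine-readable verdict instead of version-dependent prose.
# Arguments: $1 - path of the armored, signed and encrypted file
# Globals:   KEYRING, GPGOP (read)
# Returns:   gpg's exit status
#######################################
decrypt()
{
	# Passphrase on fd 10, keeping it out of the argument list; GPGOP is
	# intentionally unquoted (option list).
	# shellcheck disable=SC2086
	gpg $GPGOP --passphrase-fd 10 --decrypt --batch "$1" \
		10< "$KEYRING".mantra
}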



# gen_key                # <<=== uncomment for the first run


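# Look up the long key IDs of the demo identity from the colon-separated
# listing: field 5 of the first "pub:" record is the primary (DSA, signing)
# key, field 5 of the first "sub:" record is the ELG-E encryption subkey
# (despite its name, SECID is the subkey ID, not a secret key).
# shellcheck disable=SC2086
PUBID=$(gpg $GPGOP --with-colons --list-keys "$REALNAME" | awk -F: '$1 == "pub" { print $5; exit }')
# shellcheck disable=SC2086
SECID=$(gpg $GPGOP --with-colons --list-keys "$REALNAME" | awk -F: '$1 == "sub" { print $5; exit }')
# Presumably keeps trust warnings out of gpg's stderr, which the exact
# match below could not tolerate - confirm against the gpg version in use.
GPGOP="$GPGOP --trusted-key $SECID"

#
# Reference text for the authenticity check: the decrypt step's stderr must
# match this as a [[ == ]] glob pattern.  Each "*" matches any run of
# characters, newlines included, so the creation date and the signature
# timestamp are wildcards, and the key IDs are compared by their last 8 hex
# digits (short key ID) only.  The real anchor is that gpg only knows the
# keys in "$KEYRING".pub.  The wording is that of "gpg (GnuPG) 1.0.7";
# other versions need an adjusted text (or --status-fd parsing instead).
#
CREATION_DATE="*" # replace with the real creation date to pin it down
EXPECTED_GPG_OUTPUT="\
gpg: encrypted with 1024-bit ELG-E key, ID ${SECID: -8}, created $CREATION_DATE
      \"$REALNAME ($COMMENT) <$EMAIL>\"
gpg: Signature made * using DSA key ID ${PUBID: -8}
gpg: Good signature from \"$REALNAME ($COMMENT) <$EMAIL>\"\
"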

#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#

#
# prepare a demo script
# 
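# -f: nothing to remove on the first run; --: the path is never an option.
rm -f -- "$SAMPLE_SCRIPT"{,.asc,.clear}
# Quoted delimiter: the body is written literally, so $0 and $* expand when
# the demo script runs, not now.  <<- strips the leading tabs.
cat <<-'___' > "$SAMPLE_SCRIPT"
	echo "executing dummy-script"
	echo " as $0 $*"
	echo "done."
___

#
# sign and encrypt it; the armored .asc is what would travel by mail
#
encrypt "$SAMPLE_SCRIPT" > "$SAMPLE_SCRIPT".asc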

#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#
# mail it: mail -s "asdf" "$TARGET" < "$SAMPLE_SCRIPT".asc 
# the nice thing about gpg -se --armor is, that the gpg --decrypt
# later ignores the additional mail headers...
#
# receive it: fetchmail ...
#
# if you choose to let fetchmail deliver into maildir, you
# can simply have a daemon process check ./new/ every so often,
# then process every single file, and move it to ./cur/ if you are
# done with it...
#
# --=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--
#
# now:

#
# decrypt it, capture the gpg output
#
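# Capture gpg's diagnostics (stderr) while the plaintext goes to the .clear
# file.  Redirection order matters: 2>&1 first points stderr at the
# substitution, then > sends only stdout to the file.
OUTPUT=$(decrypt "$SAMPLE_SCRIPT".asc 2>&1 > "$SAMPLE_SCRIPT".clear)

# RHS unquoted on purpose: EXPECTED_GPG_OUTPUT is a glob pattern (its "*"
# stand for the timestamps).  Anything unexpected - bad signature, unknown
# key, an extra warning line - makes the match fail, i.e. this fails closed.
# shellcheck disable=SC2053
if [[ $OUTPUT == $EXPECTED_GPG_OUTPUT ]] ; then
	# Only a verified plaintext gets executed.
	# maybe you rather choose to:
	# /bin/bash -e "$SAMPLE_SCRIPT".clear
	/bin/bash "$SAMPLE_SCRIPT".clear
	# don't forget to cleanup now
	exit 0
else
	# Everything from here on is diagnostic output: send it to stderr.
	exec 1>&2
	printf '%s\n' ============= "$OUTPUT" ============= FAILED
	# gpg has already written the unverified plaintext; do not leave it
	# behind where a later step could run it by mistake.
	rm -f -- "$SAMPLE_SCRIPT".clear
	exit 77 # which according to /usr/include/sysexits.h is EX_NOPERM
fi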


