man kuvert (Commands) - automatically sign and/or encrypt mail based on the recipients

NAME

kuvert - automatically sign and/or encrypt mail based on the recipients

SYNOPSIS

kuvert [-d] [-b] [-r | -k | -n | -v]

DESCRIPTION

kuvert reads mails from its queue, analyzes the recipients, decides to whom it should encrypt and/or sign the mail using the PGP-MIME framework defined in RFC3156 and sends the mail using your real MTA. kuvert can use both old-style 2.x pgp(1) and modern gpg(1) at the same time, or can coerce gpg into producing pgp-2.x-compatible signatures/encrypted data.

The mail submission into the queue is usually done by kuvert_mta_wrapper(1).

The option -r causes an already running kuvert process to reload the configuration file and the keyring(s). This is done by sending a SIGUSR1 to the running process.

The option -d activates debugging output to syslog. kuvert does not fork when in debugging mode and processes just the first mail in the queue, after which it terminates.

If the option -b is given, then kuvert will send an error mail to the user whenever fatal errors are encountered.

The option -k makes kuvert kill an already running process.

With the option -n kuvert does not fork() but keeps running in the foreground.

The option -v makes kuvert output its version number and exit immediately.

At startup kuvert reads the keyring(s) and the configuration file, then usually forks and runs the queue once every 60 seconds. Whenever there is a file with a name consisting of digits only in the queue, kuvert will parse the MIME structure into a temporary directory using MIME::Parser(3pm).

kuvert then decides whether the mail shall be left as is, clear-text signed or signed and encrypted according to RFC3156. This decision is done independently for every recipient of the mail and works as follows:

• If a public key of the recipient is known, sign and encrypt.
• If no public key of the recipient is known, just sign.

There are some options governing or overriding this basic setup, see the section for details.

Please note that kuvert uses the and headers to determine the recipients. Recipients listed in a header are handled separately from all other recipients and do not affect the choice of actions for other recipients (i.e. handling of -force options). Additionally, if there is a header, kuvert will do no signing/encryption and send the mail just as it is to the recipients indicated in the header.

Afterwards the parsed MIME entity is amended with the signature or replaced with the encrypted data and is sent off using the MTA. The temporary directory is cleaned and kuvert processes either the next queued message or waits for new messages.

If there are problems, kuvert disables further processing of the respective queuefile (it adds a at the beginning of the filename, thus making the file ignored for further queue-runs) and sends an error message back to the sender.

CONFIGURATION

kuvert needs some configuration directives in its configuration file ~/.kuvert . This file is read at startup and whenever you have kuvert reread things using -r. Empty lines and lines starting with the pound sign (#) are ignored, as are lines containing directives kuvert cannot interpret.

Directives can either be:

• a directive name followed by whitespace and then a value,
• or a regular expression matching an email address, followed by whitespace and an action keyword.

The list of directives kuvert understands:

PGPPATH path
defines the old-style compatible pgp executable to be used. Default: /usr/bin/pgp
GPGPATH path
defines the gnupg-compatible new-style pgp executable to be used. Default: /usr/bin/gpg
USEPGP number
if number is not 0, kuvert will use the old-style pgp executable to generate old-style encryption/signatures. If it is 0, kuvert will use gpg in a compatibility mode to produce the old-style data. Please note: gpg needs the gnupg extension gpg-idea for this compatibility mode. You also have to set up gpg to automatically load this extension. Default: 0
MTA path-and-args
defines the Mail Transfer Agent kuvert should use. The MTA must read the mail text from stdin, support the flag -t, and also support multiple recipients given in separate arguments. Default: /usr/lib/sendmail -om -oi -oem
SECRETONDEMAND number
If SECRETONDEMAND is 1, kuvert will ask for the key passphrases on demand and just before signing. If SECRETONDEMAND is 0, then kuvert will query for passphrases on startup and store them itself (which is not very secure). SECRETONDEMAND is automatically set to 0 if GETSECRET or DELSECRET are not set. Default: 0
GETSECRET path-and-args
DELSECRET path-and-args
define what program to run to deal with externally stored passphrases, if SECRETONDEMAND is set; ignored otherwise. The path-and-args must contain "%s" which will be replaced with the key id in question. The program must print the passphrase on its standard output. GETSECRET is executed to retrieve a passphrase, while DELSECRET is used to delete passphrases. Default: none
ALWAYSTRUST number
if 1, add the alwaystrust parameter to gpg's invocation. See gpg(1) for details about this parameter. Default: 0
LOGFILE path
sets the file kuvert logs its actions to. The logs are appended to that file. Default: kuvert usually logs to syslog.
QUEUEDIR path
sets the directory where kuvert_mta_wrapper and kuvert put the queue of mails to be processed. Default: ~/.kuvert_queue
TEMPDIR path
sets the directory kuvert uses for temporary storage of the parts of the parsed MIME entity. Default: /tmp/kuvert.<uid>.<pid>.
INTERVAL number
sets the queue check interval. The unit is seconds. Default: 60 seconds
IDENTIFY number
if non-zero, kuvert adds a header to all mails it processes. Default: 0
NGKEY keyid
sets the owner's key id for new-style pgp/gpg. To disable new-style pgp/gpg completely, set the keyid to "0". Default: the first private DSA key found is used.
STDKEY keyid
sets the owner's key id for old-style pgp. To disable old-style pgp completely, set the keyid to 0. Default: the first private RSA key found is used.
DEFAULT action
specifies the action to be taken for unspecified recipient addresses. See the next paragraphs for an explanation of the action argument.

All lines not starting with the pound sign or a recognized directive are interpreted as a Perl regular expression followed by whitespace and an action keyword.

The regular expressions are applied to the email address of each recipient of the mail, and the action keyword describes how to modify kuvert's behaviour for that recipient.

The regular expression has to be written without the bracketing -characters. The regular expressions are evaluated case-insensitively, and in the order given in the configuration file. The first matching regexp ends the evaluation sequence.

The default action is to neither encrypt nor sign at all, so you should set a default that is reasonable for you using the DEFAULT directive.

The known action keywords are:

none
Send it as it is, do not sign or encrypt at all. The MIME structure of the mail is not changed in any way before sending. This is the default action. An explicitly set action of none is unaffected by any of the -force options or by the override header.
std
Use just old-style pgp. If there is an old-style key known, encrypt and sign using this old-style key and the owner's old-style key, otherwise just sign using the owner's old-style key.
ng
Use just new-style pgp, similar to the above.
stdsign
Never encrypt, just sign using the owner's old-style key.
ngsign
Never encrypt, just sign using the owner's new-style key.
fallback
Encrypt with new-style, old-style or sign with new-style (or std-style if no new-style private key is available). If there is a new-style key of the recipient known, encrypt and sign with this key, else if there is an old-style key, encrypt and sign with this key. Otherwise just sign with the owner's new-style key or (as last resort) the old-style key.
none-force
Force no encryption/signing for all recipients of this mail.
fallback-force
Force a fallback-type action for the recipients of this mail: encrypt and sign with new-style or old-style pgp if keys for the recipients are available, or sign with new-style pgp. Recipients with an action set to none are unaffected by fallback-force. Also note that a mixture of old-style and new-style encryption is possible with fallback-force.
ngsign-force, stdsign-force
Sign only for all affected recipients, with new-style or old-style pgp respectively. Again, recipients with action none are unaffected.
ng-force
Encrypt and sign for all recipients of this mail if there is a new-style key available for all of them, otherwise just sign for all of them using new-style pgp. The difference between this action and fallback-force is that no mixing of old-style and new-style pgp is possible here. Again, recipients with action none are unaffected.
std-force
like ng-force, but with old-style pgp. Again, recipients with action none are unaffected.

Additionally, you can specify an override for a single mail by adding a header to the mail of the form where action is one of the action keywords just listed above. This override will be applied to all recipients of the given mail and will override all action specifications given in the configuration file, except explicit none actions. Before finally sending an email kuvert will remove any existing override header from the email.

The various -force actions are intended for users who want to avoid sending cleartext (signed) and encrypted variants of the same mail to different recipients: You can either turn off encryption or signing completely, or use the maximum amount of privacy that is possible for a given set of recipients by checking for keys for everybody before deciding whether to encrypt or just sign.

The special handling for none does break this paradigm a bit, but it is necessary to make any -force option a safe choice for your action: otherwise kuvert would send mail signed or encrypted to recipients you know to be completely unable/unwilling to accept signed or encrypted mail (like mail robots). Therefore these were made unaffected (and disregarded) by the -force options.
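The following is an added example, not part of kuvert's own code, that models the configuration and decision rules described above: directive lines versus regex/action lines, case-insensitive first-match evaluation in file order, DEFAULT for unmatched addresses, the single -force action of a mail being applied to every recipient except those explicitly set to none, and the all-or-nothing key check of ng-force/std-force. The sample ~/.kuvert contents, addresses and key sets are constructed for the example; whether the regex is anchored or searched within the address, and that the owner has a new-style private key, are assumptions. No pgp or gpg is invoked.

```python
import re

# Directive and action names as listed in the kuvert man page.
DIRECTIVES = {"PGPPATH", "GPGPATH", "USEPGP", "MTA", "SECRETONDEMAND", "GETSECRET",
              "DELSECRET", "ALWAYSTRUST", "LOGFILE", "QUEUEDIR", "TEMPDIR",
              "INTERVAL", "IDENTIFY", "NGKEY", "STDKEY", "DEFAULT"}
PLAIN_ACTIONS = {"none", "std", "ng", "stdsign", "ngsign", "fallback"}
FORCE_ACTIONS = {"none-force", "fallback-force", "ngsign-force", "stdsign-force",
                 "ng-force", "std-force"}

# Constructed sample configuration (paths and addresses are made up for this example).
SAMPLE_CONFIG = r"""
# comment line, ignored
GPGPATH /usr/bin/gpg
DEFAULT fallback
FROBNICATE yes
^noreply@              none
^alice@example\.net$   ng
@example\.net$         ngsign
^lists@example\.org$   fallback-force
"""


def parse_config(text):
    """Return (settings, rules): settings maps directive -> value, rules is an ordered
    list of (compiled regex, action). Comments, blanks and uninterpretable lines are
    skipped, as the man page says kuvert does."""
    settings, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0], parts[1].strip()
        if key in DIRECTIVES:
            settings[key] = value
        elif value in PLAIN_ACTIONS | FORCE_ACTIONS:
            # regex/action line: evaluated case-insensitively, first match wins
            rules.append((re.compile(key, re.IGNORECASE), value))
        # anything else is a directive kuvert cannot interpret: ignored
    return settings, rules


def action_for(address, settings, rules):
    """First matching regex (in file order) decides; otherwise the DEFAULT directive;
    otherwise kuvert's built-in default of 'none'. Assumption: regex is searched
    anywhere in the address, so authors anchor with ^ and $ where they need to."""
    for regex, action in rules:
        if regex.search(address):
            return action
    return settings.get("DEFAULT", "none")


def outcome(action, address, ng_keys, std_keys):
    """Map a plain action plus key availability to what kuvert would do.
    Assumption: the owner has a new-style private key, so fallback signs new-style."""
    addr = address.lower()
    has_ng, has_std = addr in ng_keys, addr in std_keys
    if action == "none":
        return ("none", None)
    if action in ("ngsign", "stdsign"):
        return ("sign", action[:-4])
    if action == "ng":
        return ("encrypt+sign", "ng") if has_ng else ("sign", "ng")
    if action == "std":
        return ("encrypt+sign", "std") if has_std else ("sign", "std")
    if action == "fallback":
        if has_ng:
            return ("encrypt+sign", "ng")
        if has_std:
            return ("encrypt+sign", "std")
        return ("sign", "ng")
    raise ValueError(f"unknown action {action!r}")


def plan_mail(recipients, settings, rules, ng_keys, std_keys):
    """Decide the outcome for every recipient of one mail, honouring -force actions."""
    actions = {r: action_for(r, settings, rules) for r in recipients}
    forces = {a for a in actions.values() if a in FORCE_ACTIONS}
    if len(forces) > 1:
        # the BUGS section says multiple -force actions won't work; refuse explicitly
        raise ValueError("multiple -force actions in one mail are unsupported")
    if forces:
        base = forces.pop()[: -len("-force")]
        affected = [r for r, a in actions.items() if a != "none"]  # none is left alone
        if base in ("ng", "std"):
            keys = ng_keys if base == "ng" else std_keys
            if not all(r.lower() in keys for r in affected):
                base += "sign"  # no key for everybody: just sign for all of them
        for r in affected:
            actions[r] = base
    return {r: outcome(a, r, ng_keys, std_keys) for r, a in actions.items()}


if __name__ == "__main__":
    cfg, rul = parse_config(SAMPLE_CONFIG)
    plan = plan_mail(["Alice@Example.net", "bob@example.net", "noreply@example.org"],
                     cfg, rul, ng_keys={"alice@example.net"}, std_keys=set())
    for rcpt, what in plan.items():
        print(f"{rcpt:22} -> {what}")
```

Running it shows Alice (new-style key known, regex matched despite the capitals) getting an encrypted and signed copy, bob getting a new-style signature only, and the noreply address being left untouched; adding the lists@example.org recipient switches the mail to fallback-force for everyone except noreply.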

FILES

~/.kuvert
configuration file for kuvert and kuvert_mta_wrapper(1).
~/.kuvert_queue
the default queue directory for kuvert if the configuration file does not specify an alternative.
/tmp/kuvert.pid.<uid>
holds the pid of a running process.

SEE ALSO

kuvert_mta_wrapper(1), q-agent(1), gpg(1), pgp(1), RFC3156, RFC2015, RFC2440

AUTHORS

Alexander Zangerl <az@snafu.priv.at>

BUGS

Currently kuvert needs something sendmail-like in /usr/lib/sendmail that understands -t, -om, -oi and -oem.

Multiple -force actions won't work.