diff --git a/gpg-mailgate.conf.sample b/gpg-mailgate.conf.sample
index 3cfc116..6794460 100644
--- a/gpg-mailgate.conf.sample
+++ b/gpg-mailgate.conf.sample
@@ -35,6 +35,14 @@ mail_case_insensitive = no
 # side effects. So if you want to take the risk set this to no.
 no_inline_dec = yes
+# Here you can define a regex for which the gateway should try to decrypt mails.
+# It could be used to define that decryption should be used for a wider range of
+# mail addresses e.g. a whole domain. No key is needed here. It is even active if
+# dec_keymap is set to yes. If this feature should be disabled, don't leave it blank.
+# Set it to None. For further regex information please have a look at
+# https://docs.python.org/2/library/re.html
+dec_regex = None
+
 [gpg]
 # the directory where gpg-mailgate public keys are stored
 # (see INSTALL for details)
@@ -88,6 +96,22 @@ password = password
 # You want the AAAAAAAAAAAAAAAA not BBBBBBBBBBBBBBBB.
 #you@domain.tld = 12345678
+[enc_domain_keymap]
+# This seems to be similar to the [enc_keymap] section. However, you
+# can define default keys for a domain here. Entries in the enc_keymap
+# and individual keys stored on the system have a higher priority than
+# the default keys specified here.
+#
+#
+# You can find these by running the following command:
+# gpg --list-keys --keyid-format long user@example.com
+# Which will return output similar to:
+# pub 1024D/AAAAAAAAAAAAAAAA 2007-10-22
+# uid Joe User
+# sub 2048g/BBBBBBBBBBBBBBBB 2007-10-22
+# You want the AAAAAAAAAAAAAAAA not BBBBBBBBBBBBBBBB.
+#domain.tld = 12345678
+
 [dec_keymap]
 # You can find these by running the following command:
 # gpg --list-secret-keys --keyid-format long user@example.com
diff --git a/gpg-mailgate.py b/gpg-mailgate.py
index aa0bdb9..4f0801b 100755
--- a/gpg-mailgate.py
+++ b/gpg-mailgate.py
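Review bot: The `dec_regex` comment tells operators to set `None` to disable the option but does not say how the pattern is applied: in gpg-mailgate.py it is matched against each recipient address with `re.match`, which anchors only at the start, so a domain-wide rule needs the local part covered and an explicit end anchor. A sentence such as `# The pattern is matched from the start of the full recipient address, e.g. .*@example\.org$ for a whole domain.` would prevent patterns that silently never match or match more addresses than intended. Because every matching recipient is handed to decryption without a per-address key entry, the comment should also make clear that the pattern widens the set of mail the gateway will try to decrypt.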
@@ -80,12 +80,21 @@ def gpg_decrypt( raw_message, recipients ):
 keys = GnuPG.private_keys( cfg['gpg']['keyhome'] )
+ if get_bool_from_cfg('default', 'dec_regex'):
+ dec_regex = cfg['default']['dec_regex']
+ else:
+ dec_regex = None
+
 for fingerprint in keys:
 keys[fingerprint] = sanitize_case_sense(keys[fingerprint])
 for to in recipients:
 if to in keys.values() and not get_bool_from_cfg('default', 'dec_keymap_only', 'yes'):
 gpg_to.append(to)
+ # Is this recipient defined in regex for default decryption?
+ elif not (dec_regex is None) and not (re.match(dec_regex, to) is None):
+ log("Using default decrytion defined in dec_regex for recipient '%s'" % to)
+ gpg_to.append(to)
 elif get_bool_from_cfg('dec_keymap', to):
 log("Decrypt keymap has key '%s'" % cfg['dec_keymap'][to] )
 # Check we've got a matching key! If not, decline to attempt decryption. The key is checked for safty reasons.
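Review bot: The regex branch takes any present `dec_regex` value as a pattern, so the sample config's documented disable value `None` becomes the literal regex `None` instead of switching the feature off, assuming `get_bool_from_cfg(section, key)` with no evaluation argument is a presence check (its definition is outside the hunk). Because `re.match` anchors only at the start, an operator pattern such as `.*@example\.org` also accepts any address that merely begins with a match, so this policy boundary should be compiled once before the recipient loop, rejected on `re.error`, and documented as needing a trailing `$` anchor; the rewrite below does that and relies on `re` being imported at module level, which is not visible here. Unlike the `dec_keymap` branch that follows, the regex branch queues the recipient without confirming a private key exists for it, so the later decrypt step must tolerate a no-key case — worth confirming. The log string also misspells decryption (`decrytion`). gpg_decrypt continues outside the hunk.
```python
dec_regex = None
if get_bool_from_cfg('default', 'dec_regex'):
    raw_regex = cfg['default']['dec_regex'].strip()
    # "None" (the documented disable value) and an empty value switch the feature off
    if raw_regex and raw_regex != 'None':
        try:
            dec_regex = re.compile(raw_regex)
        except re.error as err:
            log("Ignoring invalid dec_regex '%s': %s" % (raw_regex, err))
# … unchanged: key case normalisation, start of recipient loop …
        elif dec_regex is not None and dec_regex.match(to):
            log("Using default decryption defined in dec_regex for recipient '%s'" % to)
            gpg_to.append(to)
```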
@@ -302,12 +311,29 @@ def gpg_encrypt( raw_message, recipients ):
 else:
 log("Key '%s' in encrypt keymap not found in keyring for email address '%s'." % (cfg['enc_keymap'][to], to))
+ # Check if key in keychain is present
 if to in keys.values() and not get_bool_from_cfg('default', 'enc_keymap_only', 'yes'):
 gpg_to.append( (to, to) )
- else:
- if verbose:
- log("Recipient (%s) not in PGP domain list for encrypting." % to)
- ungpg_to.append(to)
+ continue
+
+ # Check if there is a default key for the domain
+ splitted_address = address.split('@')
+ if len(splitted_address) > 1:
+ domain = splitted_address[1]
+ if get_bool_from_cfg('enc_domain_keymap', domain):
+ log("Encrypt domain keymap has key '%s'" % cfg['enc_dec_keymap'][domain] )
+ # Check we've got a matching key!
+ if cfg['enc_domain_keymap'][domain] in keys:
+ log("Using default domain key for recipient '%s'" % to)
+ gpg_to.append( (to, cfg['enc_domain_keymap'][domain]) )
+ continue
+ else:
+ log("Key '%s' in encrypt domain keymap not found in keyring for email address '%s'." % (cfg['enc_domain_keymap'][domain], to))
+
+ # At this point no key has been found
+ if verbose:
+ log("Recipient (%s) not in PGP domain list for encrypting." % to)
+ ungpg_to.append(to)
 if gpg_to != list():
 log("Encrypting email to: %s" % ' '.join( map(lambda x: x[0], gpg_to) ))
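Review bot: The log line inside the domain branch reads `cfg['enc_dec_keymap'][domain]`, but the section just checked is `enc_domain_keymap`, so the first recipient whose domain has a default key raises `KeyError` before the key is ever used; it should be `log("Encrypt domain keymap has key '%s'" % cfg['enc_domain_keymap'][domain] )`. The split also uses `address`, which does not appear anywhere in the hunk while the loop variable is `to` (the loop header is outside the hunk), and `split('@')[1]` takes the text after the first `@`, so the domain used to pick an encryption key can differ from the address's real domain; `domain = to.rpartition('@')[2]` guarded by `if domain:` yields the text after the last `@` and removes the length check. If recipient addresses are case-normalised in this function as they are in gpg_decrypt, the `enc_domain_keymap` lookup should receive `domain` through the same normalisation, otherwise a mixed-case domain silently falls through to the unencrypted path. gpg_encrypt continues outside the hunk.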