Added possibility to define a regex for finding recipients to decrypt for and also adding possibility to use default keys for domain ranges
parent
5fdbabc3b3
commit
11f70fb241
2 changed files with 54 additions and 4 deletions
@ -35,6 +35,14 @@ mail_case_insensitive = no
# side effects. So if you want to take the risk set this to no.
# side effects. So if you want to take the risk set this to no.
no_inline_dec = yes
no_inline_dec = yes
# Here you can define a regex for which the gateway should try to decrypt mails.
# It could be used to define that decryption should be used for a wider range of
# mail addresses e.g. a whole domain. No key is needed here. It is even active if
# dec_keymap is set to yes. If this feature should be disabled, don't leave it blank.
# Set it to None. For further regex information please have a look at
# https://docs.python.org/2/library/re.html
dec_regex = None
[gpg]
[gpg]
# the directory where gpg-mailgate public keys are stored
# the directory where gpg-mailgate public keys are stored
# (see INSTALL for details)
# (see INSTALL for details)
@ -88,6 +96,22 @@ password = password
# You want the AAAAAAAAAAAAAAAA not BBBBBBBBBBBBBBBB.
# You want the AAAAAAAAAAAAAAAA not BBBBBBBBBBBBBBBB.
#you@domain.tld = 12345678
#you@domain.tld = 12345678
[enc_domain_keymap]
# This seems to be similar to the [enc_keymap] section. However, you
# can define default keys for a domain here. Entries in the enc_keymap
# and individual keys stored on the system have a higher priority than
# the default keys specified here.
#
#
# You can find these by running the following command:
# gpg --list-keys --keyid-format long user@example.com
# Which will return output similar to:
# pub 1024D/AAAAAAAAAAAAAAAA 2007-10-22
# uid Joe User <user@example.com>
# sub 2048g/BBBBBBBBBBBBBBBB 2007-10-22
# You want the AAAAAAAAAAAAAAAA not BBBBBBBBBBBBBBBB.
#domain.tld = 12345678
[dec_keymap]
[dec_keymap]
# You can find these by running the following command:
# You can find these by running the following command:
# gpg --list-secret-keys --keyid-format long user@example.com
# gpg --list-secret-keys --keyid-format long user@example.com
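Review bot: The comment block for `dec_regex` (the new lines after `no_inline_dec = yes`) documents `Set it to None` as the way to disable the feature, but the Python side reads `cfg['default']['dec_regex']` and hands it straight to `re.match`, so unless the config loader turns the literal `None` into an absent key (not visible here) the pattern actually used would be the four-character string `None`. The block should also warn that the pattern is applied with `re.match`, which anchors only at the start: `.*@example\.com` also matches `user@example.com.attacker.tld`, and every matching recipient has its mail decrypted and relayed onward in cleartext, so admins should anchor the pattern explicitly, e.g. `dec_regex = ^.*@example\.com$`. Finally, `It is even active if dec_keymap is set to yes` presumably means the `dec_keymap_only` option, which is what the code consults.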
@ -80,12 +80,21 @@ def gpg_decrypt( raw_message, recipients ):
keys = GnuPG.private_keys( cfg['gpg']['keyhome'] )
keys = GnuPG.private_keys( cfg['gpg']['keyhome'] )
if get_bool_from_cfg('default', 'dec_regex'):
dec_regex = cfg['default']['dec_regex']
else:
dec_regex = None
for fingerprint in keys:
for fingerprint in keys:
keys[fingerprint] = sanitize_case_sense(keys[fingerprint])
keys[fingerprint] = sanitize_case_sense(keys[fingerprint])
for to in recipients:
for to in recipients:
if to in keys.values() and not get_bool_from_cfg('default', 'dec_keymap_only', 'yes'):
if to in keys.values() and not get_bool_from_cfg('default', 'dec_keymap_only', 'yes'):
gpg_to.append(to)
gpg_to.append(to)
# Is this recipient defined in regex for default decryption?
elif not (dec_regex is None) and not (re.match(dec_regex, to) is None):
log("Using default decrytion defined in dec_regex for recipient '%s'" % to)
gpg_to.append(to)
elif get_bool_from_cfg('dec_keymap', to):
elif get_bool_from_cfg('dec_keymap', to):
log("Decrypt keymap has key '%s'" % cfg['dec_keymap'][to] )
log("Decrypt keymap has key '%s'" % cfg['dec_keymap'][to] )
# Check we've got a matching key! If not, decline to attempt decryption. The key is checked for safty reasons.
# Check we've got a matching key! If not, decline to attempt decryption. The key is checked for safty reasons.
@ -302,12 +311,29 @@ def gpg_encrypt( raw_message, recipients ):
else:
else:
log("Key '%s' in encrypt keymap not found in keyring for email address '%s'." % (cfg['enc_keymap'][to], to))
log("Key '%s' in encrypt keymap not found in keyring for email address '%s'." % (cfg['enc_keymap'][to], to))
# Check if key in keychain is present
if to in keys.values() and not get_bool_from_cfg('default', 'enc_keymap_only', 'yes'):
if to in keys.values() and not get_bool_from_cfg('default', 'enc_keymap_only', 'yes'):
gpg_to.append( (to, to) )
gpg_to.append( (to, to) )
else:
continue
if verbose:
log("Recipient (%s) not in PGP domain list for encrypting." % to)
# Check if there is a default key for the domain
ungpg_to.append(to)
splitted_address = address.split('@')
if len(splitted_address) > 1:
domain = splitted_address[1]
if get_bool_from_cfg('enc_domain_keymap', domain):
log("Encrypt domain keymap has key '%s'" % cfg['enc_dec_keymap'][domain] )
# Check we've got a matching key!
if cfg['enc_domain_keymap'][domain] in keys:
log("Using default domain key for recipient '%s'" % to)
gpg_to.append( (to, cfg['enc_domain_keymap'][domain]) )
continue
else:
log("Key '%s' in encrypt domain keymap not found in keyring for email address '%s'." % (cfg['enc_domain_keymap'][domain], to))
# At this point no key has been found
if verbose:
log("Recipient (%s) not in PGP domain list for encrypting." % to)
ungpg_to.append(to)
if gpg_to != list():
if gpg_to != list():
log("Encrypting email to: %s" % ' '.join( map(lambda x: x[0], gpg_to) ))
log("Encrypting email to: %s" % ' '.join( map(lambda x: x[0], gpg_to) ))
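Review bot: In the new domain-keymap branch of gpg_encrypt, `splitted_address = address.split('@')` references `address`, which is not bound anywhere in the hunk — the loop variable is `to` — so unless it is defined earlier in the function (outside the hunk) every recipient that has no individual key raises a NameError; it should read `splitted_address = to.split('@')`. Two lines further the log call indexes `cfg['enc_dec_keymap'][domain]`, but the section this commit adds to the sample config is `[enc_domain_keymap]`, so the branch raises a KeyError as soon as a domain default key is actually configured; it should be `log("Encrypt domain keymap has key '%s'" % cfg['enc_domain_keymap'][domain] )`. Using `to.rsplit('@', 1)` would additionally take the domain from the last `@` rather than the first, should a recipient's local part ever contain one. The body of gpg_encrypt begins outside the hunk.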