Added the possibility to define a regex for finding recipients to decrypt for, and also the possibility to use default keys for domain ranges

This commit is contained in:
fkrone 2015-05-29 23:13:05 +02:00
parent 5fdbabc3b3
commit 11f70fb241
2 changed files with 54 additions and 4 deletions


@ -35,6 +35,14 @@ mail_case_insensitive = no
# side effects. So if you want to take the risk set this to no. # side effects. So if you want to take the risk set this to no.
no_inline_dec = yes no_inline_dec = yes
# Here you can define a regex for which the gateway should try to decrypt mails.
# It could be used to define that decryption should be used for a wider range of
# mail addresses e.g. a whole domain. No key is needed here. It is even active if
# dec_keymap is set to yes. If this feature should be disabled, don't leave it blank.
# Set it to None. For further regex information please have a look at
# https://docs.python.org/2/library/re.html
dec_regex = None
[gpg] [gpg]
# the directory where gpg-mailgate public keys are stored # the directory where gpg-mailgate public keys are stored
# (see INSTALL for details) # (see INSTALL for details)
@ -88,6 +96,22 @@ password = password
# You want the AAAAAAAAAAAAAAAA not BBBBBBBBBBBBBBBB. # You want the AAAAAAAAAAAAAAAA not BBBBBBBBBBBBBBBB.
#you@domain.tld = 12345678 #you@domain.tld = 12345678
[enc_domain_keymap]
# This seems to be similar to the [enc_keymap] section. However, you
# can define default keys for a domain here. Entries in the enc_keymap
# and individual keys stored on the system have a higher priority than
# the default keys specified here.
#
#
# You can find these by running the following command:
# gpg --list-keys --keyid-format long user@example.com
# Which will return output similar to:
# pub 1024D/AAAAAAAAAAAAAAAA 2007-10-22
# uid Joe User <user@example.com>
# sub 2048g/BBBBBBBBBBBBBBBB 2007-10-22
# You want the AAAAAAAAAAAAAAAA not BBBBBBBBBBBBBBBB.
#domain.tld = 12345678
[dec_keymap] [dec_keymap]
# You can find these by running the following command: # You can find these by running the following command:
# gpg --list-secret-keys --keyid-format long user@example.com # gpg --list-secret-keys --keyid-format long user@example.com
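Review bot: The comment block added for `dec_regex` should tell the administrator that the pattern is applied with `re.match`, which anchors only at the start of the address, so an unanchored pattern such as `.*@example\.com` also matches `user@example.com.other.tld` and turns on decryption for recipients outside the intended domain. I would add a line such as `# The regex is matched from the start of the address only; end it with $ to match the whole address, e.g. .*@example\.com$`. The instruction to set the option to `None` rather than leaving it blank deserves one sentence on how a blank value is otherwise interpreted, since the code only consults `get_bool_from_cfg('default', 'dec_regex')` before using the raw string and a reader of the sample file cannot tell. The `[enc_domain_keymap]` section should also state whether the domain part is compared case-insensitively, in line with the `mail_case_insensitive` option further up in this file.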


@ -80,12 +80,21 @@ def gpg_decrypt( raw_message, recipients ):
keys = GnuPG.private_keys( cfg['gpg']['keyhome'] ) keys = GnuPG.private_keys( cfg['gpg']['keyhome'] )
if get_bool_from_cfg('default', 'dec_regex'):
dec_regex = cfg['default']['dec_regex']
else:
dec_regex = None
for fingerprint in keys: for fingerprint in keys:
keys[fingerprint] = sanitize_case_sense(keys[fingerprint]) keys[fingerprint] = sanitize_case_sense(keys[fingerprint])
for to in recipients: for to in recipients:
if to in keys.values() and not get_bool_from_cfg('default', 'dec_keymap_only', 'yes'): if to in keys.values() and not get_bool_from_cfg('default', 'dec_keymap_only', 'yes'):
gpg_to.append(to) gpg_to.append(to)
# Is this recipient defined in regex for default decryption?
elif not (dec_regex is None) and not (re.match(dec_regex, to) is None):
log("Using default decrytion defined in dec_regex for recipient '%s'" % to)
gpg_to.append(to)
elif get_bool_from_cfg('dec_keymap', to): elif get_bool_from_cfg('dec_keymap', to):
log("Decrypt keymap has key '%s'" % cfg['dec_keymap'][to] ) log("Decrypt keymap has key '%s'" % cfg['dec_keymap'][to] )
# Check we've got a matching key! If not, decline to attempt decryption. The key is checked for safty reasons. # Check we've got a matching key! If not, decline to attempt decryption. The key is checked for safty reasons.
@ -302,12 +311,29 @@ def gpg_encrypt( raw_message, recipients ):
else: else:
log("Key '%s' in encrypt keymap not found in keyring for email address '%s'." % (cfg['enc_keymap'][to], to)) log("Key '%s' in encrypt keymap not found in keyring for email address '%s'." % (cfg['enc_keymap'][to], to))
# Check if key in keychain is present
if to in keys.values() and not get_bool_from_cfg('default', 'enc_keymap_only', 'yes'): if to in keys.values() and not get_bool_from_cfg('default', 'enc_keymap_only', 'yes'):
gpg_to.append( (to, to) ) gpg_to.append( (to, to) )
else: continue
if verbose:
log("Recipient (%s) not in PGP domain list for encrypting." % to) # Check if there is a default key for the domain
ungpg_to.append(to) splitted_address = address.split('@')
if len(splitted_address) > 1:
domain = splitted_address[1]
if get_bool_from_cfg('enc_domain_keymap', domain):
log("Encrypt domain keymap has key '%s'" % cfg['enc_dec_keymap'][domain] )
# Check we've got a matching key!
if cfg['enc_domain_keymap'][domain] in keys:
log("Using default domain key for recipient '%s'" % to)
gpg_to.append( (to, cfg['enc_domain_keymap'][domain]) )
continue
else:
log("Key '%s' in encrypt domain keymap not found in keyring for email address '%s'." % (cfg['enc_domain_keymap'][domain], to))
# At this point no key has been found
if verbose:
log("Recipient (%s) not in PGP domain list for encrypting." % to)
ungpg_to.append(to)
if gpg_to != list(): if gpg_to != list():
log("Encrypting email to: %s" % ' '.join( map(lambda x: x[0], gpg_to) )) log("Encrypting email to: %s" % ' '.join( map(lambda x: x[0], gpg_to) ))