OPENPGP DNS & Milter
# yum install hash-slinger
# rpm -qil hash-slinger
Name : hash-slinger
Version : 2.7
Release : 1.el7
Architecture: noarch
Install Date: Fri 22 Jan 2016 10:12:33 AM CET
Group : Applications/Internet
Size : 88902
License : GPLv2+
Signature : RSA/SHA256, Sun 03 Jan 2016 04:05:07 AM CET, Key ID 6a2faea2352c64e5
Source RPM : hash-slinger-2.7-1.el7.src.rpm
Build Date : Sun 03 Jan 2016 01:34:40 AM CET
Build Host : buildppcle-05.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager : Fedora Project
Vendor : Fedora Project
URL : http://people.redhat.com/pwouters/hash-slinger/
Summary : Generate various DNS records such as RFC-4255 SSHFP and RFC-698 TLSA
Description :
This package contains various tools to generate special DNS records:
sshfp Generate RFC-4255 SSHFP DNS records from known_hosts files
or ssh-keyscan
tlsa Generate RFC-6698 TLSA DNS records via TLS
openpgpkey Generate draft-ietf-dane-openpgpkey DNS records from OpenPGP
keyrings
ipseckey Generate RFC-4025 IPSECKEY DNS records on Libreswan
IPsec servers
This package supersedes 'sshfp' and 'swede'
/usr/bin/ipseckey
/usr/bin/openpgpkey
/usr/bin/sshfp
/usr/bin/tlsa
/usr/share/doc/hash-slinger-2.7
/usr/share/doc/hash-slinger-2.7/BUGS
/usr/share/doc/hash-slinger-2.7/CHANGES
/usr/share/doc/hash-slinger-2.7/COPYING
/usr/share/doc/hash-slinger-2.7/README
/usr/share/man/man1/ipseckey.1.gz
/usr/share/man/man1/openpgpkey.1.gz
/usr/share/man/man1/sshfp.1.gz
/usr/share/man/man1/tlsa.1.gz
$ openpgpkey --fetch --uid 2 michael@nausch.org
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: michael@nausch.org key obtained from DNS
Comment: key transfer was protected by DNSSEC
Version: GnuPG v2.0.22 (GNU/Linux)
-----END PGP PUBLIC KEY BLOCK-----
# yum install openpgpkey-milter -y
# rpm -qil openpgpkey-milter
Name : openpgpkey-milter
Version : 0.5
Release : 1.el7
Architecture: noarch
Install Date: Fri 29 Jan 2016 12:35:15 PM CET
Group : System Environment/Daemons
Size : 50233
License : GPLv3+
Signature : RSA/SHA256, Mon 04 Jan 2016 04:56:06 PM CET, Key ID 6a2faea2352c64e5
Source RPM : openpgpkey-milter-0.5-1.el7.src.rpm
Build Date : Mon 04 Jan 2016 01:08:27 AM CET
Build Host : bvirthost02-nfs.phx2.fedoraproject.org
Relocations : (not relocatable)
Packager : Fedora Project
Vendor : Fedora Project
URL : ftp://ftp.nohats.ca/openpgpkey-milter
Summary : OPENPGPKEY basd automatic encryption of emails using the milter API
Description :
The openpgpkey-milter package provides a milter plugin for sendmail or postfix
that will automatically encrypt plaintext emails if the target recipient is
publishing an OPENPGPKEY record protected with DNSSEC. This is currently an
IETF draft (draft-wouters-dane-openpgp)
/etc/tmpfiles.d/openpgpkey-milter.conf
/usr/lib/systemd/system/openpgpkey-milter.service
/usr/sbin/openpgpkey-milter
/usr/share/doc/openpgpkey-milter-0.5
/usr/share/doc/openpgpkey-milter-0.5/LICENSE
/usr/share/doc/openpgpkey-milter-0.5/README
/var/run/openpgpkey-milter
/var/run/openpgpkey-milter/openpgpkey-milter.sock
/var/spool/openpgpkey-milter
README
# less /usr/share/doc/openpgpkey-milter-0.5/README
WARNING
=======

This is pre-release software. It's only been testing by me on my personal postfix server. Running this anywhere on a production machine might cost you your job, although afterwards please do let me know how it failed you so I can fix it.

openpgpkey-milter
-----------------

openpgpkey-milter is a sendmail/postfix milter service that will attempt to automatically OpenPGP encrypt plaintext emails received by the MTA/MUA before relaying the message further towards the recipient(s). These can be messages received from the network, or generated locally.

Requirements
------------

Apart from requiring a milter compatible mail server (postfix or sendmail), openpgpkey-milter requires:

* python-unbound / unbound-python (in all major distros)
* python-milter / python-pymilter (in all major distros)
* [python-gnupg](http://pythonhosted.org/python-gnupg/) (older versions might need a [patch](http://code.google.com/p/python-gnupg/issues/detail?id=94)
* gnupg, libmilter, etc which are dragged in dependancies by the above packages

Recommended
-----------

The [hash-slinger](http://people.redhat.com/pwouters/hash-slinger/) package contains an "openpgpkey" command that allows you to generate and verify your own OPENPGPKEY records.

How does it work
----------------

openpgpkey-milter detects when a message is not encrypted with gpg and then checks all the recipients to see if they published the special [OPENPGPKEY](http://tools.ietf.org/html/draft-ietf-dane-openpgpkey) DNS record.

Configuration of the milter service
-----------------------------------

To use openpgpkey-milter with postfix, add to `/etc/postfix/main.cf`

    smtpd_milters = inet:127.0.0.1:8890
    non_smtpd_milters = $smtpd_milters
    milter_default_action = tempfail
    milter_protocol = 2

If you run `opendkim`, ensure you add openpgpkey-milter **before** opendkim or you'll break the opendkim signatures.
For the fedora/rhel configuration where opendkims uses port 8891, you can use the following:

    smtpd_milters = inet:127.0.0.1:8890, inet:127.0.0.1:8891
    non_smtpd_milters = $smtpd_milters
    milter_protocol = 2
    milter_default_action = accept

Mailing list and bug reports
----------------------------

There is no mailing list yet. Please send questions and bug reports to paul@nohats.ca. However if you run openpgpkey-milter on your mail server and it broke, you might be better of mailing me at the unsigned domain paul@cypherpunks.ca.
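The decision described under "How does it work", as an added Python sketch that is not code from openpgpkey-milter or from this page. The owner-name derivation follows RFC 7929, the published form of the OPENPGPKEY draft; the packaged versions above track a draft revision whose encoding may differ. The all-recipients policy, the test for an already encrypted message, the function names and the resolver data are assumptions of this example.

```python
import hashlib

OPENPGPKEY_RRTYPE = 61  # RR type assigned to OPENPGPKEY by RFC 7929

def openpgpkey_owner(address):
    """RFC 7929 section 3: SHA2-256 of the UTF-8 local part, truncated to
    28 octets, in hex, as the label in front of _openpgpkey.<domain>."""
    local, sep, domain = address.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not a mailbox address: %r" % address)
    label = hashlib.sha256(local.encode("utf-8")).digest()[:28].hex()
    return "%s._openpgpkey.%s." % (label, domain.rstrip(".").lower())

def already_encrypted(content_type, body):
    # Assumption: PGP/MIME or an inline armored message counts as encrypted.
    return (content_type.lower().startswith("multipart/encrypted")
            or "-----BEGIN PGP MESSAGE-----" in body)

def decide(content_type, body, recipients, lookup):
    """lookup(owner, rrtype) -> (dnssec_secure, key_bytes_or_None).
    Returns (encrypt?, reason). Encrypts only when every recipient has a
    DNSSEC-validated record (policy assumed for this example)."""
    if already_encrypted(content_type, body):
        return False, "already encrypted"
    for rcpt in recipients:
        secure, key = lookup(openpgpkey_owner(rcpt), OPENPGPKEY_RRTYPE)
        if key is None:
            return False, "no OPENPGPKEY record for " + rcpt
        if not secure:
            return False, "unvalidated answer for " + rcpt
    return True, "all recipients publish a validated key"

# Constructed resolver data: owner name -> (secure flag, placeholder rdata).
ZONE = {
    openpgpkey_owner("alice@example.org"): (True, b"<constructed key>"),
    openpgpkey_owner("bob@example.org"): (True, b"<constructed key>"),
    openpgpkey_owner("carol@example.net"): (False, b"<constructed key>"),
}

def fake_lookup(owner, rrtype):
    return ZONE.get(owner, (False, None))

if __name__ == "__main__":
    for rcpts in (["alice@example.org", "bob@example.org"],
                  ["alice@example.org", "carol@example.net"]):
        print(rcpts, decide("text/plain", "hi", rcpts, fake_lookup))
```

An answer that is not DNSSEC-validated is treated the same as no record, because a key taken from unsigned DNS could have been substituted in transit.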
openpgpkey-milter
Nothing to do.
# vim /etc/tmpfiles.d/openpgpkey-milter.conf
- /etc/tmpfiles.d/openpgpkey-milter.conf
D /var/run/openpgpkey-milter 0770 root mail -
# systemctl start openpgpkey-milter
# systemctl status openpgpkey-milter
● openpgpkey-milter.service - OPENPGPKEY auto encryption milter
   Loaded: loaded (/usr/lib/systemd/system/openpgpkey-milter.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2016-01-29 12:45:19 CET; 22s ago
 Main PID: 3880 (openpgpkey-milt)
   CGroup: /system.slice/openpgpkey-milter.service
           ├─3880 /usr/bin/python /usr/sbin/openpgpkey-milter
           └─3886 /usr/bin/python /usr/sbin/openpgpkey-milter

Jan 29 12:45:19 vml000087.dmz.nausch.org systemd[1]: Started OPENPGPKEY auto encryption milter.
Jan 29 12:45:19 vml000087.dmz.nausch.org systemd[1]: Starting OPENPGPKEY auto encryption milter...
Jan 29 12:45:20 vml000087.dmz.nausch.org openpgpkey-milter[3880]: openpgpkey-milter: failed to setproctitle - python-setproctitle missing?
Jan 29 12:45:20 vml000087.dmz.nausch.org openpgpkey-milter[3880]: starting daemon [3880] version 0.5 on port 8890 at /var/spool/openpgpkey-milter with timeout 600
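The daemon reports port 8890, the address the README's Postfix settings point at. The following check is an added example (not part of the page or of openpgpkey-milter): it reads main.cf text and reports a milter order that would break opendkim signatures, and a `milter_default_action` that lets mail through when the milter is unavailable. The function names are hypothetical and the sample configurations are constructed from the README's two snippets.

```python
import re

def parse_main_cf(text):
    """Minimal main.cf reader: '#' comments, 'name = value', continuations."""
    params, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:      # continuation of previous value
            params[last] += " " + line.strip()
            continue
        name, _, value = line.partition("=")
        last = name.strip()
        params[last] = value.strip()
    return params

def milter_list(params, name):
    """Split a milter list on commas/whitespace, expanding $smtpd_milters."""
    out = []
    for item in re.split(r"[,\s]+", params.get(name, "")):
        if item == "$smtpd_milters" and name != "smtpd_milters":
            out.extend(milter_list(params, "smtpd_milters"))
        elif item:
            out.append(item)
    return out

def audit(text, pgp="inet:127.0.0.1:8890", dkim="inet:127.0.0.1:8891"):
    params, findings = parse_main_cf(text), []
    for name in ("smtpd_milters", "non_smtpd_milters"):
        milters = milter_list(params, name)
        if pgp not in milters:
            findings.append(name + ": openpgpkey-milter not listed")
        elif dkim in milters and milters.index(pgp) > milters.index(dkim):
            findings.append(name + ": opendkim runs before openpgpkey-milter")
    # Postfix defaults to tempfail; "accept" lets mail through unfiltered.
    if params.get("milter_default_action", "tempfail") == "accept":
        findings.append("milter_default_action = accept: mail is relayed "
                        "unencrypted while the milter is unavailable")
    return findings

# Constructed samples built from the README's two snippets, plus a swapped one.
README_BASIC = ("smtpd_milters = inet:127.0.0.1:8890\n"
                "non_smtpd_milters = $smtpd_milters\n"
                "milter_default_action = tempfail\nmilter_protocol = 2\n")
README_DKIM = ("smtpd_milters = inet:127.0.0.1:8890, inet:127.0.0.1:8891\n"
               "non_smtpd_milters = $smtpd_milters\n"
               "milter_protocol = 2\nmilter_default_action = accept\n")
SWAPPED = README_DKIM.replace("8890, inet:127.0.0.1:8891",
                              "8891,\n    inet:127.0.0.1:8890")
```

`audit(README_BASIC)` returns no findings, while the README's opendkim variant is flagged only for `milter_default_action = accept`.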