Download
Here's the script:

How to
To make it work, you have to
- generate a gpg key pair for the user that runs procmail,
- import the public key you are going to divert the mail to, and
- sign the recipient's public key
# su - pgprelay -s /bin/bash
pgprelay@pizza:~$ gpg --gen-key
gpg: directory `/home/pgprelay/.gnupg' created
gpg: can't open `/gnupg/options.skel': No such file or directory
gpg: keyring `/home/pgprelay/.gnupg/secring.gpg' created
gpg: keyring `/home/pgprelay/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: auto key
Email address: aosijdoij@oaijsdoij.doij
Comment: adsoijasdi
You selected this USER-ID:
"auto key (adsoijasdi) <aosijdoij@oaijsdoij.doij>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
Enter Passphrase: whatever
Repeat Passphrase: whatever
GPG then spends a little while snapping truly random numbers out of the air to
form your key that you are not really going to use:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++..++++++++++++++++++++..++++++++++.+++++++++++++++++++++++++.+++++++
++++..............................................+.............
gpg: /home/pgprelay/.gnupg/trustdb.gpg: trustdb created
gpg: key 914896D4 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/914896D4 2008-07-28
Key fingerprint = 35F0 0E74 CACC B599 C93F 9969 EAEB 1F4B 9148 96D4
uid auto key (adsoijasdi) <aosijdoij@oaijsdoij.doij>
sub 2048g/68B007A5 2008-07-28
Now you must import your public key which will receive the mail. If you don't
have it, then gpg --export it:
gpg -a --export joeblogs > joeblogs.asc
On your shell account, import that key:
gpg --import < joeblogs.asc
Now, edit the key you imported and sign it:
$ gpg --import < joeblogs.asc
gpg: key A65F5E17: public key "joe blogs <joeblogs@dilbertscompany.fu>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
# gpg --edit joeb
pub 1024R/A65F5E17 created: 2007-07-22 expires: never usage: SCEA
trust: unknown validity: unknown
sub 2048R/26447505 created: 2007-07-22 expires: never usage: SCEA
[ unknown] (1). "joe blogs <joeblogs@dilbertscompany.fu>"
Command> sign
pub 1024R/A65F5E17 created: 2007-07-22 expires: never usage: SCEA
trust: unknown validity: unknown
Primary key fingerprint: E15B CD4D 6F14 E91D 1DD5 31A9 EA5F 4CD3 A65F 5E17
"joe blogs <joeblogs@dilbertscompany.fu>"
Are you sure that you want to sign this key with your
key "auto key (adsoijasdi) <aosijdoij@oaijsdoij.doij>"
Really sign? (y/N) y
You need a passphrase to unlock the secret key for
user: "auto key (adsoijasdi) <aosijdoij@oaijsdoij.doij>"
2048-bit DSA key, ID 914896D4, created 2008-07-28
Enter Passphrase: whatever
Command> save
Now you can test the encryption. If you get errors from this, then try to sort it out :)
$ echo hi | gpg -a --encrypt --recipient joebl
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.6 (GNU/Linux)

[ASCII-armored ciphertext]
-----END PGP MESSAGE-----
That message can be decrypted with the private key.
Now, make sure it runs. To run from procmail, your .procmailrc should look like this (assuming you have installed pgp-relay.sh in $HOME for the user):
SHELL=/bin/sh # for other shells, this might need adjustment
ADDRESS="joeblogs@dilbertscompany.fu"
NAME="Automailer"

:0 W: vacation.lock
 # Mail loops are evil
 # (the leading $ makes procmail expand $ADDRESS inside the condition;
 # without it the X-Loop check never matches)
* $ !^X-Loop: $ADDRESS
| $HOME/pgp-relay.sh $ADDRESS | $SENDMAIL -oi -t -F"$NAME" -f"$ADDRESS"

That's it. Send a test mail, and see what happens.
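When gpg runs from procmail there is nobody to answer a prompt, so it is worth checking that the recipient key imported and signed above is valid in the relay user's keyring before sending the test mail. The following is an added example, not part of the original page or of pgp-relay.sh: the function `relay_key_status` and the sample listings are constructed for illustration, and it reads the output of `gpg --with-colons --list-keys` on stdin.

```shell
#!/bin/sh
# Added example (not the page's pgp-relay.sh). Reads the output of
#   gpg --with-colons --list-keys
# on stdin and reports whether RECIPIENT's key is fit for unattended encryption.
# Policy assumed here: validity must be full (f) or ultimate (u), which is what
# signing the imported key with the relay's own key produces.
relay_key_status() {
    awk -F: -v want="$1" '
        function check_uid(uid) { if (index(tolower(uid), tolower(want))) hit = 1 }
        function finish_key() {
            if (!hit) return
            found = 1
            usable = (caps ~ /E/ && caps !~ /D/)      # can encrypt, not disabled
            if (usable && validity ~ /^[fu]$/) ready = 1
            else if (!usable || validity ~ /^[ider]$/) bad = 1
        }
        # gpg 1.4 puts the user ID on the pub record, gpg 2.x on uid records
        $1 == "pub" { finish_key(); hit = 0; validity = $2; caps = $12; check_uid($10) }
        $1 == "uid" { check_uid($10) }
        END {
            finish_key()
            if (ready)       print "ready"       # safe to call from procmail
            else if (!found) print "missing"     # key was never imported
            else if (bad)    print "unusable"    # invalid, disabled, expired, revoked or cannot encrypt
            else             print "untrusted"   # imported but not signed: gpg would ask
        }'
}

# Constructed listings modelled on the keys shown above (sub key ID is made up).
listing_before_sign() {
    cat <<'EOF'
pub:u:1024:17:EAEB1F4B914896D4:2008-07-28:::u:auto key (adsoijasdi) <aosijdoij@oaijsdoij.doij>::scESC:
pub:-:1024:1:EA5F4CD3A65F5E17:2007-07-22:::-:joe blogs <joeblogs@dilbertscompany.fu>::scaeSCAE:
sub:-:2048:1:0000000026447505:2007-07-22::::::e:
EOF
}
# Same keyring after "sign" and "save" in gpg --edit: validity becomes full.
listing_after_sign() {
    listing_before_sign | sed 's/^pub:-:/pub:f:/; s/^sub:-:/sub:f:/'
}

listing_before_sign | relay_key_status joeblogs@dilbertscompany.fu
listing_after_sign  | relay_key_status joeblogs@dilbertscompany.fu
```

On the real system, run it as the procmail user: `gpg --with-colons --list-keys | relay_key_status joeblogs@dilbertscompany.fu`.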