mail-in-a-box / mailinabox

Mail-in-a-Box helps individuals take back control of their email by defining a one-click, easy-to-deploy SMTP+everything else server: a mail server in a box.
https://mailinabox.email/
Creative Commons Zero v1.0 Universal

GPG key distribution support #1877

Open githubatf2f10 opened 3 years ago

githubatf2f10 commented 3 years ago

Hi Josh,

I was wondering whether it's a small effort for you to have the following features integrated.

  1. OpenPGP DNS RR: https://weberblog.net/pgp-key-distribution-via-dnssec-openpgpkey/
  2. GPG WKD: https://wiki.gnupg.org/WKDHosting

These are two methods that we may use to help facilitate our own GPG key distribution for others to retrieve.

Thank you! Peng

JoshData commented 3 years ago

IMO, DNSSEC and GPG are dying technologies and GPG in particular is extremely hard to do right in a novice-friendly environment like the one that Mail-in-a-Box strives for, so I don't think I would accept PRs for either of these features.

ddavness commented 3 years ago

I'd also argue that an issue of DNS records to serve PGP keys is that they can become way too big (beyond what's acceptable, in my opinion, for a record).

On the other hand, WKD is still technically a draft. While it hasn't changed much across the last 1.5 years, one can't quite consider it a stable thing yet.

This said, (shameless plug here, I am sorry) I am actually hacking around with some form of WKD distribution on my fork. Still far from a functional product, though (I still need to answer myself some design questions around it).

iuvbio commented 3 years ago

I think an easy way to do this yourself would be to use keys.openpgp.org 's WKD as a service. I haven't tested it myself yet, but it seems like setting a custom CNAME DNS record to wkd.keys.openpgp.org should be enough.

githubatf2f10 commented 3 years ago

Thanks all for the input! Thanks Josh for your thoughts! I just put some notes about what I did on my box for future reference for myself or some others.

WKD, Advanced method: (I don't know how to do this in MAIB.) This needs a subdomain, like openpgpkey.abc.com. This needs to have a structure like .well-known/openpgpkey/abc.com/....

Direct method: (I manually did this in my own abc.com's root directory.)

    /home/user-data/www/abc.com$
    .well-known/openpgpkey/
        hu/      (all the keys here.....)
        policy

    sudo chown -R user-data:root .well-known/

Add the following to nginx-alldomains.conf:

```nginx
location ^~ /.well-known/openpgpkey {
    default_type "application/octet-stream";
    add_header Access-Control-Allow-Origin * always;
}
```

then do web-update.

ValdikSS commented 3 years ago

@JoshData, I agree that PGP in email is/was not straightforward to use and is considered an advanced feature used by privacy-oriented tech-savvy users, but there were some upgrades to the PGP key discovery infrastructure in the last years. For example, now you don't need to send the key or give a URL to the recipient beforehand; it can be discovered automatically via OpenPGP Web Key Directory (WKD) — just publish your key on the webserver of your domain in a special format and the email client will request it.

There's also newer key server infrastructure available, https://keys.openpgp.org/ for example. Add your key there and many email clients/providers with PGP support would discover and use it automatically.

Newer versions of Thunderbird now have built-in PGP support, and it works pretty well. I receive automatically encrypted emails from Protonmail users occasionally, and can reply encrypted as well.

githubatf2f10 commented 3 years ago

https://wiki.gnupg.org/WKDHosting https://wiki.gnupg.org/WKD

Since MAIB can support multiple domains, I would think the Advanced Method for OpenPGP WKD works out best. We may only have to create a default structure like this (it can be aliased in the Nginx conf, probably "nginx-alldomains.conf"): /home/user-data/openpgpkey, aliased to "/.well-known/openpgpkey" for all domains, in /home/user-data, similar to the ssl folder where we host each domain's ssl certs.

Whenever a user adds a domain, the following will autopopulate (or we could lump all these domains into only one openpgpkey/hu to simplify things, maybe. This will leverage Alias, but will this become the Direct Method again?):

    /home/user-data/openpgpkey/abc.com/hu/
    /home/user-data/openpgpkey/abc.com/policy
    ...
    /home/user-data/openpgpkey/def.com/hu/
    /home/user-data/openpgpkey/def.com/policy

Within each of these directories are the public gpg keys for those domains. (The user can manually SCP into them, or we can add this function into the Admin portal, if possible, to deal with Read/Write attributes automatically.)

    https://openpgpkey.abc.com/.well-known/openpgpkey/abc.com/hu/
    ...
    https://openpgpkey.abc.com/.well-known/openpgpkey/abc.com/hu/

ddavness commented 3 years ago

With the infrastructure MIAB provides right now, you can easily set up a static WKD via direct method, provided you are willing to manually update the keys (this method doesn't work if you are hosting the website elsewhere, though):

Edit (or create) the /home/user-data/www/example.com.conf file and add in the following:

```nginx
location = /.well-known/openpgpkey/policy {
        return 204; # 204 means No Content, so a 0 byte file
        add_header Access-Control-Allow-Origin "*" always;
}

location ~ ^/.well-known/openpgpkey/hu/([ybndrfg8ejkmcpqxot1uwisza345h769]*)$ {
        alias /where/you/store/the/keys/$1;
        add_header Access-Control-Allow-Origin "*" always;
}
```

If the file did not exist, you might want to update your web configuration in the admin panel (not sure). Otherwise a good old sudo nginx -s reload will do.
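The hu/ file names that the nginx regex above matches, and the advanced/direct-method URLs discussed earlier in the thread, are derived from the mail address by the mapping in the WKD draft (lowercase the local-part, SHA-1 it, z-base-32 encode the digest). The following is an added illustration, not code from Mail-in-a-Box or from anyone in this thread; the function names are my own, and the "Joe.Doe@Example.ORG" vector is the one given in the draft.

```python
import hashlib
import re
from urllib.parse import quote

# z-base-32 alphabet from draft-koch-openpgp-webkey-service; it is the same
# character class that appears in the nginx location regex above.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
HU_NAME_RE = re.compile(r"^[%s]{32}$" % ZBASE32_ALPHABET)


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 (base32 bit layout, Zooko alphabet, no padding)."""
    acc, nbits, out = 0, 0, []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:  # left-align any leftover bits into a final symbol
        out.append(ZBASE32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Map a local-part to its hu/ file name: zb32(sha1(lowercase(local-part)))."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)  # 160 bits -> exactly 32 symbols


def wkd_urls(address: str) -> dict:
    """Return the advanced-method and direct-method lookup URLs for an address."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    name = wkd_hash(local_part)
    query = "?l=" + quote(local_part, safe="")  # original local-part, percent-encoded
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{name}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{name}{query}",
    }


def is_valid_hu_name(name: str) -> bool:
    """True only for exactly 32 z-base-32 symbols, so '..', '/' and 'policy' never match."""
    return HU_NAME_RE.fullmatch(name) is not None
```

Tightening the nginx capture from `*` to `{32}` gives the same guarantee as `is_valid_hu_name`, since every hu/ name is a fixed 32 symbols.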