mailcow / mailcow-dockerized

mailcow: dockerized - 🐮 + 🐋 = 💕
https://mailcow.email
GNU General Public License v3.0

[Feature] Add support for Web Key Service #2762

Open dashohoxha opened 5 years ago

dashohoxha commented 5 years ago

WKS is a way to publish GnuPG public keys by storing them on the mailserver (instead of using public keyservers, which are deprecated).

If user foo@example.org sends you a gpg signed message, your MUA (mail client) can automatically look up the public key of this user on https://example.org/.well-known/openpgpkey/hu/... and verify the signature. If you need to send an encrypted message to foo@example.org, your MUA can automatically find the public key of foo@example.org the same way. Enigmail, KMail, Outlook and Mailvelope already support this.

For this to work, the owner of the account foo@example.org should send his public key by email to key-submission@example.org, then reply to the confirmation message. This may also be done automatically by his mail client (Enigmail, KMail and Outlook already support this).

Finally, this needs WKS to be installed on the server. This page describes the installation steps: https://wiki.gnupg.org/WKS.

Would it be possible to add a WKS container to mailcow-dockerized, that implements this service?
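The client-side lookup described in the comment above, written out as an added example (not part of this issue and not mailcow code). It follows the key-discovery rules of the WKD draft (draft-koch-openpgp-webkey-service): the local part is lower-cased, SHA-1 hashed and z-base-32 encoded to form the file name under /.well-known/openpgpkey/hu/; clients try the "advanced" method on the openpgpkey subdomain first and fall back to the "direct" method on the mail domain itself. The policy file locations are included because a WKD client checks for them, so a server that wants to advertise WKD must serve them too.

```python
"""Compute Web Key Directory (WKD) lookup locations for an e-mail address.

Added example for this thread; not mailcow code. Implements the hashed
local-part scheme of draft-koch-openpgp-webkey-service.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet mandated by the WKD draft.
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encode without padding, consuming bits most-significant first."""
    acc = nbits = 0
    out = []
    for byte in data:
        acc = (acc << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZB32_ALPHABET[(acc >> nbits) & 0x1F])
    if nbits:  # left-over bits are left-aligned into one final symbol
        out.append(ZB32_ALPHABET[(acc << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Hashed local part: z-base-32(SHA-1(lower-cased local part)), 32 characters."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced and direct WKD key URLs plus both policy file URLs."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    hashed = wkd_hash(local)
    # The local part as written travels in the "l" query parameter so a server
    # with case-sensitive mailboxes can still identify the right one.
    query = "?l=" + quote(local, safe="")
    base_adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    base_dir = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{base_adv}/hu/{hashed}{query}",
        "advanced_policy": f"{base_adv}/policy",
        "direct": f"{base_dir}/hu/{hashed}{query}",
        "direct_policy": f"{base_dir}/policy",
    }


if __name__ == "__main__":
    # The draft's own worked example address; compare the output with the draft.
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16s} {url}")
```

Running it prints the four locations for the draft's example address; the key must be served as a binary (not ASCII-armored) OpenPGP key at the `hu/` URL, and a key whose user IDs differ only in case from the mailbox still maps to the same file, which is why the hash is computed over the lower-cased local part.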

Fastidious commented 5 years ago

There is no traction for GPG. At least not for email, there never was. This is something that less than 1% will ever use. S/MIME is much better, less convoluted, cleaner, and leaves nothing to do server side.

dashohoxha commented 5 years ago

> There is no traction for GPG. At least not for email, there never was. This is something that less than 1% will ever use. S/MIME is much better, less convoluted, cleaner, and leaves nothing to do server side.

Is this your opinion or something else?

Fastidious commented 5 years ago

@dashohoxha both, my opinion, and my perception of what I have been seeing for many years. Don't read what I wrote with a bad tone, I simply believe something like this will bloat the cow with something that isn't a mail server duty to do.

As a sign of good will, I will remove my thumbs down.

Adorfer commented 5 years ago

I do not like the 10+ years old fight "smime vs gpg" here. It's just derailing, and it feels like "don't support outlook/applemail but only thunderbird setup". There is no reason not to support both and leave the choice to users (and their mail receivers).

dashohoxha commented 5 years ago

> Don't read what I wrote with a bad tone, I simply believe something like this will bloat the cow with something that isn't a mail server duty to do.

It can be optional (if possible).

> As a sign of good will, I will remove my thumbs down.

Please also add a thumbs up.

> i do not like the 10+ years old fight "smime vs gpg" here.

I think that gpg supports smime too, but this is not relevant to this topic.

jonaharagon commented 4 years ago

It should be noted that WKS is merely one way to automate the creation of a Web Key Directory (which is ultimately just a collection of keys in a .well-known directory on a webserver). WKD could be implemented in Mailcow without WKS at all.

Even just allowing users to upload a public PGP key in the user control panel could work, and might be simpler. Although you'd still need to verify that the key only contains addresses on @example.com that the user is authorized to receive mail at.
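The verification step mentioned in the comment above (a key uploaded through the control panel must only carry addresses the user actually owns), as an added example that is not mailcow code and not from this issue. It walks the RFC 4880 packet framing of an exported public key, pulls out the User ID packets (tag 13), and rejects the upload if any user ID names an address outside the set the mail server knows for that mailbox. It does not check signatures or key material; that is left to gpg. The sample key at the bottom is constructed for the demo: the packet framing is real, but the public-key body is dummy bytes, so it is not a usable key.

```python
"""Reject an uploaded OpenPGP public key whose user IDs name addresses the
mailbox is not authorized for, before publishing it into a WKD tree.

Added example for this thread, not mailcow code. Walks RFC 4880 packets
(old and new header formats) and inspects User ID packets only.
"""
import base64
import re

TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
ANGLE_ADDR_RE = re.compile(r"<([^<>\s]+@[^<>\s]+)>")


def dearmor(text: str) -> bytes:
    """Strip ASCII armor (BEGIN/END lines, armor headers, CRC line); return raw packets."""
    lines = text.strip().splitlines()
    if not lines[0].startswith("-----BEGIN PGP") or not lines[-1].startswith("-----END PGP"):
        raise ValueError("not an armored block")
    body = lines[1:-1]
    for i, line in enumerate(body):      # armor headers end at the first blank line
        if not line.strip():
            body = body[i + 1:]
            break
    data = "".join(l.strip() for l in body if l.strip() and not l.startswith("="))
    return base64.b64decode(data, validate=True)


def iter_packets(blob: bytes):
    """Yield (tag, body) per packet; partial and indeterminate lengths are rejected."""
    i, n = 0, len(blob)
    while i < n:
        hdr = blob[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError(f"bad packet header byte at offset {i - 1}")
        if hdr & 0x40:                               # new format: tag in low 6 bits
            tag = hdr & 0x3F
            first = blob[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + blob[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(blob[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                        # old format: tag in bits 2..5
            tag = (hdr >> 2) & 0x0F
            ltype = hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(blob[i:i + size], "big")
            i += size
        body = blob[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def user_id_addresses(blob: bytes) -> list:
    """Lower-cased addresses from every User ID packet; a UID without <> is taken as-is."""
    addrs = []
    for tag, body in iter_packets(blob):
        if tag == TAG_USER_ID:
            uid = body.decode("utf-8", errors="replace").strip()
            m = ANGLE_ADDR_RE.search(uid)
            addrs.append((m.group(1) if m else uid).lower())
    return addrs


def unauthorized_addresses(blob: bytes, allowed: set) -> list:
    """UIDs not in the mailbox's allowed set (address plus aliases); empty means publishable.

    A UID with no address at all is also reported, since it cannot be verified."""
    allowed = {a.lower() for a in allowed}
    return [a for a in user_id_addresses(blob) if a not in allowed]


def _packet(tag: int, body: bytes, new_format: bool = False) -> bytes:
    """Frame a body shorter than 192 bytes with a one-octet-length header."""
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body
    return bytes([0x80 | (tag << 2), len(body)]) + body


# Constructed sample: dummy v4 key body, then two UIDs at the hosted domain.
SAMPLE_KEY = (
    _packet(TAG_PUBLIC_KEY, b"\x04" + bytes(20))
    + _packet(TAG_USER_ID, b"Alice <alice@example.org>")
    + _packet(TAG_USER_ID, b"Alice (work) <Alice.Work@example.org>", new_format=True)
)
# Same key plus a UID for a domain this server does not host.
SAMPLE_KEY_FOREIGN = SAMPLE_KEY + _packet(TAG_USER_ID, b"alice@example.net")
SAMPLE_ARMORED = (
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n"
    + "\n".join(re.findall(".{1,64}", base64.b64encode(SAMPLE_KEY).decode()))
    + "\n-----END PGP PUBLIC KEY BLOCK-----\n"
)

if __name__ == "__main__":
    allowed = {"alice@example.org", "alice.work@example.org"}
    print("uids:", user_id_addresses(dearmor(SAMPLE_ARMORED)))
    print("rejected:", unauthorized_addresses(SAMPLE_KEY_FOREIGN, allowed))
```

The allowed set is whatever the mail server already knows for the logged-in mailbox (its primary address and aliases), so the check needs no extra trust anchor. A server that wants to be lenient can instead strip the foreign UIDs on export (gpg's export filters do that) rather than reject, but it must never publish a key under an address it did not verify.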

alexanderadam commented 4 years ago

There's also a seemingly mighty email solution for OpenBSD, called caesonia. It seems to have WKS support, so it might be a helpful reference.

andryyy commented 4 years ago

Clean PRs are welcome.

dashohoxha commented 3 years ago

I have implemented a standalone docker based WKD+WKS server, which can be integrated with any mailserver: https://gitlab.com/docker-scripts/webkey

It can also be used as a working example or reference for implementing your own solution: https://gitlab.com/docker-scripts/webkey/-/blob/master/scripts/setup.sh

dashohoxha commented 3 years ago

An article about WKD and WKS: https://www.researchgate.net/publication/351286585_OpenPGP_Web_Key_Directory