
I'm trying to set up GNU Anubis to act as a sort of proxy to sign/encrypt emails coming from a service. The service is currently configured to send email using our SMTP server. The idea would be to point the service to Anubis and then point Anubis to the SMTP server. Anubis would then sign/encrypt messages before sending them on to the SMTP server.

I set up Anubis and, as an initial test, set it up to modify the subject line. That worked just fine. When I changed it to sign emails, I started getting an error message in the Anubis debug output.

Here is the Anubis config:

```
#
# The "CONTROL" section.
# User configuration file.
#

---BEGIN CONTROL---
bind localhost:2525
remote-mta SMTP_SERVER_INFO
ssl-oneway yes
---END---

#
# The Rule System (The RULE section)
# User configuration file only. Examples:
#

---BEGIN RULE---

gpg-passphrase "test1234"

# Process the (E)SMTP commands.

if command["mail from"] ".*<?root@localhost>?"
  STOP
fi

# Process a message header lines.

if header[From] ".*noreply.*"
  # modify [Subject] "[Anubis Proxy] &" # This action works
  gpg-sign default # This action has an error
fi

---END---
```

Here is the portion of the debug output related to GPG:

```
Protocol: OpenPGP
Executable: /usr/bin/gpg2
Version: 2.0.22
Required Version: 1.4.0
Protocol: CMS
Executable: /usr/bin/gpgsm
Version: 2.0.22
Required Version: 1.9.6
Protocol: GPGCONF
Executable: /usr/bin/gpgconf
Version: 2.0.22
Required Version: 2.0.4
Protocol: Assuan
Executable: /tmp/gpg-7KgHae/S.gpg-agent
Version: 1.0
Required Version: 1.0
[2319] GPGME: General error.
```

I'm sure gpg is set up correctly, as `gpg --sign --armor` from the command line lets me sign a message (after entering the password).

What have I done wrong to make this not work correctly?

Update: I should mention that I compiled Anubis from source (version 4.2) and that the results of `./configure` showed GPGME support enabled.

mikeazo
  • Given that output it's pretty tough to guess what's going on: All I can tell you is it's dead, and it was a cat ("GPGME encountered some kind of 'general error'", which is a bloody worthless error message - thanks GPG!) – Is there any other output either on the console or in a log file somewhere? – voretaq7 Jun 19 '15 at 15:35
  • @voretaq7, no, but I did throw in some printf's into anubis' gpg.c file to see where it was crashing, it was crashing on a call to *gpgme_op_sign*. The returned error code is *117440513*, which, of course, has no error string, hence the 'general error'. Very annoying. – mikeazo Jun 19 '15 at 15:50
  • Bleh :-/ If I had to spitball guesses I'd say maybe it can't find (or read, or decrypt?) the private key it should be signing with - that's just where I'd start looking but it's totally a wild guess. – voretaq7 Jun 19 '15 at 15:55
  • Taking a step back: What are your goals here? What security does this afford? How do you lock down what can pass through this PGP-signing proxy? I suggest you consider [DKIM](https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail) and [DMARC](https://en.wikipedia.org/wiki/DMARC) instead since they were designed for server-side signing. – Adam Katz Aug 29 '16 at 22:24
  • @AdamKatz, My goal is not signing, I want end-to-end encryption. I want to be able to give Anubis everyone's public keys and have it encrypt outgoing messages to them. The idea is to run anubis on localhost so only that machine can use it as a proxy. Any applications running on that machine that send automated emails responding to events on that machine would then automatically be encrypted as they would be pointing to localhost as the SMTP server. – mikeazo Aug 29 '16 at 23:51
  • Got it. That goal sounds laudable, and I assume that using something like [Enigmail](https://enigmail.net/index.php/en/) or [Mailvelope](https://www.mailvelope.com/) is out of the question. Good luck, Anubis is old but likely still the best tool for your task. – Adam Katz Aug 30 '16 at 00:38
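
The numeric value returned by `gpgme_op_sign` in the comments can be split into its fields by hand. The C sketch below is an added example, not code from Anubis, GPGME or the posters: it follows the `gpg_error_t` bit layout from libgpg-error's `gpg-error.h`, the helper names (`err_source`, `err_code`, `err_is_system` and the `*_name` functions) are hypothetical, the name tables are deliberately partial, and 67108949 is a constructed second sample.

```c
#include <stdio.h>
#include <string.h>

/* Field layout of gpg_error_t (an unsigned int) per libgpg-error's gpg-error.h. */
#define ERR_CODE_MASK    0xFFFFu     /* bits 0..15: error code */
#define ERR_SYSTEM_FLAG  (1u << 15)  /* set when the code wraps a system errno */
#define ERR_SOURCE_SHIFT 24
#define ERR_SOURCE_MASK  0x7Fu       /* bits 24..30: component that raised it */

struct name { unsigned value; const char *text; };
/* Partial tables: only entries likely to matter for a failed signing call. */
static const struct name sources[] = {
    {2, "GPG_ERR_SOURCE_GPG"},      {4, "GPG_ERR_SOURCE_GPGAGENT"},
    {5, "GPG_ERR_SOURCE_PINENTRY"}, {7, "GPG_ERR_SOURCE_GPGME"},
};
static const struct name codes[] = {
    {1, "GPG_ERR_GENERAL"},      {11, "GPG_ERR_BAD_PASSPHRASE"},
    {17, "GPG_ERR_NO_SECKEY"},   {85, "GPG_ERR_NO_PINENTRY"},
    {99, "GPG_ERR_CANCELED"},
};

/* Helper names from here on are hypothetical, chosen for this example. */
static const char *lookup(const struct name *t, size_t n, unsigned v) {
    for (size_t i = 0; i < n; i++)
        if (t[i].value == v) return t[i].text;
    return "(not in this partial table)";
}

unsigned err_source(unsigned err) { return (err >> ERR_SOURCE_SHIFT) & ERR_SOURCE_MASK; }
unsigned err_code(unsigned err)   { return err & ERR_CODE_MASK; }
int err_is_system(unsigned err)   { return (err & ERR_SYSTEM_FLAG) != 0; }

const char *err_source_name(unsigned err) {
    return lookup(sources, sizeof sources / sizeof *sources, err_source(err));
}
const char *err_code_name(unsigned err) {
    if (err_is_system(err)) return "(system errno wrapped by libgpg-error)";
    return lookup(codes, sizeof codes / sizeof *codes, err_code(err));
}

int main(void) {
    /* 117440513 comes from the comment thread; 67108949 is constructed. */
    unsigned samples[] = {117440513u, 67108949u};
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%u = 0x%08x  source=%u %s  code=%u %s\n", samples[i], samples[i],
               err_source(samples[i]), err_source_name(samples[i]),
               err_code(samples[i]), err_code_name(samples[i]));
    return 0;
}
```

For 117440513 (0x07000001) this gives source 7, `GPG_ERR_SOURCE_GPGME`, and code 1, `GPG_ERR_GENERAL`, the code behind the "General error" text in the debug output. With libgpg-error installed, `gpg_strsource()` and `gpg_strerror()` report the same two fields.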

0 Answers