mirror of https://github.com/tLDP/LDP
914 lines
36 KiB
Plaintext
914 lines
36 KiB
Plaintext
<!doctype linuxdoc system>
|
|
|
|
<article>
|
|
|
|
<title>Mutt-i, GnuPG and PGP Howto
|
|
<author>Andrés Seco <htmlurl url="mailto:AndresSH@ctv.es"
|
|
name="AndresSH@ctv.es"> and J.Horacio M.G.
|
|
<htmlurl url="mailto:homega@ciberia.es" name="homega@ciberia.es">
|
|
<date>v1.2, February 2000
|
|
<abstract>
|
|
This document briefly explains how to configure <em/Mutt-i/, <em/PGP/ and
|
|
<em/GnuPG/ in its diferents versions (2.6.x, 5.x and GnuPG), noting the
|
|
common problems that can occur while sending signed or encrypted mail to
|
|
be read by mail clients not PGP/MIME compliants as defined in RFC2015 and
|
|
in other operating systems. It also includes an example of procmail
|
|
configuration to send the public keys automatically to received e-mails
|
|
asking for it, as a key servers does.
|
|
</abstract>
|
|
|
|
<toc>
|
|
|
|
<sect>Introduction
|
|
<p>
|
|
This document explains how to configure <em/Mutt-i/, <em/PGP/ and
|
|
<em/GnuPG/ in its diferents versions (2.6.x, 5.x and GnuPG) to quickly
|
|
start using a mail reader with encryption and digital signing
|
|
capabilities.
|
|
|
|
For this purpose, example configuration files will be included to help you
|
|
starting with it. To obtain maximum performance and to use all the
|
|
features of the programs that we will be using, it will be necesary to
|
|
read its documentation and to reconfigure the example files.
|
|
|
|
Also, some problems derived from not using RFC2015 about PGP/MIME by many
|
|
mail user agents in Linux and other operating systems will be comented.
|
|
|
|
An aditional procmail configuration example will be showed to enable our
|
|
mail client to send a public key on request.
|
|
|
|
This document has been translated from the Spanish original by Andrés Seco
|
|
<htmlurl url="mailto:AndresSH@ctv.es" name="AndresSH@ctv.es">, and revised
|
|
and corrected by Jordi Mallach Pérez <htmlurl
|
|
url="mailto:jordi-sd@softhome.net" name="jordi-sd@softhome.net"> and
|
|
J.Horacio M.G. <htmlurl url="mailto:homega@ciberia.es"
|
|
name="homega@ciberia.es">. It was finished in October 1999. We would like
|
|
to thanks Roland Rosenfeld <htmlurl url="mailto:roland@spinnaker.de"
|
|
name="roland@spinnaker.de">, Christophe Pernod <htmlurl
|
|
url="mailto:xtof.pernod@wanadoo.fr" name="xtof.pernod@wanadoo.fr">,
|
|
Denis Alan Hainsworth <htmlurl url="mailto:denis@cs.brandeis.edu"
|
|
name="denis@cs.brandeis.edu"> and Angel Carrasco <htmlurl
|
|
url="mailto:acarrasco@jet.es" name="acarrasco@jet.es"> for their
|
|
corrections and suggestions.
|
|
|
|
<sect>Copyright and discharge of responsability
|
|
<p>
|
|
This document is <tt>copyright © 1999 Andres Seco and J.Horacio
|
|
M.G.</tt>, and it's free. You can distribute it under the terms of the
|
|
<bf/GNU General Public License/, which you can get at <htmlurl
|
|
url="http://www.gnu.org/copyleft/gpl.html"
|
|
name="http://www.gnu.org/copyleft/gpl.html">. You can get unofficial
|
|
translated issues somewhere in the internet, as well as the Spanish
|
|
translated copy at <htmlurl
|
|
url="http://visar.csustan.edu/~carlos/gpl-es.html"
|
|
name="http://visar.csustan.edu/~carlos/gpl-es.html"> or Lucas <htmlurl
|
|
url="http://www.lucas.org" name="http://www.lucas.org">.
|
|
|
|
Information and other contents in this document are the best of our
|
|
knowledge. However, we may have make errors. So you should determine if
|
|
you want to follow the instructions given in this document.
|
|
|
|
Nobody is responsible for any damage in your computers and any other loss
|
|
derived from the use of the information contained herein.
|
|
|
|
THE AUTHORS AND MAINTAINERS ARE NOT RESPONSIBLE FOR ANY DAMAGE INCURRED
|
|
DUE TO ACTIONS TAKEN BASED ON INFORMATION CONTAINED IN THIS DOCUMENT.
|
|
|
|
Of course, we are open to all type of suggestions and corrections on the
|
|
content of this document.
|
|
|
|
<sect>Sending mail to and receiving mail from the internet
|
|
<p>
|
|
This document does not deal with exchanging mail messages between local
|
|
machine and other nodes (inside a local area network or over the
|
|
internet). This exchange should be carried out by messages transfer agents
|
|
(MTAs) such as <tt/sendmail/ <htmlurl url="http://www.sendmail.org"
|
|
name="http://www.sendmail.org">, <tt/qmail/ <htmlurl
|
|
url="http://www.qmail.org" name="http://www.qmail.org">, <tt/exim/
|
|
<htmlurl url="http://www.exim.org" name="http://www.exim.org">, <tt/smail/
|
|
<htmlurl url="ftp://ftp.planix.com/pub/Smail"
|
|
name="ftp://ftp.planix.com/pub/Smail">, etc.
|
|
|
|
In this document it is presupposed that this method of send/receive
|
|
messages outside of the local computer is already installed and working in
|
|
a correct way. If you can send a message and read your mail with the
|
|
<tt/mail/ command from the command line in your computer,
|
|
|
|
<tscreen>$ mail -s <subject> <user@domain.net>&nl;
|
|
write here the text, and finish with an alone point in the next line&nl;
|
|
.</tscreen>
|
|
|
|
you must have installed any type of MTA that is doing the messages
|
|
transfer. In other way, you can get documentation about setting it up in
|
|
the manual pages of <em/smail/:
|
|
|
|
<tscreen>$ man smail</tscreen>
|
|
|
|
or the MTA that you have, and <em/fetchmail/:
|
|
|
|
<tscreen>$ man fetchmail</tscreen>
|
|
|
|
or in other similar document that makes reference to those programs.
|
|
|
|
<sect>Mutt configuration
|
|
<p>
|
|
Next file is a valid example to start using <em/Mutt/ in a basic way,
|
|
including paths for alias file, sent messages and postponed messages. You
|
|
can further personalize it attending to the <em/Mutt/ manual indications
|
|
and <tt>/usr/doc/mutt/</tt> or <tt>/usr/doc/mutt-i/</tt>.
|
|
|
|
Simple example of <tt>˜/.muttrc</tt>:
|
|
|
|
<tscreen><verb>
|
|
set folder=~/Mail
|
|
set alias_file=.alias
|
|
set postponed=.postponed
|
|
set record=SendMessages
|
|
set signature=.signature
|
|
my_hdr From: Name Surname <Name@domain.com>
|
|
source =.alias
|
|
</verb></tscreen>
|
|
|
|
It is necesary that the directory <tt>˜/Mail</tt> exists, that is
|
|
the one that appears as an "equal to" sign in the configuration file
|
|
<tt/.muttrc/ (that is, <tt/=.alias/ is to <em/Mutt/ as
|
|
<tt>˜/Mail/.alias</tt>, and <tt/=.postponed/ is to <em/Mutt/
|
|
<tt>˜/Mail/.postponed</tt>). Nevertheless it is possible to have
|
|
these files in another directory provided we indicate the complete path in
|
|
<tt>˜/.muttrc</tt>, and we have the necesary permissions to work in
|
|
this directory.
|
|
|
|
It is also necesary to personalize the <tt/my_hdr/ line with the name and
|
|
electronic mail address you need. In the <tt>˜/Mail/.signature</tt>
|
|
file you caninclude the signature that will appear in all the messages
|
|
that are sent.
|
|
|
|
This configuration file can end up being made very big, so it is common to
|
|
separate some of its commands in different files. For the time being, the
|
|
<em/PGP/ or <em/GnuPG/ configuration lines are easily detachable, and the
|
|
keyboard macros that we will personalize. To do that, it will be necesary
|
|
to add the following lines to the <tt>˜/.muttrc</tt> file:
|
|
|
|
<tscreen><verb>
|
|
source = ~/Mail/.mutt.macros
|
|
source = ~/Mail/.gnupgp.mutt
|
|
</verb></tscreen>
|
|
|
|
and to use the <tt>˜/Mail/.mutt.macros</tt> and
|
|
<tt>˜/Mail/.gnupgp.mutt</tt> files to put in them the keyboard
|
|
macros and the <em/PGP/ or <em/GnuPG/ configuration that are commented
|
|
forward.
|
|
|
|
To get a more extensive and complete information over the use and
|
|
configuration of <em/Mutt/, and about advanced features, see the Mutt
|
|
manual <htmlurl url="http://www.mutt.org" name="http://www.mutt.org">.
|
|
|
|
<sect>PGP and GnuPG
|
|
<p>
|
|
To use anyone of the versions of <em/PGP/ with <em/Mutt-i/, first it will
|
|
be necesary to configure <em/PGP/ properly in the way that the public keys
|
|
file (public keys ring) and the private keys file (private keys ring) will
|
|
exist. It is convenient to previously test PGP from the command line to
|
|
assure that it signs and encrypt correctly.
|
|
|
|
Remember that the <em/PGP/ versions that exist for <em/Unix/ are <tt/2.6.3(i)/ and <tt/5.0(i)/, that we call <bf/PGP2/ and <bf/PGP5/ respectively forward. <bf/GnuPG/ is a new encrypt system, being developed in these days, in an advanced state of development, open source and free, in many aspects better than <bf/PGP/ (see GnuPG mini howto <htmlurl url="http://www.dewinter.com/gnupg_howto" name="http://www.dewinter.com/gnupg_howto">).
|
|
|
|
We will also clarify that <em/PGP/, as being a program developed in the
|
|
US, is restricted by certain exporting laws about programs that include
|
|
cryptographic code; this is the reason for the existance of an
|
|
international version to almost all binary versions, and it is noted with
|
|
the &dquot;<bf/i/&dquot; letter (<bf/pgp - pgpi/).
|
|
|
|
<sect1>PGP2
|
|
<p>
|
|
<em/PGP2/ generates keys with the RSA <htmlurl url="http://www.rsa.com"
|
|
name="http://www.rsa.com">,algorithm and it uses IDEA <htmlurl
|
|
url="http://www.ascom.ch" name="http://www.ascom.ch"> as the encryption
|
|
algorithm. Both are propietary algorithms and its use is restricted by its
|
|
respectives patents.
|
|
|
|
To run it correctly, you must have it installed, as well as having a directory called <tt>˜/.pgp</tt>, containing the configuration file <tt/pgp-i.conf/ and the private and public keys rings files, <tt/pubring.pgp/ and <tt/secring.pgp/ respectively.
|
|
|
|
<sect1>PGP5
|
|
<p>
|
|
The keys generated by <em/PGP5/ are <bf>DSS/DH</bf> (Digital Signature
|
|
Standard / Diffie-Helman). PGP5 uses <bf/CAST/, <bf/Triple-DES/, and
|
|
<bf/IDEA/ as encrypt algorithms. PGP5 can work with encrypted or signed
|
|
data with <em/RSA/ (PGP2), and use that keys to sign or encrypt (with the
|
|
keys generated with PGP2, because PGP5 can not generate that type of
|
|
keys). In the other hand, PGP2 can not use the <em>DSS/DH</em> keys from
|
|
PGP5; this creates incompatibility problems, because many users continue
|
|
using PGP2 with <em>Unix/Linux</em>.
|
|
|
|
To run PGP5 correctly, in the <tt>˜/.pgp</tt> directory you will
|
|
have the public and private key rings (<tt/pubring.pkr/ and
|
|
<tt/secring.skr/ respectively), and the configuration file <tt/pgp.cfg/.
|
|
|
|
In the case that you have installed the both versions of <em/PGP/ (PGP2
|
|
installed and configured before PGP5), we will create the configuration
|
|
file <tt>˜/.pgp/pgp.cfg</tt> of PGP5 as a simbolic link to the
|
|
<tt>˜/.pgp/pgp-i.conf</tt> configuration file,
|
|
|
|
<tscreen>˜/.pgp$ ln -s pgp-i.conf pgp.cfg</tscreen>
|
|
|
|
adding the following lines at the end of the file
|
|
<tt>˜/.pgp/pgp-i.conf</tt>:
|
|
|
|
<tscreen><verb>
|
|
PubRing = "~/.pgp/pubring.pkr"
|
|
SecRing = "~/.pgp/secring.skr"
|
|
RandSeed = "~/.pgp/randseed.bin"
|
|
</verb></tscreen>
|
|
|
|
The files with the keys rings of the different versions can cohexist
|
|
without any problem in the same directory.
|
|
|
|
<sect1>GnuPG
|
|
<p>
|
|
<bf/GnuPG/ is a program with the same functions that the previous. The
|
|
difference with <em/PGP/, <em/GnuPG/ do not uses algorithms with
|
|
restrictive patents. <em/PGP/ is free for personal uses but not comercial
|
|
jobs and its development is closed. <em/GnuPG/ is free to be used in any
|
|
job and it is open source, as our favorite operating system (also its
|
|
implementation and development is made mainly in <em/Linux/).
|
|
|
|
The keys generated by <em/GnuPG/ are of the type <bf>DSA/ElGamal</bf>
|
|
(<em/Digital Signature Algorithm/, also known as <em/DSS/). Is totaly
|
|
compatible with <em/PGP/, except with the use of restricted patents
|
|
algorithms <em/RSA/ and <em/IDEA/. Anyway, it is posible to implement
|
|
certain compatibility with that (see GnuPG mini howto <htmlurl
|
|
url="http://www.dewinter.com/gnupg_howto"
|
|
name="http://www.dewinter.com/gnupg_howto"> to get it interacting with
|
|
PGP2 and PGP5).
|
|
|
|
<sect>PGP and Mutt integration
|
|
<p>
|
|
The operation to carry out in the outgoing messages (sign, encrypt or
|
|
both) is chosen exactly before presing &dquot;<tt/y/&dquot; to send the
|
|
message, inside the option menu that is visible with the
|
|
&dquot;<tt/p/&dquot; option. Once you have choosen the operation to carry
|
|
out, only the line <em/PGP/ in the message header showed in the screen
|
|
will change, but until you send the message with &dquot;<tt/y/&dquot; you
|
|
won't be asked to insert the pass phrase to activate the sign of the
|
|
message or the public keys to use to encrypt in the case that no receptors
|
|
were found in our public keys ring.
|
|
|
|
<bf/NOTE:/ In the case that the pass phrase was mistyped when it was asked
|
|
for, <em/Mutt/ seems to be "hung", but that's not true, it is
|
|
waiting for it to be retyped. To do this, push the <tt/<Enter>/ key
|
|
and delete the pass phrase from memory with <tt/<Ctrl>F/. Next we
|
|
repeat the message sending with (&dquot;<tt/y/&dquot;) and retype the pass
|
|
phrase.
|
|
|
|
Through this procedure, <em/Mutt/ will use <em>PGP/MIME</em> to send the
|
|
message, and one more file will appear in the list of files to be sent
|
|
with the sign (if we only select to sign) or it will encrypt the complete
|
|
message (all its <em/MIME/ parts) and it will only leave two MIME parts,
|
|
the first with the PGP/MIME version and the second with the encrypted
|
|
message (with all its MIME parts inside) and signed (if we selected to do
|
|
it).
|
|
|
|
<bf/Note:/ By some reasons, if the receptor mail user agent can not use
|
|
<em/MIME/, we may need that the sign will be included inside the message
|
|
body. See section about <em>application/pgp</em> with <ref
|
|
id="sec-app-pgp" name="PGP5"> and with <ref id="sec-app-gpg"
|
|
name="GnuPG">.
|
|
|
|
<em/Mutt/ will try to verify the sign or decrypt automatically the
|
|
incoming messages that use <em>PGP/MIME</em>. See section <ref
|
|
id="sec-procmail.2" name="Procmail notes and tips">, in which it is
|
|
commented how to change the <em/MIME/ type automatically to the incoming
|
|
messages that do not set its <em/MIME/ type correctly.
|
|
|
|
<sect1>Optional configuration files
|
|
<label id="sec-opcion">
|
|
<p>
|
|
In the next sections you can find modifications to the <em/Mutt/
|
|
configuration file to use <ref id="sec-conf-pgp2" name="PGP2">, <ref
|
|
id="sec-conf-pgp5" name="PGP5">, and <ref id="sec-conf-gpg" name="GnuPG">
|
|
easily.
|
|
|
|
To do that, a new configuration file that we called <tt/.gnupgp.mutt/
|
|
(that's our name, you can call it any other name setting the name of this
|
|
file into the main configuration file <tt>˜/.muttrc</tt>).
|
|
|
|
This can be done including the complete path (its location) of the
|
|
configuration file <tt/.gnupgp.mutt/, in a line at the end of the
|
|
<tt>˜/.muttrc</tt> file. The directory in which we put this and
|
|
other optional configuration files can be anywhere, if we have correct
|
|
permissions (in a previous section we included it inside the
|
|
<tt>˜/Mail/</tt>) directory, or any other inside our home directory,
|
|
with any name:
|
|
|
|
<tscreen>˜$ mkdir mutt.varios</tscreen>
|
|
|
|
in which we copy (or create) the optional configuration file
|
|
<tt/.gnupgp.mutt/, and next we set the origin of this file in the
|
|
<tt/.muttrc/ file with the <tt/source/ command, like the following:
|
|
|
|
<tscreen><verb>
|
|
source ~/mutt.varios/.gnupgp.mutt
|
|
</verb></tscreen>
|
|
|
|
Now <em/Mutt/ will accept configuration variables in <tt/.gnupgp.mutt/ as if it were in <tt/.muttrc/ directly.
|
|
|
|
This method is a good way to avoid having a very big, unsorted
|
|
configuration file, and can be used to set any other group of
|
|
configuration variables in other separate file. For example, as before, if
|
|
we use <em/vim/ as the default editor in <em/Mutt/, we can tell to
|
|
<tt/.muttrc/ to use a different configuration file <tt/.vimrc/ that we use
|
|
when using <em/vim/ from the command line. First, copy
|
|
<tt>˜/.vimrc</tt> to our optional configuration files directory
|
|
<tt>˜/mutt.varios/</tt> and set it with other name (ex.
|
|
<tt/vim.mutt/):
|
|
|
|
<tscreen>
|
|
$ cd /home/user
|
|
˜$ cp .vimrc mutt.varios/vim.mutt
|
|
</tscreen>
|
|
|
|
next change the configuration variables that we want to be different in
|
|
<em/vim/ as the <em/Mutt/ editor, and finally modify <tt/.muttrc/ to
|
|
reflect this change:
|
|
|
|
<tscreen><verb>
|
|
set editor="/usr/bin/vim -u ~/mutt.varios/vim.mutt"
|
|
</verb></tscreen>
|
|
|
|
With this last line we are setting <tt/Mutt/ to use an external editor,
|
|
<em/Vim/, with the needed configuration options.
|
|
|
|
<sect1>General Configuration Variables
|
|
<label id="sec-conf-gen">
|
|
<p>
|
|
There are some variables that we will use globally with the three public
|
|
key encrypt programs with <em/Mutt/. These variables are boolean, and can
|
|
be <bf/set/ (activated) or <bf/unset/ (deactivated).
|
|
|
|
In the configuration file (<tt>˜/.muttrc</tt>, or
|
|
<tt>˜/mutt.varios/.gnupgp.mutt</tt>, or whatever you use), the sign
|
|
(<bf/#/) is a comment and will be ignored. So, we will use it from
|
|
here in advance to comment each variable:
|
|
|
|
<descrip>
|
|
<tag/unset pgp_autosign/
|
|
|
|
# if this variables is set, <em/Mutt/ will ask to sign all the&nl;
|
|
# outbound messages. <ref id="uno" name="(1)">
|
|
|
|
<tag/unset pgp_autoencrypt/
|
|
|
|
# if this variable is set, <em/Mutt/ will ask to encrypt all the&nl;
|
|
# outbound messages. <ref id="uno" name="(1)">
|
|
|
|
<tag/set pgp_encryptself/
|
|
|
|
# save an encrypted copy of all sent messages that we want to encrypt&nl;
|
|
# (need the general configuration variable <tt/set copy=yes/).
|
|
|
|
<tag/set pgp_replysign/
|
|
|
|
# when you answer a signed message, the response message will be&nl;
|
|
# signed too.
|
|
|
|
<tag/set pgp_replyencrypt/
|
|
|
|
# when you answer an encrypted message, the response message&nl;
|
|
# will be encrypted too.
|
|
|
|
<tag/set pgp_verify_sig=yes/
|
|
|
|
# Do you want to automatically verify incoming signed messages?&nl;
|
|
# Of course!
|
|
|
|
<tag/set pgp_timeout=<n>/
|
|
|
|
# delete pass phrase from the memory cache <n> seconds&nl;
|
|
# after typing it.<ref id="dos" name="(2)">
|
|
|
|
<tag/set pgp_sign_as="0xABC123D4"/
|
|
|
|
# what key do you want to use to sign outgoing messages?&nl;
|
|
# <bf/Note:/ it is posible to set it to the user id, but&nl;
|
|
# this can be confuse if you have the same user id with different keys.&nl;
|
|
|
|
<tag/set pgp_strict_enc/
|
|
|
|
# use &dquot;quoted-printable&dquot; when PGP requires it.&nl;
|
|
|
|
<tag/unset pgp_long_ids/
|
|
|
|
# Do not use 64 bits key ids, use 32 bits key ids.&nl;
|
|
|
|
<tag/set pgp_sign_micalg=<some>/
|
|
|
|
# message integrity check algorithm, where&nl;
|
|
# <some> is something from the next:<ref id="tres" name="(3)">
|
|
|
|
<itemize>
|
|
<item><bf/pgp-mda5/&nl;
|
|
to RSA keys
|
|
<item><bf/pgp-sha1/&nl;
|
|
to DSS (DSA) keys
|
|
<item><bf/pgp-rmd160/&nl;
|
|
</itemize>
|
|
</descrip>
|
|
|
|
In the three next sections the configuration variables to each of the PGP
|
|
versions will be explained. The fourth section will explain how to modify
|
|
the variables if you use more than one PGP version.
|
|
|
|
(1)<label id="uno"> as <em/Mutt/ requires to type the passphrase every
|
|
time you want to sign or select the receipts if you want to encrypt, it
|
|
may be unconvenient to set this variable. Possibly you may want to unset
|
|
this variable. This is specially true encrypting messages, as you don't
|
|
have all the public keys of the message receipts.
|
|
|
|
(2)<label id="dos"> depending on the number of messages that we sign or
|
|
decrypt, we would like to maintain the pass phrase in cache memory more or
|
|
less time. This option avoid you from type the pass phrase each time you
|
|
sign a new message or decrypt an incoming message. <bf/Warning:/
|
|
maintaining the pass phrase in cache memory is not secure, specially in
|
|
network connected systems.
|
|
|
|
(3)<label id="tres"> this is only necesary with the key that we use to
|
|
sign. When the key is selected from the compose menu, <em/Mutt/ will
|
|
calculate the algoritm.
|
|
|
|
<sect1>PGP2 configuration variables
|
|
<label id="sec-conf-pgp2">
|
|
<p>
|
|
To use PGP2 with <em/Mutt-i/ you need to add the following lines to the
|
|
<tt>˜/mutt.varios/.gnupgp.mutt</tt> file:
|
|
|
|
<tscreen><verb>
|
|
set pgp_default_version=pgp2
|
|
set pgp_key_version=default
|
|
set pgp_receive_version=default
|
|
set pgp_send_version=default
|
|
set pgp_sign_micalg=pgp-md5
|
|
set pgp_v2=/usr/bin/pgp
|
|
set pgp_v2_pubring=~/.pgp/pubring.pgp
|
|
set pgp_v2_secring=~/.pgp/secring.pgp
|
|
</verb></tscreen>
|
|
|
|
As you know, the <tt>˜/.pgp/pubring.pgp</tt> and <tt/secring.pgp/
|
|
files must exist. More information on PGP2 with the <tt/man pgp/ command.
|
|
|
|
<sect1>PGP5 configuration variables
|
|
<label id="sec-conf-pgp5">
|
|
<p>
|
|
To use PGP5 with <em/Mutt-i/ you need to add the following lines to the
|
|
<tt>˜/mutt.varios/.gnupgp.mutt</tt> file:
|
|
|
|
<tscreen><verb>
|
|
set pgp_default_version=pgp5
|
|
set pgp_key_version=default
|
|
set pgp_receive_version=default
|
|
set pgp_send_version=default
|
|
set pgp_sign_micalg=pgp-sha1
|
|
set pgp_v5=/usr/bin/pgp
|
|
set pgp_v5_pubring=~/.pgp/pubring.pkr
|
|
set pgp_v5_secring=~/.pgp/secring.skr
|
|
</verb></tscreen>
|
|
|
|
As you know, the <tt>˜/.pgp/pubring.pkr</tt> and <tt/secring.pkr/
|
|
files must exist. More information on PGP 5 with the <tt/man pgp5/
|
|
command.
|
|
|
|
<sect1>GnuPG configuration variables
|
|
<label id="sec-conf-gpg">
|
|
<p>
|
|
To use <em/GnuPG/ with <em/Mutt-i/ you need to add the following lines to
|
|
the <tt>˜/mutt.varios/.gnupgp.mutt</tt> file:
|
|
|
|
<tscreen><verb>
|
|
set pgp_default_version=gpg
|
|
set pgp_key_version=default
|
|
set pgp_receive_version=default
|
|
set pgp_send_version=default
|
|
set pgp_sign_micalg=pgp-sha1
|
|
set pgp_gpg=/usr/bin/gpg
|
|
set pgp_gpg_pubring=~/.gnupg/pubring.gpg
|
|
set pgp_gpg_secring=~/.gnupg/secring.gpg
|
|
</verb></tscreen>
|
|
|
|
As you know, the <tt>˜/.gnupg/pubring.gpg</tt> and <tt/secring.gpg/
|
|
files must exist. More information on GnuPG with the <tt/man gpg.gnupg/,
|
|
<tt/man gpgm/, and <tt/man gpg/ commands.
|
|
|
|
<sect1>Mixed configuration variables
|
|
<label id="sec-conf-mix">
|
|
<p>
|
|
If you want to use more than one PGP software you need to modify some of
|
|
the variables that we have commented previously. Really, it is only to
|
|
remove the redundant version variables.
|
|
|
|
If, for example, you want to use GnuPG as the default signing tool, all
|
|
menu commands in <em/Mutt/ to use GnuPG/PGP would call to this program to
|
|
the signing, decrypting, encrypting, verifying, etc... operations&nl;
|
|
To do that you must set the configuration variable <tt/$set_pgp_default/ <bf/once/, so:
|
|
|
|
<tscreen><verb>
|
|
set pgp_default_version=gpg
|
|
</verb></tscreen>
|
|
|
|
now, to use the all three programs, the
|
|
<tt>˜/mutt.varios/.gnupgp.mutt</tt> file could be like this:
|
|
|
|
<tscreen><verb>
|
|
set pgp_default_version=gpg # default version to use
|
|
|
|
set pgp_key_version=default # default key to use
|
|
# in this case, gnupg defines it
|
|
|
|
set pgp_receive_version=default # default version to decrypt will be the default
|
|
set pgp_send_version=default # version defined in the first line (gpg)
|
|
|
|
set pgp_gpg=/usr/bin/gpg # where to find the GnuPG binary
|
|
set pgp_gpg_pubring=~/.gnupg/pubring.gpg # public key file to GnuPG
|
|
set pgp_gpg_secring=~/.gnupg/secring.gpg # secret key file to GnuPG
|
|
|
|
set pgp_v2=/usr/bin/pgp # where to find the PGP2 binary
|
|
set pgp_v2_pubring=~/.pgp/pubring.pgp # public key file to PGP2
|
|
set pgp_v2_secring=~/.pgp/secring.pgp # secret key file to PGP2
|
|
|
|
set pgp_v5=/usr/bin/pgp # where to find the PGP5 binary
|
|
set pgp_v5_pubring=~/.pgp/pubring.pkr # public key file to PGP5
|
|
set pgp_v5_secring=~/.pgp/secring.skr # secret key file to PGP5
|
|
</verb></tscreen>
|
|
|
|
<sect>Interesting Macros for Mutt
|
|
<p>
|
|
<em/Mutt/ is highly configurable and its working mode can be modified in a
|
|
very flexible manner if the configuration variables inside <tt/.muttrc/
|
|
are well configured.
|
|
|
|
Here you can see some macros that help you to generate signed messages
|
|
avoiding the <em>PGP/MIME</em> standard, to send it to receipts that don't
|
|
support this type of signed messages following the <em>PGP/MIME</em>
|
|
standard, and to edit the alias file and reload it without exiting
|
|
<em/Mutt/ (this last macro is not related to <em>PGP/GnuPG</em>, it is
|
|
presented only as an example to show the macro power in <em/Mutt/).
|
|
|
|
It is possible to tell Mutt the key bindings you want to use with
|
|
<em>PGP/GnuPG</em>. Even when some of this options are yet configured, we
|
|
can change it or add others easily modifiying the configuration file.
|
|
|
|
<sect1>Signing on the message body without using PGP/MIME with PGP5
|
|
<label id="sec-app-pgp">
|
|
<p>
|
|
Before existing <em>PGP/MIME</em>, the signature in a message was included
|
|
in the message body. This is a very common form of sending signed messages
|
|
in many mail user agents.
|
|
|
|
If we want to sign like this, we have two options, leave the <em/MIME/
|
|
type of the message or modify it as <tt>application/pgp</tt>.
|
|
|
|
To implement this two forms of signing in <em/Mutt/, we will add the
|
|
following lines to the <tt>˜/mutt.varios/mutt.macros</tt> file.
|
|
Previously, we have to set this option file path in the <tt/.muttrc/ main
|
|
configuration file (see <ref id="sec-opcion" name="Optional configuration
|
|
files">):
|
|
|
|
<tscreen><verb>
|
|
macro compose \Cp "F/usr/bin/pgps\ny"
|
|
macro compose S "F/usr/bin/pgps\ny^T^Uapplication/pgp; format=text; x-action=sign\n"
|
|
</verb></tscreen>
|
|
|
|
and now, pressing <tt/<Ctrl>p/ or <tt/S/ we can include the
|
|
signature into the message part that has the cursor on it, just before
|
|
send the message.
|
|
|
|
<sect1>Signing on the message body without using PGP/MIME with GnuPG
|
|
<label id="sec-app-gpg">
|
|
<p>
|
|
As in the previous case, but with GnuPG. The macros are:
|
|
|
|
<tscreen><verb>
|
|
macro compose \CP "Fgpg --clearsign\ny"
|
|
macro compose \CS "Fgpg --clearsign\ny^T^Uapplication/pgp; format=text; x-action=sign\n"
|
|
</verb></tscreen>
|
|
|
|
<sect1>Modifying the alias file and reloading it
|
|
<p>
|
|
With this macro included in <tt>˜/mutt.varios/macros.mutt</tt> you
|
|
can edit with <em/vi/ (changing the line you can use other editor) the
|
|
alias file without exiting <em/Mutt/ pressing <tt/<Alt>a/.
|
|
|
|
<tscreen><verb>
|
|
macro index \ea "!vi ~/Mail/.alias\n:source =.alias\n"
|
|
</verb></tscreen>
|
|
|
|
<sect1>More macro examples
|
|
<p>
|
|
The next listing has been obtained from Roland Rosenfeld and it shows
|
|
macros to change the default signing/encrypting software and to sign
|
|
without PGP/MIME with GnuPG:
|
|
|
|
<tscreen><verb>
|
|
# ~/Mail/.muttrc.macros
|
|
# keyboard configuration file for Mutt-i
|
|
# copied, modified and translated from the original:
|
|
#
|
|
################################################################
|
|
# The ultimative Key-Bindings for Mutt #
|
|
# #
|
|
# (c) 1997-1999 Roland Rosenfeld <roland@spinnaker.rhein.de> #
|
|
# #
|
|
# $ Id: keybind,v 1.36 1999/02/20 19:36:28 roland Exp roland $ #
|
|
################################################################
|
|
#
|
|
# To use it, add the next line to ~/.muttrc:
|
|
# source ~/Mail/.muttrc.macros
|
|
#
|
|
|
|
# Generic keybindings
|
|
# (for all the Mutt menus, except the pager!)
|
|
# With the next three we can change the encrypting default selected software:
|
|
|
|
# <ESC>1 to use GnuPG
|
|
macro generic \e1 ":set pgp_default_version=gpg ?pgp_default_version\n"\
|
|
"Switch to GNU-PG"
|
|
|
|
# <ESC>2 to use PGP2
|
|
macro generic \e2 ":set pgp_default_version=pgp2 ?pgp_default_version\n"\
|
|
"Switch to PGP 2.*"
|
|
|
|
# <ESC>5 to use PGP5
|
|
macro generic \e5 ":set pgp_default_version=pgp5 ?pgp_default_version\n"\
|
|
"Switch to PGP 5.*"
|
|
|
|
#NOTE: Be careful with the last backspace at the end of the previous
|
|
macros. If you write that line and the next in the same line, do not write
|
|
it.
|
|
|
|
# index, OpMain, MENU_MAIN
|
|
# (Main menu)
|
|
# The next macro only runs from the main menu (the one that appears when
|
|
# you starts Mutt). The keys <CTRL>K permit us to extract the public keys
|
|
# from a message if it has (this is known because it has the K letter in
|
|
# the message line):
|
|
|
|
macro pager \Ck ":set pipe_decode pgp_key_version=pgp2\n\e\ek:set pgp_key_version=pgp5\n\e\ek:set pgp_key_version=gpg\n\e\ek:set pgp_key_version=default nopipe_decode\n"\ "Extract PGP keys to PGP2, PGP 5, and GnuPG keyrings"
|
|
|
|
|
|
# pager, OpPager, MENU_PAGER
|
|
# (Pager menu)
|
|
# It permits the same operations that previous, with the same key combinations,
|
|
# but in this case from the pager menu:
|
|
|
|
macro pager \e1 ":set pgp_default_version=gpg ?pgp_default_version\n"\
|
|
"switch to GNUPG"
|
|
|
|
macro pager \e2 ":set pgp_default_version=pgp2 ?pgp_default_version\n"\
|
|
"switch to PGP 2.*"
|
|
|
|
macro pager \e5 ":set pgp_default_version=pgp5 ?pgp_default_version\n"\
|
|
"switch to PGP 5.*"
|
|
|
|
|
|
# compose, OpCompose+OpGerneric, MENU_COMPOSE
|
|
# (Compose menu)
|
|
# The next operations are used from the compose menu.
|
|
# That is, after you have composed your message and you close it to send it,
|
|
# just before pressing the "Y" key that allows us to send it to the MTA.
|
|
|
|
# In this case, we create a menu that appears when you press "P".
|
|
# The options in this menu are going to be bound to MENU_PGP. This are the
|
|
# main use options (encryption and signing).
|
|
|
|
bind compose p pgp-menu
|
|
|
|
# As many programs can't use PGP/MIME (especially from M$), the <CTRL>P key
|
|
# will allow us to sign "as in the old times" (Application/PGP):
|
|
|
|
macro compose \CP "Fgpg --clearsign\ny"
|
|
|
|
# The next, <CTRL>S will allow us to sign using PGP/MIME with the private key
|
|
# that we have defined as default. This macro is not necesary, as we can
|
|
# do the same from the "P" menu:
|
|
macro compose \CS "Fgpg --clearsign\ny^T^Uapplication/pgp; format=text; x-action=sign\n"
|
|
</verb></tscreen>
|
|
|
|
You can add more macros, and some other are yet configured as default in
|
|
newer versions of Mutt. Some other options include:
|
|
|
|
<itemize>
|
|
<item><CTRL>K (extract public keys from a message)
|
|
<item><ESC>K (adjunt a public key to a message)
|
|
<item><CTRL>F (when using the key phrase to sign or decrypt a message, it is still in memory. With this you can delete it from memory)
|
|
<item>etc...
|
|
</itemize>
|
|
|
|
To see what other options are activated, you must go to the help menu (?)
|
|
from the menu where you were.
|
|
|
|
<sect>Procmail notes and tips
|
|
|
|
<sect1>Configuring Procmail to send automatically your public keys
|
|
<label id="sec-procmail.1">
|
|
<p>
|
|
As this is not the objetive of this Howto, we will comment that the
|
|
securest way to get the public key from anybody is that he gives it to us
|
|
directly by hand.
|
|
|
|
As many times this is not an easy method (how long they are) the people
|
|
can send the public key by electronic mail, or searching it in a key
|
|
server, but none of those methods assure that the obtained key is really
|
|
from whom it seems to be. If you use other communication media considered
|
|
"secure" (searching the owner in the phone listing and asking
|
|
him to read his key "fingerprint" to contrast with the fingerprint from
|
|
the key we have obtained from the non-secure path).
|
|
|
|
What we are going to see is a "tip" to put into the <tt>.procmailrc</tt>
|
|
from the Procmail mail processor to get back automatically your publick
|
|
key to the remitent when you get a message with a determined text in the
|
|
<tt>Subject</tt> line:
|
|
|
|
<tscreen><verb>
|
|
:0 h
|
|
* ^Subject:[ ]+\/(|send)[ ]+key pub\>.*
|
|
| mutt -s "Re: $MATCH" `formail -rtzxTo:` </clau/mykey.asc
|
|
</verb></tscreen>
|
|
|
|
What it is said in the previous paragraph is: we have a copy in ASCII of
|
|
our public key, in any directory (in this case the <tt>/clau</tt>
|
|
directory) in a file named <tt>mykey.asc</tt>; when procmail gets a
|
|
message that include "send key pub" in the <tt>Subject:</tt> line, send
|
|
the file to the remitent.
|
|
|
|
IMPORTANT: what you have between the brackets is <bf>an space</bf> and
|
|
<bf>a tab</bf>.
|
|
|
|
<sect1>Verify and decrypt automatically messages without PGP/MIME
|
|
<label id="sec-procmail.2">
|
|
<p>
|
|
When you receive a signed message that uses PGP/MIME and you open it with
|
|
your preferred MUA (Mutt, isn't it?), it recognizes the message as
|
|
PGP/MIME and checks the signature if you have the remitent public key.
|
|
These messages are the ones that have the "S" in the first part of the
|
|
message line in Mutt:
|
|
|
|
<tscreen><verb>
|
|
36 S 05/09 Andres Seco Her ( 12K) Al fin
|
|
</verb></tscreen>
|
|
|
|
while the encrypted messages have the "P":
|
|
|
|
<tscreen><verb>
|
|
12 P 03/24 Andres Seco Her (6,3K) Re: FW: Re: Mutt - pgp/gnupg
|
|
</verb></tscreen>
|
|
|
|
But if the message is signed and has the &dquot;application/pgp&dquot;
|
|
MIME type, when you open it Mutt doesn't check its sign, and this sign is
|
|
into the message body, as here:
|
|
|
|
<tscreen><verb>
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
Date: Tue, 25 May 1999 13:04:26 +0200
|
|
From: La Corporación <bill@reboot.com>
|
|
Subject: Actualización S.O.
|
|
To: Sufrido Usuario <pepe@casa.es>
|
|
|
|
|
|
Sufrido usuario:
|
|
|
|
le comunicamos que puede usted adquirir la última actualización del
|
|
programa O.E. con la adquisición de nuestro sistema operativo reboot99
|
|
por el módico precio de ... etc.
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.3ia
|
|
Charset: noconv
|
|
|
|
iKBGNpUBX0235VapRBUy1KklAQGl9wQA3SBMio0bbbajHAnyKMOlx3tcgNG7/UVC
|
|
AbqXcUnyGGOo13Nbas95G34Fee3wsXIFo1obEfgiRzqPzZPLWoZdAnyTlZyTwCHe
|
|
6ifVpLTuaXvcn9/76rXoI6u9svN2cqHCgHuNASKHaK9034uq81PSdW4QdGLgLoeB
|
|
vnGmxE+tGg32=
|
|
=Xidf
|
|
-----END PGP SIGNATURE-----
|
|
</verb></tscreen>
|
|
|
|
To verify it, you must save it and use the command line. But, it is
|
|
possible to convert this MIME messages type with <em/Procmail/ to allow
|
|
<em/Mutt/ to recognize it as <em>PGP/MIME</em>. You only need to add this
|
|
to <tt/.procmailrc/:
|
|
|
|
<tscreen><verb>
|
|
:0
|
|
* !^Content-Type: message/
|
|
* !^Content-Type: multipart/
|
|
* !^Content-Type: application/pgp
|
|
{
|
|
:0 fBw
|
|
* ^-----BEGIN PGP MESSAGE-----
|
|
* ^-----END PGP MESSAGE-----
|
|
| formail \
|
|
-i "Content-Type: application/pgp; format=text; x-action=encrypt"
|
|
|
|
:0 fBw
|
|
* ^-----BEGIN PGP SIGNED MESSAGE-----
|
|
* ^-----BEGIN PGP SIGNATURE-----
|
|
* ^-----END PGP SIGNATURE-----
|
|
| formail \
|
|
-i "Content-Type: application/pgp; format=text; x-action=sign"
|
|
}
|
|
</verb></tscreen>
|
|
|
|
As you can see, this is valid to signed messages and to encrypted messages
|
|
with application/pgp.
|
|
|
|
<sect1>Change MIME type for messages with keys inside without PGP/MIME
|
|
<p>
|
|
When you receive a public key block from a non <em>PGP/MIME</em> compliant
|
|
MUA, you must save the message body in your disk and then insert it into
|
|
your public key ring, but, including this lines into your <tt/.procmailrc/
|
|
file, you can include it directly from mutt.
|
|
|
|
<tscreen><verb>
|
|
:0 fBw
|
|
* ^-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
* ^-----END PGP PUBLIC KEY BLOCK-----
|
|
| formail -i "Content-Type: application/pgp-keys; format=text;"
|
|
</verb></tscreen>
|
|
|
|
Thanks to Denis Alan for this procmail note.
|
|
|
|
<sect>Interchanging signed/encrypted messages with different MUAs and platforms
|
|
<p>
|
|
In the first days, the PGP sign was included inside the text to sign.
|
|
Later, it was included the <tt>application/pgp</tt> MIME type to show that
|
|
the next attach was the sign or the encrypted PGP message, and finally,
|
|
with the PGP/MIME specification, it was possible to isolate the sign from
|
|
the original affected, to not modify absolutelly and somebody that didn't
|
|
have PGP could view the message as it was originally (only for signed
|
|
messages), without any added text in the beginning or in the end from PGP.
|
|
|
|
The actual situation is that only a few mail user agents (MUAs) are
|
|
capable to integrate PGP to use the PGP/MIME standard, and it is necesary
|
|
to send messages using the old time PGP sign when you know that the
|
|
recipient doesn't recognize PGP/MIME.
|
|
|
|
In Linux, the available mail user agents that are PGP/MIME compliant are
|
|
mutt-i and pine. In Windows, only the Eudora mail client versions 3.x and
|
|
4.x can use PGP/MIME. If you know any other mail user agent that supports
|
|
it, tell us by mail, to include it here.
|
|
|
|
<sect>Programs and versions used
|
|
<p>
|
|
To write this document we have used the next Mutt versions:
|
|
|
|
<itemize>
|
|
<item>Mutt 0.93i - you can not use GnuPG with this version.
|
|
<item>Mutt 0.95.3i - all PGP and GnuPG versions can be used.
|
|
</itemize>
|
|
|
|
And the next PGP and GnuPG versions:
|
|
|
|
<itemize>
|
|
<item>PGPi 5.0
|
|
<item>GnuPG 0.4.3
|
|
<item>GnuPG 0.9.4
|
|
</itemize>
|
|
|
|
<sect>More information
|
|
<p>
|
|
The original documentation from where this document has been obtained can
|
|
be found in the man pages from "mutt", "pgp", "pgp5", "gnupg", "procmail",
|
|
in the respectives directories in /usr/doc and in the world wide web
|
|
sites:
|
|
|
|
<itemize>
|
|
<item>Mutt Official Home Page - <htmlurl url="http://www.mutt.org"
|
|
name="http://www.mutt.org">
|
|
<item>GnuPG Main Page - <htmlurl url="http://www.gnupg.org"
|
|
name="http://www.gnupg.org">
|
|
<item>PGP International Page - <htmlurl url="http://www.pgpi.com"
|
|
name="http://www.pgpi.com">
|
|
<item>Procmail Official Home Page - <htmlurl url="http://www.procmail.org"
|
|
name="http://www.procmail.org">
|
|
</itemize>
|
|
|
|
The recommendations (request for comments, RFC) that are referenced in
|
|
this document are:
|
|
|
|
<itemize>
|
|
<item>1847 - Security Multiparts for MIME: Multipart/signed and Multipart/encripted
|
|
<item>1848 - MIME Object Security Services
|
|
<item>1991 - PGP Message Exchange Formats
|
|
<item>2015 - MIME Security with Pretty Good Privacy (PGP)
|
|
<item>2440 - OpenPGP Message Format
|
|
</itemize>
|
|
|
|
and can be found in /usr/doc/doc-rfc and in various sites in the world
|
|
wide web, like <htmlurl url="http://metalab.unc.edu"
|
|
name="http://metalab.unc.edu"> and <htmlurl url="http://nic.mil"
|
|
name="http://nic.mil">. You can get information from RFCs in <htmlurl
|
|
url="mailto:RFC-INFO@ISI.EDU" name="RFC-INFO@ISI.EDU">
|
|
|
|
</article>
|
|
|