FIRMA

  1. install
  2. create list
  3. add subscribers
  4. add mail aliases
  5. test it out

Files:
  • /crypt/firma/firma: firma executable
  • /etc/firma.conf: firma configuration
  • /crypt/firma/lists: directory to hold lists

install

codecoop.org/projects/firma/

/etc/firma.conf:
GPG_BINARY=/usr/bin/gpg
MAIL_AGENT=/usr/sbin/sendmail
LISTS_DIR=/crypt/firma/lists
MAIL_AGENT_ARGS=-t

create list

firma -c listname

fill in these values:
  • list keyring folder: /crypt/firma/lists/listname
  • list email: listname@gpg.domain.org
  • list admins: whatever you want
  • list description: is set as the name for the list's public key.
  • password for the list keyring: it will accept most anything, but later choke unless it is long enough and includes numbers and symbols. here is a command to give you a good key:
    # pwgen -sy 50
    do not choose any key which has a single quote in it: these will not work!
NOTE: I have had to manually modify the list's configuration so that the passphrase is surrounded in single quotes.
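The passphrase constraints above (long, with digits and symbols, and never containing a single quote), as an added example that is not part of the firma project: a small POSIX sh script that validates a candidate passphrase and, if pwgen is not at hand, draws one from /dev/urandom. The minimum length of 50 mirrors the pwgen -sy 50 suggestion and is an assumption, not a firma requirement.

```shell
#!/bin/sh
# Added example (not part of firma). Validate/generate a list keyring
# passphrase that satisfies the constraints described on this page:
# at least MIN_LEN characters, at least one digit, at least one symbol,
# and no single quote (the quoting in the list configuration breaks on it).
# MIN_LEN=50 is an assumption taken from the "pwgen -sy 50" suggestion.

MIN_LEN=50

# check_passphrase PASS: exit status 0 if acceptable, 1 otherwise;
# prints the reason on stdout so the caller can see what failed.
check_passphrase() {
    pass=$1
    case "$pass" in
        *\'*) echo "rejected: contains a single quote"; return 1 ;;
    esac
    if [ "${#pass}" -lt "$MIN_LEN" ]; then
        echo "rejected: shorter than $MIN_LEN characters"; return 1
    fi
    case "$pass" in
        *[0-9]*) ;;
        *) echo "rejected: no digit"; return 1 ;;
    esac
    case "$pass" in
        *[!A-Za-z0-9]*) ;;
        *) echo "rejected: no symbol"; return 1 ;;
    esac
    echo "ok"
    return 0
}

# generate_passphrase: draw MIN_LEN random characters from /dev/urandom
# (used here instead of pwgen so the example runs anywhere) and retry
# until check_passphrase accepts the result. The symbol set deliberately
# leaves out the single quote, so that rule can never fire here.
generate_passphrase() {
    while :; do
        cand=$(LC_ALL=C tr -dc 'A-Za-z0-9!#$%&()*+,./:;<=>?@^_{|}~' \
                 < /dev/urandom | head -c "$MIN_LEN")
        if check_passphrase "$cand" >/dev/null; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
}
```

Run check_passphrase on whatever pwgen produced before pasting it into the list configuration; a rejected value is reported with the rule it broke.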

change the permissions to be nobody (unless you have changed the postfix defaults):
# chown -R nobody /crypt/firma/lists/listname

add subscribers

To subscribe someone you add their public key to the keyring of the list. Here are some examples of doing this:

# cd /crypt/firma/lists/listname
# gpg --homedir . --keyserver pgp.mit.edu --search my@address.xx
# gpg --homedir . --import publickeyfile.asc

NOTE: If you changed the permissions to *nobody* then you will probably get this error when you add someone at this point:

gpg: WARNING: unsafe ownership on homedir `.'
gpg: external program calls are disabled due to unsafe options file permissions
gpg: keyserver communications error: general error
gpg: keyserver search failed: general error

This is because you are running the gpg command as one user but the home dir is owned by nobody. Changing the ownership, running the import of the key, and then changing the ownership back is one not so great way to solve this ugly situation. Once the subscriber's public key is part of the list's keyring, you must remove all uids from the key other than the one for the email address which the subscriber wants to use.

For example, to remove the first uid of a particular subscriber's key:

# gpg --homedir . --edit-key <subscriber>
uid 1
deluid
quit

NOTE: you must change the owner of the keyring to be 'nobody' each time you modify it. Otherwise, firma will choke but will not give you a reason why.

add mail aliases

/etc/postfix/main.cf:
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
virtual_maps = hash:/etc/postfix/virtual

/etc/postfix/virtual:
gpg.domain.org xxx
listname@gpg.domain.org          listname
listname-request@gpg.domain.org  listname-request

then run:
# postmap /etc/postfix/virtual

/etc/aliases:

listname: "| /crypt/firma/firma -p listname"
listname-request: "| /crypt/firma/firma -r listname"

then run:
# newaliases

test it out

get the public key of the list:

# gpg --homedir /crypt/firma/lists/listname --armor --export listname@gpg.domain.org

get a dump of the subscriber list:

# gpg --homedir /crypt/firma/lists/listname --list-keys

send encrypted mail to listname@gpg.domain.org, signed by you (assuming you are subscribed!).
