The Secure List Server: an OpenPGP and S/MIME aware Mailman


This patch is an effort to include OpenPGP and S/MIME support in Mailman, as part of the Secure List Server project. The project is made possible by NLnet.

The Secure List Server project's home is at http://non-gnu.uvt.nl/mailman-pgp-smime/. Sources are available from http://non-gnu.uvt.nl/pub/mailman/.

Beware! This code has not been touched since 2010-09. Therefore, it's mainly obsolete.

DO NOT USE THIS CODE.

If you're interested in hardening your mailing lists, be sure to check out Practical Encrypted Mailing Lists by Neal H. Walfield, Feb 2016:

"Although email has been one of the most enduring electronic communication mediums and encrypted email has been possible for decades, encrypted mailing lists remain either a usability (and hence security) nightmare or are rather insecure. We propose a simple extension to OpenPGP that makes encrypted mailing lists both easy to use (the work flow is exactly the same as sending an encrypted email) and secure (the mailing list software doesn't require access to the plaintext nor can it recover the mailing list's private key by colluding with a subscriber). Further, updates to the mailing list are transparently handled by the existing key distribution infrastructure. In this paper, we describe how to add mailing list support to OpenPGP, discuss the workflow for both subscribers and the mailing list administrator, and examine how the mailing list software can improve the user experience and further enhance the system's security."

New versions of this patch will be announced on the Mailman developers list.

This is Mailman patch #1167696.

Beware! This code is not mature, and not yet suitable for production use. Inspect the code to find out if it's good enough for you.

Specs

This patch handles both RFC 2633 (S/MIME) and RFC 2440 (OpenPGP) email messages.

A post will be distributed only if the PGP (or S/MIME) signature on the post is from one of the list members.
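The membership rule above, as an added example that is not code from this patch (the patch's own check is the verifyMessage function in Mailman/GPGUtils.py). It assumes the status lines come from `gpg --status-fd` and that subscribers are identified by key fingerprint; the function names and all sample data are made up for illustration.

```python
# Added example (not Mailman code): gate a post on GnuPG status output.
# Keywords that disqualify a signature even when VALIDSIG is also emitted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def valid_signers(status_text):
    """Return (primary-key fingerprints seen in VALIDSIG, rejected flag)."""
    valid, rejected = set(), False
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        if keyword in REJECT:
            rejected = True
        elif keyword == "VALIDSIG" and args:
            # Argument 10 is the primary key fingerprint; fall back to the
            # signing (sub)key fingerprint if the output omits it.
            valid.add((args[9] if len(args) >= 10 else args[0]).upper())
    return valid, rejected


def may_distribute(status_text, member_fingerprints):
    """True only for a clean, valid signature made by a subscriber's key."""
    valid, rejected = valid_signers(status_text)
    members = {f.replace(" ", "").upper() for f in member_fingerprints}
    return not rejected and bool(valid & members)


# Constructed sample data: fingerprints, key IDs and user IDs are made up.
ALICE = "0123456789ABCDEF0123456789ABCDEF01234567"
OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"
TAIL = " 2005-03-24 1111674568 0 4 0 1 2 00 "
MEMBER_OK = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Alice <alice@example.com>\n"
             "[GNUPG:] VALIDSIG " + ALICE + TAIL + ALICE + "\n")
# Same user ID as a subscriber but a different key: matching on the
# GOODSIG name or address instead of the fingerprint would accept this.
LOOKALIKE = ("[GNUPG:] GOODSIG 76543210FEDCBA98 Alice <alice@example.com>\n"
             "[GNUPG:] VALIDSIG " + OTHER + TAIL + OTHER + "\n")
# gpg reports VALIDSIG for an expired key too; EXPKEYSIG must win.
EXPIRED_KEY = ("[GNUPG:] EXPKEYSIG 89ABCDEF01234567 Alice <alice@example.com>\n"
               "[GNUPG:] VALIDSIG " + ALICE + TAIL + ALICE + "\n")

if __name__ == "__main__":
    for name, status in [("member", MEMBER_OK), ("lookalike", LOOKALIKE),
                         ("expired key", EXPIRED_KEY), ("unsigned", "")]:
        print(name, "->", may_distribute(status, [ALICE]))
```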

For sending encrypted email, a list member encrypts to the public key of the list. The post will be decrypted and re-encrypted to the public keys of all list members.

In order to achieve this, each list has a public and private key. (These private keys can optionally be protected by passphrases.) Furthermore, new list settings are defined:

Similar settings are defined for S/MIME.

Finally, each subscriber can upload her PGP and S/MIME public key using the web interface.

Installation

Additional requirements: the gpg binary in the path of qrunner, the GnuPGInterface Python library from http://py-gnupg.sourceforge.net/ and (for now) openssl.

upgrading from earlier and/or unpatched versions

PGP and S/MIME support needs to store additional information for the mailing lists, thus new variables were introduced. Have a look at bin/update and search for "GPG" and "smime".

The automatic upgrade procedure that occurs on a change of the version number is implemented but untested. You can either modify the version number in Version.py to trigger the automatic patch, or run bin/update --force (worked for me, but I won't give any guarantees).

fresh installs

If you're installing on a Debian(-based) host, you can "apt-get install" the patched package from

deb http://non-gnu.uvt.nl/debian sarge mailman

If you're on another platform, you can apply the patch to a pristine official mailman tarball, and install using the official installation instructions.

setting up lists

Create a list. Go to the admin menu. Open "Privacy options", select "GPG options" and "S/MIME options". Make the settings appropriate for your list (yes, there is some help text!). Create a keypair for your list. Make sure the list-posting-address is in one of the key's identities. Publish the public key for your list, e.g. on the list info page. Ask all subscribers to upload their public key. A good idea is to set up the web interface to only run over HTTPS.

Very likely, you'd prefer "Confirm and approve" as subscribe_policy (Privacy Options; Subscription Rules).

Very likely, you'd prefer "No" for archive (Archiving Options): no effort was made to do something "sane" w.r.t. the archiving of encrypted posts. Just don't archive.

Subscribers who do not upload their public keys will miss posts. Errors show up in /var/log/mailman/smtp-failure:

Mar 24 15:29:28 2005 (5267) delivery to joe@example.com failed with
  code 550: Encryption forced, but no keys found
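To find out which subscribers still need to upload a key, the smtp-failure log can be summarised per address. The following is an added example, not part of the patch; it assumes entries look like the one shown above (possibly wrapped onto a continuation line), and the function names and every sample entry other than that one are constructed.

```python
import re
from collections import Counter

# One logical smtp-failure entry, after wrapped lines have been joined.
ENTRY = re.compile(
    r"^(?P<when>\w{3} +\d+ [\d:]{8} \d{4}) \(\d+\) delivery to (?P<addr>\S+) "
    r"failed with code (?P<code>\d+): (?P<reason>.*)$")
NO_KEY = "Encryption forced, but no keys found"


def logical_lines(text):
    """Join continuation lines (leading whitespace) onto their entry."""
    out = []
    for raw in text.splitlines():
        if raw[:1].isspace() and out:
            out[-1] += " " + raw.strip()
        elif raw.strip():
            out.append(raw.rstrip())
    return out


def members_without_keys(text):
    """Map address -> number of posts missed because no key was found."""
    missed = Counter()
    for line in logical_lines(text):
        m = ENTRY.match(line)
        if m and m.group("code") == "550" and NO_KEY in m.group("reason"):
            missed[m.group("addr").lower()] += 1
    return dict(missed)


# First entry is the one from the page; the rest are constructed samples.
SAMPLE = """\
Mar 24 15:29:28 2005 (5267) delivery to joe@example.com failed with
  code 550: Encryption forced, but no keys found
Mar 24 15:29:29 2005 (5267) delivery to ann@example.com failed with
  code 552: Mailbox full
Mar 25 09:02:11 2005 (5267) delivery to Joe@example.com failed with code 550: Encryption forced, but no keys found
Mar 25 09:02:12 2005 (5267) delivery to kim@example.com failed with
  code 550: Encryption forced, but no keys found
"""

if __name__ == "__main__":
    for addr, count in sorted(members_without_keys(SAMPLE).items()):
        print(f"{addr}: {count} post(s) not delivered, no public key")
```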

Tell your subscribers where to upload their keys: list Info Page, Subscribers section. Visit "Subscriber List", choose your address, list membership configuration, "Your GPG key for postings".

Distribute the list public key to your subscribers, e.g. by posting it to the list after they've subscribed, or by pasting it in "[General Options], info" in the list admin web interface.

l10n

I only updated the English HTML template for the user preferences; that means that users using a different language setting will be unable to upload their public key. Either allow English only, or make the patches to other language templates (and send the diff to me).

lost emails

Users won't get warnings when mails are not delivered to them due to the encryption send policy. Failures to send due to a missing public key will be treated like bounces.

Hacking

If you're interested in helping with the work, you might like to subscribe to the developer list for a GPG/SMIME-enhanced Mailman, ssls-dev /a/ ulm.ccc.de. (Thanks a lot to Stefan Schlott for hosting this list.) If you'd like to contact the author directly, mail Joost van Baal at <joostvb-mailman-pgp-smime /a/ mdcc.cx>.

If you'd like to contribute patches, check out the code using Bazaar; see https://code.launchpad.net/~joostvb/mailman/2.1-pgp-smime for instructions.

A fancy web interface to this version control system is available at Launchpad's Bazaar page.

History, credits, copyright

This patch is based upon prior work by Stefan Schlott in mailman-2.1.5-gpg_2005-02-22.diff.gz. Copyright on the code is held by Stefan Schlott (stuff from mailman-2.1.5-gpg_2005-02-22.diff.gz) and Tilburg University (stuff written by Joost van Baal), see the individual files for details. Some contributions are from Michael Feiri.

The biggest lumps of changes by Joost van Baal are in Mailman/GPGUtils.py (function verifyMessage added) and in Mailman/Handlers/Moderate.py (code which deals with gpg_post_sign added). These are likely nontrivial and so copyrightable. Check with a specialist if you'd like to know for sure. Likely, Mailman upstream wants a copyright assignment to FSF before the patch gets included.

In 2005, this project was known as the SURFnet Secure List Server (mailman-ssls). SURFnet and Tilburg University made the project possible. Since 2008, the project has been made possible by NLnet.

See also

There are some alternative approaches to building a general re-encrypting secure list server (e.g. by integrating PGP and/or S/MIME with Mailman):

ChangeLog, BUGS, Roadmap and Reports

See NEWS.PGP-SMIME for user visible (and some other) changes. See TODO.PGP-SMIME for known bugs and plans for improvement. See the pgp-smime directory for some extra project documents (Security Audit reports, project reports).