Future of CTM
Klaus T. Aehlig
aehlig at linta.de
Sun Sep 13 09:29:26 UTC 2015
> {
>
> :0 c: ${MAILDIR}/ctm-ports.${LOCKEXT}
> | rcvstore +ctm-ports -nounseen
>
> :0 c
> | gpg --no-default-keyring --keyring ${PMDIR}/ctm.key --verify
>
> :0 a
> | ctm_rmail -p ${HOME}/ctms/ports/pieces -d ${HOME}/ctms/ports/deltas -l ${PMDIR}/ctm.log
> }
If I read your example correctly (I'm not familiar with procmail), you're
only verifying that there is a part with a good signature by the right key
but you pass on the whole mail. Isn't this vulnerable to someone taking a
well-signed mail (e.g., one of those saying the delta is too big and should
be received via ftp) and appending a non-signed clear-text malicious ctm delta?
To avoid those kind of attacks I only take the "decrypted" contents of the
mail and verify the status fd to check that the mail only contains the parts
I expect (one block followed by a good signature with the correct key
and nothing else following). The script is attached (all the mentioned directories
under /usr/ctm can only be written to by the uucp user). Note, however, that my
set-up is slightly different, as I forward the ctm mails from my mail server
to my FreeBSD machines via uucp.
Regards,
Klaus
-------------- next part --------------
#!/usr/local/bin/perl -w
umask 0022;
my $name = `date +%Y-%m-%d-%H:%M:%S`;
chomp($name);
$name .= "-$$";
open(DROP,">","/usr/ctm/incomming/$name")
or die "Failed to open $name in dropdir ($!)\n";
while(<STDIN>) {
print DROP $_;
}
close(DROP)
or die "Failed to close $name in dropdir ($!)\n";
## Check signatures
my $dropname = "/usr/ctm/incomming/$name";
my $plainname = "/usr/ctm/sigs/" . $name . "-plain";
my $logname = "/usr/ctm/sigs/" . $name . "-log";
my $statusname = "/usr/ctm/sigs/" . $name . "-status";
my $keyring = "/root/uucpkeyring";
system "gpg --no-default-keyring --keyring \Q$keyring\E --status-fd 3 -d < \Q$dropname\E > \Q$plainname\E 2> \Q$logname\E 3> \Q$statusname\E";
## Interpret signature check
open(STATUS,"<",$statusname);
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] PLAINTEXT 74 0/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] NEWSIG/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] SIG_ID/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] GOODSIG D047A1D765FE4840/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] VALIDSIG 57C2E2F809F114312EB326F9D047A1D765FE4840/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] TRUST/ or exit 0;
$line = <STATUS>; ! $line or exit 0;
close(STATUS);
## if reached here, signature is good and we can trust $plainname
my $goodname = "/usr/ctm/goodmails/" . $name;
rename $plainname, $goodname;
exit 0;
More information about the ctm-users
mailing list