Future of CTM

Klaus T. Aehlig aehlig at linta.de
Sun Sep 13 09:29:26 UTC 2015

> {
>         :0 c: ${MAILDIR}/ctm-ports.${LOCKEXT}
>         | rcvstore +ctm-ports -nounseen
>         :0 c
>         | gpg --no-default-keyring --keyring ${PMDIR}/ctm.key --verify
>         :0 a
>         | ctm_rmail -p ${HOME}/ctms/ports/pieces -d ${HOME}/ctms/ports/deltas -l ${PMDIR}/ctm.log
> }

If I read your example correctly (I'm not familiar with procmail), you're
only verifying that there is a part with a good signature by the right key
but you pass on the whole mail. Isn't this vulnerable to someone taking a
well-signed mail (e.g., one of those saying the delta is too big and should
be received via ftp) and appending a non-signed clear-text malicious ctm delta?

To avoid those kind of attacks I only take the "decrypted" contents of the
mail and verify the status fd to check that the mail only contains the parts
I expect (one block followed by a good signature with the correct key
and nothing else following). The script is attached (all the mentioned directories
under /usr/ctm can only be written to by the uucp user). Note, however, that my
set-up is slightly different, as I forward the ctm mails from my mail server
to my FreeBSD machines via uucp.

-------------- next part --------------
#!/usr/local/bin/perl -w

umask 0022;

my $name = `date +%Y-%m-%d-%H:%M:%S`;
$name .= "-$$";

	or die "Failed to open $name in dropdir ($!)\n";
while(<STDIN>) {
	print DROP $_;
	or die "Failed to close $name in dropdir ($!)\n";

## Check signatures

my $dropname = "/usr/ctm/incomming/$name";
my $plainname = "/usr/ctm/sigs/" . $name . "-plain";
my $logname = "/usr/ctm/sigs/" . $name . "-log";
my $statusname = "/usr/ctm/sigs/" . $name . "-status";
my $keyring = "/root/uucpkeyring";

system "gpg --no-default-keyring --keyring \Q$keyring\E --status-fd 3 -d < \Q$dropname\E > \Q$plainname\E 2> \Q$logname\E 3> \Q$statusname\E";

## Interpret signature check

$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] PLAINTEXT 74 0/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] NEWSIG/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] SIG_ID/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] GOODSIG D047A1D765FE4840/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] VALIDSIG 57C2E2F809F114312EB326F9D047A1D765FE4840/ or exit 0;
$line = <STATUS>; chomp($line); $line =~ /^\[GNUPG:\] TRUST/ or exit 0;
$line = <STATUS>; ! $line or exit 0;

## if reached here, signature is good and we can trust $plainname

my $goodname = "/usr/ctm/goodmails/" . $name;

rename $plainname, $goodname;

exit 0;

More information about the ctm-users mailing list