DownloadHere's the script:
How toTo make it work, you have to
- generate a gpg signature for the user that runs procmail,
- and import the public key you are going to the divert the mail to, and
- sign the recipient's public key
# su - pgprelay -s /bin/bash pgprelay@pizza:~$ gpg --gen-key gpg: directory `/home/pgprelay/.gnupg' created gpg: can't open `/gnupg/options.skel': No such file or directory gpg: keyring `/home/pgprelay/.gnupg/secring.gpg' created gpg: keyring `/home/pgprelay/.gnupg/pubring.gpg' created Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection? 1 DSA keypair will have 1024 bits. ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 2048 Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <email@example.com>" Real name: auto key Email address: firstname.lastname@example.org Comment: adsoijasdi You selected this USER-ID: "auto key (adsoijasdi) <email@example.com;>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. Enter Passphrase: whatever Repeat Passphrase: whateverGPG then spends a little while snapping truly random numbers out of the air to form your key that you are not really going to use:
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++..++++++++++++++++++++..++++++++++.+++++++++++++++++++++++++.+++++++ ++++..............................................+............. gpg: /home/pgprelay/.gnupg/trustdb.gpg: trustdb created gpg: key 914896D4 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 1024D/914896D4 2008-07-28 Key fingerprint = 35F0 0E74 CACC B599 C93F 9969 EAEB 1F4B 9148 96D4 uid auto key (adsoijasdi)Now you must import your public key which will receive the mail. If you don't have it, then gpg --export it:
sub 2048g/68B007A5 2008-07-28
gpg -a --export joeblogs > joeblogs.ascOn your shell account, import that key:
gpg --import < joeblogs.ascNow, edit the key you imported and sign it:
$ gpg --import < joeblogs.asc gpg: key A65F5E17: public key "joe blogs <firstname.lastname@example.org>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u # gpg --edit joeb pub 1024R/A65F5E17 created: 2007-07-22 expires: never usage: SCEA trust: unknown validity: unknown sub 2048R/26447505 created: 2007-07-22 expires: never usage: SCEA [ unknown] (1). "joe blogs <email@example.com>" Command> sign pub 1024R/A65F5E17 created: 2007-07-22 expires: never usage: SCEA trust: unknown validity: unknown Primary key fingerprint: E15B CD4D 6F14 E91D 1DD5 31A9 EA5F 4CD3 A65F 5E17 "joe blogs <firstname.lastname@example.org>" Are you sure that you want to sign this key with your key "auto key (adsoijasdi)Now you can test the encryption. If you get errors from this, then try to sort it out :)
" Really sign? (y/N) y You need a passphrase to unlock the secret key for user: "auto key (adsoijasdi) " 2048-bit DSA key, ID 914896D4, created 2008-07-28 Enter Passphrase: whatever Command> save
$ echo hi | gpg -a --encrypt --recipient joebl gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u -----BEGIN PGP MESSAGE----- Version: GnuPG v1.4.6 (GNU/Linux) hQEMA8KwiYImRHUFAQf7BAxgRXwudo+usdlGimqRZyFpve0kjvh/EXFe9TkaqAll iIQbimjdsQFUZqYxlf5CXFrTOzqkr1GSYSN+DVr4o8CZ/1/vs16ZVGCB4WKCdGUz hVSrGAk+/4e4IjsQhWD/BeLUxaYYejzX+0uOvrXx+x7M8SdeMr2znlyZHuDDKoFR TdvLhEtC28tmushmvNF9OMZgAIgTOR4vwG3WWmS/ZiDWS3W4Nx4cnQH4eCZQ+xUW /1PDNE/XeLhVOg+OcBtJobItt7tkEVO8OGCXIY/ogAwtSRnJHWJeA3rKPfgj0qeM bUV7d+/0Wen0HCpUSw3H0DsMisWPFU/NGvvBbTr/0tI4AeNgjmd1S1fOD/Svgeup hiJAIxdPVvTn2mDYAFDLTwSVwxV9qDV8lfrqtG+SfNvpl2/ggcbIPow= =1ckE -----END PGP MESSAGE-----That message can be decrypted with the private key.
Now, make sure it runs. To run from procmail, your .procmailrc should look like this (assuming you have installed pgp-relay.sh in $HOME for the user):
SHELL=/bin/sh # for other shells, this might need adjustment ADDRESS="email@example.com" NAME="Automailer" :0 W: vacation.lock # Mail loops are evil * !^X-Loop: $ADDRESS | $HOME/pgp-relay.sh $ADDRESS | $SENDMAIL -oi -t -F"$NAME" -f"$ADDRESS"That's it. Send a test mail, and see what happens.