Setup
-----
- Note for Debian users: you'll need the packages "metamail" and "expect" to
- run firma.
+ Note for Debian users: you'll need the "expect" package to run firma.
Firma installation is quite simple:
1 - Create a folder to store lists; by default firma use /usr/local/etc/lists
but you can use anything, just edit firma and change FIRMA_LIST_PATH
variable.
-
+
2 - Copy firma script to whatever you like, e.g. /usr/local/bin and check that
- it has no write permission
+ it has no write permission
3 - Create a list-wide config file (default is /usr/local/etc/firma.conf) with
the common definitions for all lists,
LISTS_DIR= path to the mailing lists directory
All those variables can be overwritten at each list's own config file;
- firma.conf should be chmoded as 600, chowned nobody.nobdy or whatever
+ firma.conf should be chmoded as 600, chowned nobody.nobody or whatever
user your MTA runs. If you run postfix, the user is specified by the
main.cf parameter "default_privs".
user per mailing list
GROUP= group that runs firma (usually the same as your MTA group);
- defaults to "nogroup"; you can also specify this parameter
+ defaults to "nobody"; you can also specify this parameter
in each mailing list config file if you plan to have one
group per mailing list
- LOG_TO_SYSLOG= set to "1" to log errors and warnings to syslog, else firma
+ LOG_TO_SYSLOG= set to '1' to log errors and warnings to syslog, else firma
will print errors to STDERR
LOGGER_BINARY= if logging to syslog, set the path to logger's binary
SYSLOG_PRIORITY= if logging to syslog, set a priority for the error messages
- (defaults to "user.err")
+ (defaults to 'user.err')
USE_GPG_HIDDEN_RECIPIENT_OPTION= set to '1' to use GnuPG's --hidden-recipient
option, available from version 1.4.0 onwards
KEYSERVER= default keyserver to import/export keys
(defaults to keyserver.noreply.org)
- REQUIRE_SIGNATURE= wheter messages sent to the list should be (yes) or dont
- need to be signed to be processed (no); defaults to yes;
- this doesnt affect the way email administration works,
+ REQUIRE_SIGNATURE= whether messages sent to the list should be (1) or don't
+ need to be (0) signed to be processed; defaults to '1';
+ this doesn't affect the way email administration works,
when signature is mandatory
For a list of all config parameters, type
unsubscribe all keys with email-address IDs (currently not
implemented)
- use email-address
+ use email-address
uses the given address for message delivery instead
of the primary address of a subscribed key
- Use ramdisk to FIRMA_LIST_PATH so all keys and passwords vanishes if the server friezes
- Use a big PASSPHRASE, 25+ chars with alpha-numeric and special ascii keys
-Design and features
+Design and features (OUTDATED)
-------------------
Firma is simple but its simplicity doesn't reflect in lack of design.
- Uses a gpg keyring to store both the keys and the subscribers options
-
+
- Command line is simple to avoid admin tasks resting in some .bash_history
- Non-pgp blocks in a message are discarded since we don't want to deal with
the message
- Firma doesn't use any disk write when processing a message; no temp files
- that may rest in the system; everything goes in memory (but take care,
- sometimes it will use the swap and then is best to make it encrypted)
+ that may rest in the system; everything goes in memory (but take care,
+ sometimes it will use the swap and then is best to make it encrypted)
- By default it doesn't archive messages in the server
- By default it removes the Subject header and put it inside the encrypted
message, as Subject are outside the PGP/MIME context
- - Messages appear to be sent To: Undisclosed Recipients
-
+ - Messages appear to be sent To: Undisclosed Recipients
+
Major features are:
- Keyring support
done
LIST_ADMIN="$valid_admins"
- if [[ "$REQUIRE_SIGNATURE" != "yes" && "$REQUIRE_SIGNATURE" != "no" ]]; then
- REQUIRE_SIGNATURE="yes"
+ if [[ "$REQUIRE_SIGNATURE" != "0" ]]; then
+ REQUIRE_SIGNATURE="1"
fi
if [[ -z "$LIST_REQUEST_ADDRESS" ]]; then
LIST_REQUEST_ADDRESS="$(echo $LIST_ADDRESS | cut -d @ -f 1)-request@$(echo $LIST_ADDRESS | cut -d @ -f 2)"
fi
- if [[ "$REPLAY_PROTECTION" == "yes" ]]; then
+ if [[ "$REPLAY_PROTECTION" == "1" ]]; then
if [[ -z "$REPLAY_COUNT" ]]; then
- REPLAY_COUNT="10"
+ REPLAY_COUNT="150"
fi
if [[ -z "$REPLAY_FILE" ]]; then
REPLAY_FILE="$REPLAY_DEFAULT_FILE"
# else, if the message was correctly encrypted but its signature is invalid,
#+send a warning about this to the list administrator(s) and to sender
- elif [[ "$ENCRYPTED_TO_LIST" == "1" && "$BAD_SIGNATURE" == "1" && "$REQUIRE_SIGNATURE" == "yes" ]]; then
+ elif [[ "$ENCRYPTED_TO_LIST" == "1" && "$BAD_SIGNATURE" == "1" && "$REQUIRE_SIGNATURE" == "1" ]]; then
GetSenderAddress
else
# if bounce processing is enabled, continue
- if [[ "$SILENTLY_DISCARD_INVALID_MESSAGES" != 1 ]]; then
+ if [[ "$SILENTLY_DISCARD_INVALID_MESSAGES" != "1" ]]; then
GetSenderAddress
if [[ -n "$SENDER_ADDRESS" ]]; then
# if the message was encrypted with the list's public key
- if [[ $ENCRYPTED_TO_LIST == 1 ]]; then
+ if [[ $ENCRYPTED_TO_LIST == "1" ]]; then
# then, if signature can't be checked, then probably the sender is not subscribed to the list
# send a bounce, if possible
- if [[ "$SIGNATURE_CHECKING_FAILED" == "1" && "$REQUIRE_SIGNATURE" == "yes" ]]; then
+ if [[ "$SIGNATURE_CHECKING_FAILED" == "1" && "$REQUIRE_SIGNATURE" == "1" ]]; then
# this is the body of the message to be sent, so no indentation here
MESSAGE_BODY="\
# or, if message can be decrypted but its signature can't be checked, then message wasn't signed
# send a bounce, if possible
- elif [[ $MESSAGE_DECRYPTION_OKAY == 1 ]]; then
+ elif [[ $MESSAGE_DECRYPTION_OKAY == "1" ]]; then
# this is the body of the message to be sent, so no indentation here
MESSAGE_BODY="\
questions."
ComposeAndSendBounceMessage
- elif [[ "$SIGNATURE_MADE_BY_SENDER" != "1" && "$REQUIRE_SIGNATURE" == "yes" ]]; then
+ elif [[ "$SIGNATURE_MADE_BY_SENDER" != "1" && "$REQUIRE_SIGNATURE" == "1" ]]; then
# this is the body of the message to be sent, so no indentation here
MESSAGE_BODY="\
local -i return_code=0
if [[ "$MODE" == "admin-non-interactive" ]]; then
- REQUIRE_SIGNATURE="yes"
+ REQUIRE_SIGNATURE="1"
fi
if [[ "$ENCRYPTED_TO_LIST" == "1" ]]; then
keyserver="$(EvalConfigParameter $LIST_CONFIG_FILE KEYSERVER)"
[[ -n "$keyserver" ]] && KEYSERVER="$keyserver"
- [[ "$1" == "help" ]] && echo -e "\tREQUIRE_SIGNATURE= wheter messages sent to the list should be (yes) or dont
-\t need to be signed to be processed (no); defaults to yes;
+ [[ "$1" == "help" ]] && echo -e "\tREQUIRE_SIGNATURE= whether messages sent to the list should be (1) or dont
+\t need to be (0) signed to be processed; defaults to '1';
\t this doesnt affect the way email administration works,
\t when signature is mandatory." || \
REQUIRE_SIGNATURE="$(EvalConfigParameter $LIST_CONFIG_FILE REQUIRE_SIGNATURE)"
\t all randomizing its delivery." || \
DELIVERY_RANDOMIZATION="$(EvalConfigParameter $LIST_CONFIG_FILE DELIVERY_RANDOMIZATION)"
- [[ "$1" == "help" ]] && echo -e "\tREPLAY_PROTECTION= when set to \"yes\", stores sha1sums
+ [[ "$1" == "help" ]] && echo -e "\tREPLAY_PROTECTION= when set to '1', stores sha1sums
\t of the last REPLAY_COUNT received messages; then,
\t if some message with an already stored sha1sum, then
\t its bounced back to the sender and considered as an attempt
REPLAY_PROTECTION="$(EvalConfigParameter $LIST_CONFIG_FILE REPLAY_PROTECTION)"
[[ "$1" == "help" ]] && echo -e "\tREPLAY_COUNT= number of messages to store sha1sums;
-\t defaults to 10 and only used when
-\t REPLAY_PROTECTION is set to \"yes\"." || \
+\t defaults to 150 and only used when
+\t REPLAY_PROTECTION is set to '1'." || \
REPLAY_COUNT="$(EvalConfigParameter $LIST_CONFIG_FILE REPLAY_COUNT)"
[[ "$1" == "help" ]] && echo -e "\tREPLAY_FILE= file to store sha1sums of messages;
-\t only used when REPLAY_PROTECTION is set to \"yes\";
+\t only used when REPLAY_PROTECTION is set to '1';
\t defaults to $REPLAY_DEFAULT_FILE." || \
REPLAY_FILE="$(EvalConfigParameter $LIST_CONFIG_FILE REPLAY_FILE)"
}
# returns: 0
#-------------------------------------------------------------
- if [[ "$REPLAY_PROTECTION" == "yes" ]]; then
+ if [[ "$REPLAY_PROTECTION" == "1" ]]; then
if [[ -f "$REPLAY_FILE" ]]; then
if [[ "$(wc -l $REPLAY_FILE | cut -d " " -f 1)" -gt "$REPLAY_COUNT" ]]; then
sed -i -e '1d' $REPLAY_FILE
local sha1
- if [[ "$REPLAY_PROTECTION" == "yes" ]]; then
+ if [[ "$REPLAY_PROTECTION" == "1" ]]; then
ReplayProtectionFlush
sha1="$(echo $GPG_MESSAGE | sha1sum | cut -d " " -f 1)"
if grep -q "^$sha1$" $REPLAY_FILE; then
projects / firma.git / commitdiff