Centralized Email Encryption with Anubis

Home , Enigmail, GnuTLS, GNU Privacy Guard, Pretty Good Privacy, Wire (software)

SYSADMIN Anubis

Centralized email encryption with Anubis xperts acknowledge the danger of transmitting plans, personal Edata, and confidential agree- ments in clear text across the Internet, but end users rarely heed their warnings. EGYPTIAN Users typically don’t turn to tools such as PGP, GnuPG [2], and S/Mime by choice. CTOs can either bemoan their fate or take proactive steps: so-called PGP servers provide centralized user key ENCRYPTION management and handle the encryption and decryption processes. These services remove the need for time-consuming The Anubis mail manipulation daemon lets you centralize encryption installation and configuration of a PGP client on every user workstation. for outgoing mail. BY DANIEL S. HAISCHT Linux admins have a choice of free encryption programs such as GPG-Relay [3] or Kuvert [4], and there are a number of commercial applications (such as [5] and [6]), some of which are also available for Windows. But if you prefer to avoid specialized applications, your best option may be the universal mail manipulation program, GNU Anubis [1]. Anubis, which is named after an ancient Egyptian god, is an SMTP pre-processing daemon. The Anubis daemon receives messages from a Mail User Agent (such as the Mutt client shown in Figure 2), then modifies the messages before pass- ing them to the Mail Transfer Agent (such as the Postfix server shown in Fig- ure 2). Anubis can process messages in a number of different ways, but in this case, one of Anubis’ more useful tricks is the ability to encrypt mail using GnuPG. The Anubis mail manipulation tool is a mature, Open Source solution that allows admins to set up a centralized PGP infrastructure. Automatic decryption of incoming mail or the use of the PGP/Mime standard to process file attachments requires a program such as GPG-Relay or Kuvert, but Anubis is the www.sxc.hu

64 ISSUE 63 FEBRUARY 2006 WWW.LINUX- MAGAZINE.COM Anubis SYSADMIN

MUA 1 MTA 1 MUA 1 GNU MTA 1 (Mutt) (Exim) (Mutt) Anubis (Postfix)

MUA 2 MTA 2 Inbox Inbox (Mozilla) (Postfix)

ᕡ ᕢ ᕣ ᕡ ᕢ ᕣ

Figure 1: In a legacy email infrastructure, each client (MUA, Mail User Figure 2: GNU Anubis sits between the MUA and MTA. From the cli- Agent) passes messages to a SMTP server (MTA, Mail Transfer ent’s point of view, Anubis is the mail server. In this position, Anubis Agent) which handles delivery. can manipulate traffic arbitrarily. perfect choice for encrypting and signing MTA. Users just need to configure the authentication is always included outgoing mail. Anubis machine as the mail server on • Guile (Scripting) their email clients (see the “SMTP • OpenSSL or GnuTLS (SSL support) SMTP Relay Functionality Tricks” box). • GPG (GNU Privacy Guard) and A most common technique for encrypt- GPGme ing or signing email messages is for each Installation • MySQL (database) client to use a PGP plugin such as Enig- Thanks to autoconf, Anubis is really • PostgreSQL (database) mail [9]. A tool like Anubis, on the other easy to configure and install. But make • GDBM and text file (these database hand, offers an alternative approach. sure you specify in advance which data- variants are always included) Anubis provides centralized processing base will hold the user data. In Pixie Other components are optional and only that is often easier to manage for a large mode, you can additionally authenticate make sense in specific scenarios: user base. The client no longer sends users via an Ident daemon running on • PAM (authentication) mail directly to the mail provider, but the local workstation. This variant does • Libwrap (TCP Wrapper) routes the message instead to the Anubis not need a relational database. It is also • SOCKS (SOCKS support) software. Anubis acts as a proxy, reshap- possible to compile all the modules and • NLS (Internationalization) ing the message content, signing or en- decide on a setup later: • PCRE (Regex with Perl syntax) crypting the message, and finally for- • Regex (support for regular expres- Unfortunately, Anubis does not have warding the message to the provider. sions) LDAP directory service support. This Anubis can run on a separate server, • GSASL (user authentication) would be a useful feature to have, as or on the same machine as the client or • The module for Ident daemon-based both user data and PGP keys are often

Table 1: Abbreviations used Listing 1: Pixie Mode in this Article 01 #> Reading system 09 #> [68244] UID:65534 (nobody), BLOB Binary Large Object configuration file /usr/local/ GID:65534, EUID:65534, GPG GNU Privacy Guard etc/anubis/anubisrc... EGID:65534 Guile GNU’s Ubiquitous Intelligent 02 #> UID:0 (root), GID:0, 10 #> [68244] Getting remote host Language for Extensions EUID:0, EGID:0 information... Mime Multipurpose Internet Mail 03 #> GNU Anubis bound to 11 #> [68244] Connected to Extensions 192.168.1.6:24 192.168.1.6:25 MTA Mail Transfer Agent (Mailserver) MUA Mail User Agent (Mailclient) 04 #> [68239] GNU Anubis is 12 #> [68244] Transferring NLS Native Language System running... message(s)... PAM Pluggable Authentication Mod- 05 #> [68239] Connection from 13 #SERVER >>> 220 smtp. ules 192.168.120.239:1310 abyssworld.de ESMTP Postfix PGP Pretty Good Privacy 06 #> [68244] IDENT: connected to (2.2.3)(46) SASL Simple Authentication and Secu- 192.168.120.239:113 14 #CLIENT <<< 220 smtp. rity Layer 07 #SERVER >>> 1310, 24 : USERID abyssworld.de (GNU Anubis S/Mime Secure Mime : UNIX : haischt(36) v4.0) ESMTP Postfix SMTP Simple Mail Transfer Protocol (2.2.3)(64) SSL Secure Sockets Layer 08 #> [68244] IDENT: resolved TLS Transport Layer Security remote user to haischt.

WWW.LINUX- MAGAZINE.COM ISSUE 63 FEBRUARY 2006 65 SYSADMIN Anubis

Listing 2: Dixie Configuration input and output channels in normal daemon mode. 01 #---BEGIN CONTROL--- 12 ### Relational MySQL Database

02 ## ... 13 #sasl-password-db mysql:// Pixie Authentication Anubis has a number of approaches to 03 #mode auth mail:access4anubis@mysql. abyssworld.de/ identifying users. Pixie mode is one of 04 ## ... mail;table=anubis_user the more simple approaches to authenti- 05 #---END--- cation. Pixie mode is enabled by the 14 #sasl-allowed-mech NTLM GSSAPI mode transparent entry in the control 06 # DIGEST-MD5 CRAM-MD5 block of the the global configuration file. 07 #---BEGIN AUTH--- 15 #---END--- In this setup, an Ident daemon (AUTH 08 #smtp-greeting-message ESMTP 16 # protocol) runs on the user workstation. Anubis requires the user to authenticate Anubis (4.0.0) 17 #---BEGIN TRANSLATION--- before handling mail (see Figure 3.) 09 #smtp-help-message help 18 ##translate [USER@]ADDRESS However, this technique only makes message into USERNAME sense in a very specific scenario. The 10 ### Simple text database: 19 #translate [email protected]. server has to trust the Ident daemon, and this type of client-side security 11 ## sasl-password-db file:/usr/ haischt.name into haischt check only works if the workstation is local/etc/anubisdb.txt 20 #---END--- used by responsible admins who know their users, and who can be sure that no- available via OpenLDAP or an Active Di- template file in the Anubis source code body will tamper with the network set- rectory server. For a long time, the package. tings. Best practices would suggest Anubis application only used text or avoiding the use of this operating mode. GDBM-based databases; support for rela- Personal Configuration tional systems is still fairly new to Additionally, users who need the ability Practical but Insecure Anubis. So let’s hope that LDAP support to send mail via the Anubis daemon can Although the protocol name, AUTH, will soon follow. create a ~/.anubisrc file in their home might suggest otherwise, Identd does not You can check the config.log after you directories. examples/1anubisrc gives actually perform authentication. The complete the ./configure stage to see if you an example. daemon is designed for tracking attacks: the modules were configured as expec- For initial testing, the Anubis daemon the administrator of the attacked system ted. After completing the installation, also has a debug mode: can use Ident to check the ID of the typing anubis -show-config-options tells users on a source machine in a TCP con- you if the required modules really are anubis --altrc U nection. Based on this data, the adminis- available. /usr/local/etc/anubis/anubisrcU trator can then contact the administrator Anubis expects to find its configura- --mode=transparent -v -D -f responsible for the source machine. tion data in /etc/anubisrc. This path is Many Ident implementations simply use hard-coded in src/header.h, but you can This tells Anubis to run in transparent a default ID ([7], [8]). modify the location on the fly using the mode without authentication, to provide Listing 1 shows an Anubis session in --altrc file. The make install stage does verbose output (-v), create debugging Pixie mode. Lines 6 (Ident authentica- not actually create a configuration file; output (-D), and run in the foreground tion attempt) and 8, where the mail user however, there is a examples/2anubisrc (-f), instead of avoiding the standard is mapped to the local haischt Unix ac-

MUA 1 GNU MTA 1 MUA 1 GNU MTA 1 (Mutt) Anubis (Postfix) (Mutt) Anubis (Postfix)

? ?

Ident- Inbox Inbox Daemon RDBMS

ᕡ ᕢ ᕣ ᕡ ᕢ ᕣ

Figure 3: In Pixie mode, Anubis first asks the Ident daemon on the Figure 4: In Dixie mode the Anubis server uses the SMTP-AUTH sender’s workstation to identify the user who opened the connection method to provide secure user authentication. The server needs to before accepting and processing the message. store the user credentials in a database.

66 ISSUE 63 FEBRUARY 2006 WWW.LINUX- MAGAZINE.COM Anubis SYSADMIN

count, are of interest. After the authentication phase, the GNU Anubis daemon passes the message on to the mail server (Lines 11 through 14). Windows XP client systems often have an integrated firewall that can cause trouble during the test phase. In the default configuration, the firewall under- standably restricts all Ident requests to port 113. This needs to be changed (by unblocking port 113 or disabling the firewall.) Additionally, the mail program can’t use SMTP-AUTH user names in Pixie mode. Dixie, the Preferred Alternative Dixie mode (Figure 4) is newer and bet- ter than Pixie mode. The Dixie alternative is based on the SMTP-AUTH standard. Anubis reads the username, pass- Figure 5b: The MySQL table has the user credentials for haischt, who uses Dixie to authenti- word, and other credentials from a data- cate. The Unix account for this user has the same name, and the configuration file is located base (a simple text file or a relational da- in /home/haischt/ .anubisrc. tabase system). The text variant includes the user ID (SMTP-AUTH-ID), the pass- to manage a larger number of users, you anubisadm --create U word and optionally the Unix account, might prefer to work with a database 'mysql://mail:access4anubisU and the path to the user-specific configu- instead of a text file. Figure 5a shows an @mysql.abyssworld.de/mail;U ration (Table 2). appropriate table schema for this data- table=anubis_test' U The text file has a line for each user; base. < /usr/local/etc/U the fields are blank-separated. According The authid is defined as the primary anubis/anubisdb.txt to the official documentation, the fields key; the fields are all text type. As you should be colon-separated, but this syn- can see in Figure 5b, the table content The command specifies the target table tax does not even work in Anubis 4.0. reflects the text file. The following com- as a URL parameter – the notation is The text variant is fine for initial testing mand imports the text file to the MySQL confusing, as the parameters are not sep- and smaller environments. If you need database: arated by ampersands (&), as they would be in an HTTP address, but by semico- lons. The URL and the parameters must be quoted to prevent shell mangling. Integrating the Database To tell Anubis to use the new table, the administrator has to change the authentication mode from mode transparent to mode auth in the control section of the global anubisrc configuration (see List- ing 2, lines 1 through 5). It is also neces- sary to add the path to the user credentials to the AUTH section (lines 7 through 15). Listing 2 shows you how to do this for a MySQL database. Addition- ally, users have to tell their mail programs to use SMTP-AUTH authentication when sending mail. Listing 3 shows a working Dixie session. Line 7 and following show a mail program talking to the Anubis daemon. Figure 5a: PHP MyAdmin showing the MySQL table structure used as the Dixie data reposi- The client can use the SASL mechanisms tory for Anubis. All four fields contain text entries: user ID, password, Unix name, and the DIGEST-MD5 and CRAM-MD5 to authen- path to the configuration file ticate. Both approaches transmit a pass-

WWW.LINUX- MAGAZINE.COM ISSUE 63 FEBRUARY 2006 67 SYSADMIN Anubis

word hash across the wire rather than a domain to a Table 2: Dixie Database Fields the cleartext password. shared name In Line 9, you can see the mail pro- (translate Domain Field Meaning gram issuing the STARTTLS command to into User.) Authid Corresponds to the name set by the user in the mail pro- establish a secure SSL connection to the Dixie mode is gram preferences. This field is required for SMTP authentication. Anubis daemon. This fails because useful, as it lever- Passwd The user also sets a password in the mail client, which Anubis is not yet configured for secure ages current stan- again is required for authentication by SMTP. SSL. In line 16, the mail program and dards such as Account Corresponds to the Unix account. This field maps the mail Anubis agree on the SASL mechanism SMTP-AUTH, and it user’s name to the matching Unix account, in order to find CRAM-MD5. The daemon then searches gives mail users an Anubis configuration file in the user’s home directory, the MySQL database for a record that without Unix ac- for example. matches the user haischt‘s credentials, counts access to Config This field has the path (absolute or relative) to the Anubis and finds the record (Lines 18 through the service. This configuration file for this user. Relative paths start in the user’s home directory. 20.) said, it is also true Line 20 has an interesting detail. This that the current im- line is where Anubis maps the user with plementation of the Anubis Dixie mode As Anubis has the user’s credentials, the mail address [email protected] has a few annoying weaknesses: targeted message processing is now pos- cht.name to the local user haischt. The Passwords in the database are stored sible; for example, you can configure TRANSLATION section takes care of in the clear. The database field for the Anubis to sign or encrypt email. To mapping mail addresses to local names user’s Anubis configuration file points to allow this to happen, users need to add (see the last four lines of Listing 2.) This an existing file. It would be more practi- entries to the RULE section of their TRANSLATION section of the configurat- cal to store parameters in a BLOB field or ~/.anubisrc files. You'll find that it is ion file can also map all the addresses in in a separate table. quite simple to add attributes to the

SMTP Tricks Listing 3: Dixie Session Some mail programs, Mutt for example, 01 #> Reading system 15 #CLIENT >>> AUTH CRAM-MD5(15) call the sendmail binary directly to send configuration file /usr/local/ 16 #SASL mech=CRAM-MD5, inp=NULL mail. In this case, it is impossible to etc/anubis/anubisrc... 17 #CLIENT <<< 334 PDE0MTU0NTMyOT change the SMTP host and port in the 02 #> UID:0 (root), GID:0, UzMDA2MzI0MTIzLjBAbG9jYWxob3N0 mail client configuration, as sendmail EUID:0, EGID:0 behavior is configured by the adminis- Pg==(54) trator. Additionally, some mail clients do 03 #> GNU Anubis bound to 18 #CLIENT >>> aGFpc2NodCA5ZmQ1MD not support authentication based on the 192.168.1.6:24 hkYTYzYzQ3ODRiOGUwMzMzZTNhMmUy SMTP-AUTH mechanism. 04 #> [68643] GNU Anubis is M2VjZQ==(58) Programs such as MSMTP [10] or running... 19 #> [68647] Found record for ESMTP [11] can help by acting as mail `haischt'. proxies. Users can configure these 05 #> [68643] Connection from command line tools individually, with 192.168.120.10:40501 20 #> [68647] Authentication the ~/.esmtprc configuration file in 06 #CLIENT <<< 220 abyssone. passed. User name haischt, ESMTP’s case: abyssworld.de GNU Anubis Local user haischt. Welcome! hostname = U ESMTP; Identify yourself(64) 21 #CLIENT <<< 235 Authentication successful.(32) anubis.abyssworld.de:24 07 #CLIENT >>> EHLO username = "haischt" [192.168.121.2](22) 22 #> [68647] UID:1001 (haischt), GID:20, EUID:1001, EGID:20 password = "access4anubis" 08 #CLIENT <<< 250-Anubis is starttls = disabled pleased to meet you.(36) 23 #> [68647] Reading user configuration file /home/ The service sends mail to the Anubis 09 #CLIENT <<< 250-STARTTLS(14) server (anubis.abyssworld.de, port 24) haischt/.anubisrc... 10 #CLIENT <<< 250-AUTH and authenticates with the user’s cre- 24 #> [68647] Getting remote host DIGEST-MD5 CRAM-MD5 (31) dentials. STARTTLS encryption is dis- information... abled. Mutt needs to know that it should 11 #CLIENT <<< 250 HELP(10) 25 #> [68647] Connected to call ESMTP rather than the sendmail 12 #CLIENT >>> STARTTLS(10) binary: 192.168.1.6:25 13 #[68647] anubis.pem: No such 26 #> [68647] Starting SMTP set sendmail=U file or directory session... "/usr/local/bin/esmtp" 14 #CLIENT <<< 454 TLS not 27 #SERVER >>> 220 smtp. This line in the Mutt configuration file available due to temporary abyssworld.de ESMTP Postfix tells the email client which service to reason(47) use. (2.2.3)(46)

68 ISSUE 63 FEBRUARY 2006 WWW.LINUX- MAGAZINE.COM Anubis SYSADMIN

email header using the add header if header [Subject] U thus supports extremely flexible tech- [name] value notation: "^ *\\[sig\\](.*)" niques for processing email headers remove [Subject] and content. This software’s true add header[X-Processed-By] U add [Subject] "\1" strength is its ability to perform any kind "GNU Anubis" signature-file-append yes of mail manipulation you can imagine. At the same time, integrated PGP/ Anubis also understands conditional ex- This if instruction checks if the subject GnuPG support saves you a lot of config- ecution. If an email has a with-signature line starts with [sig] (Posix extended uration work. header that contains an arbitrary value syntax, as not precisely specified). It User authentication still has much (regular expression .*, see the “Regular then removes the subject line entirely room for improvement. (Pixie mode Expression Formats” box), the following and adds a new line that reflects the part applies the insecure Ident approach, lines are all it takes to remove the header of the original subject that followed and Dixie mode stores cleartext pass- and add a text-based signature at the [sig]. To do this, the \1 references the words in the database.) PGP keyrings end of the message: string in round brackets passed by the and user-specific configurations are regular expression. stored in the filesystem rather than in if header [with-signature] U The subject line is so useful for com- the database. And add to this the lack :re ".*" mands that Anubis has its own syntax of LDAP and PGP/Mime support, along remove [with-signature] to handle this: Trigger. Users can trigger with the fact that Anubis is not yet capa- signature-file-append yes events via mail by appending the com- ble of decrypting incoming messages. mand at the end of the subject line fol- We’ll hope that ongoing development signature-file-append yes adds a separa- lowing two at characters (@), such as work will continue to improve this wily tor -- , followed by the content of the anystring@@sign. The following trigger god of outgoing mail. I ~/.signature file, and body-append adds takes care of everything else: the content of an arbitrary file at the end INFO of a message, whereas body-clear-append trigger "sign" [1] GNU Anubis: removes the original message text before gpg-sign meU http:// www. gnu. org/ software/ anubis/ doing so. @daniel.stefan.haischt.name [2] GNU Privacy Guard: done Commands in the Subject http:// www. gnupg. org Line The gpg-sign command signs the email [3] GPG Relay: Some mail clients make it difficult for body with the specified key ID. To allow http:// sites. inka. de/ tesla/ gpgrelay. html users to add headers. Anubis simplifies this to happen, the user’s GPG keyring [4] Kuvert: this process for users by parsing the must be available in the ~/.gnupg direc- http:// www. snafu. priv. at/ mystuff/ subject line: tory, and the user’s ~/.anubisrc config kuvert/ file must contain the GPG password [5] PGP Universal: Regular Expression Formats (gpg-passphrase "mypassword"). GPG http:// www. pgp. com/ products/ universal/ Anubis understands a few variants of needs the user’s key ID for encrypting. regular expressions. The configuration An extended trigger that parses addi- [6] GPG Shell (Windows): uses the following tags to identify regu- tional subject line data can handle this: http:// www. jumaros. de/ rsoft/ lar expressions: [7] Python Ident Daemon: U • :regex or :re: Simple regular expres- trigger : http:// www. alcyone. com/ software/ sion (Default Posix Extended) extended "^encrypt:(.*)" fauxident/ gpg-encrypt "\1" [8] Windows Identd: • :basic: Switches to Posix Basic add [X-GPG-Comment] U http:// identd. dyndns. org/ identd/ • :extended: Switches to Posix Ex- "Encrypted for \1" [9] Enigmail plugin: tended (default) done http:// enigmail. mozdev. org • :perl oder :perlre: Perl compatible reg- [10] MSMTP: ular expressions (only if PCRE support The subject line contains the encrypt http:// msmtp. sourceforge. net is built into Anubis) trigger followed by the receiver’s key ID: [11] ESMTP: http:// esmtp. sourceforge. net • :exact or :ex: No regular expressions, Hello John Doe!@@encrypt:Receiver-Key. the pattern must be an exact match Wily Anubis Daniel S. Haischt has a degree in • :scase: Case sensitive More complex tasks need a more power- Business Information Systems/Tech- • :icase: Case insensitive ful programing language, and Anubis nology, and is now studying Busi- A statement can contain a sequence of gives you this in the form of the Guile ness Information Management in tags: :perl:scase means case-sensitive scripting language (a dialect of Scheme). Reutlingen. On his leisure time, PCRE expressions. The regex :perl : You can also use external programs for Daniel works for a number of open scase statement sets this variant as a source projects, and enjoys tackling

mail manipulation. In combination with THE AUTHOR difficult server configurations. permanent default. the integrated commands, GNU Anubis