=============
Configuration
=============
To enable and configure the mailman-pgp plugin, two things are needed: Mailman Core must be told where to find the
plugin package and class, and mailman-pgp itself must be configured so that it works correctly.
Mailman
=======
Example additions to mailman.cfg to enable mailman-pgp::
# Set up the mailman-pgp plugin under the `pgp` name. To use the django-pgpmailman
# web UI, `MAILMAN_PGP_PLUGIN_NAME` in its project settings.py must be set to this
# plugin name, because that is where Mailman roots the plugin's REST API
# endpoint.
[plugin.pgp]
class: mailman_pgp.plugin.PGPMailman
path: mailman_pgp
enable: yes
configuration: python:mailman_pgp.config.mailman_pgp
# Use the custom PGP enabled deliver callable, performs the signing and encryption
# on PGP enabled lists which are configured to do so.
[mta]
outgoing: mailman_pgp.mta.deliver.deliver
# Use the custom PGP enabled runner on the default `in` queue.
[runner.in]
class: mailman_pgp.runners.incoming.PGPIncomingRunner
# This runner's name must match the `[queues].in` option in the mailman-pgp
# config file. It runs the default IncomingRunner on a queue with a different
# name, so that messages first enter the mailman-pgp incoming runner and are
# then handed on to the default incoming runner defined here.
[runner.in_default]
class: mailman.runners.incoming.IncomingRunner
Plugin
======
Default PGP config::
[db]
# URL of the database the PGP plugin uses to store list/user configuration (not keys!).
url: sqlite:////$DATA_DIR/pgp.db
[archiving]
# The directory where the local mbox archiver will save messages.
mailbox_dir: $ARCHIVE_DIR/pgp/mbox
# The directory where the local maildir archiver will save messages.
maildir_dir: $ARCHIVE_DIR/pgp/maildir
[keydirs]
# Key directory used to store user public keys.
user_keydir: $DATA_DIR/pgp/user_keydir/
# Key directory used to store list keypairs. This directory holds the list
# private keys, so its permissions should be restricted to the Mailman user.
list_keydir: $DATA_DIR/pgp/list_keydir/
# Key directory used to store archive public keys.
archive_keydir: $DATA_DIR/pgp/archive_keydir/
[keypairs]
# Whether to autogenerate the list key on list creation.
autogenerate: yes
# Type of primary list key and its size.
# Format: type:size
# type is one of:
# RSA, DSA, ECDSA.
# size is the key size or curve name for ECDSA, which can be one of:
# nistp256, nistp384, nistp521, brainpoolP256r1, brainpoolP384r1,
# brainpoolP512r1, secp256k1
primary_key: RSA:4096
# Type of list encryption subkey and its size.
# Format: type:size
# type is one of:
# RSA, ECDH
# size is the key size or curve name for ECDH, which can be one of:
# nistp256, nistp384, nistp521, brainpoolP256r1, brainpoolP384r1,
# brainpoolP512r1, secp256k1
sub_key: RSA:4096
# Shred the keypair on list deletion? Shredding tries to securely erase the file
# by overwriting it with random data many times. Note that overwriting does not
# reliably destroy data on SSDs, journaling or copy-on-write filesystems, or
# filesystem snapshots, and it does nothing about copies held in backups.
# Shredding is only performed if the `delete` option is also set to yes.
shred: yes
# A command that is run when shredding the list key (if `shred` is set).
# It is passed the list key path as its argument.
# If empty, mailman-pgp will try to shred the list key itself.
# Many Linux distributions provide the `shred` command from GNU coreutils, or
# a similar tool.
shred_command:
# Delete list keypair on list deletion.
delete: yes
[queues]
# The queue to which processed incoming messages are passed. Must be a name of
# a queue which is managed by the Mailman IncomingRunner.
in: in_default
[misc]
# The lifetime for `key change` request confirmation.
change_request_lifetime: 1d
# Collect the signature hashes of all successful postings to a PGP enabled mailing
# list, so that replayed (re-submitted) signed messages can be detected. Setting
# this to no disables that replay check.
collect_sig_hashes: yes
[rest]
# Allow the list private key to be read through the REST API.
# This is needed for the django-pgpmailman web UI to let a list owner
# export the list private key. Note that anyone holding the Mailman REST API
# credentials can then retrieve every list private key; set this to no unless
# that export feature is actually required.
allow_read_private_key: yes
# Allow the list private key to be replaced through the REST API.
# This is needed for the django-pgpmailman web UI to let a list owner
# change the list private key. As above, this extends the reach of the REST API
# credentials to list private keys; set this to no if that feature is not needed.
allow_write_private_key: yes
# Allow this plugin's configuration (including the paths above) to be read through the REST API.
allow_read_config: yes