[smtp_batch] S/MIME signed e-mails

[Lukas-Heindl]

I'm currently investigating whether/how to sign e-mails generated by the smtp_batch output bot.

Currently there are two related variables gpg_key and gpg_pass and the docs specify GPG-signed e-mails are possible.

I see signing is done here:

intelmq/intelmq/bots/outputs/smtp_batch/output.py

Line 419 in 0342b77

.signature(self.gpg_key, self.gpg_pass)

And looking at the library used (envelope), I see the library supports also S/MIME. It also looks like the library uses the same function for S/MIME and GPG signatures.

So is it true, one can use the parameters available as of now, simply specify an PEM-encoded S/MIME private key instead of an GPG key and it just works?

Maybe @e3rd as dev/maintainer of the envelope library can help here best.

[e3rd]

You're right into summining me here. I've intented the envelope to be the most handsome to its users and this looks like it bears fruit. As a side-effect, it works with S/MIME now. Is this your use-case, could you test it?

We might then add a note to the intelmq docs but I've been struggling last time with the nomenclature. I don't know whether it's best to add smime variables (that resolve to the same vars as gpg) or rename gpg ones to be more general.

[Lukas-Heindl]

We're not entirely sure about the details yet (so I'll need longer time). In case/When I test this I'll definitely drop a comment whether it worked.

Adding more parameters raises the question what happens when too many (s/mime + gpg) are specified, so renaming would be more comprehensible probably. On the other side renaming the variables is a breaking change.

[sebix]

so renaming would be more comprehensible probably. On the other side renaming the variables is a breaking change.

But all doable. I can do the part for the upgrade compatibility if you'd like.

[e3rd]

The easiest would be to add smime_key_and_cert and smime_passpharse or something variables.

For the reference, the key parameter might contain many things. GPG fingerprint or file, SMIME key or cert.

:param key: Signing key
            * GPG:
                * True (blank) for the user default key
                * "auto" for turning on signing if there is a key matching to the "from" header
                * key ID/fingerprint
                * e-mail address of the identity whose key is to be signed with
                * Any attainable contents with the key to be signed with (will be imported into keyring)
            * S/MIME: Any attainable contents with key to be signed with. May contain signing certificate as well.
:param passphrase: Passphrase to the signing key if needed.