
[smtp_batch] S/MIME signed e-mails

Open Lukas-Heindl opened this issue 1 month ago • 4 comments

I'm currently investigating whether/how to sign e-mails generated by the smtp_batch output bot.

Currently there are two related variables gpg_key and gpg_pass and the docs specify GPG-signed e-mails are possible.

I see signing is done here: https://github.com/certtools/intelmq/blob/0342b7718050b1690d9e20f137b58c7693d869ec/intelmq/bots/outputs/smtp_batch/output.py#L419

And looking at the library used (envelope), I see the library supports also S/MIME. It also looks like the library uses the same function for S/MIME and GPG signatures.

So is it true that one can use the parameters available as of now, simply specify a PEM-encoded S/MIME private key instead of a GPG key, and it just works?

Maybe @e3rd as dev/maintainer of the envelope library can help here best.

Lukas-Heindl avatar Nov 20 '25 13:11 Lukas-Heindl

You're right into summoning me here. I've intended the envelope to be the most handsome to its users and this looks like it bears fruit. As a side-effect, it works with S/MIME now. Is this your use-case, could you test it?

We might then add a note to the intelmq docs but I've been struggling last time with the nomenclature. I don't know whether it's best to add smime variables (that resolve to the same vars as gpg) or rename gpg ones to be more general.

e3rd avatar Nov 20 '25 17:11 e3rd

We're not entirely sure about the details yet (so I'll need some more time). In case/When I test this I'll definitely drop a comment whether it worked.

Adding more parameters raises the question what happens when too many (s/mime + gpg) are specified, so renaming would be more comprehensible probably. On the other side renaming the variables is a breaking change.

Lukas-Heindl avatar Nov 25 '25 15:11 Lukas-Heindl

so renaming would be more comprehensible probably. On the other side renaming the variables is a breaking change.

But all doable. I can do the part for the upgrade compatibility if you'd like.

sebix avatar Nov 26 '25 13:11 sebix

The easiest would be to add smime_key_and_cert and smime_passphrase or something variables.

For the reference, the key parameter might contain many things. GPG fingerprint or file, SMIME key or cert.

:param key: Signing key
            * GPG:
                * True (blank) for the user default key
                * "auto" for turning on signing if there is a key matching to the "from" header
                * key ID/fingerprint
                * e-mail address of the identity whose key is to be signed with
                * Any attainable contents with the key to be signed with (will be imported into keyring)
            * S/MIME: Any attainable contents with key to be signed with. May contain signing certificate as well.
:param passphrase: Passphrase to the signing key if needed.

e3rd avatar Nov 26 '25 15:11 e3rd
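As an added illustration (not from this thread, intelmq or the envelope project), the following script uses the openssl CLI to build the kind of combined PEM file the docstring describes for S/MIME (private key plus signing certificate in one file), signs a constructed message with it, and verifies the result, checking that a modified body no longer verifies. The certificate subject, paths and message text are constructed test values; it does not wire anything into the smtp_batch bot.

```shell
#!/bin/sh
# Added example: S/MIME key+cert bundle, signing and verification with openssl.
# Everything here (subject, e-mail address, message) is a constructed test value.
set -eu

WORKDIR="$(mktemp -d)"

# Step 1: throwaway self-signed signing certificate and a bundle file holding
# both the private key and the certificate ("may contain signing certificate as well").
make_smime_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=smtp_batch test/emailAddress=abuse@example.test" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" 2>/dev/null
    cat "$WORKDIR/key.pem" "$WORKDIR/cert.pem" > "$WORKDIR/smime_key_and_cert.pem"
    printf '%s\n' "$WORKDIR/smime_key_and_cert.pem"
}

# Step 2: sign a constructed message with the bundle; openssl picks the
# certificate and the key out of the same PEM file.
sign_message() {
    bundle="$1"
    printf 'Subject: test\n\nConstructed report body\n' > "$WORKDIR/msg.txt"
    openssl cms -sign -in "$WORKDIR/msg.txt" -signer "$bundle" -inkey "$bundle" \
        -out "$WORKDIR/msg.signed" 2>/dev/null
    printf '%s\n' "$WORKDIR/msg.signed"
}

# Step 3: verify the signed message against the certificate (self-signed, so
# it doubles as the trust anchor); prints "ok" or "bad".
verify_message() {
    signed="$1"
    if openssl cms -verify -in "$signed" -CAfile "$WORKDIR/cert.pem" \
        -out /dev/null 2>/dev/null; then
        echo ok
    else
        echo bad
    fi
}
```

The tampering check below the block is the part worth keeping around on the receiving side: a recipient verifies the multipart/signed body exactly this way, and any edit to the cleartext part flips the result to "bad".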