Merge pull request #89 from vedetta-com/wip

- Add OpenPGP Web Key Service and Web Key Directory

Author: horia

INSTALL.md

@@ -74,7 +74,7 @@ sh /etc/netstart $(ifconfig egress | awk 'NR == 1{print $1;}' | sed 's/://')
 
 Install packages:
 ```sh
-pkg_add dovecot dovecot-pigeonhole dkimproxy rspamd opensmtpd-extras
+pkg_add dovecot dovecot-pigeonhole dkimproxy rspamd opensmtpd-extras gnupg-2.2.4
 ```
 
 *n.b.*: dovecot package comes with instructions for self-signed certificates, which are not used in this guide:
@@ -261,6 +261,7 @@ install -o root -g vmail -m 0640 -b src/var/dovecot/imapsieve/before/report-spam
 install -o root -g vmail -m 0750 -d src/var/dovecot/sieve/after /var/dovecot/sieve/after
 install -o root -g vmail -m 0750 -d src/var/dovecot/sieve/before /var/dovecot/sieve/before
 install -o root -g vmail -m 0640 -b src/var/dovecot/sieve/before/spamtest.sieve /var/dovecot/sieve/before/
+install -o root -g vmail -m 0640 -b src/var/dovecot/sieve/before/00-wks.sieve /var/dovecot/sieve/before/
 
 install -o root -g wheel -m 0644 -b src/var/unbound/etc/unbound.conf /var/unbound/etc/
 
@@ -270,6 +271,16 @@ install -o root -g daemon -m 0644 -b src/var/www/htdocs/mercury.example.com/inde
 install -o root -g daemon -m 0755 -d src/var/www/htdocs/mercury.example.com/mail /var/www/htdocs/$(hostname)/mail
 install -o root -g daemon -m 0644 -b src/var/www/htdocs/mercury.example.com/mail/config-v1.1.xml /var/www/htdocs/$(hostname)/mail/
 
+install -o root -g daemon -m 0755 -d src/var/www/openpgpkey /var/www/openpgpkey
+install -o root -g daemon -m 0644 -b src/var/www/openpgpkey/policy /var/www/openpgpkey/
+install -o root -g daemon -m 0644 -b src/var/www/openpgpkey/submission-address /var/www/openpgpkey/
+
+install -o vmail -g daemon -m 0755 -d src/var/www/openpgpkey/hu /var/www/openpgpkey/hu
+
+install -o root -g wheel -m 0755 -d src/var/lib /var/lib
+install -o root -g wheel -m 0755 -d src/var/lib/gnupg /var/lib/gnupg
+install -o root -g wheel -m 2750 -d src/var/lib/gnupg/wks /var/lib/gnupg/wks
+
 install -o root -g wheel -m 0644 -b src/root/.ssh/config /root/.ssh/
 
 mkdir -m 700 /var/crash/rspamd
@@ -292,6 +303,7 @@ Compile sieve scripts:
 ```sh
 sievec /var/dovecot/imapsieve/before/report-ham.sieve
 sievec /var/dovecot/imapsieve/before/report-spam.sieve
+sievec /var/dovecot/sieve/before/00-wks.sieve
 sievec /var/dovecot/sieve/before/spamtest.sieve
 ```
 
@@ -341,6 +353,112 @@ pfctl -f /etc/pf.conf
 rcctl restart sshd dkimproxy_out rspamd dovecot smtpd
 ```
 
+### OpenPGP Web Key Service ([WKS](https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-05))
+
+An important aspect of using OpenPGP is trusting the (public) key. Off-channel key exchange is not always practical, OpenPGP DANE protocol lacks confidentially, HKPS' a mess, and keybase is wicked. OpenPGP proposed a new protocol to automate and build trust in the process of exchanging public keys.
+
+Web Key Service has two main functions for our Email Service:
+1. Allow all users to locate and retreive public keys by email address using HTTPS
+2. Allow local user's email client to automatically publish and revoke public keys
+
+Self-hosting has the advantage of full authority on the user mail addresses for their domain name. By design, only one WKS can exist for a domain name. Furthermore, only local users can make requests to WKS Submission Address, and replies to local users only. Moreover, the service automatically verifies the sender is in possesion of the secret key, before publishing their public key. Self-hosting the public key server finally makes OpenPGP oportunistic encryption user friendly.
+
+To get started, a GnuPG 2.1 safe configuration is provided: [`gpg.conf`](src/home/puffy/.gnupg/gpg.conf)
+
+Web Key Service maintains a Web Key Directory (WKD) which needs the following configuration for each *virtual* domain:
+```sh
+mkdir -m 755 /var/lib/gnupg/wks/example.com
+chown vmail:vmail /var/lib/gnupg/wks/example.com
+
+cd /var/lib/gnupg/wks/example.com
+
+ln -sf /var/www/openpgpkey/hu .
+chown -h vmail:vmail hu
+
+ln -s /var/www/openpgpkey/submission-address .
+chown -h vmail:vmail submission-address
+
+doas -u vmail \
+	env -i HOME=/var/vmail \
+	gpg-wks-server --list-domains
+```
+
+Web Key Service uses a Submission Address, which needs the following configuration:
+
+Add *virtual* password for the Submission Address:
+```sh
+smtpctl encrypt
+> secret
+> $2b$...encrypted...passphrase...
+vi /etc/mail/passwd
+> key-submission@example.com:$2b$...encrypted...passphrase...::::::
+```
+
+Create the submission key:
+```sh
+doas -u vmail \
+	env -i HOME=/var/vmail \
+	gpg2 --batch --passphrase '' --quick-gen-key key-submission@example.com
+```
+
+Verify:
+```sh
+doas -u vmail \
+	env -i HOME=/var/vmail \
+	gpg2 -K --with-fingerprint
+```
+
+List the z-Base-32 encoded SHA-1 hash of the mail address' local-part (i.e. key-submission):
+doas -u vmail \
+	env -i HOME=/var/vmail \
+	gpg2 --with-wkd-hash -K key-submission@example.com
+> 54f6ry7x1qqtpor16txw5gdmdbbh6a73@example.com
+```
+
+Publish the key, using the hash of the string "key-submission" (i.e. 54f6ry7x1qqtpor16txw5gdmdbbh6a73):
+```sh
+doas -u vmail \
+	env -i HOME=/var/vmail \
+	gpg2 -o /var/lib/gnupg/wks/example.com/hu/54f6ry7x1qqtpor16txw5gdmdbbh6a73 \
+		--export-options export-minimal --export key-submission@example.com
+```
+
+*n.b.*: To delete this key:
+```sh
+gpg2 --delete-secret-key "key-submission@example.com"
+gpg2 --delete-key "key-submission@example.com"
+```
+
+Expire non confirmed publication requests:
+```sh
+crontab -e
+```
+```console
+30	11	*	*	*	doas -u vmail env -i HOME=/var/vmail /usr/local/bin/gpg-wks-server --cron
+```
+
+*n.b.*: [Enigmail](https://www.enigmail.net)/Thunderbird, [Kmail](https://userbase.kde.org/KMail) and [Mutt](http://www.mutt.org/) (perhaps other MUA) support the Web Key Service. Once published, a communication partner's MUA automatically downloads the public key (if their GnuPG 2.1 --enable-wks-tools) with the following `gpg.conf` directive:
+```console
+auto-key-locate		wkd
+```
+
+The key can be manually retreived too:
+```sh
+gpg2 --auto-key-locate clear,wkd --locate-keys puffy@example.com
+```
+
+To simply check a key:
+```sh
+$(gpgconf --list-dirs libexecdir)/gpg-wks-client --check puffy@example.com
+```
+
+Or a hex listing:
+```sh
+gpg-connect-agent --dirmngr --hex 'wkd_get puffy@example.com' /bye
+```
+
+*n.b*: If the same local-part of an email address exists for multiple domains (e.g. **puffy**@example.com and **puffy**@example.net), the hash of the string will be the same and each key publication overwrites the same file. The *workaround* is using **+tags** to create a secondary UID (e.g. puffy**+enc**@example.com) for the key, and go through the process of key submission and confirmation using the MUA interface with the tagged email address (e.g. puffy**+enc**@example.com).
+
 ### Logs
 
 ```console

README.md

@@ -25,12 +25,13 @@ Root your Inbox :mailbox_with_mail:
 - Flexible: switching roles is easy, making the process of changing VPS hosts a breeze (no downtime)
 - DMARC (with DKIM and SPF) email-validation system, to detect and prevent email spoofing
 - Uncensored DNS validating resolver from root nameservers
+- OpenPGP Web Key Service with Web Key Directory, the most trusted and secure key exchange protocol
 - MUA Autoconfiguration, for modern clients
 - Daily (spartan) stats, to keep track of things
 - Your sieve scripts and managesieve configuration, let's get started
 
 ## Considerations
-By design, email message headers need to be public, for exchanges to happen. The body of the message can be encrypted by the user, if desired. Moreover, there is no way to prevent the host from having access to the virtual machine. Therefore, [full disk encryption](https://www.openbsd.org/faq/faq14.html#softraidFDE) (at rest) may not be necessary.
+By design, email message headers need to be public, for exchanges to happen. The body of the message can be [encrypted](INSTALL.md#openpgp-web-key-service-wks) by the user, if desired. Moreover, there is no way to prevent the host from having access to the virtual machine. Therefore, [full disk encryption](https://www.openbsd.org/faq/faq14.html#softraidFDE) (at rest) may not be necessary.
 
 Given our low memory requirements, and the single-purpose concept of email service, Roundcube or other web-based IMAP email clients should be on a different VPS.
 
@@ -49,7 +50,7 @@ See the [**Installation Guide**](INSTALL.md) for details.
 
 Install packages:
 ```sh
-pkg_add dovecot dovecot-pigeonhole dkimproxy rspamd opensmtpd-extras
+pkg_add dovecot dovecot-pigeonhole dkimproxy rspamd opensmtpd-extras gnupg-2.2.4
 ```
 Add users:
 ```sh
@@ -146,6 +147,28 @@ Each *virtual* autoconfig subdomain has record type CNAME pointing to Autoconfig
 autoconfig.example.net.	86400	IN	CNAME	mercury.example.com.
 ```
 
+#### OpenPGP Web Key Directory ([WKD](https://tools.ietf.org/html/draft-koch-openpgp-webkey-service-05))
+Each WKD subdomain has record type CNAME pointing to Web Key Server:
+```console
+wkd.example.com.	86400	IN	CNAME	mercury.example.com.
+```
+
+Each *virtual* WKD subdomain has record type CNAME pointing to Web Key Server:
+```console
+wkd.example.net.	86400	IN	CNAME	mercury.example.com.
+```
+
+#### SRV Records for OpenPGP Web Key Directory
+Each domain has record type SRV for WKD subdomain
+```console
+_openpgpkey._tcp.example.com	86400	IN	SRV	0 0 443 wkd.example.com
+```
+
+Each *virtual* domain has record type SRV for *virtual* WKD subdomain
+```console
+_openpgpkey._tcp.example.net	86400	IN	SRV	0 0 443 wkd.example.net
+```
+
 #### SRV Records for [Locating Email Services](https://tools.ietf.org/html/rfc6186)
 Each domain and *virtual* domain has record types SRV for simple MUA auto-configuration:
 ```console

UPGRADE.md

@@ -1,17 +1,26 @@
 # caesonia (beta)
 *Open*BSD Email Service - Upgrade an existing installation
 
-[`6.3.0-beta`](https://github.com/vedetta-com/caesonia/tree/v6.3.0-beta) to [`6.3.1-beta`](https://github.com/vedetta-com/caesonia/tree/v6.3.1-beta)
+[`6.3.1-beta`](https://github.com/vedetta-com/caesonia/tree/v6.3.1-beta) to [`6.3.2-beta`](https://github.com/vedetta-com/caesonia/tree/v6.3.2-beta)
 
 > Upgrades are only supported from one release to the release immediately following it. Read through and understand this process before attempting it. For critical or physically remote machines, test it on an identical, local system first. -- [OpenBSD Upgrade Guide](https://www.openbsd.org/faq/index.html)
 
 ## Upgrade Guide
 
-Split TLS and non-TLS configuration, update TLS cipher strength and key exchange (score A+ with 100% on every [ssllabs.com](https://www.ssllabs.com/ssltest/) test while supporting all devices), and improve Mozilla [Autoconfiguration](https://developer.mozilla.org/en-US/docs/Mozilla/Thunderbird/Autoconfiguration) with the following `httpd.conf` changes:
+### Introducing OpenPGP Web Key Service (WKS) to OpenBSD
+
+To start implementing Web Key Service, please make sure the new DNS [prerequisites](README.md#openpgp-web-key-directory-wkd) are met.
+
+```sh
+pkg_add gnupg-2.2.4
+```
+
+Edit [`/etc/httpd.conf`](src/etc/httpd.conf) to add a WKD alias and location:
 ```console
 # Host:443
 server "mercury.example.com" {
 	alias "autoconfig.*"
+	alias "wkd.*"
 
 	listen on $IPv4 tls port https
 	listen on $IPv6 tls port https
@@ -35,6 +44,13 @@ server "mercury.example.com" {
 
 	block
 
+	# OpenPGP Web Key Directory
+	location "/.well-known/openpgpkey/*" {
+		root "/openpgpkey"
+		root strip 2
+		pass
+	}
+
 	location "/*" {
 		root "/htdocs/mercury.example.com"
 		pass
@@ -44,66 +60,82 @@ server "mercury.example.com" {
 # Host:80
 server "mercury.example.com" {
 	alias "autoconfig.*"
+	alias "wkd.*"
+...
+```
 
-	listen on $IPv4 port http
-	listen on $IPv6 port http
-
-	tcp nodelay
-	connection { max requests 500, timeout 3600 }
+Add WKD LetsEncrypt certificate:
+```sh
+acme-client -vr mercury.example.com
+```
 
-	log { access "access.log", error "error.log" }
+Edit [`/etc/acme-client.conf`](src/etc/acme-client.conf) to add every service (virtual) WKD subdomains as alternat
+ive names:
+```console
+...
+	alternative names { \
+		autoconfig.example.com \
+		autoconfig.example.net \
+		wkd.example.com \
+		wkd.example.net }
+...
+```
 
-	block
+```sh
+acme-client -v mercury.example.com
+get-ocsp.sh mercury.example.com
+```
 
-	location "/.well-known/acme-challenge/*" {
-		root "/acme"
-		root strip 2
-		pass
-	}
+Edit [`/etc/doas.conf`](src/etc/doas.conf) to add WKS permissions:
+```console
+# WKS: expire non confirmed publication requests
+permit nopass root as vmail cmd env args \
+    -i HOME=/var/vmail /usr/local/bin/gpg-wks-server --cron
+```
 
-	# Mozilla Autoconfiguration
-	location "/mail/*" {
-		block return 302 "https://autoconfig.example.com$REQUEST_URI"
-	}
+Edit [`/var/cron/tabs/root`](src/var/cron/tabs/root) to add WKS expiration:
+```console
+30	11	*	*	*	doas -u vmail env -i HOME=/var/vmail /usr/local/bin/gpg-wks-server --cron
+```
 
-	location "/*" {
-		root "/htdocs/mercury.example.com"
-		pass
-	}
-}
+Edit [`/etc/mail/smtpd.conf`](src/etc/mail/smtpd.conf) to add WKS table:
+```console
+table wks-recipients		{ "key-submission@example.com" } # OpenPGP WKS Submission Address
 ```
 
-Update TLS (cipher strength) for dovecot:
+OpenPGP Web Key Service (WKS) Trust Management for primary and backup MX:
 ```sh
-sed -i 's/HIGH:!aNULL/HIGH:!AES128:!kRSA:!aNULL/' /etc/dovecot/conf.d/10-ssl.conf
+sed -i 's/accept tagged MTA from any/& recipient ! <wks-recipients>/g' /etc/mail/smtpd.conf
 ```
 
-LetsEncrypt certificate updates, now with service *virtual* subdomains:
+Add OpenPGP Web Key Service (WKS) Submission Address
 ```sh
-acme-client -vr mercury.example.com 
-sed -i 's/autoconfig.example.com/& autoconfig.example.net/' /etc/acme-client.conf
-acme-client -v mercury.example.com
-get-ocsp.sh mercury.example.com
-rcctl restart smtpd dovecot
+echo "key-submission@example.com \tvmail" >> /etc/mail/virtual
 ```
 
-Update crontab to restart smtpd and dovecot on certificate update:
+Install OpenPGP Web Key Service (WKS) Server Tool:
 ```sh
-crontab -e
-```
-```console
-20	6	*	*	*	acme-client mercury.example.com && /usr/local/bin/get-ocsp.sh mercury.example.com && rcctl restart smtpd dovecot
+install -o root -g vmail -m 0640 -b src/var/dovecot/sieve/before/00-wks.sieve /var/dovecot/sieve/before/
+sievec /var/dovecot/sieve/before/00-wks.sieve
 ```
 
-Increase waiting for reply timeout to 120s, giving rspamd ample time to tell the truth:
+Install OpenPGP Web Key Directory:
 ```sh
-sed -i 's|/bin/rspamc|& -t 120|' /etc/mail/smtpd.conf
-rcctl restart smtpd
+install -o root -g daemon -m 0755 -d src/var/www/openpgpkey /var/www/openpgpkey
+install -o root -g daemon -m 0644 -b src/var/www/openpgpkey/policy /var/www/openpgpkey/
+install -o root -g daemon -m 0644 -b src/var/www/openpgpkey/submission-address /var/www/openpgpkey/
+
+install -o vmail -g daemon -m 0755 -d src/var/www/openpgpkey/hu /var/www/openpgpkey/hu
+
+install -o root -g wheel -m 0755 -d src/var/lib /var/lib   
+install -o root -g wheel -m 0755 -d src/var/lib/gnupg /var/lib/gnupg
+install -o root -g wheel -m 2750 -d src/var/lib/gnupg/wks /var/lib/gnupg/wks
 ```
 
-New rspamd statistics update script, to relearn Spam/ from all users:
+Follow the [Web Key Service Configuration Guide](INSTALL.md#openpgp-web-key-service-wks) to finish the upgrade.
+
+Restart:
 ```sh
-install -o root -g wheel -m 0550 -b src/usr/local/bin/learn_all_spam.sh /usr/local/bin/
-learn_all_spam.sh
+rcctl restart smtpd dovecot httpd
 ```
 

src/etc/acme-client.conf

@@ -13,7 +13,11 @@ authority letsencrypt-staging {
 
 # (!) Add every service (virtual) subdomains as alternative names
 domain mercury.example.com {
-	alternative names { autoconfig.example.com autoconfig.example.net }
+	alternative names { \
+		autoconfig.example.com \
+		autoconfig.example.net \
+		wkd.example.com \
+		wkd.example.net }
 	domain key "/etc/ssl/acme/private/mercury.example.com.key"
 	domain certificate "/etc/ssl/acme/mercury.example.com.crt"
 	domain full chain certificate "/etc/ssl/acme/mercury.example.com.fullchain.pem"

src/etc/doas.conf

@@ -15,3 +15,7 @@ permit keepenv :wheel
 
 # Allow dsync replication
 permit nopass dsync as vmail cmd doveadm
+
+# WKS: expire non confirmed publication requests
+permit nopass root as vmail cmd env args \
+    -i HOME=/var/vmail /usr/local/bin/gpg-wks-server --cron