Please enable JavaScript to view this site.

MDaemon Email Server 24.5

OpenPGP is an industry standard protocol for exchanging encrypted data, and there are a variety of OpenPGP plugins for email clients that make it possible for users to send and receive encrypted messages. MDPGP is MDaemon's integrated OpenPGP component that can provide encryption, decryption, and basic key management services for your users without requiring them to use an email client plugin.

MDPGP encrypts and decrypts emails using a public-key/private-key system. To do this, when you wish to use MDPGP to send a private and secure message to someone, MDPGP will encrypt that message using a "key" that you previously obtained from that person (i.e. his "public key") and imported into MDPGP. Conversely, if he wishes to send a private message to you, then he must encrypt the message using your public key, which he obtained from you. Giving the sender your public key is absolutely necessary, because without it he can't send you an OpenPGP encrypted message. Your unique public key must be used to encrypt the message because your unique private key is what MDPGP will use to decrypt the message when it arrives.

In order for MDPGP to manage signing, encrypting, and decrypting messages, it maintains two stores of keys (i.e. keyrings)—one for public keys and one for private keys. MDPGP can generate your users' keys automatically as needed, or you can create them manually for specific users. You can also import keys that were created elsewhere. Further, MDaemon can look for public keys attached to authenticated messages from local users, and then import those keys automatically. That way a user can request a public key from someone and then email that key to himself so that MDPGP will detect it and then import it into the public keyring. MDPGP will never store multiple copies of the same key, but there can be multiple different keys for a single address. Finally, whenever a message arrives for an address that has a key in a keyring, MDPGP will sign, encrypt, or decrypt the message as needed, according to your settings. If an address has multiple keys, MDPGP will use the one you have designated as the preferred key to encrypt the message. If no preferred key has been designated then MDPGP will use the first one. When decrypting a message MDaemon will try each one.

You can configure MDPGP's signing and encryption services to operate either automatically or manually. When set to operate automatically, MDPGP will automatically sign and encrypt messages whenever possible. When set to operate manually, MDPGP will only sign or encrypt a message when the sending user inserts a special command into the message's Subject. In any case messages will only be signed or encrypted (or decrypted) when the account has been given permission to use those services.

The OpenPGP specification is outlined in RFCs 4880 and 3156.

Enabling MDPGP

Enable MDPGP

MDPGP is enabled by default, but it will still not sign, encrypt, or decrypt any messages until you create or import keys into its keyrings, or until you use the option below to set MDPGP to Create keys automatically.

Enable encryption & signing services

By default messages can be signed and encrypted when the required keys are in the keyring. Disable this option if you do not wish to allow MDPGP to sign or encrypt messages.

Messages can be signed without being encrypted, but any message that is encrypted by MDPGP will always be signed as well.

Enable decryption & verification services

By default incoming encrypted messages will be decrypted if the recipient's private key is known. Further, MDPGP will also verify embedded signatures in unencrypted messages. Note, however, that both the recipient and sender must be authorized to use the decryption and verification services, either through the "Authorize all..." options or "Configure exactly who..." option below (everyone is authorized by default). Disable this option if you do not wish to verify embedded signatures or allow MDPGP to decrypt any messages, for example if you want all of your users to handle their own decryption via an email client plugin. When disabled, any incoming encrypted message will be handled like a normal message and placed in the recipient's mailbox.

Collect public-keys from DNS (pka1) and cache for [xx] hours

Enable this option if you want MDPGP to query for message recipient public-keys over DNS using PKA1. This is useful because it automates the process of obtaining some recipients' public keys, preventing you or your users from having to obtain and import them manually in order to send encrypted messages. When PKA1 queries are made, any key URI found is immediately collected, validated, and added to the key-ring. Keys successfully collected and imported to the key-ring using this method are tracked in a file called fetchedkeys.txt, and these keys will automatically expire after the number of hours specified in this option or according to the TTL value of the PKA1 record that referred them, whichever value is greater. Therefore the value specified here is the minimum length of time that a key will be cached. The default value is 12 hours and the lowest value allowed is 1 hour.

If you wish to publish your own public-keys to DNS then you must create special TXT records. For example, for the user frank@example.com with the key-id: 0A2B3C4D5E6F7G8H, in the DNS for domain "example.com" you would create a TXT record at "frank._pka.example.com" (replacing the @ in the email address with the string "._pka."). The data for the TXT record would look something like this: "v=pka1; fpr=<key's full fingerprint>; uri=<Webmail-URL>/WorldClient.dll?view=mdpgp&k=0A2B3C4D5E6F7G8H" where <key's full fingerprint> is the full fingerprint of the key (40 characters long representing the full 20 byte fingerprint value). You can see a key's full fingerprint value by double clicking on the key in the MDPGP GUI.

Trade public-keys using HTTP (Webmail)

Enable this option if you wish to use Webmail as a basic public-key server; Webmail will honor requests for your users' public-keys. The format of the URL to make the request looks like this: "http://<Webmail-URL>/WorldClient.dll?View=MDPGP&k=<Key-ID>". Where <Webmail-URL> is the path to your Webmail server (for example, "http://wc.example.com") and <Key-ID> is the sixteen character key-id of the key you want (for example, "0A1B3C4D5E6F7G8H").  The key-id is constructed from the last 8 bytes of the key fingerprint - 16 characters in total.

Trade public-keys during SMTP mail sessions (MDaemon)

Check this box if you wish to enable the automatic transmission of public keys as part of the SMTP message delivery process. To do so, MDaemon's SMTP server will honor an SMTP command called RKEY. When sending an email to a server that supports RKEY, MDaemon will offer to transmit the sender's current, Preferred public-key to the other host. That host will respond indicating that it either already has that key ("250 2.7.0 Key already known") or that it needs that key, in which case the key is immediately transferred in ASCII armored form ("354 Enter key, end with CRLF.CRLF") just like an email message. Keys that are expired or revoked are never transmitted. If MDaemon has multiple keys for the sender it will always send the key that is currently marked as preferred. If no key is preferred then the first one found is sent. If no valid keys are available then nothing is done. Only public-keys that belong to local users are offered.

Public-key transfers happen as part of the SMTP mail session that delivers the message from the user. In order for the public-keys transmitted in this way to be accepted, the public-key must be sent along with a message that has been DKIM signed by the domain of the key owner with the i= set to the address of the key owner, which also must exactly match the From: header address of which there can be only one. The "key owner" is taken from within the key itself. Also, the message must arrive from a host in the sender's SPF path. Finally, the key owner (or his entire domain via use of wildcards) must be authorized for RKEY by adding an appropriate entry to the MDPGP rules file (instructions are in the rules file for this) indicating that the domain can be trusted for key exchange. All this checking is done automatically for you but you must have DKIM and SPF verification enabled or no work can be done.

The MDPGP log shows the results and details of all keys imported or deleted, and the SMTP session log also tracks this activity. This process tracks the deletion of existing keys and the selection of new preferred keys and updates all participating servers it sends mail to when these things change.

Authorize all local MDaemon users for all services

By default all local MDaemon user accounts are authorized to use any of the MDPGP services that you have enabled: signing, encryption, decryption, and verification. If there are specific users whom you do not wish to allow to use one or more of those services, you can use the "Configure exactly who can and can not use MDPGP services" option below to exclude them. Disable this option if you only wish to authorize specific local users. In that case use the "Configure exactly who can and can not use MDPGP services" option below to grant access to whomever you choose.

Authorize all non-local (foreign) users for decrypt/verify services

By default any incoming encrypted message for a local recipient from a non-local sender can be decrypted if MDPGP knows the local recipient's private key. Similarly, MDPGP will verify embedded signatures in incoming messages from non-local users. If there are certain non-local senders whose messages you do not wish to decrypt or verify, then you can use the "Configure exactly who can and can not use MDPGP services" option below to restrict those senders from those services. Disable this option if you do not wish to decrypt messages or verify embedded signatures when the sender is a non-local address. In that case you can still use the "Configure exactly who can and can not use MDPGP services" option below to specify exceptions to that restriction.

Configure exactly who can and can not use MDPGP services

Click this button to open the rules.txt file for configuring user permissions for MDPGP. Using this file you can specify who is allowed to sign messages, encrypt messages, and have messages decrypted. You can also specifically restrict users from these options. For example, you could use the rule "+*@example.com" to allow all example.com users to encrypt messages, but then add "-frank@example.com" to specifically prevent frank@example.com from being able to do so. See the text at the top of the rules.txt file for examples and instructions.

Rules.txt Notes and Syntax

Only SMTP authenticated email from users of this MDaemon server are eligible for encryption service. You can, however, specify non-local addresses that you wish restrict from the encryption service, meaning that MDPGP will not encrypt messages to them, even if the public key is known.

If there is a conflict between the settings in rules.txt and the global "Authorize all local MDaemon users for all services" option, the rules.txt setting is used.

If there is a conflict between the settings in rules.txt and the global "Authorize all non-local (foreign) users for decrypt/verify services" option, the rules.txt setting is used.

Text after # on a line is ignored.

Separate multiple email addresses on the same line with a space.

Wildcards (* and ?) in email addresses are permitted.

Even though MDPGP encrypted messages are always signed, granting encryption permission to a user doesn't also grant that user permission to sign unencrypted messages. In order to sign an unencrypted message the account must be given signing permission.

Each email address must be prefixed with one of the following tags:

+ (plus) - address can use MDPGP encryption service.

- (minus) - address cannot use MDPGP encryption service.

! (exclamation) - address can use MDPGP decryption service.

~ (tilde) - address cannot use MDPGP decryption service.

^ (caret) - address can use MDPGP signing service.

= (equal) - address cannot use MDPGP signing service.

$ (dollar) - address can use MDPGP verification service.

& (ampersand) - address cannot use MDPGP verification service.

Examples:

+*@* — all users of all domains can encrypt.

!*@* — all users of all domains can decrypt.

^*@* — all users of all domains can sign.

^*@example.com — all users of example.com can sign.

+frank@example.com ~frank@example.com — the user can encrypt but not decrypt.

+GROUP:EncryptingUsers — members of MDaemon's EncryptingUsers group can encrypt

^GROUP:Signers — members of MDaemon's Signers group can sign

Encryption/Signing Modes

Automatic Mode

Use the Settings options to configure MDPGP to sign and encrypt messages automatically for accounts permitted to do so. When an account sends an authenticated message and MDPGP knows the required key, the message will be signed or encrypted according to the settings below.

The special Subject codes outlined in the Manual Mode section below always take precedence over the Automatic Mode options. Therefore if one of these options is disabled, an account that is permitted to sign or encrypt messages can still manually cause a message to be signed or encrypted by using one of the codes.

Settings

Encrypt mail automatically if recipient's public key is known

By default, if an account is allowed to encrypt messages, MDPGP will encrypt them automatically if the recipient's public key is known. Disable this option if you do not wish to encrypt them automatically; messages can still be encrypted manually by using the special codes outlined in the Manual Mode section below.

Sign mail automatically if sender's private key is known

Click this option if you want MDPGP to sign messages automatically when the sending account's private key is known, if the account is allowed to sign messages. Even when this option is disabled, messages can still be signed manually by using the special codes outlined in the Manual Mode section below.

Encrypt/Sign mail between users of the same domain

When MDPGP is set to encrypt or sign messages automatically, this option causes MDPGP to do this even when messages are sent between users of the same domain, provided the required keys are known. This option is enabled by default.

Encrypt/Sign mail between users of local MDaemon domains

When MDPGP is set to encrypt or sign messages automatically, this option causes MDPGP to do this even when messages are being sent between users of local MDaemon domains, provided the required keys are known. For example, if your MDaemon domains include "example.com" and "example.net," then messages sent between those domains' users will be automatically encrypted or signed. This option is enabled by default.

Encrypt/Sign mail sent to self

When MDPGP is set to encrypt or sign messages automatically, this will be done even when the MDaemon user is sending a message to himself (e.g. frank@example.com sending to frank@example.com). Therefore if the account has permission to use both encryption and decryption (the default settings) then MDPGP will accept the user's message, encrypt it, and then immediately decrypt it and place it in the same user's mailbox. If, however, the account isn't configured for decryption, this will cause the message to be encrypted and then placed in the same user's mailbox still encrypted. This option is enabled by default.

Manual Mode

When you have disabled the Sign mail automatically... and Encrypt mail automatically... options outlined above, you are using MDPGP in Manual Mode. MDPGP will not sign or encrypt any messages except those that are authenticated and have one of the following codes in the message's Subject header:

--pgps

Sign this message if possible. Code can be placed at the beginning or end of the Subject.

--pgpe

Encrypt this message if possible. Code can be placed at the beginning or end of the Subject.

--pgpx

The message MUST be encrypted. If it cannot be encrypted (e.g. because the recipient's key isn't known) then do not deliver it; the message will be bounced/returned to the sender. Code can be placed at the beginning or end of the Subject.

--pgpk

Send me my public key. The user places this code at the beginning of the Subject and sends the message to himself. MDPGP will then email the user his public key.

--pgpk<Email>

Send me this address' public key. The user places this code at the beginning of the Subject and sends the message to himself. MDPGP will then email the user the address' public key.

Example:

Subject: --pgpk<frank@example.com>

Key Management

Public and private keys are managed using the options on the bottom half of the MDPGP dialog. There is an entry for each key, and you can right-click any entry to export the key, delete it, enable/disable it, set it as a Preferred Key (see "Trade public-keys during SMTP mail sessions" above), or set it as a Domain's Key (see below). When you click Export Key it will be saved to the \MDaemon\Pem\_mdpgp\exports\ folder and you can optionally email the public key to an email address. "Show Local/Remote" and "Filter" options are provided to help you locate certain addresses or groups.

Using a Domain Key

Optionally you can use a single key to encrypt all messages going to a specific domain, regardless of the sender. This is useful if, for example, one of your domains and a domain hosted elsewhere wish to encrypt all emails sent between them, but they do not wish to setup and manage individual encryption keys for every user account within the domain. There are multiple ways to accomplish this:

If you already have a public key for another domain and you wish to use that key for encrypting all outbound messages going to it, right-click the key and click Set as Domain's Key. Then enter the domain name and click OK. This will create a Content Filter rule to cause all messages "To:" that domain to be encrypted using the designated key.

If the domain's public key has been provided to you but isn't yet in the list, click Import Domain's Key, enter the domain name and click OK, then navigate to the domain's public.asc file and click Open. This also will create the Content Filter rule for encrypting messages to the domain.

Customize your Content Filter rules as needed to modify exactly which messages get encrypted before sending to the domains.

To create a new key for one of your domains, to give to another domain for encrypting messages being sent to you, follow the instructions under the "Create keys for a specific user" option below, selecting "_Domain Key (domain.tld)_ <anybody@domain.tld>" from the list.

Do not use a key to encrypt outbound messages for which you also have the corresponding private key. If you do, MDPGP will encrypt a message and then immediately see that the decryption key is known and promptly decrypt that very same message.

Email details of encryption failures to sender (--pgpe command)

When someone uses the --pgpe command to send encrypted mail and that encryption fails (for example, because no encryption key is found), then this option will cause a notification email to be sent back to the sender informing him or her of the failure. This option is disabled by default, meaning no failure notification message will be sent.

Email public-keys when mail sent to self (--pgpk command)

When a user sends an email to himself with "--pgpk<email address>" as the subject (e.g. --pgpk<frank@example.com>). If a public-key for <email address> exists it will be emailed back to the requester.

Auto-import public-keys sent from authenticated users

By default, when an authenticated user sends an email message with a public key in ASCII armored format attached, MDPGP will import that public key into the keyring. This is a simple way for a user to get a contact's public key into MDPGP, by emailing the public key to himself as an attachment. Disable this option if you do not wish to auto-import public keys.

Create keys automatically

Enable this option if you want MDPGP to create a public/private key pair automatically for each MDaemon user. Rather than generate them all at once, however, MDPGP will create them over time, creating each user's key pair the next time a message is processed for that user. This option is disabled by default to conserve resources and avoid needlessly generating keys for accounts that may never use MDPGP.

Key size

Use this option to specify the key size for keys that MDPGP generates. You can set the key size to 1024, 2048, or 4096. The default setting is 2048 bit keys.

Expires in [xx] days (0=never)

Use this option to specify the number of days from creation date that a key generated by MDPGP will be valid before it expires. Set the option to "0" if you do not want keys to expire. The default setting is 0.

Create keys for a specific user

To manually generate a key pair for an account:

1.Click Create keys for a specific user.

2.Select the account from the drop-down list. If you wish to create a single key to apply to all of a domain's accounts, choose the "_Domain Key (domain.tld)_ <anybody@domain.tld>" option from the list.

3.Optional: Check the box Email public key to key owner... if you wish to send the key to the user as an email attachment.

4.Click Ok.

Encrypt outbound mail based on receiving IP

If you wish to use a specific encryption key to encrypt all messages destined for a certain IP address, enable this option and click Setup to open the MDaemon Message Transport Encryption file, in which you can list the IP address and associated key ID. Any outbound SMTP session delivering a message to one of the listed IPs will encrypt the message using the associated key just prior to transmission. If the message is already encrypted by some other key then this step will be skipped.

Import keys

If you wish to import a key file into MDPGP manually, click this button, locate the key file, and click Open. When importing a private key file, you do not need to import the corresponding public key, as it is included in the private key. If you are importing a private key protected by a passphrase then MDPGP will prompt you to enter the passphrase. Without the passphrase you cannot import the private key. After importing a private key, MDaemon will change that key's passphrase to whichever passphrase MDPGP is currently using.

Import Domain's key

If a public encryption key has been provided to you to encrypt all messages being sent to a certain domain, click this button, enter the domain name, click OK, and then navigate the domain's public.asc file and click Open. This will add the domain's public key to the list and create a Content Filter rule to encrypt all outbound messages for that domain, regardless of the sender.

Change passphrase

Private keys are protected at all times by a passphrase. When attempting to import a private key, you must enter its passphrase. When exporting a private key, that exported key will still be protected by the passphrase, and it cannot be used or imported elsewhere without it. MDPGP's default passphrase is MDaemon. For security reasons you should change this passphrase after you begin using MDPGP, because until you do so, every key created by or successfully imported into MDPGP will have its passphrase set (or changed) to MDaemon. You can change the passphrase at any time by clicking Change passphrase on the MDPGP screen. When you change the passphrase, every private key on the keyring is updated to the new passphrase.

Backup data files

Click this button to make a backup of your current Keyring.private and Keyring.public keyring files. By default the backup files will be copied to: "\MDaemon\Pem\_mdpgp\backups" and have a date and .bak extension appended to the filenames.

 

Forwarded messages are not encrypted.

Autoresponder messages are not encrypted.

Key servers and key revocation are not supported, except as outlined in the "Collect public-keys from DNS (pka1) and cache for [xx] hours" and "Send public-keys over HTTP (Webmail)" options above.

The Content Filter encrypt action does not act on messages already encrypted, and the encrypt and decrypt actions are subject to all MDPGP configuration requirements.

The drop-down lists that display MDaemon accounts show the first 500 accounts by default. You can set MaxUsersShown=0 in plugins.dat to view all accounts. This may take longer to load for very large user lists.

MDPGPUtil.exe is a tool that can encrypt and decrypt via command line options. Run MDPGPUtil with no arguments from a command line shell for help.