Testing a mail server with WKD+WKS support

Web Key Directory is a way to publish a GPG public key through the WWW. This is currently the recommended way for publishing your public keys (keyservers are deprecated). What WKD means is that you can send PGP signed emails and your recipient will be able to verify your signature automatically, because his mail client can automatically find your public key. It also means that people can immediately send an encrypted message to you, without having to find and download your public key, because their mail client knows where to find it and can do it automatically.

There are many ways for publishing your public key to a WKD, and one of them (my preferred one) is Web Key Service. With this method your mail client can send your public key by email to a key-submission address on the mail server. The mail server will reply automatically with an encrypted confirmation message. Once you send the confirmation reply, the mail server will publish your key on the WKD.

I have implemented a mail server with WKD+WKS support and I have installed a testing instance of it for the domain tst1.fs.al. If you want to test this mail server and its WKD+WKS support, this is what you should do:

  1. Create a test account by sending a message to register@tst1.fs.al. In a few minutes you will receive a message with account details (username, password, SMTP server, etc.). This is a forward-only email account, which means that all emails that are sent to xyz@tst1.fs.al will be forwarded to your real mail address. It will expire automatically in a week, but you can create another one if you need.

  2. I recommend using Thunderbird+Enigmail for testing WKD+WKS. You should follow these steps:

    1. Create a new Outgoing Server (SMTP) with the details of the test server.
    2. Create a new identity with the details of the test account and the SMTP server created on the first step.
    3. Open Enigmail Key Management and generate a new PGP key for the identity created on the second step.
    4. On the Enigmail Key Management, select the new key that you just created, and select the menu option Upload to your provider’s Web Key Directory.
    5. Soon you should get a confirmation message from keys@tst1.fs.al with subject Confirm your key publication. You will also see a button Confirm Request on it. Click this button to send the confirmation request.
    6. Finally you will get a notification from keys@tst1.fs.al with subject Your key has been published.

  3. To check that your key has been published try this command:

    /usr/lib/gnupg/gpg-wks-client -v --check xyz@tst1.fs.al
    
  4. Also try to send an encrypted message to dashamir@tst1.fs.al (which is my account). Enigmail should be able to find my public key automatically and you should not have to worry about finding and downloading it.

If you have experience with mailserver/postfix implementations, please also try to scrutinize the configuration of the mailserver (docker-scripts / postfix on GitLab). I am sure it has some problems, because I am not sure that everything is correct. Please help me to find and fix any problems. If you are instead a hacker, just try to break or to exploit the test mailserver by using it in unexpected ways. I would appreciate it if you find any problems and report them.

Happy #ilovefs day, and happy hacking.

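For anyone who wants to see what the "check that your key has been published" step actually does under the hood, here is a small added example (not part of the post above and not code from the docker-scripts mailserver) that computes the WKD lookup locations for an address and optionally fetches the key. A WKD client hashes the lower-cased local part with SHA-1, encodes the digest in z-base-32 (32 characters), and looks under https://openpgpkey.<domain>/.well-known/openpgpkey/<domain>/hu/<hash> (advanced method) and then https://<domain>/.well-known/openpgpkey/hu/<hash> (direct method). The only test vector is the one from the WKD draft, Joe.Doe@Example.ORG; the fetch helper assumes network access and does only a subset of what gpg-wks-client --check does (it does not read the policy file).

```python
import hashlib
import urllib.request
from typing import Optional
from urllib.error import URLError
from urllib.parse import quote

# z-base-32 alphabet as specified for WKD hashed user-ids
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encode, taking 5-bit groups from the most significant bit, no padding chars."""
    bits = "".join(f"{byte:08b}" for byte in data)
    if len(bits) % 5:
        bits += "0" * (5 - len(bits) % 5)  # pad the last group with zero bits
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """Hashed user-id: SHA-1 of the lower-cased local part, z-base-32 encoded (32 chars)."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Return the advanced-method and direct-method URLs a WKD client would try."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = domain.lower()
    h = wkd_hash(local_part)
    # The ?l= query carries the original (non-lowercased) local part, percent-encoded
    query = quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={query}",
    }


def first_packet_tag(first_byte: int) -> Optional[int]:
    """Decode the OpenPGP packet tag from the first byte of a binary key blob.

    Bit 7 must be set; old-format headers carry the tag in bits 5..2,
    new-format headers (bit 6 set) carry it in bits 5..0.
    """
    if not first_byte & 0x80:
        return None
    if first_byte & 0x40:
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F


def looks_like_binary_key(blob: bytes) -> bool:
    """A WKD answer must be a binary (not armoured) key, i.e. start with a public-key packet (tag 6)."""
    return bool(blob) and first_packet_tag(blob[0]) == 6


def fetch_wkd_key(address: str, timeout: float = 10.0) -> Optional[bytes]:
    """Try the advanced method first, then the direct method, like gpg does.

    Returns the binary key blob, or None if neither location served something
    that parses as a key (a web server answering 200 with an HTML page is rejected).
    Needs network access; this is an assumption of the example, not something the test exercises.
    """
    urls = wkd_urls(address)
    for method in ("advanced", "direct"):
        try:
            with urllib.request.urlopen(urls[method], timeout=timeout) as resp:
                body = resp.read()
        except (URLError, OSError, ValueError):
            continue
        if looks_like_binary_key(body):
            return body
    return None


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name}: {url}")
```

Run it with an address of your own to see where a mail client will look; the advanced URL for the test domain is on the openpgpkey.tst1.fs.al host, so that name needs a valid TLS certificate as well, which is one of the things worth checking on a new mailserver setup.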

After posting this message, I did a system update (apt upgrade) and received a new version of Thunderbird, the latest one. However, in this version Enigmail is gone. Its functionality is supposed to be merged into Thunderbird, but not all of it. In particular the features that facilitate the interaction with a WKS server are missing. Let’s hope that it will be added back soon, but meanwhile we can follow these steps to publish a key:

  1. Make sure that msmtp is installed: apt install msmtp

  2. Send a key publishing request with a command like this:

    /usr/lib/gnupg/gpg-wks-client \
            --create EF6FF16876 xyz@tst1.fs.al \
        | msmtp \
            --read-envelope-from --read-recipients \
            --tls=on --auth=on \
            --host=smtp.tst1.fs.al --port=587 \
            --user=xyz@tst1.fs.al --passwordeval="echo passwd"
    
  3. When the email with subject “Confirm your key publication” arrives, save it as a text file.

  4. Send the confirmation email with a command like this:

    cat Confirm-your-key-publication.eml \
        | /usr/lib/gnupg/gpg-wks-client --receive \
        | msmtp  \
            --read-envelope-from --read-recipients \
            --tls=on --auth=on \
            --host=smtp.tst1.fs.al --port=587 \
            --user=xyz@tst1.fs.al --passwordeval="echo passwd"
    

It is not so difficult, if you know how to do it.

Thanks for the heads-up!

Cheers
– t