schleuder issues
https://0xacab.org/schleuder/schleuder/-/issues
2024-02-14T12:06:17Z

https://0xacab.org/schleuder/schleuder/-/issues/531
Unexpected behaviours when a subscriber shares a key with an admin
2024-02-14T12:06:17Z
Andrew Gallagher

I created a test list with my personal email address as admin, and I then tried to self-subscribe from my work email address. To my surprise this worked, even though the x-subscribe command was limited to admins - but the two email addresses share the same PGP key so I suspect that the permissions check only tested whether the mail was signed by an admin's key, but not sent from an admin's email address. That's unexpected, but probably not worth worrying about.

The more serious issue is that when I performed admin tasks via *-request using my personal (admin) email address, the work (subscriber) email address got all the confirmation responses. This is particularly concerning because I may wish to only be able to post from that address, not receive mail there that might contain info such as list member details. The work UID is not even the primary UID of that key, so it is unclear why schleuder would have picked that email address to send admin responses to.

https://0xacab.org/schleuder/schleuder/-/issues/530
Insufficient sanitation of emailed requests
2024-02-14T11:27:26Z
Andrew Gallagher

I use Apple Mail, which has the unfortunate habit of expanding "user@example.com" to "user@example.com <user@example.com>", even in "plain text" mode. This means that when trying to subscribe a non-admin user to a list via the -request interface, the body gets mangled to:
```
x-subscribe: user@example.com <user@example.com> DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
```
This is apparently being parsed as:
```
x-subscribe: user@example.com NULL TRUE
```
because it subscribes the user without a fingerprint and sets them to an admin:
```
user@example.com has been subscribed with these attributes:
Fingerprint:
Admin? true
Email-delivery enabled? true
```
This is dangerous behaviour. Unexpected input should always throw an error, especially where admin permissions are being assigned.

Milestone: 5.0.0
Assignee: paz

https://0xacab.org/schleuder/schleuder/-/issues/532
dirmngr uses wrong socket (debian)
2024-01-18T20:42:48Z
Andrew Gallagher

When running the key-refresh cronjob, it fails with an IPC error:
```
gpg: connecting dirmngr at '/run/user/119/gnupg/d.67jqaekj6ai5n17emewna6y3/S.dirmngr' failed: IPC connect call failed
gpg: keyserver refresh failed: No dirmngr
```
It turns out that dirmngr is listening on a different socket:
```
root:/etc/schleuder# lsof -p 1294146 |grep unix
dirmngr 1294146 schleuder 3u unix 0x000000008664544e 0t0 491630981 /var/lib/schleuder/.gnupg/S.dirmngr type=STREAM
```
This seems to be a longstanding issue on various distros, e.g.:
* https://bbs.archlinux.org/viewtopic.php?id=267854
Versions:
```
root:/etc/schleuder# dpkg -l dirmngr gnupg schleuder
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-================-============-===========================================================
ii dirmngr 2.2.27-2+deb11u2 amd64 GNU privacy guard - network certificate management service
ii gnupg 2.2.27-2+deb11u2 all GNU privacy guard - a free PGP replacement
ii schleuder 4.0.3-7 all encrypting mailing list manager with remailing-capabilities
```

https://0xacab.org/schleuder/schleuder/-/issues/526
Schleuder throws a traceback if told to import a key, but a key can't be found
2024-01-09T08:56:04Z
georg

Super admins receive the following error via mail if a user tries to import a key via a request mail with `x-add-key`, but no key:
```
undefined method `compact' for "Your message did not contain any attachments nor text content. Therefore no key could be imported.":String
import_stati = results.compact.collect(&:imports).flatten
^^^^^^^^
/usr/lib/ruby/vendor_ruby/schleuder/keyword_handlers/key_management.rb:21:in `add_key'
/usr/lib/ruby/vendor_ruby/schleuder/keyword_handlers_runner.rb:67:in `run_handler'
/usr/lib/ruby/vendor_ruby/schleuder/keyword_handlers_runner.rb:34:in `block in run'
/usr/lib/ruby/vendor_ruby/schleuder/keyword_handlers_runner.rb:32:in `map'
/usr/lib/ruby/vendor_ruby/schleuder/keyword_handlers_runner.rb:32:in `run'
/usr/lib/ruby/vendor_ruby/schleuder/filters/post_decryption/10_request.rb:16:in `request'
/usr/lib/ruby/vendor_ruby/schleuder/filters_runner.rb:14:in `block in run'
/usr/lib/ruby/vendor_ruby/schleuder/filters_runner.rb:12:in `map'
/usr/lib/ruby/vendor_ruby/schleuder/filters_runner.rb:12:in `run'
/usr/lib/ruby/vendor_ruby/schleuder/runner.rb:127:in `run_filters'
/usr/lib/ruby/vendor_ruby/schleuder/runner.rb:56:in `run'
/usr/lib/ruby/vendor_ruby/schleuder/cli.rb:38:in `work'
/usr/share/rubygems-integration/all/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'
/usr/share/rubygems-integration/all/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'
/usr/share/rubygems-integration/all/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'
/usr/share/rubygems-integration/all/gems/thor-1.2.1/lib/thor/base.rb:485:in `start'
/usr/bin/schleuder:13:in `<main>'
```
Schleuder version: `4.0.3`

Milestone: 5.0.0
Assignee: paz

https://0xacab.org/schleuder/schleuder/-/issues/435
Provide list-option to auto-import keys from Autocrypt-headers and attachments
2023-12-08T13:18:02Z
georg

I spoke with people about Schleuder version 4, and stuff they would find helpful. Something people mentioned several times was better Autocrypt support, especially if Schleuder is used in a "frontdesk setup", with lots of different people sending mail to Schleuder, etc. To make this more easy, and to give people an option to get rid of boring, manual and repeated work, this is a proposal:
- Introduce a new per-list option to parse incoming Autocrypt header.
- If enabled, handle the `keydata` field, check the data in there, and if all good, import the key into the final keyring.
- Probably, checking the data in the field means importing the data into a temporary keyring, and checking the result.
- Add a new pseudo-header, `sender key status`, with the result of the check and/or import as per above:
  * `Not present - Key imported` (if there was no key yet for this email addr, TOFU)
  * `Already present - Key unchanged` (if the key is already part of the keyring)
  * `Already present - Conflicting Key - not imported` (if a different key for this mail addr is already part of the keyring)
- Pending questions:
  * Use a dedicated per-list keyring for these keys, similar to what MUAs are doing?
  * Still, prefer the manual keyring, and only if no key is found there, fallback to the Autocrypt-keyring?
  * Should a distinction be made regarding sending to subscribers, vs. resending? That is: Should the manual keyring be the single source of truth to handle key lookups of subscriptions?
  * As per the Autocrypt spec, AFAIK, MUAs do replace keys, if a key is already present on the local system and there is a new one received via mail. Do we want this? Or do we let people handle this situation on their own, as per above?
  * Wording: Not really sure if I'm happy with `sender key status`, maybe just `Autocrypt`? OTOH, not sure if that's "too technical".
That's a first draft, happy to take any input, and to get this into something worth implementing.

Milestone: 5.0.0
Assignee: paz

https://0xacab.org/schleuder/schleuder/-/issues/479
Don't allow to upload expired keys (or inform the user about usability issues [expired, revoked])
2023-11-14T08:55:40Z
casper

You shouldn't be allowed to upload an unusable key. Or at least, there should be an informative warning flash message as proposed in schleuder-web#12.

Milestone: 5.0.0
Assignee: paz

https://0xacab.org/schleuder/schleuder/-/issues/520
Stop providing a default SKS keyserver
2023-11-14T08:55:30Z
paz

I propose to not provide a default config setting for `Conf.sks_keyserver` anymore.
The old SKS keyservers are mostly dead, `keyserver.ubuntu.com` appears to be the only public SKS keyserver left. We shouldn't encourage to use them anymore.
But `keys.mailvelope.com` (validates uploaded email addresses) provides its keys via SKS-like URLs (besides its own API, which I don't want to implement), and people might want to use non-public SKS keyservers, too. Therefore I do not propose to remove handling SKS-keyservers completely.

Milestone: 5.0.0
Assignee: paz

https://0xacab.org/schleuder/schleuder/-/issues/525
Fix importing keys from encoded attachments
2023-11-14T08:54:32Z
paz

Currently importing keys from some forms of encoded attachments (e.g. sent by Thunderbird) fails.
This is due to the change from 7ff1160a4cd090e38ffd6d49ee27531132cc52f4.
Interestingly, the test-case newly added by that commit, also is green without the change to `key_management.rb`.
@georg Do you have any memory why you changed `key_management.rb` the way you did?

Milestone: 5.0.0
Assignee: paz

https://0xacab.org/schleuder/schleuder/-/issues/527
x-add-key with inline key material might fail depending on blank line
2023-11-10T14:28:37Z
georg

The following fails, Schleuder reports `In the message you sent us, no keys could be found. :(`.
```
x-list-name: list@example.org
x-add-key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[...]
-----END PGP PUBLIC KEY BLOCK-----
```
In contrast, this works as expected:
```
x-list-name: list@example.org
x-add-key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[...]
-----END PGP PUBLIC KEY BLOCK-----
```
MUA: Mutt 2.0.5
Schleuder: 4.0.3

https://0xacab.org/schleuder/schleuder/-/issues/449
Add error_codes to API errors
2023-11-08T22:31:39Z
ng

API errors should not only have an `error:` but also a machine readable `error_code`.
See https://0xacab.org/schleuder/schleuder/merge_requests/308#note_296360 for background

Milestone: Next Big Thing
Assignee: Nina

https://0xacab.org/schleuder/schleuder/-/issues/450
Fix flaky test in release-4 branch
2023-11-08T22:31:39Z
Nina

This test seems to be flaky spec/schleuder-api-daemon/requests/list_spec.rb:107
Example:
https://0xacab.org/schleuder/schleuder/-/jobs/127406

Assignee: Nina

https://0xacab.org/schleuder/schleuder/-/issues/495
x-add-key fails for binary attachments
2023-10-28T10:15:11Z
georg

x-add-key fails for binary attachments, Schleuder tells 'no keys could be found'.

Milestone: 4.0.1
Assignee: georg

https://0xacab.org/schleuder/schleuder/-/issues/523
HTML mail leakage when the `text/html` part is not a direct child of the `multipart/alternative`
2023-10-23T21:36:38Z
snip

Hello!
I think I've encountered a problem in Schleuder 3.4.0 (which is probably still present in the later versions as well), in which the HTML part of an email containing keywords will not be removed if the `text/html` part is not a direct child of the main `multipart/alternative` container.
## Steps to Reproduce the Problem
1. Compose a new email (I used Thunderbird 102, but other email clients might work as well).
2. Add Schleuder keywords (such as an `x-resend` keyword).
3. In the body of the email, insert an image.
4. Send the encrypted, signed email to the Schleuder address.
Note: Since the HTML part should be stripped anyway, I agree that there is not much point including an image in the email in the first place. However, I think there are real-life situations where this could happen: for instance, when quoting / replying to an email which already has embedded images, the email client will automatically include these images in the new message, and the user may just leave them as is. (Actually, this is how I've stumbled upon this problem.)
## Expected Behavior
One would expect the HTML part to be stripped from the email resent by Schleuder, since #399 was fixed thanks to !255.
## Actual Behavior
The HTML part will be left untouched by Schleuder and resent as is. In particular, it will leak the keywords.
## Specifications
- Version: 3.4.0 (it seems to me that the problem is present in the 4.* branch as well, but I wasn't able to test)
- Installation method (package, gem...): unknown
- Mail client version: Thunderbird 102.3.0
## Other information
It seems to me that this is due to the fact that Schleuder will only remove the `text/html` part if it is directly contained in the top-level `multipart/alternative` container, according to the [`strip_html_from_alternative_if_keywords_present` filter](http://wmj5kiic7b6kjplpbvwadnht2nh2qnkbnqtcv3dyvpqtz7ssbssftxid.onion/schleuder/schleuder/-/blob/schleuder-3.4.0/lib/schleuder/filters/post_decryption/90_strip_html_from_alternative_if_keywords_present.rb#L11-13). For instance, the filter will work as expected if the email has the following structure:
```
multipart/alternative
|- text/plain
'- text/html
```
However, if there is an image embedded with the HTML part, then Thunderbird (and probably other email clients) will first bundle the HTML part and the image together in a `multipart/related` part, then add this part to the `multipart/alternative`:
```
multipart/alternative
|- text/plain
'- multipart/related
   |- text/html
   '- image/jpeg
```
From what I could understand from the code of the `strip_html_from_alternative_if_keywords_present` filter, it seems to me that Schleuder will not find and remove the `text/html` part because it is not in the `mail.parts` array.
Maybe a possible fix would be to recurse down the tree of parts instead of just looking at the direct children of the root `multipart/alternative` container? Unfortunately, I'm not fluent enough in Ruby to be able to investigate this issue further.
In any case, I hope that this report will help!
Thank you very much for all the work on this great tool! :)
Cheers!\
snip

Milestone: 5.0.0

https://0xacab.org/schleuder/schleuder/-/issues/399
HTML mails might leak keywords to third parties
2023-01-18T23:42:21Z
georg

Schleuder leaves an encrypted HTML part of a mail untouched, it doesn't fiddle with the content. This might lead to keyword leaks to third parties, for example if `x-resend` is used.
Ideas so far how to deal with this:
- Drop the HTML part completely (which would possibly annoy users)
- Parse the HTML, drop possibly sensitive content
- Use a regex, fed with the keywords which were found in the plaintext, on the "stringified" HTML

Milestone: 3.4
Assignee: paz

https://0xacab.org/schleuder/schleuder/-/issues/502
signature validation fails
2022-09-27T21:18:41Z
pony hütchen

I'm having trouble with signature validation.
## Expected Behavior
When I send a validly signed and encrypted openpgp/mime message to a list's request address, it should process the request. When I send such a message to a list's normal address, it should put the pseudo-header 'Sig: Good signature [...]'.
## Actual Behavior
It outputs "Messages to this address must be encrypted and signed by the key associated with a subscribed address [...]". It replies with an email with the same text. It says "Bad signature" in the pseudo header.
## Steps to Reproduce the Problem
1. set up list with one subscriber who is admin of that list.
2. pipe a signed and encrypted message from the subscriber to the list into schleuder
## Specifications
- Version: schleuder 4.0.1
- Installation method (package, gem...): gem
- Mail client version: I used KMail to create the messages.
## Other information
This is the test message I send to the list:
```
From admin@a Wed Jun 09 16:14:08 2021
From: admin@a
To: list@a
Subject: test
Date: Wed, 09 Jun 2021 18:14:08 +0200
Message-ID: <6066403.5e4LmiuuCV@deepthought>
MIME-Version: 1.0
Content-Type: multipart/encrypted; boundary="nextPart2013499.KfxGTPaf5f"; protocol="application/pgp-encrypted"
--nextPart2013499.KfxGTPaf5f
Content-Type: application/pgp-encrypted
Content-Disposition: attachment
Content-Transfer-Encoding: 7Bit
Version: 1
--nextPart2013499.KfxGTPaf5f
Content-Type: application/octet-stream
Content-Disposition: inline; filename="msg.asc"
Content-Transfer-Encoding: 7Bit
-----BEGIN PGP MESSAGE-----
[...]
-----END PGP MESSAGE-----
--nextPart2013499.KfxGTPaf5f--
```
This is the decrypted message:
```
Content-Type: multipart/signed; boundary="nextPart2918540.ARZk9SpqV6"; micalg="pgp-sha256"; protocol="application/pgp-signature"
--nextPart2918540.ARZk9SpqV6
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"; protected-headers="v1"
From: admin@a
To: list@a
Subject: test
Date: Wed, 09 Jun 2021 18:14:07 +0200
Message-ID: <6066403.5e4LmiuuCV@deepthought>
x-list-name: list@a
x-list-keys
--nextPart2918540.ARZk9SpqV6
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part.
Content-Transfer-Encoding: 7Bit
-----BEGIN PGP SIGNATURE-----
iLMEAAEIAB0WIQSfKcpM8aR1YUksBzfHpUV6NcUAggUCYMDozwAKCRDHpUV6NcUA
go21A/0aprlyFNaG5R82y3eUw24brBzWRSaokE1oTqGO48sjernuCUsInRMobEXi
GRdwZ/oYwzWCtIXtYmxXREsnvtVl1OrNLKxxNJfsuicdvCqZhGQPH5llVb27sueX
90sIJ+vxg1/WtG7zlx/3lZiWw9SggbXgVoDjkJVzllms2fNE5w==
=u5Tv
-----END PGP SIGNATURE-----
--nextPart2918540.ARZk9SpqV6--
```
Here is information about the test list
```
me@server:~ $ schleuder-cli keys list list@a
9F29CA4CF1A47561492C0737C7A5457A35C50082 admin@a
7EDF3336CB8BC6D15D461DB5FFF7A04251E7D112 list@a
me@server:~ $ schleuder-cli subscriptions list list@a
admin@a 9F29CA4CF1A47561492C0737C7A5457A35C50082 admin
```
This is how I put the message into schleuder:
```
me@server:~ $ cat mailtolist.mbox | sudo -u schleuder schleuder work list-request@a
Error: Messages to this address must be encrypted and signed by the key associated with a subscribed address.
Kind regards,
Your Schleuder system.
```
This is from /var/log/mail.log
```
Jun 9 19:00:46 server Schleuder[17753]: Loading list 'list-request@a'
Jun 9 19:00:46 server Schleuder[17753]: (9.5ms) SELECT sqlite_version(*)
Jun 9 19:00:46 server Schleuder[17753]: Schleuder::List Load (2.6ms) SELECT "lists".* FROM "lists" WHERE "lists"."email" = ? ORDER BY "lists"."email" ASC LIMIT ? [["email", "list@a"], ["LIMIT", 1]]
Jun 9 19:00:47 server Schleuder[17753]: Schleuder::Subscription Load (1.9ms) SELECT "subscriptions".* FROM "subscriptions" WHERE "subscriptions"."list_id" = ? AND "subscriptions"."admin" = ? ORDER BY "subscriptions"."email" ASC [["list_id", 12], ["admin", 1]]
Jun 9 19:00:47 server Schleuder[17753]: Schleuder::Subscription Load (1.0ms) SELECT "subscriptions".* FROM "subscriptions" WHERE "subscriptions"."list_id" = ? AND "subscriptions"."admin" = ? ORDER BY "subscriptions"."email" ASC [["list_id", 12], ["admin", 1]]
Jun 9 19:00:50 server Schleuder[17753]: Schleuder::Subscription Load (3.1ms) SELECT "subscriptions".* FROM "subscriptions" WHERE "subscriptions"."list_id" = ? AND "subscriptions"."fingerprint" = ? ORDER BY "subscriptions"."email" ASC LIMIT ? [["list_id", 12], ["fingerprint", "9F29CA4CF1A47561492C0737C7A5457A35C50082"], ["LIMIT", 1]]
```
This is the lists log:
```
D, [2021-06-09T18:46:02.136140 #16993] DEBUG -- : Setting GNUPGHOME to /var/lib/schleuder/lists/a/list
I, [2021-06-09T18:46:02.136829 #16993] INFO -- : Parsing incoming email.
D, [2021-06-09T18:46:04.245871 #16993] DEBUG -- : Loading pre_decryption filters
D, [2021-06-09T18:46:04.259098 #16993] DEBUG -- : Calling filter forward_bounce_to_admins
D, [2021-06-09T18:46:04.356335 #16993] DEBUG -- : Calling filter forward_all_incoming_to_admins
D, [2021-06-09T18:46:04.357047 #16993] DEBUG -- : Calling filter send_key
D, [2021-06-09T18:46:04.357378 #16993] DEBUG -- : Calling filter fix_exchange_messages
D, [2021-06-09T18:46:04.357698 #16993] DEBUG -- : Calling filter strip_html_from_alternative
D, [2021-06-09T18:46:05.138321 #16993] DEBUG -- : Loading post_decryption filters
D, [2021-06-09T18:46:05.165974 #16993] DEBUG -- : Calling filter request
D, [2021-06-09T18:46:05.166580 #16993] DEBUG -- : Request-message
D, [2021-06-09T18:46:05.167848 #16993] DEBUG -- : Error: Message was not encrypted and validly signed
D, [2021-06-09T18:46:05.170170 #16993] DEBUG -- : Bouncing message
```
It started this strange behaviour about a month ago, but I didn't immediately notice. I don't know what caused it to stop working properly. Could be that it came with a system update. I also tried to resend an old E-Mail to an existing mailing list that I had sent earlier which hadn't caused any problems, but it produces this error now.

[adminata-private-nopass.asc](/uploads/ded08598eae3d6b6f849e7d9dda6ed18/adminata-private-nopass.asc)

**update:**
The password of the subscriber's private key is 'pass'

https://0xacab.org/schleuder/schleuder/-/issues/518
Upgrade Active Record to 7.0.4
2022-09-13T14:52:14Z
Nina

Milestone: 5.0.0
Assignee: Nina

https://0xacab.org/schleuder/schleuder/-/issues/496
gpg: insecure memory warnings for tests
2022-09-13T14:50:27Z
Andreas Schleifer

Hello,
while trying to package schleuder for Archlinux I get the following errors when running the tests during the packaging step:
```
Created database 'db/test.sqlite3'
Randomized with seed 63950
.....................................................................................................................................................................................................................................................................................................................................................................................................................................FFF.F.FF..............................................................................................................
Failures:
1) Schleuder::ListBuilder creates a listdir for the list
Failure/Error: raise Errors::KeyAdduidFailed.new(exc.to_s)
Schleuder::Errors::KeyAdduidFailed:
Adding a user-ID to the OpenPGP key failed with this message:
gpg: Warning: using insecure memory!
Kind regards,
Your Schleuder system.
# ./lib/schleuder/list_builder.rb:103:in `rescue in adduids'
# ./lib/schleuder/list_builder.rb:88:in `adduids'
# ./lib/schleuder/list_builder.rb:82:in `create_key'
# ./lib/schleuder/list_builder.rb:41:in `run'
# ./spec/schleuder/unit/list_builder_spec.rb:41:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:48:in `block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:47:in `block (2 levels) in <top (required)>'
# ------------------
# --- Caused by: ---
# RuntimeError:
# gpg: Warning: using insecure memory!
# ./lib/schleuder/list_builder.rb:93:in `block in adduids'
2) Schleuder::ListBuilder creates a new, valid list
Failure/Error: raise Errors::KeyAdduidFailed.new(exc.to_s)
Schleuder::Errors::KeyAdduidFailed:
Adding a user-ID to the OpenPGP key failed with this message:
gpg: Warning: using insecure memory!
Kind regards,
Your Schleuder system.
# ./lib/schleuder/list_builder.rb:103:in `rescue in adduids'
# ./lib/schleuder/list_builder.rb:88:in `adduids'
# ./lib/schleuder/list_builder.rb:82:in `create_key'
# ./lib/schleuder/list_builder.rb:41:in `run'
# ./spec/schleuder/unit/list_builder_spec.rb:9:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:48:in `block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:47:in `block (2 levels) in <top (required)>'
# ------------------
# --- Caused by: ---
# RuntimeError:
# gpg: Warning: using insecure memory!
# ./lib/schleuder/list_builder.rb:93:in `block in adduids'
3) Schleuder::ListBuilder subscribes the adminaddress and ignores the adminfingerprint if an adminkey was given
Failure/Error: raise Errors::KeyAdduidFailed.new(exc.to_s)
Schleuder::Errors::KeyAdduidFailed:
Adding a user-ID to the OpenPGP key failed with this message:
gpg: Warning: using insecure memory!
Kind regards,
Your Schleuder system.
# ./lib/schleuder/list_builder.rb:103:in `rescue in adduids'
# ./lib/schleuder/list_builder.rb:88:in `adduids'
# ./lib/schleuder/list_builder.rb:82:in `create_key'
# ./lib/schleuder/list_builder.rb:41:in `run'
# ./spec/schleuder/unit/list_builder_spec.rb:85:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:48:in `block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:47:in `block (2 levels) in <top (required)>'
# ------------------
# --- Caused by: ---
# RuntimeError:
# gpg: Warning: using insecure memory!
# ./lib/schleuder/list_builder.rb:93:in `block in adduids'
4) Schleuder::ListBuilder subscribes the adminaddress and respects the given adminfingerprint
Failure/Error: raise Errors::KeyAdduidFailed.new(exc.to_s)
Schleuder::Errors::KeyAdduidFailed:
Adding a user-ID to the OpenPGP key failed with this message:
gpg: Warning: using insecure memory!
Kind regards,
Your Schleuder system.
# ./lib/schleuder/list_builder.rb:103:in `rescue in adduids'
# ./lib/schleuder/list_builder.rb:88:in `adduids'
# ./lib/schleuder/list_builder.rb:82:in `create_key'
# ./lib/schleuder/list_builder.rb:41:in `run'
# ./spec/schleuder/unit/list_builder_spec.rb:72:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:48:in `block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:47:in `block (2 levels) in <top (required)>'
# ------------------
# --- Caused by: ---
# RuntimeError:
# gpg: Warning: using insecure memory!
# ./lib/schleuder/list_builder.rb:93:in `block in adduids'
5) Schleuder::ListBuilder subscribes the adminaddress and imports the adminkey
Failure/Error: raise Errors::KeyAdduidFailed.new(exc.to_s)
Schleuder::Errors::KeyAdduidFailed:
Adding a user-ID to the OpenPGP key failed with this message:
gpg: Warning: using insecure memory!
Kind regards,
Your Schleuder system.
# ./lib/schleuder/list_builder.rb:103:in `rescue in adduids'
# ./lib/schleuder/list_builder.rb:88:in `adduids'
# ./lib/schleuder/list_builder.rb:82:in `create_key'
# ./lib/schleuder/list_builder.rb:41:in `run'
# ./spec/schleuder/unit/list_builder_spec.rb:60:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:48:in `block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:47:in `block (2 levels) in <top (required)>'
# ------------------
# --- Caused by: ---
# RuntimeError:
# gpg: Warning: using insecure memory!
# ./lib/schleuder/list_builder.rb:93:in `block in adduids'
6) Schleuder::ListBuilder creates a list-key with all required UIDs
Failure/Error: raise Errors::KeyAdduidFailed.new(exc.to_s)
Schleuder::Errors::KeyAdduidFailed:
Adding a user-ID to the OpenPGP key failed with this message:
gpg: Warning: using insecure memory!
Kind regards,
Your Schleuder system.
# ./lib/schleuder/list_builder.rb:103:in `rescue in adduids'
# ./lib/schleuder/list_builder.rb:88:in `adduids'
# ./lib/schleuder/list_builder.rb:82:in `create_key'
# ./lib/schleuder/list_builder.rb:41:in `run'
# ./spec/schleuder/unit/list_builder_spec.rb:49:in `block (2 levels) in <top (required)>'
# ./spec/spec_helper.rb:48:in `block (3 levels) in <top (required)>'
# ./spec/spec_helper.rb:47:in `block (2 levels) in <top (required)>'
# ------------------
# --- Caused by: ---
# RuntimeError:
# gpg: Warning: using insecure memory!
# ./lib/schleuder/list_builder.rb:93:in `block in adduids'
Finished in 4 minutes 20.7 seconds (files took 1.94 seconds to load)
539 examples, 6 failures
Failed examples:
rspec ./spec/schleuder/unit/list_builder_spec.rb:37 # Schleuder::ListBuilder creates a listdir for the list
rspec ./spec/schleuder/unit/list_builder_spec.rb:5 # Schleuder::ListBuilder creates a new, valid list
rspec ./spec/schleuder/unit/list_builder_spec.rb:81 # Schleuder::ListBuilder subscribes the adminaddress and ignores the adminfingerprint if an adminkey was given
rspec ./spec/schleuder/unit/list_builder_spec.rb:69 # Schleuder::ListBuilder subscribes the adminaddress and respects the given adminfingerprint
rspec ./spec/schleuder/unit/list_builder_spec.rb:56 # Schleuder::ListBuilder subscribes the adminaddress and imports the adminkey
rspec ./spec/schleuder/unit/list_builder_spec.rb:45 # Schleuder::ListBuilder creates a list-key with all required UIDs
Randomized with seed 63950
```
During these tests I don't really care about such errors and therefore I tried to ignore them. My current code for running the tests looks like this:
```
export GNUPGHOME=.gnupg
mkdir -p "${GNUPGHOME}"
echo "no-secmem-warning" >> "${GNUPGHOME}/gpg.conf"
export CHECK_CODE_COVERAGE=false
export SCHLEUDER_CONFIG=spec/schleuder.yml
export SCHLEUDER_ENV=test
bundle exec rake db:init
bundle exec rspec
```
Any idea how I can ignore these errors in my tests?
I can't use setuid, as the build environment has no permissions to do that.
Best regards
5.0.0 paz paz
https://0xacab.org/schleuder/schleuder/-/issues/519
`list.send_list_key_to_subscriptions` fails if `deliver_selfsent` is set to false
2022-09-13T14:49:52Z fleish
I recently changed my list defaults to set deliver_selfsent to false to avoid having messages reflected back to senders who are also subscribers. The next time I tried to create a list using schleuder-cli, I was unable to use the send-list-key-to-subscriptions command to send myself the list's key. Temporarily setting deliver_selfsent to true resolved this issue. Debug logs attached for attempting to call send-list-key-to-subscriptions both times. Somewhat ironically, the 2 errors generated were successfully sent to me as the list admin (and only subscriber) via signed+encrypted mail to the same address.
[list.log.send-list-key-to-subscriptions_selfsent.false.txt](/uploads/f1c51b2f18213f4b36f7cb290b3e0468/list.log.send-list-key-to-subscriptions_selfsent.false.txt)
[list.log.send-list-key-to-subscriptions_selfsent.true.txt](/uploads/1fbf4e90ba20d02f65600fb206831b1f/list.log.send-list-key-to-subscriptions_selfsent.true.txt)
5.0.0 paz paz
https://0xacab.org/schleuder/schleuder/-/issues/476
receive_from_subscribed_emailaddresses_only: make From: check case-insensitive
2022-09-13T14:48:53Z cosmo222
Hello,
I have a few lists using schleuder, and in lists where I'm not using PGP to verify if someone is on the list I use
`Receive from subscribed emailaddresses only?`, and there is a problem because this check is case-sensitive. I know that this is a weak check because you can change the From header and send emails to the list, but this is the only thing I have.
I cannot use verification by PGP signature because people don't know how to use it.
Are you planning to change it, or if it is fixed, can you tell me in which version?
I'm using schleuder version 3.4.0-2 installed from the repo on Debian 10.
Best regards
Matthew
5.0.0 paz paz
https://0xacab.org/schleuder/schleuder/-/issues/361
Speak to keyservers directly and drop dirmngr
2022-09-13T13:40:27Z paz
We were discussing maybe speaking to keyservers directly, via HTTPS.
Pro:
* We can get rid of a lot of shell-calls,
* it is much easier and probably much more reliable to test; sks-mock.rb and repeatedly killing dirmngr could probably be dropped,
* we still can support multiple, specific keyservers,
* we have much more control over the requests, e.g. can retry in case of timeouts.
Contra:
* We can not support keyserver-pools (because they don't use proper HTTPS-certificates),
* we must use a hardcoded default, can't fall back to a system-wide configured keyserver,
* supporting connections via TOR requires additional work (but not that much: https://rubygems.org/gems/socksify, https://stackoverflow.com/questions/13353544/ruby-tor-and-nethttpproxy/13882749#13882749)
5.0.0 paz paz