GPGrelay is a small relaying server that intercepts SMTP and POP3 communication
so that emails are signed and/or encrypted on the fly using
GnuPG (The GNU Privacy Guard) while you keep using your default email program.
This program is not meant to be security overkill; in fact it even makes secure communication a little less secure, but it enables all email clients to use GPG for secure mail transfer over the internet (so eavesdropping should only be possible from the local machine).
Therefore it is not recommended that you use this program on a machine where many users have access privileges!
This program is OpenSource & Free (as anything concerning security on the internet should be).
This program is released under the GNU General Public License (GPL)!
|What is GPGrelay?|
GPGrelay is, as indicated by its name, a local relaying server.
It works completely transparently for your email client as well as for the remote server.
If you want to send emails encrypted, GPGrelay encrypts them and sends the encrypted mail to the SMTP server.
If you receive an encrypted mail, GPGrelay does the decryption for you - so your email client never sees any encrypted mails, which is quite a nice feature when your email client (like Outlook Express) is not capable of handling those mails.
But this also means that if an eavesdropper has access to your local environment, where emails are stored decrypted, he can easily get access to them!
On the other hand: if an eavesdropper really is present at your local site, he could probably set up some mechanism (Trojan horses come to mind) to get your keyring and the passphrase you use...
|Why should I encrypt my mail?|
This is an excerpt from "The comp.security.pgp FAQ"
You should have read this FAQ completely if you're not familiar with public-key encryption, because it's also valid in most cases for GnuPG (so replace PGP in the following excerpt with GnuPG)!
Excerpt from RFC 2015: MIME Security with Pretty Good Privacy (PGP):
Take note that GPGrelay does not handle those multiparts in an opaque way!
GPGrelay generates such a PGP-MIME mail when sending and removes that structure when it sees one incoming.
This means it takes the mails it relays (e.g. for an SMTP server or POP3 server) and does the magic transformation, so that outgoing mail is changed into proper PGP-MIME format and incoming PGP-MIME mails become normal multipart mails.
This means, the used Email-Client doesn't see anything concerning
|What is PGP-MIME?|
Here are two schematic block-diagrams that explain the concept of PGP-MIME graphically:
As you can see, the encrypted version does not lose any information concerning the MIME structure of the original mail; in particular, any attachment is encrypted as well!
Another thing you should be aware of is that the normal mail header is not encrypted. This includes the subject of the mail (the same applies to inlined PGP blocks).
And don't confuse PGP-MIME with S/MIME! They are not the same!
More details about PGP-MIME can be gathered from RFC 3156 "MIME Security with OpenPGP" which revises RFC 2015 "MIME Security with Pretty Good Privacy (PGP)". Both are OpenPGP-Extensions to RFC 1847 "Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted".
If you want to know OpenPGP in detail, then this RFC is for you: RFC 2440 "OpenPGP Message Format". It builds on the foundation provided in RFC 1991 "PGP Message Exchange Formats".
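The transformation described above, as an added Python example (not GPGrelay's own code): an outgoing mail is wrapped into the two-part multipart/encrypted layout of RFC 3156, and an incoming one is turned back into a normal multipart mail. The function names, the sample mail and the base64 stand-in for the GnuPG call are assumptions made for illustration; the stand-in provides no confidentiality.

```python
import base64
from email import message_from_bytes
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart

# Constructed sample mail: text body plus one attachment
SAMPLE = (b'From: alice@example.org\nTo: bob@example.org\nSubject: Q3 figures\n'
          b'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
          b'--b1\nContent-Type: text/plain\n\nsee attachment\n'
          b'--b1\nContent-Type: text/plain\n'
          b'Content-Disposition: attachment; filename="report.txt"\n\n'
          b'secret numbers\n--b1--\n')

def is_content_header(name):
    return name.lower().startswith("content-") or name.lower() == "mime-version"

def standin_encrypt(data):  # NOT encryption: base64 placeholder for the GnuPG call
    body = base64.encodebytes(data).decode("ascii")
    return "-----BEGIN STAND-IN-----\n" + body + "-----END STAND-IN-----\n"
def standin_decrypt(text):
    return base64.b64decode("".join(text.strip().splitlines()[1:-1]))

def wrap(raw, encrypt=standin_encrypt):  # outgoing: normal mail -> PGP-MIME layout
    inner = message_from_bytes(raw)
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    for name, value in [h for h in inner.items() if not is_content_header(h[0])]:
        outer[name] = value  # From/To/Subject stay readable in the outer header
        del inner[name]      # only the MIME entity itself goes into the ciphertext
    control = MIMEBase("application", "pgp-encrypted")
    control.set_payload("Version: 1\n")
    data = MIMEBase("application", "octet-stream")
    data.set_payload(encrypt(inner.as_bytes()))  # ONE block: body and attachments
    outer.attach(control)
    outer.attach(data)
    return outer.as_bytes()

def unwrap(raw, decrypt=standin_decrypt):  # incoming: PGP-MIME -> normal mail
    outer = message_from_bytes(raw)
    if (outer.get_content_type() != "multipart/encrypted"
            or outer.get_param("protocol") != "application/pgp-encrypted"):
        return raw  # not PGP-MIME: pass through untouched
    parts = outer.get_payload()
    if len(parts) != 2:
        raise ValueError("multipart/encrypted must have exactly two parts")
    inner = message_from_bytes(decrypt(parts[1].get_payload()))
    for name, value in outer.items():
        if not is_content_header(name):
            inner[name] = value
    return inner.as_bytes()
```

Running wrap(SAMPLE) shows the point made above: the Subject line is still visible in the wrapped mail, while the attachment and its filename are only inside the single protected block.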
|So what about the "Inlined"-Option in GPGrelay?|
In Inlined mode GPGrelay does not construct a PGP-MIME wrapper for an email,
which is much more like the way many plugins for email clients work:
It's just a simple OpenPGP-Message inside a normal plaintext email.
In more detail: first it takes the body, reverts the character encoding (e.g. from quoted-printable back to 8bit) and encrypts it normally (say, the way WinPT does with data on the clipboard). Then it reapplies the character encoding (e.g. from 8bit back to quoted-printable).
This is then also done for all attachments (if there are any).
To compare this with PGP-MIME: PGP-MIME requires just ONE encrypted block for the whole mail and also keeps the original character encoding and attachments. This also makes it easy to send and receive HTML mail without corrupting anything and without a complex decryption procedure.
By contrast, when using the inlined variant, for every part the character encoding has to be reversed, GPG has to encrypt it and the character encoding has to be reapplied. You can easily see that this adds extra complexity, which leads to poorer performance.
It also allows an attacker to remove or modify an attachment (e.g. replace it with some previously signed/encrypted attachment of a different mail), which PGP-MIME protects against.
To sum it up: Try to avoid Inlined-PGP! Only use it if your correspondence-partner cannot handle PGP-MIME.
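Why per-part protection fails to detect a removed or substituted attachment while one signature over the whole mail does, as an added Python example (not GPGrelay's code). HMAC-SHA256 with a constructed key stands in for the OpenPGP signature so that the check runs offline; all names and the two sample mails are assumptions.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # assumption: stands in for the sender's signing key

def sign(data):
    # Stand-in for an OpenPGP signature (HMAC-SHA256, so the example runs offline)
    return hmac.new(KEY, data, hashlib.sha256).digest()

def serialize(parts):
    # Length-prefix every part so the whole mail is one unambiguous byte string
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)

def protect_inline(parts):
    # Inlined mode: body and each attachment are processed separately
    return [(p, sign(p)) for p in parts]

def verify_inline(mail):
    return all(hmac.compare_digest(sign(p), sig) for p, sig in mail)

def protect_whole(parts):
    # PGP-MIME style: one signature over the complete structure
    return list(parts), sign(serialize(parts))

def verify_whole(mail):
    parts, sig = mail
    return hmac.compare_digest(sign(serialize(parts)), sig)

# Constructed sample mails from the same sender: [body, attachment]
OLD = [b"Invoice for March attached.", b"invoice-march.pdf: pay 100 EUR"]
NEW = [b"Invoice for April attached.", b"invoice-april.pdf: pay 250 EUR"]

def substituted_attachment():
    # The April mail arrives carrying the attachment of the March mail
    old_inline, new_inline = protect_inline(OLD), protect_inline(NEW)
    inline_ok = verify_inline([new_inline[0], old_inline[1]])
    (old_parts, _), (new_parts, new_sig) = protect_whole(OLD), protect_whole(NEW)
    whole_ok = verify_whole(([new_parts[0], old_parts[1]], new_sig))
    return inline_ok, whole_ok   # (True, False): only the whole-mail check notices

def removed_attachment():
    # The April mail arrives without its attachment
    parts, sig = protect_whole(NEW)
    return verify_inline(protect_inline(NEW)[:1]), verify_whole((parts[:1], sig))
```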
This project is also hosted on
You should use the forums provided by SourceForge to ask for help, track bugs or generally discuss GPGrelay.
There is also a GPGrelay-Mailing-List available there!
I strongly recommend it for discussion about GPGrelay!
SourceForge-Mailinglist : gpgrelay-talk
Any email to me or entry in the guestbook is still welcome!