Mailmin operation

Mailmin (as of version 0.4) is a mail filtering program. It receives mail from a Mail Transfer Agent (MTA), a Mail Retrieval Agent or an Mail Delivery Agent, and then prints it back on STDOUT, after adding an X-Mailmin-ID email header. It then invokes the Gnu Privacy Guard (gpg) to decrypt the message and verify that it has been signed by an authorized user. Commands are executed via shell invocation (Mailmin can technically spawn any program, but a shell is typical), and the output is collected and placed into the body of an email message addressed to the sender of the incoming message. Mailmin then again invokes gpg, this time to sign and encrypt the outgoing message, which is then sent via the sendmail command (which will probably be a symlink to a sendmail drop-in such as Exim). Mailmin can also transfer files to and from the remote system and serve as an email to web gateway via special Mailmin directives. See the usage page for instructions on Mailmin usage.

Beginning with version 0.3, Mailmin has a restricted mode, where sharply limited functionality is available, and can also provide anonymous access via ordinary, unsigned mail. See here for more details.


Secure Shell (SSH)

The standard method for remote access to a *nix system is via the Secure Shell Connection Protocol, which securely implements shell access across a network. This method has several requirements:

Additionally, firewalls can restrict the use of SSH.

Other remote access methods

There are a number of solutions that eliminate the need for one or both of the first two above mentioned requirements. The Anyterm comparison page is a very informative comparison of various options. Webterm, JCTerm, Mindterm and Shell in a Box replace the SSH client with a Java applet, but therefore require that the client have a Java capable web browser (or possibly some other type of Java support). SSHWebProxy apparently implements SSH via HTML and can be used with any browser, but requires a web server with Java servlet support. PHPShell and htsh allow an ordinary browser to communicate with a web server via PHP, and therefore require no Java, just a PHP capable web server. Anyterm itself implements SSH via Javascript; it requires Apache2 on the server (an experimental standalone daemon version is also available) and can be used with any browser that supports Javascript. [I had some trouble getting it to work; my browser would often hang and need to be restarted.]

Most of the above solutions can still be impeded by firewalls. This problem can sometimes be circumvented by tunneling TCP over HTTP (see item 4 on the Anyterm comparison page). All of the above methods require a persistent network connection.

The Mailmin Solution

Mailmin uses a completely different paradigm for remote access: secure (OpenPGP) email. No server program (other than the normal mail server) runs on the remote machine, and since all communication is via email, it will generally be unaffected by firewalls, and a persistent nework connection is not required. The only requirement for the client is the ability to send and receive secure email. If a webmail service is used, then web access suffices. The only requirements for the server are an automated method for receiving and delivering inbound email and one for sending outbound email.

The only other program of which I am aware which apparently does someting similar is Grunt, but it has almost no documentation (although the developer, John Goerzen, did refer me to the comments in the (Python) code).


The downside, of course, is that Mailmin is non-interactive.