macutil(8)    Mail Avenger 0.8.5    macutil(8)
macutil, sendmac - Message Authentication Code utility
macutil --gen [options]
macutil --sender [template] [--from name] [options]
macutil --check [options] code
macutil [options] --sendmail [sendmail-options]
sendmac [sendmail-options]
macutil generates and checks the validity of codes that can be embedded in temporary email addresses. The codes are calculated using a secret passphrase stored in a file. Thus, someone who does not know the passphrase cannot easily generate a valid code. Each code has a configurable expiration time after which it becomes invalid.
To use macutil, you must create a file containing a passphrase. The default location of this file is $HOME/.avenger/.macpass, though the location can be overridden with the MACUTIL_PASSFILE environment variable or --passfile= command-line option. The file should contain a passphrase followed by a newline. The maximum allowed length of the passphrase is 64 characters. Do not use your Unix login password or any password you have used for a sensitive application, as macutil's password will be stored in cleartext and thus be relatively easy to compromise.
Running macutil --gen generates a new code and writes it to standard output.
Running macutil --check code checks the validity of code. If the code is valid and has not expired, macutil exits with status 0. If the code is invalid or has expired, macutil prints a message to standard error and exits with a non-zero exit code.
The following options affect macutil's behavior:
myname+bounces+zjkifk8kuvsy7rubu7vqadmwnn
Don't forget to quote the "*" character when invoking macutil from a shell.
Mail Avenger <myname+tmp+zjkifk8kuvsy7rubu7vqadmwnn@host>
Note that if the MACUTIL_SENDER environment variable has been set, this will be used as a default value for the --sender option if you invoke macutil --from and don't specify a --sender.
Mail Avenger (address expires 07 Dec 2004) <myname+tmp+zjkifk8kuvsy7rubu7vqadmwnn@host>
Note that if file contains multiple passphrases, one per line, --gen always uses the first passphrase in the file. --check, however, will try all passphrases until one succeeds, and only output failure if they all fail. In this way, you can change your passphrase, but keep accepting the old one for a time by leaving it as the second line of the file.
to specify num hours, days, or weeks in the future. The full range of suffixes allowed is s, m, h, D, W, M, and Y, which designate seconds, minutes, hours, days, weeks, months, and years, respectively. The default expiration time is 21 days ("+21D").
For example, if MACUTIL_SENDER is "myname+bounces+*", running "macutil --sendmail friend@domain.com" might run the command:
sendmail -f myname+bounces+zjkifk8kuvsy7rubu7vqadmwnn friend@domain.com
Note that if you invoke the macutil program as "sendmac" (or as any other name you link it to beginning with the four letters "send"), it will automatically behave as though there were an extra first argument of --sendmail. (In this case, you cannot specify any sendmac options, but you can still control sendmac's behavior through the environment variables listed below.)
$HOME/.avenger/.macpass
The Mail Avenger home page: <http://www.mailavenger.org/>.
macutil is designed to provide casual security against people trying to guess a valid temporary email address. Don't use it where stronger authentication is required. In particular, for any given passphrase, a random code will be valid (at least on some date) with probability 1 in 2^64. While these are tough odds to beat, cryptographers generally prefer a margin of safety closer to 1 in 2^128 for high-security applications (though that would require longer codes).
Someone who sees a valid code can mount an off-line dictionary attack against your passphrase. In other words, while it is hard to recover your passphrase outright, given a valid code, it is easy to verify whether a particular guess of your passphrase is correct. By guessing every word in the dictionary, an attacker can recover weak passphrases.
Technically, the cryptographic operation performed on the keys is encryption, not a message authentication code (or MAC). Hence, one could argue the utility is misnamed.
David Mazieres
2018-10-09    Mail Avenger 0.8.5