add-key command does not work if keyring does not exist. Looks like gpg has some troubles creating the keyring and adding a key in one rush.

Add LMTP as option to deploy postcrypt to avoid starting a process for each new message.
LMTP is preferred over SMTP for postcrypt because no message queue must be implemented and the SMTP server (postfix) is responsible for delivery if postcrypt fails

LMTP RFC:
https://james.apache.org/server/rfclist/lmtp/rfc2033.txt

Add comments to the PGP encryption block and Mail Header indicating that postcrypt would be to blame for invalid format or encryption.

If mails are addressed to multiple recipients where not all have keys associated, mails can only be accessed by those with keys.

To circumvent this, I propose 3 strategies that can be chosen from via a configuration option:

1. send mail encrypted with all known encryption keys. recipients without a key are left out (current behaviour)
2. send 1 mail per recipients and encrypt those for whom the recipient keys are known
3. send mail unencrypted

Unfortunately I'm not at all experienced with Go, but after setting up with postfix as you describe I'm getting this runtime error which looks code-related:

[info] postcrypt: encrypting message with id 7d821b10
panic: runtime error: invalid memory address or nil pointer dereference [signal 0xb code=0x1 addr=0x0 pc=0x4015a4]
goroutine 1 [running]: main.isEncrypted(0xf840067f00, 0x8, 0x0, 0x0, 0x0, ...)
/usr/lib/go/src/pkg/github.com/sprungknoedl/postcrypt/encrypt.go:147 +0x25 main.runEncrypt(0x757d60, 0xf84006c220, 0x200000002, 0x7) /usr/lib/go/src/pkg/github.co
m/sprungknoedl/postcrypt/encrypt.go:103 +0x25e main.main() /usr/lib/go/src/pkg/github.com/sprungknoedl/postcrypt/main.go:140 +0x3d5 goroutine 2 [syscall]: create
d by runtime.main /build/buildd/golang-1.0.2/src/pkg/runtime/proc.c:221 goroutine 3 [syscall]: syscall.Syscall6() /build/buildd/golang-1.0.2/src/pkg/syscall/asm
_linux_amd64.s:40 +0x5 syscall.EpollWait(0xf800000006, 0xf8400a6170, 0xa0000000a, 0xffffffff, 0xc, ...) /usr/lib/go/src/pkg/syscall/zerrors_linux_amd64.go:1781 +0xa1 net.(_pollster).WaitFD(0xf8400a6160, 0xf84006c440, 0x0, 0x13, 0x0, ...) /usr/lib/go/src/pkg/net/fd_linux.go:146 +0x110 net.(_pollServer).Run(0xf84006c440, 0x0) /usr/lib/go/src/pkg/net/fd.go:236 +0xe4 created by net.newPollServer /usr/lib/go/src/pkg/net/newpollserver.go:35 +0x382 )

Currently the mail gets encrypted only for the first recipient for whom a key could be found.

Please encrypt for all recipients that have a key associated.

Please create configuration options to associate keys (multiple) with a receiver.

• RFC 2045
• RFC 2046
• RFC 2047
• RFC 4288
• RFC 4289
• RFC 2049

If incoming mails are already encrypted, do not encrypt them again.

Maybe this should be however possible via a configuration option

Add an option that can specify keys which will be always added to the recipient keys if the mail will be encrypted. This allows the possibility for the sender to decrypt messages if the receiver has "lost" his key.

Add Received Header to Mail containing Message ID and postcrypt information

Similiar to #3.

When encrypting, postcrypt is selecting expired subkeys. I believe this is actually a problem with the Go API not checking the subkeys for expiration at all.

The API seems to just be testing:

subkey.Sig.FlagsValid && subkey.Sig.FlagEncryptCommunications && subkey.PublicKey.PubKeyAlgo.CanEncrypt()

Which only tests for the presence of valid flags, the presence of the encryption flag, and the ability of the algorithm to perform encryption.

This is reported upstream as https://code.google.com/p/go/issues/detail?id=5808