* on the Tue, Apr 08, 2014 at 10:41:11PM +0100, Klaus Ethgen wrote:
>> Write a simple script which can handle the verification, and invoke it
>> via ${run...} in the ACL hooked up to the DATA command, to be run after
>> "CRLF.CRLF" is received and before the response is sent.
>
> This is not that simple. What if the mail is signed _and_ encrypted?
> Usually the encryption is done outside and the signature is inside.That is not correct. With PGP, we always sign the ciphertext. We don't encrypt signed plaintext. (*) > Another problem is for mime signatures that can include several > multipart parts. Inline signatures are easy but seldom seen today. Mail::GnuPG is a very simple Perl module that will handle openpgp operations on multipart MIME emails. A Perl script to verify such an email would probably be about half a dozen lines of code. (*) If we signed *then* encrypted, then it would allow attacks such as: 1.) You send me a signed email that is encrypted with my public key. I decrypt, re-encrypt with somebody elses public key and forward on to them. Now it looks like you sent the message to them instead of me. 2.) You send a signed but unencrypted email to somebody. I intercept and encrypt it with their public key and forward on. Now they think the message was encrypted along the entire path, but it wasn't. -- Mike Cardwell https://grepular.com https://emailprivacytester.com OpenPGP Key 35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F XMPP OTR Key 8924 B06A 7917 AAF3 DBB1 BF1B 295C 3C78 3EF1 46B4
signature.asc
Description: Digital signature
-- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/
