Re: Problem after Ubuntu Upgrade from 16.04 to 18.04

2021-04-06 Thread Frank Schmitz
Yup, that did it. I just replaced the TrustedTimestamps.php with the newest one from the master branch and it worked again.
Thanks for the help!

Frank

On Tuesday, 6 April 2021, 18:36:56 CEST,  wrote the following:

Hello Frank,

in openssl 1.1.x the output of the openssl command has changed. Assuming the piler installation you mentioned is older than 2020-10-17, I suggest trying to update system/helper/TrustedTimestamps.php from the master branch, and let's see how it goes.

Janos

On 2021-04-06 16:50, Frank Schmitz wrote:
> Hello all,
> 
> I had to perform an Ubuntu Upgrade to 18.04 on a server running an
> older version of piler.
> 
> The update ran without any problems, but the piler Web-GUI seems to be
> "broken".
> 
> I get the following error in the apache log (pseudo anonymized):
> 
> [Tue Apr 06 16:35:53.008548 2021] [php7:error] [pid 14368] [client
> xxx:64562] PHP Fatal error:  Uncaught Exception: Systemcommand failed:
> Using configuration from /usr/lib/ssl/openssl.cnf, Verification: OK in
> /var/www/xxx/htdocs-ssl/system/helper/TrustedTimestamps.php:186\nStack
> trace:\n#0 /var/www/xxx/htdocs-ssl/model/search/message.php(512):
> TrustedTimestamps::validate('1c79bef0265fxxx...',
> 'MIIVSzADAgEAxxx...', '1617716xxx', '/var/piler/free...')\n#1
> /var/www/xxx/htdocs-ssl/model/search/message.php(51):
> ModelSearchMessage->check_rfc3161_timestamp_for_id('2519')\n#2
> /var/www/xxx.com/htdocs-ssl/model/search/message.php(228):
> ModelSearchMessage->verify_message('4000606xxx8...', 'Return-Path:
>  ModelSearchMessage->extract_message('4000606cxxx...', '')\n#4
> /var/www/xxx/htdocs-ssl/system/front.php(36):
> ControllerMessageView->index()\n#5
> /var/www/xxx/htdocs-ssl/system/front.php(14): Fro in
> /var/www/xxx/htdocs-ssl/system/helper/TrustedTimestamps.php on line
> 186
> 
> I see that TrustedTimestamps.php throws an exception, but I don't
> understand why...
> It says "Verification: OK" which should indicate that everything has
> gone well, right?
> 
> openssl is installed (1.1.1), the cron job signing messages using
> TrustedTimestamps.php is also running fine.
> 
> But using the gui throws an exception...
> 
> Help anyone?
> 
> Kind regards
> Frank Schmitz
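Janos's diagnosis above (openssl 1.1.x prints an extra "Using configuration from ..." line, so a helper that expected the bare result line treats a successful verification as a failed system command) is illustrated by this added Python example. It is not piler's TrustedTimestamps.php; the sample outputs are constructed to match the log in the thread, and the exact check piler used is assumed.

```python
import re
from typing import Tuple

# Constructed samples of `openssl ts -verify` output (assumptions, not captured
# from a real run). openssl 1.0.x prints only the result line; openssl 1.1.x
# first reports the configuration file it loaded, as seen in the apache log.
OUT_OPENSSL_10 = "Verification: OK\n"
OUT_OPENSSL_11 = "Using configuration from /usr/lib/ssl/openssl.cnf\nVerification: OK\n"
OUT_OPENSSL_11_FAILED = (
    "Using configuration from /usr/lib/ssl/openssl.cnf\n"
    "Verification: FAILED\n"
    "constructed-error-line:time stamp routines:message imprint mismatch\n"
)

def verify_ok_strict(output: str) -> bool:
    """Brittle check: anything other than the bare result line counts as a
    failed command, so the 1.1.x preamble turns a good verification into an
    exception (the symptom in the thread)."""
    return output.strip() == "Verification: OK"

def parse_ts_verify(output: str) -> Tuple[bool, str]:
    """Tolerant check: locate the 'Verification:' result line wherever it
    appears, ignore informational lines, and return (ok, reason). Fails
    closed when no result line is present at all."""
    result = None
    for line in output.splitlines():
        m = re.fullmatch(r"Verification:\s*(OK|FAILED)", line.strip())
        if m:
            result = m.group(1)
    if result is None:
        return False, "no 'Verification:' line in openssl output"
    if result == "OK":
        return True, "ok"
    # Keep the detail openssl prints after a FAILED result for the log entry.
    detail = [ln.strip() for ln in output.splitlines() if "error" in ln.lower()]
    return False, detail[0] if detail else "verification failed"
```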

  

Problem after Ubuntu Upgrade from 16.04 to 18.04

2021-04-06 Thread Frank Schmitz
Hello all,
I had to perform an Ubuntu Upgrade to 18.04 on a server running an older 
version of piler.
The update ran without any problems, but the piler Web-GUI seems to be "broken".
I get the following error in the apache log (pseudo anonymized):
[Tue Apr 06 16:35:53.008548 2021] [php7:error] [pid 14368] [client xxx:64562] 
PHP Fatal error:  Uncaught Exception: Systemcommand failed: Using configuration 
from /usr/lib/ssl/openssl.cnf, Verification: OK in 
/var/www/xxx/htdocs-ssl/system/helper/TrustedTimestamps.php:186\nStack 
trace:\n#0 /var/www/xxx/htdocs-ssl/model/search/message.php(512): 
TrustedTimestamps::validate('1c79bef0265fxxx...', 'MIIVSzADAgEAxxx...', 
'1617716xxx', '/var/piler/free...')\n#1 
/var/www/xxx/htdocs-ssl/model/search/message.php(51): 
ModelSearchMessage->check_rfc3161_timestamp_for_id('2519')\n#2 
/var/www/xxx.com/htdocs-ssl/model/search/message.php(228): 
ModelSearchMessage->verify_message('4000606xxx8...', 'Return-Path: 
extract_message('4000606cxxx...', '')\n#4 
/var/www/xxx/htdocs-ssl/system/front.php(36): 
ControllerMessageView->index()\n#5 
/var/www/xxx/htdocs-ssl/system/front.php(14): Fro in 
/var/www/xxx/htdocs-ssl/system/helper/TrustedTimestamps.php on line 186

I see that TrustedTimestamps.php throws an exception, but I don't understand why... It says "Verification: OK", which should indicate that everything has gone well, right?
openssl is installed (1.1.1), the cron job signing messages using 
TrustedTimestamps.php is also running fine.
But using the gui throws an exception...
Help anyone?

Kind regards,
Frank Schmitz


Re: Piler 1.3.5 on Ubuntu 18.04 WebUI doesn't render timestamped Mails

2020-10-16 Thread Frank Schmitz
Regarding TSA:
https://freetsa.org/ works well for me and is completely free...

On Friday, 16 October 2020, 21:20:02 CEST,  wrote the following:

Hello Patrick,

for starters the DECRYPT_ATTACHMENT_BINARY should be pileraget (not pilerget).

Also it might be worth going over the steps and checking that everything is set up properly:

https://bitbucket.org/jsuto/piler/issues/480/support-rfc3161-trusted-timestamps
https://www.mail-archive.com/piler-user@list.acts.hu/msg00785.html

In the meantime I'll try to find a TSA provider suitable for testing purposes.
If anyone on the list is familiar with one, or better, could provide a test account, it would be great.

Janos



On 2020-10-16 20:02, Patrick Wagner wrote:
> Hello everyone,
> 
> we're testing the TSA signing feature of Piler. When I login as
> auditor all mails are listed correctly in the Web GUI upper pane /
> list. When I click on a mail the header and content are displayed
> below if that mail was not signed (yet). Clicking on a signed mail
> however does not refresh the lower pane and continues to display
> either the last non-stamped mail or remains blank (if no mail had been
> selected before). With pilerget on the CLI the mails are displayed
> correctly.
> 
> What's wrong? Do I have to change any configuration?
> 
> I added these lines in config-site.php:
> $config['TSA_PUBLIC_KEY_FILE'] = '/etc/piler/tsa.publickey.pem';
> $config['TSA_START_ID'] = 1;
> $config['TSA_STAMP_REQUEST_UNIT_SIZE'] = 500;
> $config['TSA_URL'] = 'http://zeitstempel.dfn.de';
> 
> $config['DECRYPT_BINARY'] = '/usr/bin/pilerget';
> $config['DECRYPT_ATTACHMENT_BINARY'] = '/usr/bin/pilerget';
> 
> 
> Thanks,
> Patrick
> 
> # piler -V
> piler 1.3.5, build 997, Janos SUTO 
> 
> Build Date: Sun Apr 21 16:50:30 UTC 2019
> ldd version: ldd (Ubuntu GLIBC 2.27-3ubuntu1) 2.27
> gcc version: gcc version 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)
> OS: Linux 188ae4f9894f 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13
> 10:44:52 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
> Configure command: ./configure --prefix=/usr --sysconfdir=/etc
> --localstatedir=/var --with-database=mariadb
> MySQL client library version: 10.2.9
> Extractors: /usr/bin/pdftotext /usr/bin/catdoc /usr/bin/catppt
> /usr/bin/xls2csv /usr/bin/unrtf /usr/bin/tnef
> 
> Ubuntu 18.04.5 LTS
> 
> PHP 7.2.24-0ubuntu0.18.04.6 (as supplied with the distro)
> 
> MariaDB 10.1.44 (as supplied with the distro)

  

Re: Timestamp Authority "disbanded", what to do now?

2019-04-14 Thread Frank Schmitz
Hi Janos,
yeah, I thought so too. The TSA isn't completely gone though; it currently just doesn't issue any new timestamps, but checking hashes still seems to work. Even so, I probably don't want to risk it disappearing completely.
So any idea how I can restamp all mails in the archive?
The stamps are all in the database, right?
Delete all hashes from the database and then simply run the stamping process?

The archive is really small, but can I really stamp all mails at one time or do I need several timestamps?

Thanks for the help!
On Sunday, 14 April 2019, 21:41:55 CEST,  wrote the following:

Hello Frank,

well, I think your only option is to re-stamp existing emails, since you can't really use them to validate without the (now disappeared) TSA authority who issued them.

Janos

On 2019-04-13 23:33, Frank Schmitz wrote:
> seems like the timestamping authority I used "disbanded" and kind of
> tells me to go elsewhere for timestamping.
> 
> Sure, I can configure another TSA to get NEW timestamps, but what
> about all the old timestamps in my archive?
> Do I have to restamp every mail in the archive?
> What's the best way to do that?
> Can I simply add another certificate to be able to verify older mails
> with the old timestamps?
> Anyone ever had this problem before?
> 
> Thankful for any advice...

  

Timestamp Authority "disbanded", what to do now?

2019-04-13 Thread Frank Schmitz
Hello,

seems like the timestamping authority I used "disbanded" and kind of tells me to go elsewhere for timestamping.

Sure, I can configure another TSA to get NEW timestamps, but what about all the old timestamps in my archive? Do I have to restamp every mail in the archive? What's the best way to do that?
Can I simply add another certificate to be able to verify older mails with the old timestamps? Anyone ever had this problem before?
Thankful for any advice...


Re: timestamp feature

2018-02-07 Thread Frank Schmitz
Hi,
actually you can choose which way piler uses timestamps. If you want, you can 
use a different timestamp for each incoming mail.
This strategy might prove quite costly though, since most TSAs bill you for 
each timestamp they issue to you (And you won't know how much they charge you 
each day beforehand).

The other way is to use one timestamp for all incoming mails within a specified 
timeframe (every 1/2/3 hours, every hour from 09:00 to 18:00 and so on).
This way, you know beforehand how many timestamps you will need per day and how 
much that will cost you.
When I set this up, I chose a TSA (http://tsa.safecreative.org/) that gives away 5 free timestamps per day and I configured piler to create timestamps every 2 hours from 9:00 to 17:00 (business hours) -> no costs and still tamper-proof according to German law (revisionssicher/GDPR).

Regarding your question about deleting a mail:
Timestamps are stored in a different DB table than emails.
They have their own ID and they also store the range of email IDs this timestamp is valid for. In another table you'll find all mails with their unique IDs.
Even though I never tried it (different setup), you should be able to delete individual mails without a problem, since the timestamp is not stored within the mail itself. Instead the timestamp "knows" which mails it's valid for.

Hope that helps,
Frank

Christian Röser - PELMA  wrote on Wednesday, 7 February 2018, at 10:56:
 

Hello,

I have some questions about the timestamping feature. As far as I understand from this post https://www.mail-archive.com/piler-user@list.acts.hu/msg00785.html piler collects a bunch of mails, generates a hash for all of them and then this hash is signed by the TSA server. To verify a single mail, piler looks up what hash belongs to this e-mail, what other e-mails were involved, computes the hash for all of them and then compares this hash with the signed hash. Am I right?

Now I want (have to) use the delete feature of piler. For example in Germany you have to delete job applications after some time. Although we have a separate e-mail address for such stuff, which will not be archived, it happens from time to time that someone sends a mail to a general address like info@. Now German law tells me that I have to delete such mails. What does that mean for the timestamp feature? If I delete a mail, that message is no longer available for the hash computing. Does that mean that the verification for some mails or – if I use the unit way – some hundred or thousand emails fails? Do I have to get a stamp for every single mail? Is this even possible? Or is there some magic in piler to prevent this? 😉

Best regards,
Christian
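The batch ("unit") stamping scheme Frank and Christian discuss above, as an added Python model that is not piler's code: a stamp covers a range of message IDs and hashes over the per-message digests stored in the database, and verifying one mail means finding its stamp, recomputing that range hash and checking the body against its stored digest. Table layout, hash construction and the mock TSA are assumptions; the mails are constructed. It also walks through the cases raised in the thread: a body edited with and without the stored hash being "corrected" to match, a mail whose content is deleted but whose digest row is kept, and a mail whose digest row is removed too.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Toy model of the batch ("unit") timestamping scheme discussed in the thread; table
# layout, hash construction and the mock TSA are assumptions, not piler's implementation.

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def mock_tsa_sign(digest: str) -> str:
    # Stand-in for the RFC 3161 token a real TSA would return for this digest.
    return "TOKEN:" + sha256_hex(("constructed-tsa-key|" + digest).encode())

@dataclass
class Message:
    digest: str            # per-message hash kept in the metadata table
    body: Optional[bytes]  # None once the content has been purged
@dataclass
class Stamp:
    start_id: int          # inclusive id range this stamp is valid for
    end_id: int
    stamped_hash: str      # the value that was sent to the TSA
    token: str             # the TSA's response
@dataclass
class Archive:
    messages: Dict[int, Message] = field(default_factory=dict)
    stamps: List[Stamp] = field(default_factory=list)

    def add(self, msg_id: int, body: bytes) -> None:
        self.messages[msg_id] = Message(sha256_hex(body), body)

    def range_hash(self, start_id: int, end_id: int) -> str:
        # Hash over the stored digests in id order; an altered or missing
        # digest row changes the result for the whole range.
        h = hashlib.sha256()
        for mid in range(start_id, end_id + 1):
            if mid in self.messages:
                h.update(f"{mid}:{self.messages[mid].digest}\n".encode())
        return h.hexdigest()

    def stamp_range(self, start_id: int, end_id: int) -> None:
        digest = self.range_hash(start_id, end_id)
        self.stamps.append(Stamp(start_id, end_id, digest, mock_tsa_sign(digest)))

    def verify(self, msg_id: int) -> str:
        """Find the covering stamp, check its token, recompute the range hash, then check the body."""
        stamp = next((s for s in self.stamps if s.start_id <= msg_id <= s.end_id), None)
        if stamp is None:
            return "no-stamp"
        if stamp.token != mock_tsa_sign(stamp.stamped_hash):
            return "bad-token"
        if self.range_hash(stamp.start_id, stamp.end_id) != stamp.stamped_hash:
            return "range-mismatch"      # a digest row was altered or removed
        msg = self.messages.get(msg_id)
        if msg is None or msg.body is None:
            return "body-purged"         # content gone, digest row still intact
        return "ok" if sha256_hex(msg.body) == msg.digest else "body-mismatch"

def build_archive() -> Archive:
    # Four constructed mails covered by one stamp (one "unit").
    a = Archive()
    for i in range(1, 5):
        a.add(i, f"From: sender{i}@example.invalid\n\nconstructed mail {i}\n".encode())
    a.stamp_range(1, 4)
    return a

def demo() -> Dict[str, str]:
    """Walk through the cases raised in the thread; returns label -> result."""
    a = build_archive()
    out = {"clean": a.verify(2)}
    a.messages[3].body = b"altered content"                # edit the body only
    out["tampered-body"] = a.verify(3)
    a.messages[3].digest = sha256_hex(a.messages[3].body)  # "correct" the DB hash too
    out["tampered-body-and-digest"] = a.verify(2)          # the whole unit now fails
    a = build_archive()
    a.messages[4].body = None                              # delete content, keep digest row
    out["purged-body-self"] = a.verify(4)
    out["purged-body-neighbour"] = a.verify(2)
    del a.messages[1]                                      # drop the digest row as well
    out["dropped-row-neighbour"] = a.verify(2)
    return out
```

Whether deleting a mail breaks verification for its neighbours therefore depends on whether the per-message digest row survives the deletion; in this model only the content is purged, so the stamped range still recomputes.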
    

   

Re: GOBD certification

2017-07-26 Thread Frank Schmitz


Hi Janos,

since I didn't write a procedural manual for my girlfriend's business (yet, of course ;-)) and reading about you and Zyrixx planning to write such a "monster" (the linked sample has 42 pages and still needs to be completed!)

http://www.awv-net.de/upload/pdf/Belegablage_V1_20151026.pdf

I finally took a short dive into the sample manual.


I think it's REALLY good and does have quite a lot of explanations on how to 
apply it to your company.
My opinion: If this is not enough, you're the wrong guy for this job, give it 
to someone who knows your company better than you do ;-)

The only chapter that would really profit from your input (again, in my opinion 
of course) is 3.1 in which the used hard- and software needs to be explained 
(in regard to GoBD compliance).

If you provide a good explanation of how it's possible to configure piler to be 
GoBD compliant for this chapter, everything else can be taken and modified from 
this sample document, no need to reinvent the wheel here...

Interestingly, the authors recommend to use "certified software" and even 
provide a chapter to list the certifications...
But I still don't think it relevant, especially for a small (digital) 
business...
You have to describe how you configured the "certified" software and how you 
use it exactly like you would describe it for uncertified software anyway. 

Come to think of it, it actually might be counterproductive if you had to tweak 
the certified software a lot to make it work for your company. According to the 
authors, the more you have to "customize" the software, the more "suspicious" 
the auditors will get ;-)


Personally I think GoBD had two main goals:
1.) A crackdown on tax evasion by using cash transactions (If you use cash, you really HAVE to get a GoBD compliant cash register, no way around it)
2.) To make an auditor's life easier

As I already said, GoBD compliant email storage (contrary to HW handling cash transactions!) is not a law, therefore no auditor can punish you for not abiding by it (Of course it might piss the auditor off and make him look really closely at things, which can be a costly mistake too...).

If you don't take cash and all the money comes in by bank transfer, PayPal et al., there is absolutely no way you could cheat anyway, since all bank transfers can be traced...

Which is the reason I didn't put too much effort into writing a manual for my 
girlfriend incidentally... If an auditor really is interested in such a small 
business, you can go like "Here's the archive. Don't trust it or don't 
understand the IT behind it? Fine, go and check the bank transfers and have 
fun..."
Every time I look into the admin panel I have to laugh: Less than 400 mails 
since January 2017 and the archive/server will probably be full in "34755 
years, 10 months, 15 days" :-)


Funny side notes: 

- If you get invoices only per snail mail, you actually don't have to archive 
them electronically
- If you only use a "Template" on a computer to print your invoices and do NOT 
save the invoice itself on the computer (Using it like a typewriter), you don't 
have to store the invoices electronically either

Since we're talking about funny stuff, I also found a comment from a guy on a German message board, who actually called his local tax authority and asked about GoBD. He spoke to several persons including an auditor, who told him saving invoices in PDF format on his harddrive is perfectly fine, since PDFs can't be changed afterwards... ROFL!

Here's the link if anyone is interested, it does have a really good explanation of GoBD requirements, even though there are some mistakes (like time-critical saving of digital invoices, which only need to be saved as a file within 10 days but NOT also archived within 10 days) in it, but it is in German:

http://www.selbstaendig-im-netz.de/2017/04/12/selbstaendig/gobd-darauf-musst-du-bei-digitalen-rechnungen-und-belegen-achten/


Kind regards,

Frank



On Tuesday, 25 July 2017, at 21:42, "s...@acts.hu"  wrote:


Hello Frank,

On 2017-07-25 14:47, Frank Schmitz wrote:
> 
> a GoBD certification would surely result in a higher "visibility" for
> piler, since quite a lot of companies are basing their business
> decisions on those.
> 
> But please do NOT believe that Piler needs a GoBD certification to be
> used in germany!
> The ministry of finance in germany does not care whether the software
> is certified, it cares about
> 
> 1. whether the software fulfills the legal requirements (i.e. to use
> piler for GoBD in germany you need to use timestamping)

do you mean that it's mandatory to use an external timestamp provider
with piler? Or do you refer to the timestamps piler provides and stores
in the metadata table?


> 2. how 

Re: GOBD certification

2017-07-26 Thread Frank Schmitz


Hi Janos,

see below...



On Tuesday, 25 July 2017, at 21:42, "s...@acts.hu"  wrote:


Hello Frank,

On 2017-07-25 14:47, Frank Schmitz wrote:
> 
> a GoBD certification would surely result in a higher "visibility" for
> piler, since quite a lot of companies are basing their business
> decisions on those.
> 
> But please do NOT believe that Piler needs a GoBD certification to be
> used in germany!
> The ministry of finance in germany does not care whether the software
> is certified, it cares about
> 
> 1. whether the software fulfills the legal requirements (i.e. to use
> piler for GoBD in germany you need to use timestamping)

do you mean that it's mandatory to use an external timestamp provider
with piler? Or do you refer to the timestamps piler provides and stores
in the metadata table?


Well, it depends.
The crux of the matter is the so-called "Revisionssicherheit", meaning the company must not be able to manipulate anything in the archive.
If you host piler yourself, you can obviously manipulate anything in the archive by replacing encrypted mails and "correcting" the hashes within the database, since you have full access to the server piler is hosted on.

By adding a third party (i.e. the Time Stamping Authority), this is no longer possible without a verification fail. As far as I understand it, you can't even delete an email from the archive without it being quite obvious in the database (missing timestamp etc.).

If you actually pay a third party that is hosting piler, this might not be necessary since the company has no direct access to the server...
On the other hand, the company might be able to bribe someone from the hoster to manipulate the archive ;-)
The hoster might want to use timestamps too to make that temptation a no-brainer...

So no, it's probably not mandatory in all use cases, but if you host piler yourself you need it to meet the legal requirements...



> 2. how the company USES the software (You need a procedural
> documentation)


I'll make it soon.

That might actually be impossible, since every company is handling mails differently, therefore you cannot write a one-size-fits-all procedure...

What would probably help are examples of differently sized companies (even though that might be more effort than it's worth...)

Apart from that, a good explanation why piler cannot be manipulated (even if self-hosted) without it being obvious might help in any discussion with an auditor.

I set piler up for my girlfriend and her really small business and she certainly could not explain to an auditor why her mail archive cannot be manipulated...

It probably would also help if you could check the timestamp validity within the GUI, i.e. call the TSA validity check with the timestamp used for the mail in a new browser window :-)


> In case of an audit, both will be checked and the auditor won't care
> whether piler is certified or not...
> 
> To prove the point:
> https://www.bundesfinanzministerium.de/Content/DE/Downloads/BMF_Schreiben/Weitere_Steuerthemen/Abgabenordnung/Datenzugriff_GDPdU/2014-11-14-GoBD.pdf?__blob=publicationFile
> 
> This is an official statement from the ministry of finance in germany,
> under heading 12 / 181 (last page) it reads:
> 
> _"Certificates" or "attestations" of third parties may serve the company as a decision criterion when selecting a software product, but for the reasons given in Rz. 179 they have no binding effect on the tax authority._
> 
> Roughly translated:
> 
> Certificates or testimonies of third parties may be used by companies
> to choose a software, but they DO NOT have a binding effect for the
> ministry of finance because of the reasons named in Rz. 179.

I see. My point is that the usefulness of the certificate is that the
auditing company has examined the given software and by providing the
gobd compatible stamp they verify that the software complies with all
demands by the law.


The funny thing is, there simply is no certificate for GoBD compliance (as of yet, at least).
I hesitate to call it a scam, even while less respectable companies use exactly that description to market their products, since the products (probably :-)) fulfill the legal requirements.
In Germany a "certificate" goes a long way to impress customers...
You could probably put a "Bio(logical)" certificate (self-designed label and different from existing ones) on piler without any problems, since that term/certificate is not protected at all in Germany :-)))
(We have other less obvious certifications for that)

The one from Audicon is not actually a GoBD certification, but an "IDW PS 880" compliance check.
Which kind of means more or less the same, since that is a compliance "check" of 

Re: GOBD certification

2017-07-25 Thread Frank Schmitz
Hi Janos,
a GoBD certification would surely result in a higher "visibility" for piler, 
since quite a lot of companies are basing their business decisions on those.
But please do NOT believe that Piler needs a GoBD certification to be used in Germany! The ministry of finance in Germany does not care whether the software is certified, it cares about
1. whether the software fulfills the legal requirements (i.e. to use piler for GoBD in Germany you need to use timestamping)
2. how the company USES the software (You need a procedural documentation)
In case of an audit, both will be checked and the auditor won't care whether piler is certified or not...
To prove the point: 
https://www.bundesfinanzministerium.de/Content/DE/Downloads/BMF_Schreiben/Weitere_Steuerthemen/Abgabenordnung/Datenzugriff_GDPdU/2014-11-14-GoBD.pdf?__blob=publicationFile
This is an official statement from the ministry of finance in germany, under 
heading 12 / 181 (last page) it reads:
"Certificates" or "attestations" of third parties may serve the company as a decision criterion when selecting a software product, but for the reasons given in Rz. 179 they have no binding effect on the tax authority.
Roughly translated: 
Certificates or testimonies of third parties may be used by companies to choose 
a software, but they DO NOT have a binding effect for the ministry of finance 
because of the reasons named in Rz. 179.
In short, those certificates for GoBD compliance aren't worth the paper they're 
written on if an auditor is knocking on your door...
You must be able to show that piler is able to fulfill all GoBD Requirements. 
For a (German) "checklist" you can look those up here: "15 Kriterien für GoBD-konforme Software | Scopevisio Ratgeber", or here: "Neue GoBD: Ein umfassender Überblick".
I'm no expert by any means, but as far as I understand it, piler is quite 
capable of doing all that IF you use timestamping so you can prove the emails 
haven't been changed since they were timestamped/received...
Apart from the technical requirements, you will also need an "extensive" 
documentation about what exactly you are doing with your receipts/invoices/etc. 
You can even find a sample documentation to use here: "GoBD - Verfahrensdokumentation, praxisrelevante Hilfestellungen / PSP München" if you have no idea what to do... Make no mistake, THIS is what really matters to an auditor! (Well, maybe not if you use really crappy software ;-))
So unless you really want to spend several thousand euros on increasing the 
visibility/user base of piler, I would recommend you forget about purchasing a 
GoBD certificate... 

Speaking for myself, I would certainly consider throwing a bit of money into 
crowdfunding "useful" additions to piler, but for this I won't pay anything at 
all, sorry...

Kind regards,
Frank


  




On Monday, 24 July 2017, at 20:56, "s...@acts.hu"  wrote:


Dear piler users (especially the German ones at this time),

probably all of you have heard that German law mandates
that all German businesses must archive emails starting
from this year.

I've been convinced that it's worth obtaining GOBD
certification for piler to offer German users the freedom
to pick an open source email archiving product.

Unfortunately it costs huge money* even for open source
applications, so I thought some crowdfunding might
help getting the required amount of money.

For a successful fundraising campaign I need some helpers
from Germany to spread the word (email, social media, etc)
before the actual campaign launches, pick a crowdfunding
platform, donating the initial seed (I have a small donation
in mind, like 5 EUR or so), etc.

If you agree and are willing to help, then please drop me a line.
Perhaps I'll create a mailing list for the topic.

Janos



*: I got a quote from Audicon of 6500 EUR (not sure if any
additional costs may occur during the process)