See comments inline On 18-10-18 17:37, Marc Patermann via Users wrote: > Am 18.10.2018 um 12:42 Uhr schrieb Martijn Brinkers via Users: >> Outgoing email will be S/MIME encrypted with all valid certificates for >> the user. If a domain certificate has been setup for the recipient and >> the certificate is valid, the email will be encrypted with the domain >> certificate. If the user also has a personal certificate (i.e., issued >> for his/her email address), then the email will *also* be encrypted with >> the user certificate (i.e., the email will be encrypted with the domain >> certificate *and* the personal certificate). >> >> The gateway dynamically finds the certificates for a recipient (i.e., it >> will check the domain and check if there is a personal certificate). If >> you want to see which certificates are available for a recipient, you >> need to add this recipient first. The click on the details for the >> recipient (click on the email address). On the "Edit user: .." page, >> click S/MIME and then from the pull down menu, select "encryption >> certificates". You should now get an overview of all the S/MIME >> certificates for the recipient. >> >> Certificates are colored depending on whether the certificate is valid, >> auto selected, inherited etc. >> >> Green means the certificate is valid and auto selected (only if the >> email address matches). Yellow means it's inherited (from the domain). > This all looks pretty right in the admin GUI. > >> See the following page for more information >> >> https://www.ciphermail.com/documents/html/administration-guide/#pf3b >> >> What is important to know is that a certificate will only be used if the >> certificate is trusted. > We checked this before. We made all the example.com certs "valid". > > > Is there any debug log to the see that this actually happenend? > > Everything in the admin GUI looks OK. The certificat for > [email protected] is the yellow "inherited" one from the domain setting. > > The admin at example.com says, the cannot decrypt the message.
What application do they use to decrypt the email? > The admin as a cert himself. He can read all my encrypted mails. The best would be to analyze the encrypted email to check with which certificates the email was encrypted with. An S/MIME encrypted email contains a list of identifiers which identify which certificate the message was encrypted with. You should get a copy of the encrypted email. This can be the full email (MIME) or only the smime.p7m attachment (either in binary form or base64). CipherMail contains a tool which you can use to analyze S/MIME email. This should be run from the command line (login to the shell) cd /usr/share/djigzo To show help: java -cp /usr/share/djigzo/djigzo.jar mitm.common.tools.SMIME To open a full MIME message: java -cp djigzo.jar mitm.common.tools.SMIME --read -in <FILE> The output will show which certificates (Recipient's) the message was encrypted with: *** Recipient 0 [email protected], CN=Test CA, L=Amsterdam, ST=NH, C=NL/115FCD741088707366E9727452C9770//1.2.840.113549.1.1.1 The recipient is identified by: Issuer/Serial number pairs. So in the above example the message was encrypted with a certificate issues by "[email protected], CN=Test CA, L=Amsterdam, ST=NH, C=NL" with serial number "115FCD741088707366E9727452C9770" There can be multiple Recipient lines depending on the number of certificates the message was encrypted with. If you do not have the full MIME message, only the smime.p7m blob in base64 encoded form you can use: java -cp djigzo.jar mitm.common.tools.SMIME --read -in <FILE> --p7m And if the smime.p7m blob is in binary form (i.e., not base64 encoded), add the --binary parameter. java -cp djigzo.jar mitm.common.tools.SMIME --read -in <FILE>--p7m --binary Note: to analyze which certificates the message was encrypted with, you do not need the private key because you do not need to decrypt the email. Kind regards, Martijn Brinkers -- CipherMail email encryption Email encryption with support for S/MIME, OpenPGP, PDF encryption and secure webmail pull. https://www.ciphermail.com Twitter: http://twitter.com/CipherMail _______________________________________________ Users mailing list [email protected] https://lists.ciphermail.com/mailman/listinfo/users
