On 11/24/2011 02:14 PM, Erik Jacobs wrote:
> On 11/24/2011 6:00 AM, [email protected] wrote:
>>> 1) I can't seem to figure out how to get every user's SMIME cert to
>>> every other user.  Example: I've [email protected]  and
>>> [email protected].  I created the internal CA, created a cert for both
>>> of them and imported it.  But, at that point, how do I send an
>>> encrypted message between Johnny and Sammy?  Without Sammy having
>>> Johnny's keys and vice-versa, there isn't a way to encrypt the
>>> outgoing message.  On the certificates page, there is an option to
>>> "download all keys."  But aren't these the private keys?  I wouldn't
>>> want every user to have every user's private keys.
>> If you select the certificates and click "download keys" it will
>> download the keys but if you select "download certificates" it will
>> only download the certificates (without the keys). All the
>> certificates for all your internal users should be exchanged between
>> clients. The easiest way to do this is by selecting all the
>> certificates for your users, and then click "download certificates".
>> This will give you a .p7b file containing all certificates. This .p7b
>> file can then be imported into every desktop.
> Is there a "special" way to import certificates into Thunderbird?  Or
> are the certificates not imported into Thunderbird?  Exporting the
> certificates does not prompt for a password.  Trying to import the p7b
> into Thunderbird prompted for a password.

Exporting the certificates from Djigzo does not require a password. A 
.p7b (or .cer) is not a password-protected file. Thunderbird probably 
requires you to enter the master password (set by the owner of 
Thunderbird) to allow the import of certificates and/or keys.


>>> 2) Is there any way to prevent Djigzo from DEcrypting incoming
>>> messages?
>> If all users are external users (the default), then no email will be
>> decrypted. Incoming email is split into two paths, for internal
>> recipients email will be decrypted, for external recipients email will
>> be encrypted. If you do not make any domain or user an internal user,
>> no email will be decrypted.
>>> Essentially, here's what I'm looking for:
>>> -- All messages in a user's mail folders are SMIME encrypted.
>>> -- Any incoming mail that is SMIME encrypted for that user passes
>>>    untouched.
>>> -- Any incoming mail that is unencrypted is encrypted by Djigzo
>>>    using the user's own key.
>>> -- Any outgoing mail that is encrypted is untouched.
>>> -- Any outgoing mail that is unencrypted is untouched.
>>>
>>> I think that Djigzo ends up being total overkill in this situation?
>> I have been thinking about such a use case as well because it can be
>> used to store all email encrypted in your local mailbox. This is kind
>> of different from the typical use case of the Djigzo gateway. If you
>> make sure that every user is an external user, this should work since
>> all incoming email for some internal user will be encrypted if it is
>> not already encrypted (if set up to encrypt all email for certain
>> users). How are your internal users going to send encrypted email to
>> each other? Using the S/MIME functionality of the email client?
> Yes this is the assumption.  If the users import "all" of the
> certificates, then wouldn't they be able to encrypt email going to
> another user?  If the user Johnny sends an unencrypted email to the user
> Sammy on the same server, but they are both "external" users, isn't
> Djigzo going to encrypt the incoming message?
>
> EX: Sammy sends email to Johnny unencrypted.  Djigzo will use Johnny's
> key to encrypt the message before it is passed along to Johnny?

I haven't tested this but it should work if you make sure that the 
Djigzo gateway is the one your users connect to. If you are using a 
different server your users connect to and that server handles email for 
local accounts locally (for example the mailboxes are stored on the 
same server), the email for local users is not relayed through the 
Djigzo server.

Kind regards,

Martijn Brinkers
_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users
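
The thread above separates "download certificates" (a .p7b with no keys and no password) from "download keys". The following is an added example, not part of the original messages or of Djigzo: a structural check that tells a certificates-only export from one carrying private key material before it is copied to every desktop. The file names and header-only sample bytes are constructed, and it assumes key exports arrive as PKCS#12 or PEM/DER private keys.

```python
import base64
import re

# OID 1.2.840.113549.1.7.2 (PKCS#7 signedData), the container a .p7b uses
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")

def _tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def classify(data):
    """Return 'certs-only', 'key-material' or 'unknown' for a PEM or DER export."""
    pem = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", data, re.S)
    if pem:
        if b"PRIVATE KEY" in pem.group(1):
            return "key-material"
        data = base64.b64decode(pem.group(2))  # CERTIFICATE / PKCS7: inspect the DER
    try:
        tag, start, _ = _tlv(data, 0)
        if tag != 0x30:  # every format handled here is an outer SEQUENCE
            return "unknown"
        first, vstart, vend = _tlv(data, start)
        if first == 0x06:  # contentType OID first: PKCS#7 ContentInfo
            return "certs-only" if data[vstart:vend] == OID_SIGNED_DATA else "unknown"
        if first == 0x02:  # version INTEGER first: PKCS#12, PKCS#8 or PKCS#1 key
            return "key-material"
        if first == 0x30:  # X.509 continues with a SEQUENCE, encrypted PKCS#8 with OCTET STRING
            second = _tlv(data, vend)[0]
            return {0x30: "certs-only", 0x04: "key-material"}.get(second, "unknown")
    except IndexError:  # truncated input
        pass
    return "unknown"

# Constructed header-only stubs (not real certificates or keys); names are hypothetical
SAMPLES = {
    "users.p7b": bytes.fromhex("300b06092a864886f70d010702"),
    "users.pfx": bytes.fromhex("3003020103"),
    "johnny.cer": bytes.fromhex("300730003000030100"),
    "sammy.key": b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name}: {classify(blob)}")
```

The check looks only at the outer ASN.1 structure, so treat "unknown" as "do not distribute" and inspect the file by hand.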
