Hello,

I continue describing Erki's issue.

We have 2 problems:
a) incoming messages are not being decrypted; if we forward them and choose to 
send them to ourselves, with the .p7m attached, then Djigzo manages to decrypt.
b) outgoing messages are signed and then encrypted, but we have a requirement to 
first encrypt and then sign the message.

We have defined our domain as internal and other domains as external.
We have imported and whitelisted external certificates and our private key 
(there's a key icon next to our certificate).

External domains have their certs for encrypting and ours for signing; we have 
tried both Allow/Force encrypt options and, in the S/MIME section, Strict mode 
off/on and only sign when encrypt on/off.
Our internal domain has our cert for encryption (which we believe should be 
picked up for decrypting), and for signing we also have our certificate.


I also add a log of sending the mail out (none of the certificates have a CA):

07 Dec 2011 12:44:11 | INFO incoming | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: 
spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; 
Remote address: 192.168.212.231; Recipients: 
[spoc_fp@external_domain_here.com]; Subject: LT/CPS; Message-ID: 
<[email protected]>; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO external | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: 
spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO postDLP | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: 
spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO checkForceEncryptHeader | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: 
spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO checkEncryptMode | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: 
spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO checkSMIME | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: 
spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO Rebuilding trust anchor cache. 
(mitm.common.security.certpath.CertStoreTrustAnchorBuilder) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO smime | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: 
spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | WARN Error building path for signing certificate. 
CertPathBuilderException: There are no roots. 
(mitm.application.djigzo.james.mailets.SMIMESign) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO smimeEncrypt | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: 
spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO encryptionNotification | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: 
spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO blackberrySMIMEAdapter | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: 
spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO transport | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: 
spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; 
Remote address: 192.168.212.231; Recipients: 
[spoc_fp@external_domain_here.com]; Subject: LT/CPS; Message-ID: 
<[email protected]>; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO transport-auto-submitted | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: <>; Sender: <>; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO transport | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: <>; Sender: <>; Remote 
address: 192.168.212.231; Recipients: [spoc_fp@internal_domain_here.com]; 
Subject: The message has been encrypted; Message-ID: 
<[email protected]>; 
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]

Best regards,
Ragnar
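
An added diagnostic (my example, not Djigzo's code) that reads the wrapped log format quoted above, reconstructs the stage order per MailID and collects WARN entries. It assumes, as the sequence above suggests, that the "smime" stage is where SMIMESign runs and "smimeEncrypt" is the encryption stage, so "smime" before "smimeEncrypt" means the signature ends up inside the encrypted layer.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the gateway log above (same stage names,
# same MailID and placeholder addresses); entries wrap over several lines.
SAMPLE_LOG = """\
07 Dec 2011 12:44:11 | INFO incoming | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO smime | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | WARN Error building path for signing certificate. 
CertPathBuilderException: There are no roots. 
(mitm.application.djigzo.james.mailets.SMIMESign) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO smimeEncrypt | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO transport | MailID: 
09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
"""

ENTRY_RE = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) \| (\w+) (.*)$")

def parse_entries(text):
    """Join wrapped lines into entries; a line starting with a timestamp opens a new one."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"time": m.group(1), "level": m.group(2), "text": m.group(3).strip()})
        elif entries:
            entries[-1]["text"] += " " + line.strip()
    return entries

def mailet_trace(entries):
    """Ordered stage names per MailID (from the Log mailet), plus every WARN/ERROR entry."""
    trace, warnings = defaultdict(list), []
    for e in entries:
        m = re.match(r"([\w-]+) \| MailID: ([0-9a-f-]{36});", e["text"])
        if m:
            trace[m.group(2)].append(m.group(1))
        if e["level"] in ("WARN", "ERROR"):
            warnings.append(e["text"])
    return trace, warnings

def smime_order(stages):
    """Which layer is outermost: the stage that ran last wraps the one before it."""
    if "smime" in stages and "smimeEncrypt" in stages:
        signed_first = stages.index("smime") < stages.index("smimeEncrypt")
        return "sign-then-encrypt" if signed_first else "encrypt-then-sign"
    return "no S/MIME applied"
```

On the log above this reports sign-then-encrypt for the message and surfaces the "There are no roots" warning, which is the path-building failure for the signing certificate that has no CA.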

-----Original Message-----
From: [email protected] [mailto:[email protected]] On 
Behalf Of Martijn Brinkers
Sent: Wednesday, December 07, 2011 2:29 PM
To: [email protected]
Subject: Re: [Djigzo users] Problem with encryption and signing, and incoming 
mail is not decrypted

> Zitat von Erki Naumanis <[email protected]>:
>
>> Hi.
>> We have installed the Djigzo gateway and everything works great if we
>> do not try to encrypt and sign outgoing messages.
>> It seems that Djigzo is signing and then encrypting the messages. Is
>> that how it should be? And is there a way to do it vice versa?
>
> Not sure about this one but it looks like standard behaviour as
> encrypted messages should protect *all* mail content which includes the
> signing parts...

It depends on how the gateway was setup whether it encrypts by default. 
If encrypt mode is set to "Allow", it encrypts if possible. So if there 
is a valid certificate for the recipient and encrypt mode is allow, the 
email will be encrypted. If you want to encrypt only when the subject 
contains some keyword, you should set encrypt mode to "No encryption" 
and use the subject trigger to trigger encryption.

>> And is there a way to do it vice versa?

What do you mean with that? You want to encrypt and then sign?

>
>> On the other hand, all signed and encrypted incoming mail is not
>> decrypted.
>> We have double checked the participants certificates and they are OK.
>
> This looks like you either have not correctly assigned the
> internal/external properties or you don't have the required private key
> (not certificate) to decrypt the incoming mail.
>
> Try the following:
> - Send from an internal user a message signed by Djigzo to some external
> account
> - Reply from the external account and choose "encrypt the mail"

I think Andreas is right. You probably forgot to add a domain for which 
you receive email (for example just.ee) and set the domain to be an 
internal domain. Only email sent to internal users is decrypted.

Kind regards,

Martijn
_______________________________________________
Users mailing list
[email protected]
http://lists.djigzo.com/lists/listinfo/users