On 12/07/2011 02:00 PM, Ragnar Plint wrote:
> I continue describing Erki's issue.
>
> We have 2 problems:
> a) incoming messages are not being decrypted; if we forward them and choose
> to send ourselves in our Inbox with .p7m attached, then Djigzo manages to
> decrypt.
> b) outgoing messages are signed and then encrypted, but we have a requirement
> to first encrypt and then sign the message.
>
> We have defined our domain as internal and other domains as external.
> We have imported and whitelisted external certificates and our private key
> (there's a key icon next to our certificate).
>
> External domains have their certs for encrypting and ours for signing; we
> have tried both Allow/Force encrypt options and other S/MIME section Strict
> mode off/on, only sign when encrypt on/off.
> Our internal domain has our cert for encryption (which we believe should be
> picked up for decrypting) and for signing we have also our certificate.
>
> I also add a log of sending the mail out (none of the certificates have a
> CA):
>
> 07 Dec 2011 12:44:11 | INFO incoming | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; Remote address: 192.168.212.231; Recipients: [spoc_fp@external_domain_here.com]; Subject: LT/CPS; Message-ID:<[email protected]>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:11 | INFO external | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:11 | INFO postDLP | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:11 | INFO checkForceEncryptHeader | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:11 | INFO checkEncryptMode | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:11 | INFO checkSMIME | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:12 | INFO Rebuilding trust anchor cache. (mitm.common.security.certpath.CertStoreTrustAnchorBuilder) [Spool Thread #0]
> 07 Dec 2011 12:44:12 | INFO smime | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:12 | WARN Error building path for signing certificate. CertPathBuilderException: There are no roots. (mitm.application.djigzo.james.mailets.SMIMESign) [Spool Thread #0]
> 07 Dec 2011 12:44:12 | INFO smimeEncrypt | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:12 | INFO encryptionNotification | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:12 | INFO blackberrySMIMEAdapter | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:12 | INFO transport | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp@internal_domain_here.com; Sender: spoc_fp@internal_domain_here.com; Remote address: 192.168.212.231; Recipients: [spoc_fp@external_domain_here.com]; Subject: LT/CPS; Message-ID:<[email protected]>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:12 | INFO transport-auto-submitted | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator:<>; Sender:<>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
> 07 Dec 2011 12:44:12 | INFO transport | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator:<>; Sender:<>; Remote address: 192.168.212.231; Recipients: [spoc_fp@internal_domain_here.com]; Subject: The message has been encrypted; Message-ID:<[email protected]>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
>
> Best regards,
> Ragnar
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]]
> On Behalf Of Martijn Brinkers
> Sent: Wednesday, December 07, 2011 2:29 PM
> To: [email protected]
> Subject: Re: [Djigzo users] Problem with encryption and signing, and incoming
> mail is not decrypted
>
>> Quoting Erki Naumanis <[email protected]>:
>>
>>> Hi.
>>> We have installed the Djigzo gateway and everything works great if we
>>> do not try to encrypt and sign outgoing messages.
>>> It seems that Djigzo is signing and then encrypting the messages. Is
>>> that how it should be? And is there a way to do it vice versa?
>>
>> Not sure about this one but it looks like standard behaviour as
>> encrypted messages should protect *all* mail content which includes the
>> signing parts...
>
> It depends on how the gateway was set up whether it encrypts by default.
> If encrypt mode is set to "Allow", it encrypts if possible. So if there
> is a valid certificate for the recipient and encrypt mode is allow, the
> email will be encrypted. If you want to encrypt only when the subject
> contains some keyword, you should set encrypt mode to "No encryption"
> and use the subject trigger to trigger encryption.
>
>> And is there a way to do it vice versa?
>
> What do you mean with that? You want to encrypt and then sign?
>
>>> On the other hand, all signed and encrypted incoming mail is not
>>> decrypted.
>>> We have double checked the participants' certificates and they are OK.
>>
>> This looks like you either have not correctly assigned the
>> internal/external properties or you don't have the required private key
>> (not certificate) to decrypt the incoming mail.
>>
>> Try the following:
>> - Send from an internal user a message signed by Djigzo to some external
>>   account
>> - Reply from the external account and choose "encrypt the mail"
>
> I think Andreas is right. You probably forgot to add a domain for which
> you receive email (for example just.ee) and set the domain to be an
> internal domain. Only email sent to internal users is decrypted.
>
> Kind regards,
>
> Martijn
> _______________________________________________
> Users mailing list
> [email protected]
> http://lists.djigzo.com/lists/listinfo/users
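A stdlib-only check for problem b) in the thread, added here as an illustration and not Djigzo's own code: it reads only the outer S/MIME layer of a message to tell sign-then-encrypt output (outer layer enveloped-data) from encrypt-then-sign (multipart/signed wrapping an enveloped-data part). The two sample messages are constructed placeholders, not real CMS data.

```python
import email
from email.message import Message


def layer_of(part: Message) -> str:
    """Classify one MIME entity: 'enveloped', 'clear-signed', 'opaque-signed' or 'plain'."""
    ctype = part.get_content_type()
    if ctype == "multipart/signed":
        return "clear-signed"
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        smime_type = (part.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            return "enveloped"
        if smime_type == "signed-data":
            return "opaque-signed"
    return "plain"


def classify(raw: bytes) -> str:
    """Sign/encrypt order that can be read from the outer S/MIME layer alone."""
    msg = email.message_from_bytes(raw)
    outer = layer_of(msg)
    if outer == "enveloped":
        # Any signature sits inside the ciphertext: sign-then-encrypt or encrypt-only.
        return "sign-then-encrypt"
    if outer == "clear-signed":
        parts = msg.get_payload()  # first part of multipart/signed is the signed content
        inner = layer_of(parts[0]) if isinstance(parts, list) and parts else "plain"
        return "encrypt-then-sign" if inner == "enveloped" else "signed-only"
    return outer  # 'opaque-signed' needs CMS verification to look inside; 'plain' is not S/MIME


# Constructed samples; the base64 bodies are placeholders, not real CMS data.
SIGN_THEN_ENCRYPT = b"""Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

AAAA
"""
ENCRYPT_THEN_SIGN = b"""Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

AAAA
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"

AAAA
--b1--
"""
```

Running `classify` over a message captured from the gateway's outbound queue shows which order it actually produced; an opaque-signed outer layer cannot be classified further without verifying the CMS signature.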
