On 08/12/2014 10:29 PM, Stephane wrote:
> Hello,
>
> I have been running my first deployment of ciphermail/djigzo for a
> few days, and I like it a lot.
>
> I managed to configure pretty much everything how I wanted, but there
> is one thing which I could not find: is it possible to instruct the
> MPA not to decrypt incoming emails even if it has the correct private
> key to do it?
>
> My use case is the following: I would like to use ciphermail to
> enforce outbound encryption and signature. On the other hand for
> inbound messages there is no enforcement of receiving only encrypted
> emails. However if received emails are encrypted I would like this to
> be more visible to users than just via the headers (as would be the
> case if decryption is done at MPA), and also ensure a maximum
> security in keeping the secrecy as close to the reader client as
> possible. I do not need virus/spam checking for encrypted messages at
> the gateway level.

The gateway has been configured to always decrypt if there is a private key available. In your case there are a couple of options. One option would be to not relay email for your incoming domains through the ciphermail gateway. Whether or not this works depends on your email setup. Another option would be to change the mail flow. The complete mail handling is described in the file config.xml. You can disable or side-step the decryption part.

> One other reason for the request is that I suspect a bug, or at least
> an incompatibility with signed+encrypted messages that get
> incorrectly transformed into a message with a single attachment
> called smime.p7m which the webmail cannot identify. This occurs every
> time I receive a signed+encrypted email generated at the external
> sender from outlook through ciphermail and have ciphermail decrypt the
> message (my server is set to not remove signature from messages -
> again I want users to have a maximum visibility of what happens to
> their communications). This was raised previously to this list (July
> 21st) but I could not see a final answer.

This is not a bug but caused by the signing format of the sender. S/MIME signatures come in two flavours: opaque signed and clear text signed. With an opaque signature the message is encoded in a way that only an S/MIME capable reader can show the message. An opaque message has an smime.p7m attachment. The smime.p7m attachment is not encrypted and can be opened with an S/MIME capable reader without requiring the private key. With S/MIME clear signing the message is a normal message with an smime.p7s attachment and can be viewed by a normal email client. Outlook for example uses opaque signing when the message is signed and encrypted. Therefore after encryption, the message will be an opaque signed message with the smime.p7m attachment. Since you talk about webmail I guess your webmail client does not know how to decode the signed smime.p7m attachment.

The workaround is to enable the "remove signature" option since this will convert the signed smime.p7m into a normal message.

Kind regards,

Martijn Brinkers

PS: you sent the message with a different email address than the email address you are registered with on the mailing list.

--
CipherMail email encryption

Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.

http://www.ciphermail.com
Twitter: http://twitter.com/CipherMail

_______________________________________________
Users mailing list
[email protected]
https://lists.djigzo.com/lists/listinfo/users
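An added example, not code from this thread or from CipherMail, that tells the three message shapes discussed above apart with Python's standard email parser: opaque signed (application/pkcs7-mime, smime.p7m), clear signed (multipart/signed, smime.p7s) and enveloped, i.e. still encrypted. The sample messages are constructed here and carry placeholder base64 instead of real CMS data, since only the MIME structure matters for this check.

```python
import email
from email import policy

PLACEHOLDER = "UExBQ0VIT0xERVI="  # constructed placeholder body, not real CMS data

def _sample(content_type: str, body: str) -> bytes:
    # Minimal constructed message: only MIME-Version and Content-Type matter here.
    return f"MIME-Version: 1.0\nContent-Type: {content_type}\n\n{body}".encode()

# The three constructed shapes that the thread discusses.
OPAQUE_SIGNED = _sample(
    'application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"', PLACEHOLDER)
ENVELOPED = _sample(
    'application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"', PLACEHOLDER)
CLEAR_SIGNED = _sample(
    'multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="b1"',
    "--b1\nContent-Type: text/plain\n\nReadable by any mail client.\n"
    '--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n\n'
    + PLACEHOLDER + "\n--b1--\n")

def classify_smime(raw: bytes) -> dict:
    """Classify the outermost S/MIME layer of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ctype = msg.get_content_type()
    smime_type = (msg.get_param("smime-type") or "").lower()
    protocol = (msg.get_param("protocol") or "").lower()
    attachment = msg.get_filename()  # filename= or name= of the outer entity
    if ctype == "application/pkcs7-mime" and smime_type == "enveloped-data":
        kind, readable = "encrypted", False       # needs the recipient's private key
    elif ctype == "application/pkcs7-mime" and smime_type == "signed-data":
        kind, readable = "opaque-signed", False   # smime.p7m: needs an S/MIME-capable reader
    elif ctype == "multipart/signed" and protocol.endswith("pkcs7-signature"):
        kind, readable = "clear-signed", True     # the text part is ordinary MIME
        for part in msg.iter_parts():             # report the smime.p7s part instead
            if part.get_content_type().endswith("pkcs7-signature"):
                attachment = part.get_filename()
    else:
        kind, readable = "plain", True
    return {"kind": kind, "readable_without_smime": readable, "attachment": attachment}

if __name__ == "__main__":
    for name, raw in [("opaque", OPAQUE_SIGNED), ("clear", CLEAR_SIGNED), ("enveloped", ENVELOPED)]:
        print(name, classify_smime(raw))
```

A gateway that decrypts but keeps the signature turns the Outlook case into the "opaque-signed" shape, which is exactly what a client without S/MIME support shows as a lone smime.p7m attachment.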
