> On 13 August 2014 at 08:48, Martijn Brinkers <[email protected]> wrote:
>
>> On 08/12/2014 10:29 PM, Stephane wrote:
>> Hello,
>>
>> I have been running my first deployment of ciphermail/djigzo for a
>> few days, and I like it a lot.
>>
>> I managed to configure pretty much everything how I wanted, but there
>> is one thing which I could not find: is it possible to instruct the
>> MPA not to decrypt incoming emails even if it has the correct private
>> key to do it?
>>
>> My use case is the following: I would like to use ciphermail to
>> enforce outbound encryption and signature. On the other hand for
>> inbound messages there is no enforcement of receiving only encrypted
>> emails. However if received emails are encrypted I would like this to
>> be more visible to users than just via the headers (as would be the
>> case if decryption is done at MPA), and also ensure a maximum
>> security in keeping the secrecy as close to the reader client as
>> possible. I do not need virus/spam checking for encrypted messages at
>> the gateway level.
>
> The gateway has been configured to always decrypt if there is a private
> key available. In your case there are a couple of options. One option
> would be to not relay email for your incoming domains through the
> ciphermail gateway. Whether or not this works depends on your email
> setup. Another option would be to change the mail flow. The complete
> mail handling is described in the file config.xml. You can disable or
> side-step the decryption part.

The decrypt setting in config.xml did the trick. This is the best option in my case as I need to continue receiving public keys and have ciphermail catch them.

>
>> One other reason for the request is that I suspect a bug, or at least
>> an incompatibility with signed+encrypted messages that get
>> incorrectly transformed into a message with a single attachment
>> called smime.p7m which the webmail cannot identify. This occurs every
>> time I receive a signed+encrypted email generated at the external
>> sender from Outlook through ciphermail and have ciphermail decrypt the
>> message (my server is set to not remove signature from messages -
>> again I want users to have a maximum visibility of what happens to
>> their communications). This was raised previously to this list (July
>> 21st) but I could not see a final answer.
>
> This is not a bug but caused by the signing format of the sender. S/MIME
> signatures come in two flavours: opaque signed and clear text signed.
> With an opaque signature the message is encoded in a way that only an
> S/MIME capable reader can show the message. An opaque message has an
> smime.p7m attachment. The smime.p7m attachment is not encrypted and can
> be opened with an S/MIME capable reader without requiring the private
> key. With S/MIME clear signing the message is a normal message with an
> smime.p7s attachment and can be viewed by a normal email client. Outlook
> for example uses opaque signing when the message is signed and
> encrypted. Therefore after encryption, the message will be an opaque
> signed message with the smime.p7m attachment. Since you talk about
> webmail I guess your webmail client does not know how to decode the
> signed smime.p7m attachment. The workaround is to enable "remove
> signature" option since this will convert the signed smime.p7m into a
> normal message.

This is very clear. Thank you!

>
> Kind regards,
>
> Martijn Brinkers
>
_______________________________________________
Users mailing list
[email protected]
https://lists.djigzo.com/lists/listinfo/users
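
The opaque-signed and clear-signed formats described in the reply above can be told apart from a message's top-level MIME headers, which is a quick way to predict whether a client without S/MIME support will show the body. This is an added example, not part of the original thread or of CipherMail's code; the sample messages are constructed, the function names are hypothetical, and classification relies only on the declared headers, not on the CMS content.

```python
from email import message_from_string

# Constructed sample messages (not from the thread); "AAAA" stands in for CMS data.
SAMPLES = {
    "clear": (
        'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\n'
        ' micalg=sha-256; boundary="b1"\n\n'
        '--b1\nContent-Type: text/plain\n\nHello\n'
        '--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n\nAAAA\n'
        '--b1--\n'
    ),
    "opaque": (
        'Content-Type: application/pkcs7-mime; smime-type=signed-data;\n'
        ' name="smime.p7m"\nContent-Transfer-Encoding: base64\n\nAAAA\n'
    ),
    "encrypted": (
        'Content-Type: application/pkcs7-mime; smime-type=enveloped-data;\n'
        ' name="smime.p7m"\nContent-Transfer-Encoding: base64\n\nAAAA\n'
    ),
    "plain": 'Content-Type: text/plain\n\nHello\n',
}

PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
PKCS7_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def classify_smime(raw):
    """Classify the outermost S/MIME layer from the declared MIME headers only."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        # Clear signing: readable body part plus a detached smime.p7s signature.
        protocol = str(msg.get_param("protocol", "")).lower()
        return "clear-signed" if protocol in PKCS7_SIG else "multipart-signed-other"
    if ctype in PKCS7_MIME:
        # smime.p7m: the smime-type parameter says whether it is signed or encrypted.
        smime_type = str(msg.get_param("smime-type", "")).lower()
        return {"signed-data": "opaque-signed",
                "enveloped-data": "encrypted"}.get(smime_type, "pkcs7-undeclared")
    return "plain"


def readable_without_smime(kind):
    """True when a client with no S/MIME support can still display the body."""
    return kind in {"plain", "clear-signed", "multipart-signed-other"}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        kind = classify_smime(raw)
        print(f"{name:10} {kind:16} readable: {readable_without_smime(kind)}")
```

Some senders omit the `smime-type` parameter, in which case the function returns `pkcs7-undeclared` and the CMS structure itself would have to be inspected to tell a signed `smime.p7m` from an encrypted one.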
