On 03/09/2015 05:20 AM, Sebastian Nielsen wrote:
> Does djigzo/ciphermail clear any X-Djigzo-Info-* headers it finds in
> any mails before doing anything?
>
> If an impostor puts headers in the mail:
> X-Djigzo-Info-Signer-Verified-0-0: true
> X-Djigzo-Info-Signer-Trusted-0-0: true
>
> before sending, and ciphermail does not clear these, a MUA can be
> tricked into displaying to an end user that the mail was securely
> signed, when it was not.
>
> Yes, I know that Ciphermail will always add these headers when a PGP
> or SMIME mail arrives, so if an impostor both falsely S/MIME signs a
> message (for example with an untrusted cert) *and* tries to add false
> headers, the resulting mail will get double X-Djigzo-Info-* headers
> that the MUA can raise an alert on since one of the headers is
> obviously fake.
>
> But if an impostor adds these headers to an unsigned mail, where
> Djigzo does not add any headers, the user can think the mail is
> signed, if Djigzo does not clear these headers before processing the
> email.
Hi Sebastian,
These headers are cleared for email sent to internal users with the
following rule (see config.xml):

    <!-- remove all X-Djigzo-* headers for incoming email -->
    <mailet match="All" class="RemoveHeaders">
        <pattern>(?i)^X-Djigzo.*</pattern>
    </mailet>
Kind regards,
Martijn Brinkers
--
CipherMail email encryption
Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.
http://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
_______________________________________________
Users mailing list
[email protected]
https://lists.djigzo.com/lists/listinfo/users
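The defence Martijn describes, as an added example that is not part of the thread and not CipherMail's own code: on ingress, every header matching the same case-insensitive pattern `(?i)^X-Djigzo.*` is deleted before any verification result is recorded, so a header injected by the sender cannot survive into what the MUA sees. The sample message, the addresses in it and the `signature_verified` flag (which stands in for a real S/MIME or PGP verification step and is not implemented here) are all constructed for this illustration.

```python
import re
from email import message_from_string
from email.policy import default

# Same pattern the RemoveHeaders mailet applies on incoming email.
GATEWAY_HEADER_RE = re.compile(r"(?i)^X-Djigzo.*")

# Constructed sample: an UNSIGNED message in which the sender has injected
# the headers the gateway would normally add only after verifying a signature.
# One is lower-cased and one is duplicated to exercise the matching rules.
SPOOFED_UNSIGNED = """\
From: sender@example.net
To: alice@example.com
Subject: Quarterly report
X-Djigzo-Info-Signer-Verified-0-0: true
x-djigzo-info-signer-trusted-0-0: true
X-Djigzo-Info-Signer-Verified-0-0: true
Content-Type: text/plain; charset=us-ascii

Please see the attached figures.
"""


def strip_gateway_headers(msg, pattern=GATEWAY_HEADER_RE):
    """Delete every header whose name matches pattern (all occurrences).

    Returns the removed (name, value) pairs so the event can be logged;
    a non-empty result on an unsigned inbound mail is itself worth alerting on.
    """
    removed = []
    seen = set()
    for name in msg.keys():          # keys() is a fresh list, so deleting is safe
        key = name.lower()
        if key in seen or not pattern.match(name):
            continue
        seen.add(key)
        removed.extend((name, str(value)) for value in msg.get_all(name, []))
        del msg[name]                # deletes all occurrences, case-insensitively
    return removed


def process_incoming(raw, signature_verified=False):
    """Ingress pipeline in the order that matters:
    1. strip any pre-existing gateway headers supplied by the sender,
    2. only then annotate from the gateway's own verification result.

    signature_verified is an assumed input standing in for the real check.
    Returns (message, removed_headers).
    """
    msg = message_from_string(raw, policy=default)
    removed = strip_gateway_headers(msg)
    if signature_verified:
        msg["X-Djigzo-Info-Signer-Verified-0-0"] = "true"
    return msg, removed


def claims_verified(msg):
    """What a MUA keying off this header would conclude."""
    values = msg.get_all("X-Djigzo-Info-Signer-Verified-0-0", [])
    return any(str(v).strip().lower() == "true" for v in values)


if __name__ == "__main__":
    msg, removed = process_incoming(SPOOFED_UNSIGNED)
    print("stripped on ingress:", removed)
    print("MUA would show as verified:", claims_verified(msg))
```

The order of the two steps is the whole point: stripping after annotation would also erase the gateway's genuine result, and annotating before stripping would leave the injected copies in place. Deleting by name rather than by exact value also covers the case-variant and duplicated headers from Sebastian's scenario.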