Hi ChriS,

The problem is not LDAP-specific. It also affects non-LDAP installations with 
mixed case in email addresses.

I attached two patches: one for comparing the email addresses case-insensitively 
and one for displaying the SAN email addresses in Preferences > Mail > IMAP 
Accounts > Edit > Security.

Best regards from Göggingen ;)
Frank

On Thursday, 24 February 2022 11:57 CET, "Christian Setzer (HaW 
Augsburg)" ([email protected]) <[email protected]> wrote:

> Hi Frank,
>
> thanks for your feedback and check.
>
> I was doing some research here and came to the following observation /
> conclusion:
>
> By default, my account was getting the email address with uppercase
> letters e.g. Name.Surname@... When I changed it all to lowercase
> directly in the LDAP, I was able to send it.
>
> So it seems to be an upper lower case related issue when comparing the
> account email address with the email address in the certificate.
>
> Am I right in presuming that your email address was/is all in lowercase
> (by default)?
>
>
> Greetings,
>
> ChriS.
>
>
> P.S.
>
> > I can confirm that email addresses in the SAN are not visible in 
> > Preferences > Mail > IMAP Accounts > Edit > Security.
> > With the fix for issue #5440 SAN email addresses became visible only when 
> > viewing signed messages.
> Would this be "interesting enough" to add it to a wishlist? If so, is
> there a list apart from the bts bugtracker or would that be the place to
> "make a wish", so to say?
>
>
>
>
> On 23.02.22 14:36, "Frank Schmirler" ([email protected]) wrote:
> > Hi Christian,
> >
> > I'm also running 5.5.1 and have no problems sending signed messages, 
> > provided the sender address is really part of the certificate. Please 
> > double check that. I tried with both, a certificate with the email address 
> > in SAN only (like yours) and a certificate with the email address in DN and 
> > SAN.
> >
> > I can confirm that email addresses in the SAN are not visible in 
> > Preferences > Mail > IMAP Accounts > Edit > Security.
> > With the fix for issue #5440 SAN email addresses became visible only when 
> > viewing signed messages.
> >
> > Best regards,
> > Frank
> >
> > On Wednesday, 23 February 2022 10:57 CET, "Christian Setzer | 
> > Hochschule Augsburg" ([email protected]) <[email protected]> wrote:
> >
> >> sorry ...
> >>
> >> hereby with the attachments ...
> >>
> >> :P
> >>
> >> ChriS.
> >>
> >>
> >> -------- Forwarded Message --------
> >> Subject:   sogo webclient - send signed email error - sender address not
> >> in certificate
> >> Date:      Wed, 23 Feb 2022 10:41:12 +0100
> >> From:      Christian Setzer | Hochschule Augsburg
> >> <[email protected]>
> >> Organization:      Hochschule für angewandte Wissenschaften Augsburg
> >> To:        [email protected]
> >>
> >>
> >>
> >> Hello all together!
> >>
> >> As I am not sure if it is or was a reported bug already, I will try this
> >> channel first, although I couldn't find anything on the same topic.
> >>
> >> It seems to me that it could be related to the issues #5407 and #5440 in
> >> the SOGo BTS and the "fix(mail): check if smime certificate matches
> >> sender address".
> >>
> >>
> >> Currently, we cannot send signed messages using the sogo web client.
> >> (actually using version 5.5.1)
> >>
> >> Before sending, there appears to be a check of the valid certificate and
> >> it runs into an error:
> >>
> >> "The message can't be signed because the sender address is not included
> >> in the certificate associated to the mail account."
> >>
> >> See attachment: "SogoWebErrorMessageSignedSenderAddressNotInCert.jpg"
> >>
> >>
> >> If I recall it correctly, we had no issues sending signed email until
> >> version 5.2, before the change in version 5.3 where the check was added.
> >>
> >> Then, we had the issue with the warning when receiving signed messages
> >> as shown in bug #5440, which disappeared with the upgrade on 5.4.
> >>
> >> "Message is signed but the certificate (name surname) doesn't match the
> >> sender email address"
> >>
> >> Finally, we upgraded to 5.5.1 and hoped the sending signed error would
> >> disappear, but it didn't.
> >>
> >>
> >> When I go to Preferences > Mail > IMAP Accounts > Edit > Security and
> >> open the view of the certificate, I can only see the parts Subject Name
> >> and Issuer.
> >>
> >> But the SAN / E-Mail-Address is not shown / visible.
> >>
> >> See attachment: "SogoWebSecurityViewCertDetails.jpg"
> >>
> >>
> >> My questions would be:
> >>
> >> Could anyone observe the same issue?
> >>
> >> What could be the origin, if it is likely to be a more personal issue?
> >>
> >> If others can observe it too, should I place it in the SOGo BTS?
> >>
> >>
> >> Thanks and greetings,
> >>
> >> ChriS.
> >>
> >> --
> >> Christian Setzer
> >> Rechenzentrum (Computer Center & IT Services)
> >> HOCHSCHULE für angewandte Wissenschaften AUGSBURG (University of Applied 
> >> Sciences)
> >> --
-- 
[email protected]
https://inverse.ca/sogo/lists
diff -ur SOGo-5.5.1.orig/SoObjects/Mailer/NSData+SMIME.m SOGo-5.5.1/SoObjects/Mailer/NSData+SMIME.m
--- SOGo-5.5.1.orig/SoObjects/Mailer/NSData+SMIME.m	2022-02-04 19:06:58.000000000 +0100
+++ SOGo-5.5.1/SoObjects/Mailer/NSData+SMIME.m	2022-02-24 14:20:54.037839820 +0100
@@ -35,6 +35,8 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/cms.h>
+#include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/pkcs12.h>
 #include <openssl/pem.h>
 #endif
@@ -675,9 +677,17 @@
   if (x)
     {
       NSString *subject, *issuer;
+      NSMutableArray *emails = [NSMutableArray array];
+      int j;
+      STACK_OF(OPENSSL_STRING) *emlst;
       char p[1024];
       BIO *buf;
 
+      emlst = X509_get1_email(x);
+      for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++)
+          [emails addObject: [[NSString stringWithUTF8String: sk_OPENSSL_STRING_value(emlst, j)] lowercaseString]];
+      X509_email_free(emlst);
+
       memset(p, 0, 1024);
       buf = BIO_new(BIO_s_mem());
       X509_NAME_print_ex(buf, X509_get_subject_name(x), 0,
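Review bot: on the added `[emails addObject: ...]` line, `stringWithUTF8String:` returns nil when the bytes taken from the certificate are not valid UTF-8, and `addObject:` raises on nil, so a certificate with a malformed email entry would throw here instead of having that entry skipped. Build the string first, check it for nil, and only then add it. Separately, lowercasing at extraction means the Preferences view fed by this dictionary shows the lowercased form rather than the address as written in the certificate; keeping the original string here and folding case where the comparison happens would avoid that.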
@@ -697,6 +707,7 @@
       data = [NSDictionary dictionaryWithObjectsAndKeys:
                              [subject componentsFromMultilineDN], @"subject",
                            [issuer componentsFromMultilineDN], @"issuer",
+                           emails, @"emails",
                            nil];
     }
   else
diff -ur SOGo-5.5.1.orig/UI/Templates/PreferencesUI/UIxAccountEditor.wox SOGo-5.5.1/UI/Templates/PreferencesUI/UIxAccountEditor.wox
--- SOGo-5.5.1.orig/UI/Templates/PreferencesUI/UIxAccountEditor.wox	2022-02-04 19:06:58.000000000 +0100
+++ SOGo-5.5.1/UI/Templates/PreferencesUI/UIxAccountEditor.wox	2022-02-24 14:01:10.396536157 +0100
@@ -260,6 +260,13 @@
                   <div class="md-margin" md-whiteframe="3">
                     <div class="md-padding" layout="row" layout-wrap="layout-wrap">
                       <div flex="50" flex-xs="100">
+                        <div class="sg-padded--bottom" ng-if="$AccountDialogController.certificate.emails">
+                          <div class="md-subhead md-default-theme md-fg md-primary"
+                               ng-bind="::'Email Addresses' | loc"><!-- Email Addresses --></div>
+                          <div class="pseudo-input-field md-body-1"
+                               ng-repeat="email in $AccountDialogController.certificate.emails"
+                               ng-bind="email"><!-- email address --></div>
+                        </div>
                         <div class="md-subhead md-default-theme md-fg md-primary"
                              ng-bind="::'Subject Name' | loc"><!-- Subject Name --></div>
                         <div ng-repeat="field in $AccountDialogController.certificate.subject">
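Review bot: the `ng-if="$AccountDialogController.certificate.emails"` guard is true for an empty array, and the Objective-C side of this patch adds an `emails` array whenever a certificate is parsed, so a certificate without any email address would still render the "Email Addresses" heading with nothing under it. Testing `certificate.emails.length` avoids that. The new `'Email Addresses' | loc` label also needs a matching entry in the localization files, which this patch does not include.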
--- SOGo-5.5.1.orig/SoObjects/Mailer/SOGoDraftObject.m	2022-02-04 19:06:58.000000000 +0100
+++ SOGo-5.5.1/SoObjects/Mailer/SOGoDraftObject.m	2022-02-24 13:48:21.260424501 +0100
@@ -2039,7 +2039,7 @@
 
       parser = [NGMailAddressParser mailAddressParserWithString: [self sender]];
       parsedSender = [parser parse];
-      emailAddress = [parsedSender address];
+      emailAddress = [[parsedSender address] lowercaseString];
 
       if (![emails containsObject: emailAddress])
         {
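Review bot: lowercasing only `emailAddress` before `[emails containsObject: emailAddress]` makes the check case-insensitive only if every entry in `emails` has been lowercased as well, and nothing in this hunk shows or enforces that. Either lowercase the entries where `emails` is built in this method, or replace `containsObject:` with a loop using `caseInsensitiveCompare:`, so the match does not depend on how another file prepares the list. If `emailAddress` is used further down in the method, it will now carry the lowercased form there too.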
