I cannot get the PDF encryption to work.
I set the settings according to the manual but the message is encrypted.
Here are my settings:
---- Statutory disclosures
Krämer IT Solutions GmbH
Register court: Amtsgericht Saarbrücken, HRB 14379
Managing director: Michael Krämer
maybe you can help me with the following issues:
On incoming signed E-Mails, Djigzo puts the CN of the sender's
intermediate CA next to the "X-Djigzo-Info-Signer-ID-0-1"-header.
Shouldn't it be the CN of the sender's user certificate which is displayed?
Same thing happens with the "X-Djigzo-Info-Encryption-Recipient-0-0"-Header in incoming encrypted
Is there a way to use the value of the FROM-header instead of the
default CN ("persona non-validated" by default) for automatically
As long as outgoing emails have their source in my trusted environment,
this would make things easier without representing a security issue.
Is it possible to use end-to-end encryption for specific users, so that
a specific user has its own private key stored on his client and Djigzo
only passes through the encrypted email?
I tried to do so. But as I don't have any CA except Djigzo's built-in
CA, I created the internal user and its certificate with the built-in
CA, exported the key to the client, deleted the user, but Djigzo still
decrypts incoming E-Mail for this user as before. Is this a bug or working
On 02/01/2011 11:53 AM, Manuel Faux wrote:
>> "was never intended to" depends on how you look at it :). From my point
>> of view it was intended that way because I implemented it that way.
>> Djigzo is an email encryption gateway that encrypts and decrypts email
>> at the gateway level. If you don't want email to be decrypted at the
>> gateway level then don't put the private key on the gateway. If the
>> private key is not available, the message cannot be decrypted.
> What do you think is the benefit of this feature? Is there any "normal" situation in which you forward an encrypted email without re-encrypting it?
Quite a lot of companies use it for domain-to-domain encryption. Setting
up domain-to-domain encryption is really easy because the email is
decrypted with any key it can find.
>> Then you should either not use a gateway encryption product or encrypt
>> email for specific users with certificates that are not stored on the
>> gateway (i.e., use real desktop-to-desktop encryption). A gateway
>> encryption solution assumes that you can trust your internal infrastructure.
> I think a gateway solution should not weaken the security of a desktop-to-desktop scenario in situations where it is not necessary. I use a gateway scenario because I want to benefit from the advantages like a centralized archive, an enforceable security policy and the transparency in front of my users. On the one hand I share your opinion that in general you should assume to trust your internal infrastructure, but on the other hand there may be employees with different responsibilities who may not share the same trust level.
I understand your objections. Part of the reason it was implemented
this way is that it's much easier from a management perspective. The
gateway tries to decrypt if possible. If this is not the required
behavior it's best to use a desktop encryption product. I can however
see how I can add an option to turn on "extra secure" mode. This however
requires that when a message is received and the message has multiple
recipients, the message is decrypted multiple times, once for each
recipient, and if it cannot be decrypted for a recipient because there
is no key for the recipient, the message is delivered encrypted. It
also has to be clear which certificate belongs to the user. Certificates
are ok for a recipient if the email address in the certificate
matches? This implies that domain encryption no longer works.
What behavior would you like the gateway to have in "extra secure" mode?
> I have noticed that other products refuse to decrypt messages in such a scenario. I just wanted to make sure you are aware of this feature and wanted to hear your opinion about it.
I really appreciate your help and input. Have you also tried to see how
they handle the case where you add an extra recipient? So, you have an
encrypted message for user test(a)example.com, and now you also add
test2(a)example.com as an extra recipient (to the message envelope and header).
Is the message then decrypted for user test(a)example.com while for user
test2(a)example.com it's still encrypted?
Djigzo open source email encryption
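To make the two policies debated in this thread concrete, here is an added Python simulation (not Djigzo's code, and not how its keystore or CMS handling is actually implemented). It contrasts the current gateway behaviour ("decrypt with any key it can find", which is what makes domain-to-domain encryption work) with the proposed per-recipient "extra secure" mode, where a key is only used for a recipient whose address matches the certificate's email address. The key ids, addresses and the domain certificate are all constructed for the example; the added-recipient case is the one the reply asks about.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class EncryptedMessage:
    """Constructed stand-in for an incoming S/MIME message."""
    envelope_recipients: List[str]  # addresses from the SMTP envelope / headers
    encrypted_to: List[str]         # ids of the certificates the CMS envelope targets


# Constructed gateway keystore: key id -> email address bound to that certificate.
# "key-domain" models a domain certificate used for domain-to-domain encryption;
# its address is the gateway's, not any individual user's.
GATEWAY_KEYS: Dict[str, str] = {
    "key-test": "test@example.com",
    "key-domain": "gateway@example.com",
}

# Scenario from the thread: encrypted for test@example.com only, but an extra
# recipient test2@example.com was added to envelope and headers.
EXTRA_RECIPIENT_MSG = EncryptedMessage(
    envelope_recipients=["test@example.com", "test2@example.com"],
    encrypted_to=["key-test"],
)

# Domain-to-domain scenario: the sending gateway encrypted to our domain key,
# and the actual recipient is an individual user.
DOMAIN_MSG = EncryptedMessage(
    envelope_recipients=["alice@example.com"],
    encrypted_to=["key-domain"],
)


def decrypt_with_any_key(msg: EncryptedMessage, keys: Dict[str, str]) -> Dict[str, str]:
    """Current gateway policy: if any usable private key exists, the message is
    decrypted once and every envelope recipient receives plaintext."""
    decryptable = any(key_id in keys for key_id in msg.encrypted_to)
    state = "decrypted" if decryptable else "encrypted"
    return {rcpt: state for rcpt in msg.envelope_recipients}


def decrypt_per_recipient(msg: EncryptedMessage, keys: Dict[str, str]) -> Dict[str, str]:
    """Proposed 'extra secure' policy: decrypt separately for each recipient, and
    only with a key whose certificate email matches that recipient. Recipients
    without a matching key get the message delivered still encrypted."""
    result: Dict[str, str] = {}
    for rcpt in msg.envelope_recipients:
        usable = [
            key_id for key_id in msg.encrypted_to
            if key_id in keys and keys[key_id].lower() == rcpt.lower()
        ]
        result[rcpt] = "decrypted" if usable else "encrypted"
    return result


def compare_policies(msg: EncryptedMessage, keys: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Run both policies over one message so the difference is visible side by side."""
    return {
        "any_key": decrypt_with_any_key(msg, keys),
        "extra_secure": decrypt_per_recipient(msg, keys),
    }


if __name__ == "__main__":
    for name, msg in (("extra recipient", EXTRA_RECIPIENT_MSG), ("domain-to-domain", DOMAIN_MSG)):
        print(f"--- {name} ---")
        for policy, outcome in compare_policies(msg, GATEWAY_KEYS).items():
            print(f"{policy:13s}: {outcome}")
```

Running it shows the trade-off the reply describes: in the added-recipient case the strict policy decrypts for test@example.com and leaves test2@example.com encrypted, whereas the current policy hands both recipients plaintext; in the domain-to-domain case the strict policy finds no certificate matching alice@example.com and leaves the message encrypted, which is exactly why "extra secure" mode and domain encryption cannot coexist without an additional rule.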