Hi Martijn,
Thanks for the quick response. Now I get to read the smime-setup-guide.pdf
found on the website of Djigzo; if I am in doubt about how to configure
it, I'll be bothering you again.
--
Kindest Regards
Claudio.
Hi,
A new release candidate is available containing a couple of changes
compared to the previous release candidate dated 27-07-2011.
The difference between this release candidate (2.1.1-1) and the previous
release candidate (2.1.1-0):
* The raw log file was not correctly filtered when a filter was set
* Djigzo has the capability of adding certain headers to the signed
and/or encrypted inner MIME part. This can be used to protect
certain headers (for example the subject). However there are some
S/MIME gateways that cannot handle S/MIME messages with headers
within inner MIME parts (for example Antigen). Because
interoperability is important, the subject header protection
has been disabled by default (GATEWAY-31).
* A new S/MIME advanced setting "Add user" is added which can be
used to specify whether a user should be added when a
certificate is available for a recipient.
http://www.djigzo.com/beta.html
Full release notes:
New
* Advanced S/MIME setting "Always use freshest signing certificate"
added. If checked, every time the sender needs to sign a message,
the most recent (i.e., the latest "not before" date) signing
certificate will be used (GATEWAY-14).
* Advanced PDF setting "Only encrypt if mandatory" added (GATEWAY-22).
If checked, PDF encryption will only be activated if encryption is
mandatory.
* DLP setting "Quarantine on failed encryption" added. If checked and
encryption is mandatory and a message cannot be encrypted, the
message will be quarantined and not "bounced". Note: this required
minor changes to the "DLP quarantine" template.
* Quarantined emails can now be "released as-is". When a quarantined
email is released as-is, no further processing of the email is done
and the email is immediately delivered.
* The admin can now specify how many rows the grid should show per
page (users, certificates, MTA queue) (GATEWAY-23)
* The admin can now filter for specific email in the MTA queue.
* The MTA logs are now by default shown in "raw" format (i.e., in
exact same order as the log file). To view the MTA logs grouped on
queue ID (the old behavior), the admin should select "Grouped".
* If a certificate chain is valid, the issuer of the certificate in
the certificate view can be clicked to open the issuer certificate
view.
Improvements
* The BlackBerry and mobile settings are moved to a specialized mobile
settings page. New role ROLE_MOBILE_MANAGER added.
* Some settings are moved to advanced settings.
* New charsets can be added to the PDF encryption module (should be
enabled from the command line) to support charsets not supported
"out of the box" by Acrobat reader. For example certain Turkish
characters are not supported "out of the box" by Acrobat reader
(GATEWAY-20)
* If a certificate was available for a recipient, a user object was
always created for that recipient. The user is no longer added by
default. A new S/MIME advanced setting "Add user" is added which
can be used to specify whether a user should be added when a
certificate is available for a recipient.
* Djigzo has the capability of adding certain headers to the signed
and/or encrypted inner MIME part. This can be used to protect
certain headers (for example the subject). However there are some
S/MIME gateways that cannot handle S/MIME messages with headers
within inner MIME parts (for example Antigen). Because
interoperability is important, the subject header protection
has been disabled by default (GATEWAY-31).
Bug fix
* With S/MIME "strict mode" enabled, S/MIME messages were only handled
by the S/MIME handler if the recipient had a valid certificate with
private key. If a digitally signed message was received for a
recipient not having a private key, the certificates were not
extracted from the message and the signature was not removed when
"Remove signature" was enabled for that recipient. The message is
now always handled by the S/MIME handler. (GATEWAY-27)
* Under certain special conditions, the base64 encoder of Javamail
sometimes created lines with more than 76 characters (only a few
characters extra). OpenSSL (which is used by some S/MIME gateways)
cannot handle base64 encoded parts containing lines longer than 76
characters. Javamail has been updated (GATEWAY-29)
If no "show stoppers" are found within the next two weeks, it will be
released as the new stable version.
Kind regards,
Martijn Brinkers
--
Djigzo open source email encryption
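
The GATEWAY-29 item above concerns base64 body lines longer than 76 characters. The following check is an added example (not Djigzo code and not from the original message) that scans a raw message for such lines; the function names and the sample message are constructed for illustration.

```python
import base64
import email
from email import policy

MAX_B64_LINE = 76  # RFC 2045 limit on the length of a base64-encoded line


def long_base64_lines(raw_message: bytes):
    """Return (content_type, line_no_in_part, length) for every base64 body
    line longer than 76 characters, without decoding or altering the body."""
    msg = email.message_from_bytes(raw_message, policy=policy.compat32)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "base64":
            continue
        body = part.get_payload(decode=False)  # raw text as transmitted
        for line_no, line in enumerate(body.splitlines(), start=1):
            length = len(line.rstrip())
            if length > MAX_B64_LINE:
                findings.append((part.get_content_type(), line_no, length))
    return findings


def build_sample(second_line_width: int) -> bytes:
    """Constructed S/MIME-style message; only the second body line's width varies."""
    b64 = base64.b64encode(bytes(range(256))).decode("ascii")  # 344 characters
    lines = [b64[:76], b64[76:76 + second_line_width]]
    rest = b64[76 + second_line_width:]
    lines += [rest[i:i + 76] for i in range(0, len(rest), 76)]
    headers = (
        "From: sender@example.com\r\n"
        "To: recipient@example.com\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n"
    )
    return (headers + "\r\n".join(lines) + "\r\n").encode("ascii")


if __name__ == "__main__":
    for width in (76, 80):
        print(width, long_base64_lines(build_sample(width)))
```
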
Hello
we have a problem with a remote destination ditching encrypted mail
because of the header included by Djigzo. They claim that according to
RFC 3851 the S/MIME part must not include RFC822 headers. From what I
read in RFC 5751 section 3.1 there is a standard format to protect
headers. Is this special format used by Djigzo or is the remote side
right at claiming not standard conform S/MIME?
Many Thanks
Andreas
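
RFC 5751 section 3.1 lets a sending client wrap a full MIME message in a message/rfc822 part to protect header fields, while the release notes on this page describe headers added directly to the inner MIME part. This added example (not Djigzo code and not from the original message) classifies an already-unwrapped inner entity into one of those shapes for interoperability debugging; the function names and samples are constructed.

```python
import email
from email import policy


def _non_content_headers(msg):
    """Header names that are neither Content-* nor MIME-Version."""
    return [k for k in msg.keys()
            if not k.lower().startswith("content-")
            and k.lower() != "mime-version"]


def classify_inner_entity(inner: bytes):
    """inner: the MIME entity that was signed/encrypted, already extracted
    from the CMS structure. Returns (shape, protected_header_names)."""
    msg = email.message_from_bytes(inner, policy=policy.compat32)
    if msg.get_content_type() == "message/rfc822":
        # RFC 5751 section 3.1 style: the whole message is the payload.
        wrapped = msg.get_payload(0)
        return ("rfc822-wrapper", _non_content_headers(wrapped))
    extra = _non_content_headers(msg)
    if extra:
        # Headers such as Subject sit directly on the inner part.
        return ("headers-on-inner-part", extra)
    return ("content-only", [])


# Constructed sample entities (what a receiver sees after decrypting).
CONTENT_ONLY = (b"Content-Type: text/plain; charset=us-ascii\r\n"
                b"Content-Transfer-Encoding: 7bit\r\n\r\nhello\r\n")
INLINE_HEADERS = (b"Content-Type: text/plain; charset=us-ascii\r\n"
                  b"Subject: Quarterly numbers\r\n\r\nhello\r\n")
RFC822_WRAPPED = (b"Content-Type: message/rfc822\r\n\r\n"
                  b"From: sender@example.com\r\n"
                  b"To: recipient@example.com\r\n"
                  b"Subject: Quarterly numbers\r\n"
                  b"MIME-Version: 1.0\r\n"
                  b"Content-Type: text/plain\r\n\r\nhello\r\n")

if __name__ == "__main__":
    for sample in (CONTENT_ONLY, INLINE_HEADERS, RFC822_WRAPPED):
        print(classify_inner_entity(sample))
```
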
Hi,
A new Djigzo Gateway release candidate (2.1.1) is available.
http://www.djigzo.com/beta.html
Release notes:
New
* Advanced S/MIME setting "Always use freshest signing certificate"
added. If checked, every time the sender needs to sign a message,
the most recent (i.e., the latest "not before" date) signing
certificate will be used (GATEWAY-14).
* Advanced PDF setting "Only encrypt if mandatory" added (GATEWAY-22).
If checked, PDF encryption will only be activated if encryption is
mandatory.
* DLP setting "Quarantine on failed encryption" added. If checked and
encryption is mandatory and a message cannot be encrypted, the
message will be quarantined and not "bounced". Note: this required
minor changes to the "DLP quarantine" template.
* Quarantined emails can now be "released as-is". When a quarantined
email is released as-is, no further processing of the email is done
and the email is immediately delivered.
* The admin can now specify how many rows the grid should show per
page (users, certificates, MTA queue) (GATEWAY-23)
* The admin can now filter for specific email in the MTA queue.
* The MTA logs are now by default shown in "raw" format (i.e., in
exact same order as the log file). To view the MTA logs grouped on
queue ID (the old behavior), the admin should select "Grouped".
* If a certificate chain is valid, the issuer of the certificate in
the certificate view can be clicked to open the issuer certificate
view.
Improvements
* The BlackBerry and mobile settings are moved to a specialized mobile
settings page. New role ROLE_MOBILE_MANAGER added.
* Some settings are moved to advanced settings.
* New charsets can be added to the PDF encryption module (should be
enabled from the command line) to support charsets not supported
"out of the box" by Acrobat reader. For example certain Turkish
characters are not supported "out of the box" by Acrobat reader
(GATEWAY-20)
* If a certificate was available for a recipient, a user object was
always created for that recipient. The user is no longer added by
default.
Bug fix
* With S/MIME "strict mode" enabled, S/MIME messages were only handled
by the S/MIME handler if the recipient had a valid certificate with
private key. If a digitally signed message was received for a
recipient not having a private key, the certificates were not
extracted from the message and the signature was not removed when
"Remove signature" was enabled for that recipient. The message is
now always handled by the S/MIME handler. (GATEWAY-27)
* Under certain special conditions, the base64 encoder of Javamail
sometimes created lines with more than 76 characters (only a few
characters extra). OpenSSL (which is used by some S/MIME gateways)
cannot handle base64 encoded parts containing lines longer than 76
characters. Javamail has been updated (GATEWAY-29)
This release has been extensively tested. If no "show stoppers" are
found within the next two weeks, it will be released as the new stable
version.
Kind regards,
Martijn Brinkers
--
Djigzo open source email encryption
As LDAP search for certificates is currently not yet available in Djigzo, I thought about implementing a workaround for me to have at least the certificates for my "well known" usergroup always up-to-date.
In my case, a simple bash script would connect to the Djigzo database and read the list of users that are currently configured.
It would then conduct an LDAP search using each user's email address to receive the current certificate of that user. The user's certificate in the database would be deleted, and the new certificate retrieved from LDAP will be imported.
Would that be possible, and which steps would be necessary to import the certificate into the database using psql?
Marek
Hi,
for whatever reason, our Djigzo installation does not sign emails.
I have created a new email address michael.guenther(a)in-put.de, added it
as a new internal user, created and assigned a certificate for
encryption and signing.
The certificate for signing has not expired, it is valid not before Jul
18, 2011 and not after Jul 17, 2016.
The key usage is "keyEncipherment, digitalSignature", the extended key
usage is "emailProtection, clientAuth".
And of course the system has the current time.
In the user settings I have selected "Only sign when encrypt" (deactivated,
do not inherit).
Did I miss something?
Thanks for any hints/help,
Stefan
Hi,
we all know that a manual backup by using the Backup manager isn't the
most reliable backup solution.
Is it possible to back up all necessary files and directories with a
script called by a cronjob?
Bye,
Stefan
Hello,
we have installed the groupware Zarafa (together with Postfix) on an
Ubuntu 10.04 system.
Zarafa has its own user management, therefore postfix doesn't know
anything about the users it should deliver mail for, but it works.
We have now integrated djigzo into the mail flow.
The interesting thing now is that when I send an email from the command
line, the mail will be delivered. When I use fetchmail to poll a mail
and forward it to the same user, postfix tells me, that this user
doesn't exist. This was possible before adding the djigzo configuration.
My question now is: How does the djigzo configuration change the
configuration of postfix, so that postfix wants to check the user?
Or the other way round: How do I tell postfix to just forward the email
to a local transport (in this case it is mailbox_transport = zarafa)?
Thanks for any suggestions or hints,
Stefan
Hi,
My evaluation is going well but I've just had an issue raised
by our compliance people re the format of the PDF
passwords. I've got the length and expire time set fine and
assume that as the passwords are auto generated it's not
likely to repeat them, but can you force upper/lower
character mix and use of special characters as well
(£$%&*@#? etc.)?
Thanks
Bruce
As an afterthought: the only inconvenience of the "must encrypt" DLP option in our particular case is that employees often would prefer to remove the forbidden pattern from the message and resend it unencrypted rather than encrypted. This option is not available with automatic encryption.