Hi,
A release candidate of the CipherMail gateway 2.10.0 is available. This is
mostly a maintenance release.
Improvements/Changes
* HTML parts are now scanned for PGP content
[https://jira.djigzo.com/browse/GATEWAY-88]
* PGP desktop/universal (now Symantec) proprietary partitioned encoding
format is now fully supported for incoming email. Email encrypted
with PGP desktop/universal with the partitioned encoding format is
now "repaired" to a proper MIME message.
* RedHat/CentOS 7 is now supported.
* Ignore content-transfer-encoding of multipart messages.
* S/MIME handler now adds X-Djigzo-Info-Signer-Email-* headers with the
email address of the signer certificate.
* Tomcat server.xml config configured to only use strong ciphers. This
implies that Windows XP users with IE can no longer connect since IE
on Windows XP does not support strong ciphers.
* Virtual appliance: There is no longer a separate version for VMware
ESX and workstation. The VMware virtual appliance now supports ESX 4
and up and VMware workstation. Because the virtual appliance now
requires VM version 7, ESXi 3 is no longer supported.
The release candidate and updated installation documentation can be
downloaded from
https://www.ciphermail.com/beta.html
Kind regards,
Martijn Brinkers
--
CipherMail email encryption
Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.
http://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
I'm having an issue when trying to reply to encrypted PDFs, the URL looks correct, in the logs I believe this to be the relevant line.
Caused by: java.lang.RuntimeException: Error obtaining injected value for field mitm.djigzo.web.pages.portal.pdf.PDFReply.clientSMTPHost: Symbol 'client.mail.smtp.host' is not defined.
I don't know where that is being read from, or where to set it. Any help would be greatly appreciated.
Thanks!
Hello all,
I’ve got an issue here that I would really appreciate some help with. We are running Ubuntu 14.04, Postfix, Dovecot and Ciphermail, everything updated — all mail and authentication services are functioning normally.
First … Dovecot is the LDA and we have virtual users and virtual domains. Some of these domains are aliases of non-routable Windows AD domains. For example, user(a)email.net -> user(a)email.corp … Ciphermail creates accounts for the internal domain instead of the address that the email was initially addressed to, and this confuses the users. How do we configure Ciphermail/Postfix to make sure that Ciphermail processes the account using the alias domain (what is in the original To:) that the user is familiar with?
Second … Since Ciphermail is running on the same mail server that is accepting incoming mail from the internet, whether or not it is encrypted, it is still processing the queue. We have created a tag (“[encrypt]”) that flags an email to be processed by Ciphermail, with the intention of that function being available for only internal domains — or more precisely, for SASL authenticated users — but it services encryption for any random external user or domain as long as they put the same tag in the subject line. How can we avoid this happening?
Thank you so much for any insight.
~ Laz Peterson
Paravis, LLC
Hello,
I have a problem with signing my mails.
I created an internal user and imported the encryption and the signing certificate (comodo). The Info field of the certificates contains: "Error building certPath. No issuer certificate for certificate in certification path found."
I followed the steps in the manual,
- set Locality to "internal"
- set encrypt mode to "allow"
- unchecked the "Only sign when encrypt" box
When sending a mail from the specific user to a testuser the mail is not signed.
Does any of you know what the mistake is?
Thanks, Markus
Kind regards
mareco gmbh & co.kg
Dipl.-Ing.(FH)
Markus Zimmermann
Managing Director of the general partner
Rothelebuch 7, 87637 Seeg
Tel. +49 (8364) 984009-0
Fax. +49 (8364) 984009-9
E-Mail. info(a)mareco.biz
Internet. www.mareco.biz
Registered office: Seeg, HRA8889, Amtsgericht Kempten
Personally liable partner
CRM Verwaltungs-GmbH
Registered office: Seeg, HRB9745, Amtsgericht Kempten
Managing Director Markus Zimmermann
Hello,
I'm new to CipherMail, and have been testing for a couple of days now.
It's quite an impressive solution, and I'm thinking of using it in a
professional environment.
My setup:
Exchange <--> CipherMail <--> Postfix
Outlook 2013 + Symantec PGP Client <--> Ciphermail <--> Roundcube
Webmail
The test:
Send Encrypt --> CipherMail --> Receive encrypted (i.e. scrambled PGP
message) NOT OK!
Receive unencrypted = OK! <-- CipherMail <-- Send Encrypted
As described above, I can send encrypted mail to my Exchange server,
which will then get decrypted by Symantec PGP. But when returning the
message, it doesn't get decrypted by CipherMail. I have tested with
"Enable PGP/INLINE to interna", and PGP/MIME PGP/INLINE, but success.
Log:
18 Mar 2015 13:37:23 | INFO incoming; MailID:
0350f883-f06c-443d-854a-56ad340c865f; Recipients: [USER(a)DOMAIN1.org];
Originator: USER(a)DOMAIN2.nl; Sender: USER(a)DOMAIN2.nl; Remote address:
192.168.1.103; Subject: RE: Woensdagtest20; Message-ID:
<3fdd41d21dcf4eeea6978b49c504ae4f(a)exchange01.DOMAIN1.local>;
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #2]
18 Mar 2015 13:37:23 | INFO Subject filter is disabled for the sender;
MailID: 0350f883-f06c-443d-854a-56ad340c865f; Recipients:
[USER(a)DOMAIN1.org] (mitm.application.djigzo.james.mailets.Default)
[Spool Thread #2]
18 Mar 2015 13:37:23 | INFO To internal recipient(s); MailID:
0350f883-f06c-443d-854a-56ad340c865f; Recipients: [USER(a)DOMAIN1.org]
(mitm.application.djigzo.james.mailets.Default) [Spool Thread #2]
18 Mar 2015 13:37:23 | WARN PGP/INLINE signed message contained mixed
content; MailID: 0350f883-f06c-443d-854a-56ad340c865f
(mitm.common.security.openpgp.PGPRecursiveValidatingMIMEHandler) [Spool
Thread #2]
18 Mar 2015 13:37:23 | INFO Message has been PGP decrypted; MailID:
0350f883-f06c-443d-854a-56ad340c865f; Recipients: [USER(a)DOMAIN1.org]
(mitm.application.djigzo.james.mailets.PGPHandler) [Spool Thread #2]
18 Mar 2015 13:37:23 | INFO Message handling is finished. Sending to
final recipient(s); MailID: 0350f883-f06c-443d-854a-56ad340c865f;
Recipients: [USER(a)DOMAIN1.org]; Originator: USER(a)DOMAIN2.nl; Sender:
USER(a)DOMAIN2.nl; Remote address: 192.168.1.103; Subject: RE:
Woensdagtest20; Message-ID:
<3fdd41d21dcf4eeea6978b49c504ae4f(a)exchange01.DOMAIN1.local>;
(mitm.application.djigzo.james.mailets.Log) [Spool Thread #2]
Regards,
Arie
Hi everybody,
Last week my gateway suddenly stopped delivering emails, only to external recipients. Our Exchange reported this error:
XXXXX.XXX.XX #503 5.5.1 Error: need MAIL command ##
Then I created a new one with the backup settings of it and everything works fine again.
Today I tried to find this error in the log files and did not see it on the gateway; a test mail also works fine.
Does anyone else have experience with that?
Thank you.
Marc
Hello,
I bought an E-Mail-Certificate from Comodo, but I am unable to import the key into ciphermail.
I backed up the certificate in Firefox into a *.p12 file. If I try to import this file into ciphermail, it goes into an endless loop of "importing". The process doesn't finish even after a long time of waiting. Any help would be appreciated.
Regards, Markus
Suggestion:
The ability to download public keys automatically via a header trigger, like the signing trigger and encryption trigger.
This configuration setting could allow you to specify a header name and one regexp that will cause Ciphermail to download the public key if it matches. However, if 2 headers are found with the same header name as the one specified, Ciphermail will NOT download public keys.
The idea behind not downloading if 2 headers of the same name are found is to prevent a rogue entity from adding such a header to an incoming mail. The idea is that the validation software that the system administrator uses to decide if a public key should be downloaded or not can specify, for example, “X-PGP-Download-Key: yes” or “X-PGP-Download-Key: no” (Header name: “X-PGP-Download-Key”, Regexp: “/^yes$/”). Thus, if a rogue entity tries to add “X-PGP-Download-Key: yes”, and the validation software does NOT support removing fraudulent headers, then the mail will end up with one “X-PGP-Download-Key: yes” and one “X-PGP-Download-Key: no” in case validation failed, or else 2 identical “X-PGP-Download-Key: yes” headers. Ciphermail can then ignore these duplicate headers, preventing DoS.
Of course, there should be a setting to remove the header too, which will remove the named header regardless of whether it matched the regexp or not.
This would allow the administrator to set up limits to prevent DoS. For example, the system administrator could configure the SPF/DKIM validating software to add this header to the first 5 unique mails for a specific domain, and only once per unique mail sender, and only for mail that passes either SPF or DKIM, or both.
Or the system administrator could make it so that only the first mail containing a “-----BEGIN PGP SIGNATURE-----” line every 30 minutes will trigger a key download, thus preventing DoS if someone starts flooding the server.
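The decision rule proposed in the suggestion above, sketched as an added example (not part of the original post and not CipherMail code). The function name and the sample mails are constructed for illustration; the header name and regexp are the ones given in the post.

```python
import re
from email import message_from_string

HEADER = "X-PGP-Download-Key"    # header name used in the post
PATTERN = re.compile(r"^yes$")   # the post's regexp, in Python syntax


def key_download_decision(raw_mail, header=HEADER, pattern=PATTERN, strip=True):
    """Return (download, message) for one mail (hypothetical helper).

    download is True only when the header occurs exactly once and its value
    matches the pattern. With strip=True every occurrence of the header is
    removed, whether or not it matched.
    """
    msg = message_from_string(raw_mail)
    values = msg.get_all(header, [])   # header names are matched case-insensitively
    download = len(values) == 1 and pattern.search(values[0].strip()) is not None
    if strip:
        del msg[header]                # deletes all occurrences, no error if absent
    return download, msg


def build(*trigger_lines):
    """Constructed sample mail carrying the given trigger header lines."""
    lines = ["From: alice@example.org", "To: bob@example.net", "Subject: test"]
    lines += list(trigger_lines)
    return "\n".join(lines) + "\n\nbody\n"


# Constructed cases: what the gateway would see after the validator has run.
SAMPLES = {
    "validator_yes": build("X-PGP-Download-Key: yes"),
    "forged_plus_validator_no": build("x-pgp-download-key: yes",
                                      "X-PGP-Download-Key: no"),
    "forged_plus_validator_yes": build("X-PGP-Download-Key: yes",
                                       "X-PGP-Download-Key: yes"),
    "validator_no": build("X-PGP-Download-Key: no"),
    "no_header": build(),
}


def decide_all():
    return {name: key_download_decision(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, download in decide_all().items():
        print(f"{name:28s} download={download}")
```

Only the single, validator-written "yes" triggers a download; a forged header in different letter case still counts as a duplicate because header names are compared case-insensitively.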
See this. (report is at the bottom of this email)
Apparently, your list software destroys both SPF and DKIM signatures causing rejects.
Since you repackage S/MIME mail to avoid breaking S/MIME, I would suggest doing the same
to avoid breaking SPF, e.g. repackage the mail in a new message/rfc822 container like this, and
also DKIM sign the repackaged mail, and also strip the invalid DKIM sig out.
A good idea can be then to put up a DKIM, SPF and DMARC record for lists.djigzo.com.
Then both SPF and DKIM will be verified against the domain “lists.djigzo.com”, not the sender domain, since the SPF/DKIM validator will always validate
mail on the outermost container:
From: users(a)lists.djigzo.com
To: <receiver of list mail>
Subject: Fwd: [original subject]
Content-Type: message/rfc822; boundary="1234";
--1234
From: sebastian(a)sebbe.eu
To: <receiver of list mail>
Subject: [original subject]
Content-Type: text/plain
Hello this is a test
--1234--
Here is the report I got from Yahoo:
<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Yahoo! Inc.</org_name>
    <email>postmaster(a)dmarc.yahoo.com</email>
    <report_id>1426038669.132883</report_id>
    <date_range>
      <begin>1425945600</begin>
      <end>1426031999 </end>
    </date_range>
  </report_metadata>
  <policy_published>
    <domain>sebbe.eu</domain>
    <adkim>s</adkim>
    <aspf>s</aspf>
    <p>reject</p>
    <pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>87.233.242.72</source_ip>
      <count>1</count>
      <policy_evaluated>
        <disposition>reject</disposition>
        <dkim>fail</dkim>
        <spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers>
      <header_from>sebbe.eu</header_from>
    </identifiers>
    <auth_results>
      <dkim>
        <domain>sebbe.eu</domain>
        <result>permerror</result>
      </dkim>
      <spf>
        <domain>lists.djigzo.com</domain>
        <result>pass</result>
      </spf>
    </auth_results>
  </record>
</feedback>
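An added example (not part of the original post) that recomputes the policy_evaluated verdicts of the report above from its auth_results, using DMARC identifier alignment: a mechanism counts only if it passes for a domain aligned with the header From domain. REPORT is a trimmed copy of the report's relevant elements; the function names are hypothetical, and relaxed alignment uses a labelled simplification instead of the Public Suffix List.

```python
import xml.etree.ElementTree as ET

# Trimmed copy of the report above (only the elements the evaluation needs).
REPORT = """<feedback>
  <policy_published>
    <domain>sebbe.eu</domain><adkim>s</adkim><aspf>s</aspf><p>reject</p>
  </policy_published>
  <record>
    <identifiers><header_from>sebbe.eu</header_from></identifiers>
    <auth_results>
      <dkim><domain>sebbe.eu</domain><result>permerror</result></dkim>
      <spf><domain>lists.djigzo.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>"""


def org_domain(domain):
    # Simplification (assumption): last two labels. Real evaluators derive the
    # organizational domain from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(report_xml):
    """Return [(header_from, {'dkim','spf','dmarc': 'pass'|'fail'})] per record."""
    root = ET.fromstring(report_xml)
    policy = root.find("policy_published")
    modes = {"dkim": policy.findtext("adkim", "r"),   # alignment defaults to relaxed
             "spf": policy.findtext("aspf", "r")}
    results = []
    for record in root.iter("record"):
        from_domain = record.findtext("identifiers/header_from")
        verdict = {}
        for mech in ("dkim", "spf"):
            ok = any(auth.findtext("result") == "pass"
                     and aligned(auth.findtext("domain"), from_domain, modes[mech])
                     for auth in record.findall(f"auth_results/{mech}"))
            verdict[mech] = "pass" if ok else "fail"
        # DMARC passes when at least one mechanism passes with alignment.
        verdict["dmarc"] = "pass" if "pass" in verdict.values() else "fail"
        results.append((from_domain, verdict))
    return results


if __name__ == "__main__":
    print(evaluate(REPORT))
```

Evaluating the same record with header_from changed to lists.djigzo.com (a constructed variant, as it would be for a repackaged outer message) turns the SPF verdict into an aligned pass.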