Hello,
we just set up the PDF encryption on ciphermail 3.3.1-0 for one of our clients.
When he sends me an email with 2 images and a PDF attached to the email, the email is encrypted. But when I open it, the attachments are missing.
Is there a parameter in the logging options which we should increase to find out what happens to the attachments?
Thanks for any suggestions.
Kind regards,
Stefan
Good morning,
on one of our client's servers we are running Ciphermail Version: 3.2.7-5. Built: 2017-04-18-21:39.
The process crashes every 2-3 days with the following messages in james.wrapper.log:
22 Jan 2018 06:48:13 | INFO Replacing Issuer: CN=VPS-CA-1, O=Bundesagentur fuer Arbeit, C=DE; CRL number: 98378; Thumbprint: 3663997E3157C83F295546E6F84EEFDB0200489FFBE553978634A025715319179681806545A5E105D0E09
1F77EC6EDE4FA7005DFBEDCD53C2EE177A1BCD10CBE; SHA1: 452DE5AA5EC1758AFC2F308C7D388FD1CADCBD96 with Issuer: CN=VPS-CA-1, O=Bundesagentur fuer Arbeit, C=DE; CRL number: 98379; Thumbprint: 0A8290102A6ACD8B7E1EFA7B482
F96F7163A9B8D04F9317968B251036F409E16802863837BF8EF7B610E8015FD7F547A570F852907ABE74206AFDE13573EFBD1; SHA1: 03AE7FA2B4E7A503089EE29D35347A9D56DC650C (mitm.common.security.crl.CRLStoreMaintainerImpl) [CRL Updater thread]
22 Jan 2018 06:48:30 | ERROR Error in certificate request handler thread. (mitm.common.security.ca.CAImpl) [Certificate request handler thread]
java.lang.OutOfMemoryError: GC overhead limit exceeded
22 Jan 2018 06:48:31 | ERROR Error reading CRL. Skipping CRL (mitm.common.security.crl.CRLStoreMaintainerImpl) [CRL Updater thread]
mitm.common.security.crlstore.CRLStoreException: mitm.common.hibernate.DatabaseException: mitm.common.security.crlstore.CRLStoreException: java.lang.OutOfMemoryError: GC overhead limit exceeded
at mitm.common.security.crl.TransactedCRLStoreMaintainer.internalAddCRL(TransactedCRLStoreMaintainer.java:124)
at mitm.common.security.crl.CRLStoreMaintainerImpl.addCRLs(CRLStoreMaintainerImpl.java:406)
at mitm.common.security.crl.CRLStoreUpdaterImpl.downloadCRLs(CRLStoreUpdaterImpl.java:337)
at mitm.common.security.crl.CRLStoreUpdaterImpl.update(CRLStoreUpdaterImpl.java:413)
at mitm.common.security.crl.ThreadedCRLStoreUpdaterImpl$Updater.updateCRLStore(ThreadedCRLStoreUpdaterImpl.java:161)
at mitm.common.security.crl.ThreadedCRLStoreUpdaterImpl$Updater.access$200(ThreadedCRLStoreUpdaterImpl.java:98)
at mitm.common.security.crl.ThreadedCRLStoreUpdaterImpl$Updater$1.doAction(ThreadedCRLStoreUpdaterImpl.java:130)
at mitm.common.hibernate.DatabaseActionExecutorImpl$1.doAction(DatabaseActionExecutorImpl.java:164)
at mitm.common.hibernate.DatabaseActionExecutorImpl.executeTransaction(DatabaseActionExecutorImpl.java:81)
at mitm.common.hibernate.DatabaseActionExecutorImpl.executeTransaction(DatabaseActionExecutorImpl.java:158)
at mitm.common.security.crl.ThreadedCRLStoreUpdaterImpl$Updater.run(ThreadedCRLStoreUpdaterImpl.java:118)
at java.lang.Thread.run(Thread.java:748)
Caused by: mitm.common.hibernate.DatabaseException: mitm.common.security.crlstore.CRLStoreException: java.lang.OutOfMemoryError: GC overhead limit exceeded
at mitm.common.security.crl.TransactedCRLStoreMaintainer$1.doAction(TransactedCRLStoreMaintainer.java:110)
at mitm.common.security.crl.TransactedCRLStoreMaintainer$1.doAction(TransactedCRLStoreMaintainer.java:96)
at mitm.common.hibernate.DatabaseActionExecutorImpl.executeTransaction(DatabaseActionExecutorImpl.java:81)
at mitm.common.security.crl.TransactedCRLStoreMaintainer.internalAddCRL(TransactedCRLStoreMaintainer.java:94)
... 11 more
Caused by: mitm.common.security.crlstore.CRLStoreException: java.lang.OutOfMemoryError: GC overhead limit exceeded
at mitm.common.security.crl.CRLStoreMaintainerImpl.internalAddCRL(CRLStoreMaintainerImpl.java:369)
at mitm.common.security.crl.TransactedCRLStoreMaintainer.access$101(TransactedCRLStoreMaintainer.java:53)
at mitm.common.security.crl.TransactedCRLStoreMaintainer$1.doAction(TransactedCRLStoreMaintainer.java:107)
... 14 more
Caused by: java.lang.OutOfMemoryError: GC overhead limit exceeded
22 Jan 2018 06:48:31 | INFO Trying to download CRL from http://crl.globalsign.com/gspersonalsign2sha2g3.crl (mitm.common.security.crl.CRLDownloaderImpl) [CRL Updater thread]
When we start the process, information of the memory is missing:
* DJIGZO_HOME=/usr/local/djigzo
* Starting CipherMail
* Total memory: MB
* JVM max memory: MB
The system is an Ubuntu 16.04 64-bit with 8 GB RAM and 4 GB swap. There is only Ciphermail running, together with nearly 20 IPSec VPNs.
Shall we fine tune the memory settings of Ciphermail? And if yes, what are recommended settings?
Thanks for any suggestions.
Best regards,
Stefan
Hello,
I have two test users, both with valid root, intermediate, and personal
certs with the correct usage entitlements. Both certificates have a
white, valid background.
For the two users, I have their S/MIME certificates selected in their
profile for signing and encryption (though I'm only trying to get
signing to work at the moment). I have both forced signing via header
"X-Sign" and subject signing via the example in the documentation (
(?i)\[\s*sign\s*\] ). I am using this script to test both the subject
and header, and Thunderbird to test the subject by sending a mail via
ciphercrypt.
#!/usr/bin/env python
# Sends one test message through the gateway carrying both signing triggers.
import smtplib
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

fromaddr = "user1@domain.tld"
toaddr = "user2@domain.tld"

msg = MIMEMultipart()
msg['From'] = fromaddr
msg['To'] = toaddr
msg['Subject'] = "mail subject [sign]"  # subject trigger
msg['X-Sign'] = ""                      # header trigger (empty value)
body = "dummy body message"
msg.attach(MIMEText(body, 'plain'))

# Submit via plain SMTP on port 25 to the gateway.
server = smtplib.SMTP('ciphermail.domain.tld', 25)
server.ehlo('ciphermail.domain.tld')
text = msg.as_string()
server.sendmail(fromaddr, toaddr, text)
server.quit()
I receive the email in the destination inbox, however, it is never
signed. I can verify from the headers that the "X-Sign" header is
present in the email. Currently the MTA/MPA isn't giving a lot of
information to debug. I can see the mail passing through, but there is
no mention of an attempt for any extra processing. I was wondering what
options in logging I can turn on to help debug this issue.
Thanks,
Craig
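Added example (not part of Craig's post and not CipherMail code): a check run on the delivered message itself that reports whether either trigger from the post is present and whether the top-level MIME type is an S/MIME signed container. The two sample messages are constructed; the function names are hypothetical.

```python
import re
from email import message_from_string

SUBJECT_TRIGGER = re.compile(r"(?i)\[\s*sign\s*\]")   # pattern quoted in the post
PKCS7_SIG = ("application/pkcs7-signature", "application/x-pkcs7-signature")
PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")

def smime_state(msg) -> str:
    """Classify the top-level MIME type of a delivered message."""
    ctype = msg.get_content_type()
    protocol = str(msg.get_param("protocol", "")).lower()
    if ctype == "multipart/signed" and protocol in PKCS7_SIG:
        return "clear-signed"
    if ctype in PKCS7_MIME:                 # opaque-signed or encrypted
        return str(msg.get_param("smime-type", "unknown")).lower()
    return "unsigned"

def report(raw: str) -> dict:
    """Summarise the signing triggers and the S/MIME state of one message."""
    msg = message_from_string(raw)
    return {
        "subject_trigger": bool(SUBJECT_TRIGGER.search(msg.get("Subject", ""))),
        "x_sign_header": "X-Sign" in msg,
        "smime": smime_state(msg),
    }

HEADERS = ("From: user1@domain.tld\nTo: user2@domain.tld\n"
           "Subject: mail subject [sign]\nX-Sign:\n")
# Constructed sample: the message as described in the post (delivered unsigned).
AS_DELIVERED = HEADERS + "Content-Type: text/plain\n\ndummy body message\n"
# Constructed sample: what a clear-signed S/MIME message looks like structurally.
AS_SIGNED = (HEADERS +
             'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\n'
             ' micalg=sha-256; boundary="b1"\n\n'
             "--b1\nContent-Type: text/plain\n\ndummy body message\n"
             '--b1\nContent-Type: application/pkcs7-signature; name="smime.p7s"\n\n'
             "AAAA\n--b1--\n")

if __name__ == "__main__":
    print(report(AS_DELIVERED))
    print(report(AS_SIGNED))
```
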
On 09-01-18 18:22, Paul Bronson wrote:
> Okay. How would you advise the built in one be setup? Not sure how that
> would work if I have multiple domains that need to be signed and all
> separate keys. I tried looking on KB and I am not sure that applies to
> me because I have multiple different domains.
Yes, you can configure DKIM on a domain basis. So for every domain you send
email for (and want to DKIM sign for) configure DKIM. Do not configure
DKIM on the global level but per domain.
> I tried looking on KB and I am not sure that applies to
> me because I have multiple different domains.
What do you mean with KB?
Kind regards,
Martijn Brinkers
> On Tue, Jan 9, 2018 at 12:19 PM, Martijn Brinkers
> <martijn(a)ciphermail.com> wrote:
>
> On 09-01-18 17:53, Paul Bronson wrote:
> > The email server is signing message but it seems like as soon as it
> > passes through cipher mail, it strips the DKIM signature.
>
> I'm not aware of any reason why CipherMail strips a DKIM signature.
>
> Does this happen for all outgoing email? or only for email which is
> signed or encrypted?
>
> Note that if a message is modified by CipherMail, the original DKIM
> signature is no longer valid. It is therefore advised to DKIM sign
> after encryption/signing (either using the built-in DKIM signer or using
> some postfix DKIM signing milter).
>
> Kind regards,
>
> Martijn Brinkers
>
>
> > Screenshot for current configuration: https://cl.ly/1i3C232s151e
> >
> >
> > On Tue, Jan 9, 2018 at 10:43 AM, Martijn Brinkers
> > <martijn(a)ciphermail.com> wrote:
> >
> > On 09-01-18 16:42, Paul Bronson wrote:
> > > @martijn are you sure this allows it to pass right through with the
> > > settings configured above? (inherit - off)
> > >
> > > It doesn't seem to want to pass through...
> >
> > What do you mean with "pass through"? meaning the message is not DKIM
> > signed? Or the message is not delivered?
> >
> > Kind regards,
> >
> > Martijn Brinkers
> >
> >
> > > On Tue, Jan 9, 2018 at 10:30 AM, Paul Bronson <signaldeveloper(a)gmail.com> wrote:
> > >
> > > I have a plesk server that is set up to send DKIM-signed messages.
> > > This worked previous to putting in ciphermail.
> > >
> > > There are many domains on my plesk server sending emails.
> > >
> > > Do I need to set up something on Ciphermail to allow it to pass through?
> > >
> > > Screenshot for current configuration: https://cl.ly/1i3C232s151e
> > >
> > > Remember, there are multiple domains on the email server behind the
> > > ciphermail that is sending email that needs to keep its DKIM signature
> > >
> >
> >
> > --
> > CipherMail email encryption
> >
> > Email encryption with support for S/MIME, OpenPGP, PDF encryption and
> > secure webmail pull.
> >
> > https://www.ciphermail.com
> >
> > Twitter: http://twitter.com/CipherMail
> >
> >
>
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
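Added example (not part of the thread and not CipherMail code) for the point quoted above that a message modified by the gateway no longer matches its original DKIM signature: it recomputes the bh= body hash using RFC 6376 "relaxed" body canonicalization with SHA-256 and compares it with the value in the header. The bodies and the DKIM-Signature value are constructed, d=, s= and b= are placeholders, and only the body hash is checked, not the header signature in b=.

```python
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 "relaxed" body canonicalization."""
    out = []
    for line in body.replace(b"\r\n", b"\n").split(b"\n"):
        line = re.sub(rb"[ \t]+", b" ", line)   # runs of whitespace -> one space
        out.append(line.rstrip(b" "))           # ignore whitespace at end of line
    while out and out[-1] == b"":               # ignore trailing empty lines
        out.pop()
    return b"".join(l + b"\r\n" for l in out)   # an empty body stays empty

def body_hash(body: bytes) -> str:
    """Value a signer using relaxed body canonicalization and sha256 puts in bh=."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def bh_tag(dkim_signature: str) -> str:
    """Extract the bh= tag from a DKIM-Signature header value."""
    m = re.search(r"(?:^|;)\s*bh=([^;]+)", dkim_signature)
    if m is None:
        raise ValueError("no bh= tag in DKIM-Signature")
    return re.sub(r"\s+", "", m.group(1))       # folded headers may contain whitespace

def body_still_matches(dkim_signature: str, body: bytes) -> bool:
    """True if the body as received still hashes to the signed bh= value."""
    return bh_tag(dkim_signature) == body_hash(body)

# Constructed sample: body as the sending server signed it.
ORIGINAL = b"Hello,\r\n\r\nplease find the report attached.\r\n"
# Constructed DKIM-Signature value; d=, s= and b= are placeholders.
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1; "
             "h=from:to:subject; bh=" + body_hash(ORIGINAL) + "; b=PLACEHOLDER")
# Whitespace-only differences: relaxed canonicalization absorbs these.
REFLOWED = b"Hello,  \r\n\r\nplease find  the report attached.\r\n\r\n\r\n"
# Constructed stand-in for a gateway wrapping the body in a signed MIME container.
WRAPPED = (b"--b1\r\nContent-Type: text/plain\r\n\r\n" + ORIGINAL +
           b"--b1\r\nContent-Type: application/pkcs7-signature\r\n\r\nAAAA\r\n--b1--\r\n")

if __name__ == "__main__":
    for name, body in (("original", ORIGINAL), ("reflowed", REFLOWED),
                       ("wrapped", WRAPPED)):
        print(name, body_still_matches(SIGNATURE, body))
```
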
I have a plesk server that is set up to send DKIM-signed messages. This
worked previous to putting in ciphermail.
There are many domains on my plesk server sending emails.
Do I need to set up something on Ciphermail to allow it to pass through?
Screenshot for current configuration: https://cl.ly/1i3C232s151e
Remember, there are multiple domains on the email server behind the
ciphermail that is sending email that needs to keep its DKIM signature
Hi Martijn,
thanks for adding the new encryption scheme and signing algorithm in 3.3.1-0
(RSAES-OAEP).
As these are required for the German energy market and, beyond this, are not
widely supported by many destination systems, I would like to configure
ciphermail to only use them for certain sending (internal) users.
Currently I cannot set this. It seems that the S/MIME encryption scheme and
signing algorithm can only be set for (external) receivers.
In case of using that feature for the energy market there might be 1000 external
partners and 1-2 internal senders for whom this feature may be enabled.
Any idea how to configure that?
Kind regards,
Philipp Thielke