Users May 2018

users@lists.ciphermail.com

8 participants
8 discussions

Re: [Djigzo users] Deployment of CipherMail

by Ralf Kirmis

Dear Sebastian, we are planning to deploy ciphermail and use exim as our MTA. Can you post some of your config snippets, for using exim with ciphermail? Mit freundlichen Grüßen Ralf Kirmis Neue Straße 52 D-27432 Bremervörde Telefon 04761-9941-0 Fax 04761-9941-400 Unseren Service erreichen Sie unter: Tel: +49 4761-9941-120, Fax: +49 4761-9941-420, service(a)wizard.de Den Vertrieb erreichen Sie unter: Tel: +49 4761-9941-130, Fax: +49 4761-9941-430, vertrieb(a)wizard.de

3 years, 4 months

[Djigzo users] Invalid S/Mime signatures

by lists

Hi, recently I've seen this: 22 May 2018 20:58:46 | INFO incoming; MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com]; Originator: sender(a)sender-domain.com; Sender: sender(a)sender-domain.com; Remote address: 192.168.100.252; Subject: test; Message-ID: <77b959d08e1d4bf4a5b39bf36825dfce(a)SBAAS292.kliniken.ssb.local>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #3] 22 May 2018 20:58:46 | INFO Subject filter is disabled for the sender; MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com] (mitm.application.djigzo.james.mailets.Default) [Spool Thread #3] 22 May 2018 20:58:46 | INFO To internal recipient(s); MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com] (mitm.application.djigzo.james.mailets.Default) [Spool Thread #3] 22 May 2018 20:58:46 | INFO "remove S/MIME signature" is enabled for the recipient(s); MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com] (mitm.application.djigzo.james.mailets.Default) [Spool Thread #3] 22 May 2018 20:58:46 | INFO S/MIME message has been decrypted. MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com] (mitm.application.djigzo.james.mailets.SMIMEHandler) [Spool Thread #3] 22 May 2018 20:58:46 | WARN Signature could not be verified. Message: Message content cannot be verified with the signers public key. (mitm.common.security.smime.handler.SMIMEInfoHandlerImpl) [Spool Thread #3] 22 May 2018 20:58:46 | WARN S/MIME signature was not valid; Signer IDs: CN=D-TRUST CA 2-1 2015, O=D-Trust GmbH, L=Berlin, C=DE/715FBC297CC280DEF937EF0AF42176B6/; MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b (mitm.application.djigzo.james.mailets.SMIMEHandler) [Spool Thread #3] 22 May 2018 20:58:47 | INFO Message handling is finished. Sending to final recipient(s); MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com]; Originator: sender(a)sender-domain.com; Sender: sender(a)sender-domain.com; Remote address: 192.168.100.252; Subject: test; Message-ID: <77b959d08e1d4bf4a5b39bf36825dfce(a)SBAAS292.kliniken.ssb.local>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]22 May 2018 20:58:46 | INFO incoming; MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com]; Originator: sender(a)sender-domain.com; Sender: sender(a)sender-domain.com; Remote address: 192.168.100.252; Subject: test; Message-ID: <77b959d08e1d4bf4a5b39bf36825dfce(a)SBAAS292.kliniken.ssb.local>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #3] 22 May 2018 20:58:46 | INFO Subject filter is disabled for the sender; MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com] (mitm.application.djigzo.james.mailets.Default) [Spool Thread #3] 22 May 2018 20:58:46 | INFO To internal recipient(s); MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com] (mitm.application.djigzo.james.mailets.Default) [Spool Thread #3] 22 May 2018 20:58:46 | INFO "remove S/MIME signature" is enabled for the recipient(s); MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com] (mitm.application.djigzo.james.mailets.Default) [Spool Thread #3] 22 May 2018 20:58:46 | INFO S/MIME message has been decrypted. MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com] (mitm.application.djigzo.james.mailets.SMIMEHandler) [Spool Thread #3] 22 May 2018 20:58:46 | WARN Signature could not be verified. Message: Message content cannot be verified with the signers public key. (mitm.common.security.smime.handler.SMIMEInfoHandlerImpl) [Spool Thread #3] 22 May 2018 20:58:46 | WARN S/MIME signature was not valid; Signer IDs: CN=D-TRUST CA 2-1 2015, O=D-Trust GmbH, L=Berlin, C=DE/715FBC297CC280DEF937EF0AF42176B6/; MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b (mitm.application.djigzo.james.mailets.SMIMEHandler) [Spool Thread #3] 22 May 2018 20:58:47 | INFO Message handling is finished. Sending to final recipient(s); MailID: d6c60f00-eefe-47d9-be9e-cd8fc989034b; Recipients: [recipent(a)dest-domain.com]; Originator: sender(a)sender-domain.com; Sender: sender(a)sender-domain.com; Remote address: 192.168.100.252; Subject: test; Message-ID: <77b959d08e1d4bf4a5b39bf36825dfce(a)SBAAS292.kliniken.ssb.local>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0] All certificates and chains are present in certificate store. Wy does the signature not get veified? TIA Matthias -- MHC SoftWare GmbH Fichtera 17 96274 Itzgrund/Germany voice: +49-(0)9533-92006-0 fax: +49-(0)9533-92006-6 e-mail: info(a)mhcsoftware.de HR Coburg: B2242 Geschaeftsfuehrer: Matthias Henze

3 years, 4 months

[Djigzo users] PGP New Vulnerabilities

by CipherMail

Hi, This morning we were alerted about a new PGP vulnerability. English: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabiliti… Dutch: https://tweakers.net/nieuws/138557/onderzoekers-stop-direct-met-gebruik-pgp… -- With kind regards, Arie PGP: https://mail.koppelaar.org/arie.asc

3 years, 5 months

[Djigzo users] EFAIL: how to detect you are being attacked?

by Martijn Brinkers

Hi, A short article on how to detect whether an EFAIL attack was used. https://www.ciphermail.com/blog/efail-how-to-detect-you-are-being-attacked.… Kind regards, Martijn Brinkers -- CipherMail email encryption Email encryption with support for S/MIME, OpenPGP, PDF encryption and secure webmail pull. https://www.ciphermail.com Twitter: http://twitter.com/CipherMail

3 years, 5 months

[Djigzo users] Is Ciphermail save against "Efail"?

by lst_hoe02＠kwsoft.de

Hello, today a new threat againts encrypted e-mail (PGP and S/MIME) is in the news: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabiliti… From what i understand the basic problem is that it is possible to inject special data in already encrypted e-mail, which than will be reported back after decryption with HTML URLs to the attacker and can be used to derive the key used for encryption. So i guess one would need the following conditions to be true for the attack to succeed - The MUA access external URLs to load content in HTML e-mail (automatically) - The e-mail will be decode despite the altered content (not vaild signed at least) - Probably many e-mails are needed to get the oracle attack to work? So for Ciphermail there should be no direct problem because it does not "read" the e-mail or obey URLs in the e-mail? But the question remains if there is a possibilty to prevent the "vulnerable" clients againts attack e-mail passing Ciphermail by not decrypting them or something like that? Maybe i'm totaly wrong, but thanks for any feedback on this Regards Andreas

3 years, 5 months

[Djigzo users] New release of the CipherMail Email Encryption Gateway available (4.1.0-0)

by Martijn Brinkers

A new version of the CipherMail Email Encryption Gateway is available (4.1.0-0) Virtual Appliance downloads: https://www.ciphermail.com/downloads-virtual-appliance.html Distribution packages downloads: https://www.ciphermail.com/downloads-gateway-distributions.html Release notes: New * CertStore command line tool can now export certificates and keys * PGP commons line tool can now export public and secret keys * The back-end now supports a Mail attribute named remote-delivery.smtp.relay-host. It can be used to deliver email to a different relay host or local port based on content. * SetRecipients mailet added. This can be used to change the recipients of an email. * Post smime and pgp processor is now only called when a message was/is s/mime or PGP. This can be used to add specific behavior when a message is S/MIME or PGP (for example redirect to content scanner) * Systemd fetchmail.service unit file added. * Matcher added which can match on a user configurable list of senders/recipients. This also works for Exchange journaling messages by looking inside the journal [PRO/ENT]. * Intellicard Certificate Request handler added [PRO/ENT]. * Export database to XML [PRO/ENT]. Bugs/Improvements/Changes * Cipher suites for HTTPClient are no longer set. The Cipher suites config resulted in a bug after a Java update. The Java bug was only triggered in old versions of CipherMail that used a link to sunjce_provider.jar in /usr/share/djigzo/james-2.3.1/lib. * SleepTimeOnError added to SMSGatewayImpl background thread. The thread will sleep for 30 sec (default) if there was an exception in the background thread not caused by a transport. This is done to prevent filling up the logs if there is a problem with the database. * SMIME command line tool refactored. Now uses long option names. * System property ciphermail.crypto.cms.mustProduceEncodableUnwrappedKey added. This sets the mustProduceEncodableUnwrappedKey BC property. This is needed for supporting Utimaco HSMs. * MySQL/MariaDB SQL config minor change. varchar columns with size 128 increased to 255.The alias field was too short to fit a sha512 thumbprint and some prefix used by a cert request handler This resulted in an field too small error when trying to set the key alias (this was only an issue with the prof/ent. edition) * Postgres 10 does not allow the JDBC URL to end with /. The last / has been removed from the URL. * Postgres JDB driver updated to support Postgres 10. * Most required/depends removed from RPM and DEB conf files. It is impossible to support different RH/CentOS, Ubuntu. releases with one RPM or DEB because packages are renamed/removed. * The back-end front-end SOAP layer now uses Basic Authentication mode instead of WS security to work around a recently introduced Java bug in Java 1.8.0_162. (https://bugs.openjdk.java.net/browse/JDK-8196491, https://github.com/javaee/metro-jax-ws/issues/1209) * The CipherMail Virtual Appliance is now using CentOS 7 instead of Ubuntu and uses MariaDB instead of Postgres. This means that back-ups of previous CipherMail Virtual Appliance cannot be directly imported because the database type is changed. Users with a support contract can contact Us for help with migrating the database to the new version. Note: this only impacts users using the Virtual Appliance who wish to upgrade to the new CentOS based Virtual Appliance. * HSM module now supports RSAES-OAEP encryption scheme (requirement for the German edi@energy standard) [PRO/ENT]. * License check only checked if license was valid at startup [PRO/ENT]. * Selected Certificate Request Handler is now session persistent so the selection is remembered while session is active. * Jetty upgraded to release 9.4. This requires java 8 or up [PRO/ENT]. Upgrade guide can be downloaded from: http://www.ciphermail.com/documents/upgrade-guide.pdf Kind regards, Martijn Brinkers -- CipherMail email encryption Email encryption with support for S/MIME, OpenPGP, PDF encryption and secure webmail pull. https://www.ciphermail.com Twitter: http://twitter.com/CipherMail

3 years, 5 months

[Djigzo users] Rookie Question - G Suite

by Greg Williams

Hi, How to I get Ciphermail to accept email from G Suite (this is where our emails are hosted) Our domain is setup both in domains and relay but I do not know how to get it to accept our outgoing emails without giving access to anyone who uses gmail? Any help would be great Greg

3 years, 5 months

[Djigzo users] Export CRL List from internal CA via command line

by gulchi

Hi Martijn, hi list, thank you for your help in advance. I use Ciphermails internal CA for creating SMIME certificates. Now I download the CRLs manually from Ciphermails Web Interface. Is there a way to create and download the crl with the command line tool? Thank you very much. Best regards. Christian

3 years, 5 months

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

Users May 2018