Dear Sebastian,
We are planning to deploy CipherMail and use Exim as our MTA.
Can you post some of your config snippets for using Exim with CipherMail?
Kind regards
Ralf Kirmis
Neue Straße 52 D-27432
Bremervörde
Phone 04761-9941-0 Fax 04761-9941-400
Our service department can be reached at: Tel: +49 4761-9941-120, Fax: +49
4761-9941-420, service(a)wizard.de
Our sales department can be reached at: Tel: +49 4761-9941-130, Fax: +49
4761-9941-430, vertrieb(a)wizard.de
Hello,
Today a new threat against encrypted e-mail (PGP and S/MIME) is in the news:
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabiliti…
From what I understand, the basic problem is that it is possible to
inject special data in already encrypted e-mail, which then will be
reported back after decryption with HTML URLs to the attacker and can
be used to derive the key used for encryption.
So I guess one would need the following conditions to be true for the
attack to succeed:
- The MUA accesses external URLs to load content in HTML e-mail (automatically)
- The e-mail will be decoded despite the altered content (not validly
signed at least)
- Probably many e-mails are needed to get the oracle attack to work?
So for CipherMail there should be no direct problem because it does
not "read" the e-mail or obey URLs in the e-mail? But the question
remains whether there is a possibility to protect the "vulnerable" clients
against attack e-mail passing CipherMail by not decrypting them or
something like that?
Maybe I'm totally wrong, but thanks for any feedback on this.
Regards
Andreas
A new version of the CipherMail Email Encryption Gateway is available
(4.1.0-0)
Virtual Appliance downloads:
https://www.ciphermail.com/downloads-virtual-appliance.html
Distribution packages downloads:
https://www.ciphermail.com/downloads-gateway-distributions.html
Release notes:
New
* CertStore command line tool can now export certificates and keys
* PGP command line tool can now export public and secret keys
* The back-end now supports a Mail attribute named
remote-delivery.smtp.relay-host. It can be used to deliver email to
a different relay host or local port based on content.
* SetRecipients mailet added. This can be used to change the recipients
of an email.
* Post S/MIME and PGP processor is now only called when a message was/is
S/MIME or PGP. This can be used to add specific behavior when a
message is S/MIME or PGP (for example redirect to content scanner).
* Systemd fetchmail.service unit file added.
* Matcher added which can match on a user configurable list of
senders/recipients. This also works for Exchange journaling messages
by looking inside the journal [PRO/ENT].
* Intellicard Certificate Request handler added [PRO/ENT].
* Export database to XML [PRO/ENT].
Bugs/Improvements/Changes
* Cipher suites for HTTPClient are no longer set. The cipher suites
config resulted in a bug after a Java update. The Java bug was only
triggered in old versions of CipherMail that used a link to
sunjce_provider.jar in /usr/share/djigzo/james-2.3.1/lib.
* SleepTimeOnError added to SMSGatewayImpl background thread. The thread
will sleep for 30 sec (default) if there was an exception in the
background thread not caused by a transport. This is done to prevent
filling up the logs if there is a problem with the database.
* SMIME command line tool refactored. Now uses long option names.
* System property ciphermail.crypto.cms.mustProduceEncodableUnwrappedKey
added. This sets the mustProduceEncodableUnwrappedKey BC property.
This is needed for supporting Utimaco HSMs.
* MySQL/MariaDB SQL config minor change. varchar columns with size 128
increased to 255. The alias field was too short to fit a sha512
thumbprint and some prefix used by a cert request handler.
This resulted in a field too small error when trying to set the key
alias (this was only an issue with the prof/ent. edition).
* Postgres 10 does not allow the JDBC URL to end with /. The last /
has been removed from the URL.
* Postgres JDBC driver updated to support Postgres 10.
* Most required/depends removed from RPM and DEB conf files. It is
impossible to support different RH/CentOS, Ubuntu releases with
one RPM or DEB because packages are renamed/removed.
* The back-end front-end SOAP layer now uses Basic Authentication mode
instead of WS security to work around a recently introduced Java bug
in Java 1.8.0_162 (https://bugs.openjdk.java.net/browse/JDK-8196491,
https://github.com/javaee/metro-jax-ws/issues/1209).
* The CipherMail Virtual Appliance is now using CentOS 7 instead of
Ubuntu and uses MariaDB instead of Postgres. This means that
back-ups of previous CipherMail Virtual Appliances cannot be
directly imported because the database type is changed. Users
with a support contract can contact us for help with migrating the
database to the new version. Note: this only impacts users using the
Virtual Appliance who wish to upgrade to the new CentOS based
Virtual Appliance.
* HSM module now supports RSAES-OAEP encryption scheme (requirement
for the German edi@energy standard) [PRO/ENT].
* License check only checked if license was valid at startup [PRO/ENT].
* Selected Certificate Request Handler is now session persistent so
the selection is remembered while session is active.
* Jetty upgraded to release 9.4. This requires Java 8 or up [PRO/ENT].
Upgrade guide can be downloaded from:
http://www.ciphermail.com/documents/upgrade-guide.pdf
Kind regards,
Martijn Brinkers
--
CipherMail email encryption
Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail
Hi,
How do I get CipherMail to accept email from G Suite (this is where our
emails are hosted)?
Our domain is set up both in domains and relay, but I do not know how to get
it to accept our outgoing emails without giving access to anyone who uses
Gmail.
Any help would be great.
Greg
Hi Martijn, hi list,
thank you for your help in advance.
I use CipherMail's internal CA for creating S/MIME certificates. Now I
download the CRLs manually from CipherMail's web interface.
Is there a way to create and download the CRL with the command line tool?
Thank you very much.
Best regards.
Christian