On 03/09/2015 05:20 AM, Sebastian Nielsen wrote:
Does djigzo/ciphermail clear any X-Djigzo-Info-*
headers it find in
any mails before doing anything?
If a impostor put headers in the mail:
before sending, and ciphermail does not clear these, a MUA can be
tricked into displaying to a end user that the mail was securely
signed, when it was not.
Yes, I know that Ciphermail will always add these headers when a PGP
or SMIME mail arrives, so if a impostor both falsely S/MIME sign a
message (for example with an untrusted cert) *and* tries to add false
headers, the resulting mail will get double X-Djigzo-Info-* headers
that the MUA can raise an alert on since one of the headers are
But if a impostor adds these headers to an unsigned mail, where
Djigzo does not add any headers, the user can think the mail is
signed, if Djigzo does not clear these headers before processing the
These headers are cleared for email sent to internal users with the
following rule (see config.xml)
<!-- remove all X-Djigzo-* headers for incoming email -->
<mailet match="All" class="RemoveHeaders">
CipherMail email encryption
Open source email encryption gateway with support for S/MIME, OpenPGP
and PDF messaging.