[Djigzo users] Reject unencrypted mail

Martijn Brinkers martijn at djigzo.com
Fri Apr 29 15:09:04 CEST 2011


Forgot to add the following note:

The IsSMIME matcher checks the message for a specific S/MIME content
type. It is possible to 'fake' an encrypted email by taking a plain text
email and setting the content type to:

application/pkcs7-mime; name="smime.p7m"; smime-type=enveloped-data

If your requirements are such that you need to be 100% sure that an
email is encrypted (and also be sure that it is encrypted with a strong
enough cipher), a specialized matcher should be created that checks the
smime.p7m attachment (CMS blob) and checks whether it is encrypted with
a strong enough cipher.

Kind regards,

Martijn Brinkers


On 01/-10/-28163 08:59 PM, Martijn Brinkers wrote:
> Hi Ralf,
> 
>> post suggests, I want to reject all mail that's not encrypted. I
>> know there has been a discussion on this mailing list regarding the
>> usefulness of this measure, but we have a special environment in
>> which rejecting unencrypted messages is a "must have". I know I
>> should add a matcher to the james/config.xml, but I cannot define the
>> right matcher. Could someone help me defining the right matcher for
>> rejecting all non encrypted mail? Thank you in advance!
> 
> The following matcher matches whether the content-type of the message
> says the message is encrypted, and if so, the next processor will handle
> the message (change *CHANGE_THIS* to match the processor you want to use
> when the message is encrypted)
> 
> <mailet match="IsSMIME=matchOnError=false,encrypted" class="GotoProcessor">
>     <processor> *CHANGE_THIS* </processor>
> </mailet>
> 
> Note: the above matcher is already used in the current config.xml file
> to check whether the message is already encrypted.
> 
> Unfortunately it's not possible to invert the matcher, so if you want to
> handle the email differently when not encrypted, add it after the
> matcher for encryption. For example like this:
> 
> <mailet match="IsSMIME=matchOnError=false,encrypted" class="GotoProcessor">
>     <processor> *CHANGE_THIS* </processor>
> </mailet>
> 
> <mailet match="All" class="GotoProcessor">
>     <processor> *PROCESSOR_NOT_ENCRYPTED* </processor>
> </mailet>
> 
> 
> A question, are you only interested in whether outgoing email is
> encrypted or also incoming email? If you only need to be sure that
> outgoing email is encrypted you can set the encrypt mode to "Mandatory".
> 
> If you want to check whether incoming email is encrypted what do you
> want to do with the message if the message is not encrypted?
> 
> As Andreas noted, the email has already been accepted and bouncing it
> back to the sender can cause your SMTP server to be blacklisted (search
> for the term Backscatter) if you are not 100% certain that the message
> was not spam.
> 
> Kind regards,
> 
> Martijn Brinkers
> 
> 
> On 01/-10/-28163 08:59 PM, Ralf Bardoel wrote:
>> Dear users of Djigzo,
>>
>> First of all I want to say I love your product! Like the subject of my
>> post suggests, I want to reject all mail that's not encrypted. I know
>> there has been a discussion on this mailing list regarding the
>> usefulness of this measure, but we have a special environment in which
>> rejecting unencrypted messages is a "must have". I know I should add a
>> matcher to the james/config.xml, but I cannot define the right matcher.
>> Could someone help me defining the right matcher for rejecting all non
>> encrypted mail? Thank you in advance!
>>
>> Kind regards,
>>
>> Ralf Bardoel
>>
> 
> 


-- 
Djigzo open source email encryption
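
The check the note at the top of this message calls for, inspecting the smime.p7m CMS blob instead of trusting the Content-Type, as an added Python example that is not part of the original post or of Djigzo. The names `tlv` and `strong_cipher`, the AES-CBC-only policy and the sample data are assumptions; only definite-length encoding is handled and anything else fails closed.

```python
import base64

ENVELOPED_DATA = bytes.fromhex("2a864886f70d010703")  # OID 1.2.840.113549.1.7.3
# Assumed policy for this example: only AES-CBC (2.16.840.1.101.3.4.1.{2,22,42}).
STRONG = {bytes.fromhex("6086480165030401" + last): name for last, name in
          [("02", "aes128-CBC"), ("16", "aes192-CBC"), ("2a", "aes256-CBC")]}

def tlv(buf, pos, want):
    """Read one definite-length element with tag `want`; return (value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                      # long form: next n bytes hold the length
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if tag != want or pos + length > len(buf):
        raise ValueError("unexpected tag or truncated element")
    return buf[pos:pos + length], pos + length

def strong_cipher(body_b64):
    """Name of the allowed content cipher if the body is CMS EnvelopedData, else None."""
    try:
        ci, _ = tlv(base64.b64decode(body_b64), 0, 0x30)   # ContentInfo
        ctype, p = tlv(ci, 0, 0x06)                        # contentType
        if ctype != ENVELOPED_DATA:
            return None
        env, _ = tlv(tlv(ci, p, 0xA0)[0], 0, 0x30)         # [0] EXPLICIT EnvelopedData
        _, p = tlv(env, 0, 0x02)                           # version
        if env[p] == 0xA0:                                 # optional originatorInfo
            _, p = tlv(env, p, 0xA0)
        rcpts, p = tlv(env, p, 0x31)                       # recipientInfos (SET)
        eci, _ = tlv(env, p, 0x30)                         # EncryptedContentInfo
        _, p = tlv(eci, 0, 0x06)                           # inner contentType
        alg, p = tlv(eci, p, 0x30)                         # contentEncryptionAlgorithm
        body, _ = tlv(eci, p, 0x80)                        # [0] IMPLICIT encryptedContent
        return STRONG.get(tlv(alg, 0, 0x06)[0]) if rcpts and body else None
    except (ValueError, IndexError):      # not base64 / not DER: fail closed
        return None

# Constructed sample, not a real message: placeholder recipient, aes256-CBC, zero IV.
SAMPLE = base64.b64encode(bytes.fromhex(
    "3054" "06092a864886f70d010703" "a047" "3045" "020100" "31023000" "303c"
    "06092a864886f70d010701" "301d" "060960864801650304012a" "0410" + "00" * 16
    + "8010" + "00" * 16))
# Constructed fake: plain text that would carry the enveloped-data Content-Type.
FAKE = base64.b64encode(b"Plain text labelled as smime.p7m")
```

CMS also permits BER indefinite-length encoding, which this example rejects, so a matcher built this way would treat such messages as not encrypted.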