[Djigzo users] Notify about a successfully complete forsigncheck

matthiasdort room_djigzousermaillist at dotronik.net
Thu Oct 27 12:13:42 CEST 2011


   
>  Do Okt 27 2011 10:32:06 CEST von  "Martijn Brinkers" <martijn at djigzo.com> 
>Betreff: Re: [Djigzo users] Notify about a successfully complete forsigncheck
>
>  
> On 10/27/2011 09:25 AM, matthiasdort wrote:
>  
>>  
>>>  
>>>>I guess something like a "[Signed]" tag in the subject to show the end 
>>>> user (internal recipient) that the message was signed and could be 
>>>> verified when hitting the Djigzo Gateway.
>>>> 
>>>> 
>>>> 
>>>>

>>>  Thank you Andreas, yes, this is exactly what i mean.
>>> 
>>>

>>  

>  This is not (yet?) supported. The main question is where are you using
> the tag for? The reason I'm asking is that a tag line can lead to a
> false sense of security. For example suppose an external sender sends a
> non-signed message that contains the tag [Signed] in the subject?
> You might argue that all incoming email should be scanned for such a tag
> and have the tag be removed. Ok, then what about [ signed ]? Again you
> might argue that the scanning should work on a regular expression and
> should skip all spaces. Ok, then I come up with the following example,
> {Signed}, or just Signed, or Signd.
> Just as long as your end-users just use the tag as an indication that
> the message *might* be signed, this should not be a problem. The problem
> starts when end-users *assume* the message is signed and trusted because
> the subject contains some kind of tag.
> 
> The best way to detect whether a message is signed and is trusted is by
> using an S/MIME capable email client. If however you are not using an
> S/MIME capable email client or are stripping the S/MIME signatures this
> won't help. The gateway will however add certain header fields which
> indicate whether the email is signed and whether the signature was
> trusted/valid etc. Appendix A of the "S/MIME setup guide" briefly
> explains these headers. Since all X-Djigzo-* headers are removed from
> any incoming email, those headers cannot be spoofed. The trouble however
> with these headers is that it's hard for end-users to read and interpret.
> 
> To conclude, I'm not saying that adding some kind of keyword/tag to the
> subject should never be done. But, you should be careful on what it
> means for your end-users when the subject contains a certain keyword/tag.
> 
> What is currently missing is a mailet (a mailet is a small piece of
> software that handles an email)  that can add something to the current
> subject of a message. I will add this to the todo list. If such a mailet
> is available, you can add this functionality to the xml mail flow
> specification and match when the email contains the keywords. This might
> actually be done with Postfix as a workaround.
> 
> One last question, is there a reason you cannot use an S/MIME email
> client to check the signatures?
> 
> Kind regards,
> 
> Martijn Brinkers
> 
> -- 
> Djigzo open source email encryption
> _______________________________________________
> Users mailing list
> Users at lists.djigzo.com
> http://lists.djigzo.com/lists/listinfo/users
> 
>
>
>  

  

ok, thank you for your detailed answer! i have understand the problem with a
tag in subject and the possibility of fake.  An other way to give the
(intern) user a notice about a successfull signcheck may be send a special
mail with subject related to the original mail, analog the notice about an
successfull encryption.  

Kind regards  

Matthias


More information about the Users mailing list