[CipherMail User] S/Mime domain certificate

Martijn Brinkers martijn at ciphermail.com
Thu Dec 6 10:17:50 CET 2018



On 06-12-18 09:06, Weppert Juergen wrote:
> Great! Now it is working. Thanks a lot.
> I just have one more question. How can I see in the logs which certificate was used for decryption?

This is not logged. What should be logged and not logged is always a
tradeoff between logging too much and logging too little. Logging the
certificate details will add substantial information to the logs. An
email might even be encrypted with several certificates, for example a
recipient can have multiple certificates or there can be multiple
recipients. If logging which certificates are being used is a
requirement, it might be possible to add an additional rule to the mail
flow (this requires some coding however).

Kind regards,

Martijn Brinkers


> -----Original Message-----
> From: Martijn Brinkers [mailto:martijn at ciphermail.com]
> Sent: Monday, 3 December 2018 12:59
> To: Weppert Juergen <Juergen.Weppert at mediakom-online.de>
> Subject: Re: AW: AW: AW: [CipherMail User] S/Mime domain certificate
> 
> You have enabled S/MIME strict mode. This will check whether there is a match between recipient address and email address in the email. This will not work for domain certificates without additional config (it should work if strict mode is not enabled). You need to explicitly tell the gateway that a domain certificate is used for that domain.
> 
> Please try to add the domain certificate to the domain mediakom-online.de
> 
> So open settings for domain mediakom-online.de, then "S/MIME -> encryption certificates" and select the domain certificate.
> 
> Kind regards,
> 
> Martijn Brinkers
> 
> On 03-12-18 12:49, Weppert Juergen wrote:
>> Hello,
>>
>> here are the relevant log lines.
>>
>> 03 Dec 2018 10:45:38 | INFO incoming; MailID: 
>> 63aa8793-84c2-470d-9322-1378313de4a7; Recipients: 
>> [juergen.weppert at mediakom-online.de]; Originator: 
>> michael.hengst at hkk.de; Sender: michael.hengst at hkk.de; Remote address: 
>> x.x.x.x; Subject: AW: Mailverschlüsselung; Message-ID: 
>> <518A63CC64BC574E9671E278570CF549C9E1969A-TvXsAYlA at s9103p051.hkk.lokal
>>> ; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #2]
>> 03 Dec 2018 10:45:38 | INFO Subject filter is disabled for the sender; 
>> MailID: 63aa8793-84c2-470d-9322-1378313de4a7; Recipients: 
>> [juergen.weppert at mediakom-online.de] 
>> (mitm.application.djigzo.james.mailets.Default) [Spool Thread #2]
>> 03 Dec 2018 10:45:38 | INFO To internal recipient(s); MailID: 
>> 63aa8793-84c2-470d-9322-1378313de4a7; Recipients: 
>> [juergen.weppert at mediakom-online.de] 
>> (mitm.application.djigzo.james.mailets.Default) [Spool Thread #2]
>> 03 Dec 2018 10:45:38 | INFO "S/MIME strict mode" is enabled for the 
>> recipient(s); MailID: 63aa8793-84c2-470d-9322-1378313de4a7; 
>> Recipients: [juergen.weppert at mediakom-online.de] 
>> (mitm.application.djigzo.james.mailets.Default) [Spool Thread #2]
>> 03 Dec 2018 10:45:38 | WARN S/MIME decryption key not found; MailID: 
>> 63aa8793-84c2-470d-9322-1378313de4a7; Message: A suitable decryption 
>> key could not be found. CMS Recipients: CN=evp.mediakom-online.de, 
>> OU=IT, O=MediaKom GmbH, L=Aschau, ST=Bayern, 
>> C=DE/92D94935F132BCB//1.2.840.113549.1.1.1 
>> (mitm.common.security.smime.handler.SMIMEHandler) [Spool Thread #2]
>> 03 Dec 2018 10:45:38 | INFO Message handling is finished. Sending to 
>> final recipient(s); MailID: 63aa8793-84c2-470d-9322-1378313de4a7; 
>> Recipients: [juergen.weppert at mediakom-online.de]; Originator: 
>> michael.hengst at hkk.de; Sender: michael.hengst at hkk.de; Remote address: 
>> x.x.x.x; Subject: AW: Mailverschlüsselung; Message-ID: 
>> <518A63CC64BC574E9671E278570CF549C9E1969A-TvXsAYlA at s9103p051.hkk.lokal
>>> ; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #1]
>>
>>
>> I have no personal S/Mime certificate so I think the warning is because no certificate matches my email address.
>>
>> Kind regards
>>
>> Jürgen Weppert
>>
>>
>> -----Original Message-----
>> From: Martijn Brinkers [mailto:martijn at ciphermail.com]
>> Sent: Monday, 3 December 2018 12:38
>> To: Weppert Juergen <Juergen.Weppert at mediakom-online.de>
>> Subject: Re: AW: AW: [CipherMail User] S/Mime domain certificate
>>
>> In that case the MPA log should provide more information.
>>
>> Can you provide the relevant log lines from the MPA log? It should tell exactly what happens when it handles the incoming email.
>>
>> Kind regards,
>>
>> Martijn Brinkers
>>
>> On 03-12-18 12:35, Weppert Juergen wrote:
>>> Hello,
>>>
>>> yes I imported the certificate and the private key.
>>> Yes the domain is internal.
>>>
>>> Kind regards
>>>
>>> Jürgen Weppert
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: Martijn Brinkers [mailto:martijn at ciphermail.com]
>>> Sent: Monday, 3 December 2018 12:15
>>> To: Weppert Juergen <Juergen.Weppert at mediakom-online.de>
>>> Subject: Re: AW: [CipherMail User] S/Mime domain certificate
>>>
>>>
>>>
>>> On 03-12-18 11:19, Weppert Juergen wrote:
>>>> Hello,
>>>>
>>>> thanks for your feedback.
>>>>
>>>> For example, our domain is mediakom-online.de and the domain of our
>>>> partner is test.de. I added a new domain "test.de" and selected
>>>> their certificate to encrypt emails sent to that domain. And that
>>>> works fine. But emails sent from "test.de" to us are encrypted with
>>>> our domain certificate. I imported our certificate only under
>>>> "Certificates", is this OK?
>>>
>>> Are you absolutely certain that you imported the certificate *and* 
>>> private key? (i.e., imported a password protected p12 or pfx file)
>>>
>>>
>>>> But CipherMail does not decrypt emails sent to us. Must I select our
>>>> certificate under our domain in CipherMail as you described below?
>>>
>>> Incoming email will be decrypted automatically if the recipient domain is set as an "Internal" domain *and* if there is a private key on the gateway which can be used to decrypt the email.
>>>
>>> So
>>>
>>> 1. Check if there is a valid private key available
>>> 2. Check if your domain is configured as an Internal domain (i.e.,
>>>    locality is set to "Internal")
>>>
>>> Kind regards,
>>>
>>> Martijn Brinkers
>>>
>>>
>>>> -----Original Message-----
>>>> From: Users [mailto:users-bounces at lists.ciphermail.com] On Behalf Of Martijn Brinkers via Users
>>>> Sent: Monday, 3 December 2018 09:40
>>>> To: users at lists.ciphermail.com
>>>> Subject: Re: [CipherMail User] S/Mime domain certificate
>>>>
>>>> On 30-11-18 13:09, Weppert Juergen via Users wrote:
>>>>> how can I use S/Mime encryption/decryption with a domain
>>>>> certificate but only with one external partner (other domain)?
>>>>> Emails to other recipients must be encrypted with their personal 
>>>>> S/Mime certificate.
>>>>
>>>> I assume you are talking about using a domain certificate for the 
>>>> external domain? (and not a domain certificate for signing).
>>>>
>>>> If so, you need to add the external domain, then on the domain 
>>>> settings select "S/MIME -> encryption certificates" and select the 
>>>> certificate you want to use for that external domain.
>>>>
>>>> Kind regards,
>>>>
>>>> Martijn Brinkers
>>>>
>>>> -- CipherMail email encryption
>>>>
>>>> Email encryption with support for S/MIME, OpenPGP, PDF encryption 
>>>> and secure webmail pull. 
>>>> _______________________________________________
>>>> Users mailing list Users at lists.ciphermail.com 
>>>> https://lists.ciphermail.com/mailman/listinfo/users
>>>>

-- 
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
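
An added example (not part of the original message and not CipherMail code): the gateway does not log which certificate decrypted a message, but the "decryption key not found" warning quoted in this thread does name the CMS recipient the mail was encrypted to. The script below correlates that warning with the strict-mode line for the same MailID; the field layout of the recipient entry is an assumption read off the quoted log line, and only a single recipient entry is handled.

```python
import re

# Constructed sample: MPA log lines modelled on the ones quoted in this thread,
# unwrapped to one entry per line; the recipient address is a placeholder.
SAMPLE_LOG = """\
03 Dec 2018 10:45:38 | INFO "S/MIME strict mode" is enabled for the recipient(s); MailID: 63aa8793-84c2-470d-9322-1378313de4a7; Recipients: [user@example.com] (mitm.application.djigzo.james.mailets.Default) [Spool Thread #2]
03 Dec 2018 10:45:38 | WARN S/MIME decryption key not found; MailID: 63aa8793-84c2-470d-9322-1378313de4a7; Message: A suitable decryption key could not be found. CMS Recipients: CN=evp.mediakom-online.de, OU=IT, O=MediaKom GmbH, L=Aschau, ST=Bayern, C=DE/92D94935F132BCB//1.2.840.113549.1.1.1 (mitm.common.security.smime.handler.SMIMEHandler) [Spool Thread #2]
03 Dec 2018 10:45:39 | INFO To internal recipient(s); MailID: 11111111-2222-3333-4444-555555555555; Recipients: [user@example.com] (mitm.application.djigzo.james.mailets.Default) [Spool Thread #1]
"""

MAIL_ID = re.compile(r"MailID: ([0-9a-f-]{36})")
# Assumed layout of a recipient entry: issuer DN / serial (hex) / third field
# (empty in the thread's log) / key algorithm OID.
CMS_RCPT = re.compile(
    r"CMS Recipients: (?P<issuer>.+?)/(?P<serial>[0-9A-Fa-f]+)/[^/]*/(?P<oid>[\d.]+) \(")
OID_NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption"}


def failed_decryptions(log_text):
    """Return one record per 'decryption key not found' warning."""
    strict, failures = set(), []
    for line in log_text.splitlines():
        m = MAIL_ID.search(line)
        if not m:
            continue
        mail_id = m.group(1)
        if '"S/MIME strict mode" is enabled' in line:
            strict.add(mail_id)
        elif "S/MIME decryption key not found" in line:
            r = CMS_RCPT.search(line)
            failures.append({
                "mail_id": mail_id,
                "issuer": r["issuer"] if r else None,
                "serial": r["serial"].upper() if r else None,
                "key_alg": OID_NAMES.get(r["oid"], r["oid"]) if r else None,
            })
    # Strict mode is matched after the scan so line order does not matter.
    for f in failures:
        f["strict_mode"] = f["mail_id"] in strict
    return failures


if __name__ == "__main__":
    for f in failed_decryptions(SAMPLE_LOG):
        print(f)
```

A record with `strict_mode` set and an issuer that is the domain certificate points at the situation described in the 3 December reply: the domain certificate has not been selected under the domain's "S/MIME -> encryption certificates".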

