2 questions on encrypt mode and crl distribution

Hi,

I've got 2 questions:

Issue 1:

I set up my evaluation scenario with the following values for my internal
domain as well as global settings:
encrypt mode: allow
password - send to originator: true
pdf encryption: true

Given the case that I'm sending an email without the trigger in the subject
line from an internal address to an external address, I'd like Djigzo to:
- encrypt the email if there is an encryption certificate available for the
given external address
- send the email unencrypted if there is no certificate available
PDF encryption shall only be used if there is the trigger in the subject
line but no certificate available. With the settings mentioned above, unknown
external addresses receive an encrypted PDF.

In other words: how to automatically encrypt emails if there is a
certificate available and only use PDF encryption if the trigger is used?

Issue 2:
Is there a feature to publish CRLs automatically upon creation or is it
necessary to copy CRLs manually (or scripted) to the specified URL
distribution point?

Many thanks in advance!

Kind regards,
Bernhard

Hi Bernhard,

> In other words: how to automatically encrypt emails if there is a
> certificate available and only use PDF encryption if the trigger is
> used?

This is currently not possible 'out of the box'. It is however possible
to manually modify an XML file containing the mail handling rules. You
can for example add a trigger specifically for PDF encryption. I can
send you some documentation on what to add to the config.xml file to
trigger PDF encryption with a subject trigger.

If you want you can add a feature request to JIRA to have this option
added to the gateway.

https://jira.djigzo.com/secure/Dashboard.jspa

> Is there a feature to publish CRLs automatically upon creation or is it
> necessary to copy CRLs manually (or scripted) to the specified URL
> distribution point?

Currently the new CRL is not published automatically. The reason for
this is that the procedure for publishing the CRL is completely
different for every client. I could add a publish API that allows you to
write or modify a Bash script which will be executed when a new CRL is
available.

Kind regards,

Martijn

On 12/20/2010 01:30 PM, Bernhard Heinzle wrote:

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users

--
Djigzo open source email encryption

Hi Martijn,

Many thanks for your advice.

> This is currently not possible 'out of the box'. It is however possible
> to manually modify an XML file containing the mail handling rules. You
> can for example add a trigger specifically for PDF encryption. I can
> send you some documentation on what to add to the config.xml file to
> trigger PDF encryption with a subject trigger.

I'd appreciate it if you could send me this documentation.

I've got a further question about encryption mode:
Is there a way to automatically reject incoming unencrypted email, so
that only encrypted emails are processed and forwarded?

Kind regards,
Bernhard

Hi Bernhard,

> > This is currently not possible 'out of the box'. It is however
> > possible to manually modify an XML file containing the mail
> > handling rules. You can for example add a trigger specifically for
> > PDF encryption. I can send you some documentation on what to add to
> > the config.xml file to trigger PDF encryption with a subject
> > trigger.
>
> I'd appreciate it if you could send me this documentation.

By adding the following lines to the configuration file
/usr/share/djigzo/conf/james/SAR-INF/config.xml PDF encryption will be
skipped if the subject trigger is not specified:

<mailet match="MailAttributeEvaluator=matchOnError=false,#{runtime.mustEncrypt}!='true'"
        class="GotoProcessor">
    <processor> checkMustEncrypt </processor>
</mailet>

The above lines should be added at the start of the checkPDFEncrypt
processor:

<processor name="checkPDFEncrypt">
    <mailet match="All" class="Log">
        <comment> checkPDFEncrypt </comment>
    </mailet>

    <!-- only PDF encrypt when the subject trigger is set -->

    <mailet match="MailAttributeEvaluator=matchOnError=false,#{runtime.mustEncrypt}!='true'"
            class="GotoProcessor">
        <processor> checkMustEncrypt </processor>
    </mailet>

    <mailet match="SenderEvaluateUserProperty=matchOnError=true,#{user.pdf.encryptionAllowed}!='true'"
            class="GotoProcessor">
        <log> Sender PDF encryption is not allowed </log>
        <processor> checkMustEncrypt </processor>
    </mailet>

    <!-- the remaining mailets of the existing checkPDFEncrypt processor follow unchanged -->
</processor>

I have attached the complete config.xml with these changes. You can
replace the existing config.xml with this new version if you are using
Djigzo version 1.4.0 or 1.4.1 (make sure you create a copy of the
existing config.xml).

The easiest way to copy the new config.xml to Djigzo depends on your
client system. If using Linux, you can use SSH, or use vi to change the
config.xml file yourself. If using Windows, the easiest would be to
install WinSCP (http://winscp.net/eng/index.php).

> I've got a further question about encryption mode:
> Is there a way to automatically reject incoming unencrypted email, so
> that only encrypted emails are processed and forwarded?

That depends on what you mean by reject. The Djigzo encryption engine
functions as an after-queue filter. That means that the message is
already accepted by the MTA before the encryption engine handles the
email. The message can therefore not be rejected before acceptance. The
message can only be 'bounced' back (i.e., a message that reports that
the message was not encrypted).

Kind regards,

Martijn

config.xml (79.6 KB)

On 01/07/2011 12:34 PM, Bernhard Heinzle wrote:
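After editing config.xml by hand as described above, a quick check that the new GotoProcessor guard is actually in place and the file still parses is worth having. This is an added example, not code from the thread or from Djigzo; the minimal config excerpt it builds for demonstration is constructed.

```python
"""Post-edit check for the config.xml change above (added example, not part of
the thread or of Djigzo): confirm the file is well-formed XML and that the
checkPDFEncrypt processor starts, after its Log mailet, with the GotoProcessor
guard, so PDF encryption is skipped when runtime.mustEncrypt is not 'true'."""
import sys
import xml.etree.ElementTree as ET

GUARD_MATCHER = "MailAttributeEvaluator=matchOnError=false,#{runtime.mustEncrypt}!='true'"


def pdf_trigger_guard_ok(config_xml):
    """Return (ok, reason) for the given config.xml text."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError as exc:
        return False, f"config.xml is not well-formed: {exc}"
    # <processor> also occurs as a child of GotoProcessor mailets; the
    # definition we want is the one carrying the name attribute.
    proc = next((p for p in root.iter("processor")
                 if p.get("name") == "checkPDFEncrypt"), None)
    if proc is None:
        return False, "no checkPDFEncrypt processor found"
    mailets = [m for m in proc.findall("mailet") if m.get("class") != "Log"]
    if not mailets:
        return False, "checkPDFEncrypt contains no mailets"
    first = mailets[0]
    if first.get("class") != "GotoProcessor" or first.get("match") != GUARD_MATCHER:
        return False, "first mailet of checkPDFEncrypt is not the mustEncrypt guard"
    target = (first.findtext("processor") or "").strip()
    if target != "checkMustEncrypt":
        return False, f"guard jumps to {target!r}, expected 'checkMustEncrypt'"
    return True, "PDF encryption is gated on the subject trigger"


def sample_config(with_guard):
    """Constructed minimal excerpt in config.xml layout (not a real Djigzo file)."""
    guard = (f'<mailet match="{GUARD_MATCHER}" class="GotoProcessor">'
             '<processor> checkMustEncrypt </processor></mailet>') if with_guard else ""
    return f"""<processors>
  <processor name="checkPDFEncrypt">
    <mailet match="All" class="Log"><comment> checkPDFEncrypt </comment></mailet>
    {guard}
    <mailet match="SenderEvaluateUserProperty=matchOnError=true,#{{user.pdf.encryptionAllowed}}!='true'"
            class="GotoProcessor"><processor> checkMustEncrypt </processor></mailet>
  </processor>
</processors>"""


if __name__ == "__main__":
    # Default path is the one named in the thread; pass another path as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/djigzo/conf/james/SAR-INF/config.xml"
    with open(path, encoding="utf-8") as fh:
        ok, reason = pdf_trigger_guard_ok(fh.read())
    print(("OK: " if ok else "FAIL: ") + reason)
```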

Hi Martijn,

> I have attached the complete config.xml with these changes. You can
> replace the existing config.xml with this new version if you are using
> Djigzo version 1.4.0 or 1.4.1 (make sure you create a copy of the
> existing config.xml).

Many thanks for your great support!
This makes your nice gateway even better! ;-)

> > I've got a further question about encryption mode:
> > Is there a way to automatically reject incoming unencrypted email, so
> > that only encrypted emails are processed and forwarded?
>
> That depends on what you mean by reject. The Djigzo encryption engine
> functions as an after-queue filter. That means that the message is
> already accepted by the MTA before the encryption engine handles the
> email. The message can therefore not be rejected before acceptance. The
> message can only be 'bounced' back (i.e., a message that reports that
> the message was not encrypted).

I'm sorry for not using the right terms. I'd like Djigzo to bounce the
message and notify the sender that emails must be encrypted for the
specific recipient.

Kind regards,
Bernhard

On 11.01.2011 12:18, Martijn Brinkers wrote:

> I'm sorry for not using the right terms. I'd like Djigzo to bounce the
> message and notify the sender that emails must be encrypted for the
> specific recipient.

Do you want this for all incoming messages? You can add a matcher that
detects whether the message is encrypted and, if not, sends a notification
back to the sender. If you really want this, you must be sure that you
block 99.99% of all incoming spam, otherwise you will be sending
notifications to 'fake' users.

Kind regards,

Martijn


Quoting Martijn Brinkers <martijn(a)djigzo.com>:

> > I'm sorry for not using the right terms. I'd like Djigzo to bounce the
> > message and notify the sender that emails must be encrypted for the
> > specific recipient.
>
> Do you want this for all incoming messages? You can add a matcher that
> detects whether the message is encrypted and, if not, sends a notification
> back to the sender. If you really want this, you must be sure that you
> block 99.99% of all incoming spam, otherwise you will be sending
> notifications to 'fake' users.

This discussion came up on another list some time ago. It is useless
to try to enforce encryption at the *receiving* side. If you bounce
the (unencrypted) message, it travels the net two times in clear
instead of only once. Forcing encryption is the job of a gateway at the
*sender* side, so convincing the remote site to use Djigzo would be a
solution....

Regards

Andreas

True words, didn't think about that.

On 12.01.2011 17:13, lst_hoe02(a)kwsoft.de wrote: