CipherMail decryption Milter; Postfix Milter order

Gateway
1

Hello,

okay so, I am currently trying to get CipherMail to work with rspamd and having Problems with the Milter execution order and CipherMails decryption Milter.

When an E-Mail arrives from the Internet, it should go this route:
Internet → Firewall → Postfix → CipherMail Decryption Milter → rspamd Milter → Postfix → Mail Server

When an E-Mail gets send by an internal user, it should go this route:
Mail Server → Postfix → rspamd Milter → CipherMail Content-Scanner → Postfix → Firewall → Internet

In both cases, the bold and italiacs text is the CipherMail Gateway Server.

As you can see, my general Plan is it, to have just one Gateway Server, which uses both CipherMail to Encrypt and Decrypt Mails and apply DKIM and rspamd to scan them for spam and viruses.

Now, if rspamd rejects a message, I want the Postfix Server to answer with a SMTP 500 or 400 response code to the originating Server. But if a message is encrypted, it needs to be decrypted before the scan, so it has to go through CipherMail first.
The Problem with that is, that, as far as my understanding goes, Content-Scanners are not able to reject Mails with an SMTP respose code. Instead they have to use a bounce message, which is less than ideal. Additionally Milters always go before Content-Scanners. That means, that for incomming messages rspamd runs before CipherMail, which is less than ideal as well.

I read here, that there is a decryption only Milter from CipherMail for exactly this case, but how do I implement it? I’ve found no documentation about the Milter besides of this one paragraph I just linked.

Another Problem is the Milter Order. So far I haven’t found out, how to specifiy the order Milters run in. Also, I should Probably skip the CipherMail Content-Scanner for incomming Mails, since they get served by the decryption Milter… so thats also something I’ve to figure out. But one thing after another:

first, how do I implement the CipherMail decryption Milter?
after that, how can I tell Postfix the order for the Milters?
and finally, how can I tell Postfix to bypass the Content-Scanner for outgoing Mails?

And yes, the latter 2 questions are probably for Postfix and not for CipherMail, so the first one is the important one.

2

First some background information about before queue versus after queue filters.

Typically the CipherMail encryption/decryption back-end is configured as a postfix after queue filter. What this means is that the back-end handles the message after postfix has accepted the email.

An after queue filter provides flexibility and has good performance. An after queue filter for example supports one message in, multiple messages out, whereas a before queue filter (like a milter) only supports one message in, one message out.

A before queue filter is not suitable for encrypting email in general because of one message in, one message out. The CipherMail gateway supports multiple encryption options, S/MIME, PGP, PDF encryption etc. If for example an email is sent to two recipients and one recipients has a valid S/MIME certificate and the other one has a PGP key, two encrypted emails will be sent. One encrypted with S/MIME and the other encrypted with PGP.

A problem with an after queue filter is that you cannot bounce the email at SMTP level, i.e., before the email is accepted. If you want to bounce an email in an after queue filter, you need to send a Non Delivery Report (NDR). Sending an NDR should be avoided because the NDRs are considered to be Backscatter (email) - Wikipedia which might lead to your server being blacklisted.

The problem with encrypted email is that you cannot scan the email for spam and viruses. You therefore first need to decrypt the email before you can scan. If decryption is done in an after queue filter, the email was already accepted and should therefore not be bounced but be placed in quarantine or, in case of a virus or spam score 100%, deleted.

This works in the general case. However, we have been told that there is a German law (for which I do not know the details) that says that you are not allowed to silently drop an email once the email is accepted (with the exception of email that might harm your system like a virus).

If you need to scan the content of an encrypted email before accepting the email so you can properly bounce the email at SMTP level, you need to decrypt and scan the email in a before queue filter (typically a milter).

The professional edition of the CipherMail gateway has support for a after queue decryption milter. This however is not part of the community edition.

As far as we know, postfix handles the milters in the order as they are defined. You therefore need to make sure that any decryption milter is configured before the rspmd milter.

1 Like
3

However, we have been told that there is a German law […] that says that you are not allowed to silently drop an email once the email is accepted

This, in fact, does apply to my case, since I am in Germany.

The professional edition of the CipherMail gateway has support for a after queue decryption milter.

After queue Milter also doesn’t sound like its helping in this case. Or was this is typo and you meant before queue Milter? Otherwise, what would even be the point of the Decryption Milter, if its after queue?

4

The professional edition of the CipherMail gateway has support for a after queue decryption milter.

After queue Milter also doesn’t sound like its helping in this case. Or was this is typo and you meant before queue Milter? Otherwise, what would even be the point of the Decryption Milter, if its after queue?

Yes you are right, this was a typo. Should have been before queue milter.