Double encryption?

Working through a new installation using the community edition packages.

I noticed if I sent a message that is encrypted at the client, ciphermail will encrypt that message again and the original message is sent as an attachment.

I also noticed if I send a message from a host using something like mailx, the body of the message is never included in the email.

Sending from a client and allowing ciphermail to do the encryption seems to work fine.

Also noticing this error in the logs:

_sasl_plugin_load failed on sasl_canonuser_init

Jul 14 20:27:31 cmx01.la1.clx.corp postfix/smtp[2250]: ldapdb

A little confusing because I’m not using ldap.

Thanks!

On Thu, 2021-07-15 at 01:13 -0400, Jeremy Hansen via Users wrote:

> I noticed if I sent a message that is encrypted at the client,
> ciphermail will encrypt that message again and the original message
> is sent as an attachment.

What type of encryption is applied at the client side and what
encryption is applied server side?

> I also noticed if I send a message from a host using something like
> mailx, the body of the message is never included in the email.

What do you mean with "the body of the message is never included in the
email"?

Kind regards,

Martijn Brinkers

--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger

> On Jul 20, 2021, at 7:56 AM, Martijn Brinkers via Users <users(a)lists.ciphermail.com> wrote:
>
>> On Thu, 2021-07-15 at 01:13 -0400, Jeremy Hansen via Users wrote:
>> I noticed if I sent a message that is encrypted at the client,
>> ciphermail will encrypt that message again and the original message
>> is sent as an attachment.
>
> What type of encryption is applied at the client side and what
> encryption is applied server side?

PGP on both sides.

>> I also noticed if I send a message from a host using something like
>> mailx, the body of the message is never included in the email.
>
> What do you mean with "the body of the message is never included in the
> email"?

echo test | mail -s Test jeremy(a)losangelesrecording.com

The message comes through encrypted but I don’t see “test” in the body of the email.

Thank you!

Here’s the full headers of my message:

Return-Path: <jeremy(a)coldlogix.com>
Delivered-To: jeremy(a)losangelesrecording.com
Received: from mx1.la1.clx.corp
  by mx1.la1.clx.corp with LMTP
  id 0eMYEMQX+mD9BAIAzivOYw
  (envelope-from <jeremy(a)coldlogix.com>)
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:40 -0700
Received: from localhost (localhost [127.0.0.1])
  by mx1.la1.clx.corp (Postfix) with ESMTP id E5761412E05
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:39 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.la1.clx.corp E5761412E05
X-Virus-Scanned: amavisd-new at coldlogix.com
Received: from smtp.coldlogix.com ([127.0.0.1])
  by localhost (smtp.coldlogix.com [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id 3RyMjMJsZQrY for <jeremy(a)losangelesrecording.com>;
  Thu, 22 Jul 2021 18:13:36 -0700 (PDT)
Received: from smtp.coldlogix.com (cmx01.la1.clx.corp [192.168.30.23])
  by mx1.la1.clx.corp (Postfix) with ESMTPS id 6F1F74C3589
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:28 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.la1.clx.corp 6F1F74C3589
Received: from cmx01.la1.clx.corp (localhost [127.0.0.1])
  by smtp.coldlogix.com (CipherMail) with ESMTP id 4GWBCX1P3Rz2SSxp
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:28 -0700 (PDT)
Received: from mail.subtraverse.net (netman.subtraverse.intra [192.168.10.10])
  by smtp.coldlogix.com (CipherMail) with ESMTP id 4GWBCW49cKz2SSxp
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:27 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
  by mail.subtraverse.net (Postfix) with ESMTP id 5C3F2146F9E
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:27 -0700 (PDT)
Received: from mail.subtraverse.net ([127.0.0.1])
  by localhost (mail.subtraverse.net [127.0.0.1]) (amavisd-new, port 10024)
  with LMTP id mmNPq8Z2mIx2 for <jeremy(a)losangelesrecording.com>;
  Thu, 22 Jul 2021 18:13:26 -0700 (PDT)
Received: from smtpclient.apple (unknown [10.10.10.2])
  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
  (No client certificate requested)
  by mail.subtraverse.net (Postfix) with ESMTPSA id 55C27146F9C
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:26 -0700 (PDT)
Date: Thu, 22 Jul 2021 21:13:25 -0400
From: Jeremy Hansen <jeremy(a)coldlogix.com>
To: jeremy(a)losangelesrecording.com
Message-ID: <7ECACFC9-40EB-4080-A8A8-69C9AE105155(a)coldlogix.com>
Subject: Test
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
  boundary="----=_Part_8_1019438032.1627002808114"
X-Virus-Scanned: amavisd-new at subtraverse.net
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.subtraverse.net 55C27146F9C
X-Mailer: Apple Mail (2.3654.100.0.2.22)
X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,ENCRYPTED_MESSAGE
  autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mx1.la1.clx.corp

------=_Part_8_1019438032.1627002808114
Content-Type: application/pgp-encrypted
Content-Transfer-Encoding: 7bit
Content-Description: PGP/MIME version identification

Version: 1

------=_Part_8_1019438032.1627002808114
Content-Type: application/octet-stream; name=encrypted.asc
Content-Transfer-Encoding: 7bit
Content-Description: OpenPGP encrypted message
Content-Disposition: inline; filename="encrypted.asc"

-----BEGIN PGP MESSAGE-----
Version: CipherMail (5.0.4)
-----END PGP MESSAGE-----

------=_Part_8_1019438032.1627002808114--

The message is being encrypted initially on the client side using Apple Mail and the GPG Suite plugin for macOS.

Here is my postfix configuration on the ciphermail host:

djigzo_myhostname = smtp.coldlogix.com
djigzo_mydestination =
djigzo_mynetworks = 192.168.10.0/24, 192.168.50.0/24, 192.168.100.0/24, 192.168.200.0/24, 192.168.30.0/24, 10.10.10.0/27
djigzo_relayhost = mx1.la1.clx.corp
djigzo_relayhost_mx_lookup =
djigzo_relayhost_port = 25
djigzo_relay_domains = losangelesrecording.com
djigzo_before_filter_message_size_limit = 0
djigzo_calculated_after_filter_message_size_limit = 0
djigzo_after_filter_message_size_limit = ${djigzo_calculated_after_filter_message_size_limit}
djigzo_mailbox_size_limit = 512000000
djigzo_smtp_helo_name = smtp.coldlogix.com
djigzo_relay_transport_host = mx1.la1.clx.corp
djigzo_relay_transport_host_mx_lookup =
djigzo_relay_transport_host_port = 25
djigzo_reject_unverified_recipient =
djigzo_unverified_recipient_reject_code = 450
djigzo_parent_domain_matches_subdomains = relay_domains
djigzo_rbl_clients =
djigzo_calculated_queue_minfree = 0
myhostname = ${djigzo_myhostname}
mydestination = ${djigzo_mydestination}
mynetworks = 127.0.0.0/8, [::1]/128, ${djigzo_mynetworks}
relay_domains = ${djigzo_relay_domains}
parent_domain_matches_subdomains = ${djigzo_parent_domain_matches_subdomains}
smtp_helo_name = ${djigzo_smtp_helo_name?$djigzo_smtp_helo_name}${djigzo_smtp_helo_name:${myhostname}}
relay_transport = relay${djigzo_relay_transport_host?:${djigzo_relay_transport_host_mx_lookup:[}${djigzo_relay_transport_host}${djigzo_relay_transport_host_mx_lookup:]}:${djigzo_relay_transport_host_port}}
relayhost = ${djigzo_relayhost_mx_lookup:${djigzo_relayhost?[}}${djigzo_relayhost}${djigzo_relayhost_mx_lookup:${djigzo_relayhost?]}}${djigzo_relayhost?:${djigzo_relayhost_port}}
smtpd_recipient_restrictions = permit_mynetworks reject_unauth_destination
    ${djigzo_rbl_clients}
    ${djigzo_reject_unverified_recipient? reject_unverified_recipient}
unverified_recipient_reject_code = ${djigzo_unverified_recipient_reject_code}
smtpd_discard_ehlo_keywords = silent-discard, dsn, etrn
smtpd_etrn_restrictions = reject
local_transport = error:local mail delivery is disabled
local_recipient_maps =
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
message_size_limit = ${djigzo_after_filter_message_size_limit}
mailbox_size_limit = ${djigzo_mailbox_size_limit}
queue_minfree = ${djigzo_calculated_queue_minfree}
smtpd_authorized_xforward_hosts = 127.0.0.1/32
content_filter = djigzo:[127.0.0.1]:10025

smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.pem
smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
smtpd_tls_security_level = may
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
tls_preempt_cipherlist = yes
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_mandatory_protocols = $smtpd_tls_protocols
smtpd_tls_exclude_ciphers = AESCCM8, aNULL, ARIA, DES, DSS, eNULL, EXPORT, IDEA, MD5, PSK, RC4, SEED
smtp_tls_CAfile = /etc/pki/ca-trust/extracted/pem/ColdLogixCA-chain.pem
smtp_tls_security_level = may
smtp_tls_loglevel = 1
smtp_tls_protocols = $smtpd_tls_protocols
smtp_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
smtp_tls_exclude_ciphers = $smtpd_tls_exclude_ciphers
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_client_passwd
smtp_sasl_type = cyrus
smtp_sasl_security_options =
mail_name = CipherMail
smtpd_banner = $myhostname ESMTP $mail_name
append_dot_mydomain = no
biff = no
recipient_delimiter = +
notify_classes =
enable_long_queue_ids = yes
smtp_address_preference = ipv4

and master.cf:

smtp inet n - n - - smtpd
            -o message_size_limit=${djigzo_before_filter_message_size_limit}
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
        -o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
djigzo unix - - n - 4 smtp
            -o smtp_send_xforward_command=yes
            -o disable_dns_lookups=yes
            -o smtp_generic_maps=
cleanup_reinject unix n - n - 0 cleanup
            -o hopcount_limit=100
127.0.0.1:10026 inet n - n - 10 smtpd
            -o content_filter=
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
            -o smtpd_helo_restrictions=
            -o smtpd_client_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o smtpd_tls_security_level=
            -o mynetworks=127.0.0.0/8
            -o smtpd_authorized_xforward_hosts=127.0.0.0/8
            -o smtpd_authorized_xclient_hosts=127.0.0.0/8
            -o cleanup_service_name=cleanup_reinject
smtps inet n - y - - smtpd
            -o content_filter=
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
            -o smtpd_helo_restrictions=
            -o smtpd_client_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o smtpd_tls_security_level=
            -o mynetworks=127.0.0.0/8
            -o smtpd_authorized_xforward_hosts=127.0.0.0/8
            -o smtpd_authorized_xclient_hosts=127.0.0.0/8
            -o cleanup_service_name=cleanup_reinject
submission inet n - y - - smtpd
            -o content_filter=
            -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks,no_milters
            -o smtpd_helo_restrictions=
            -o smtpd_client_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o smtpd_tls_security_level=
            -o mynetworks=127.0.0.0/8
            -o smtpd_authorized_xforward_hosts=127.0.0.0/8
            -o smtpd_authorized_xclient_hosts=127.0.0.0/8
            -o cleanup_service_name=cleanup_reinject
127.0.0.1:10027 inet n - n - 10 smtpd
            -o smtpd_helo_restrictions=
            -o smtpd_client_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject
            -o smtpd_tls_security_level=
            -o mynetworks=127.0.0.0/8
            -o syslog_name=postfix/10027
            -o message_size_limit=${djigzo_before_filter_message_size_limit}

All settings from the Ciphermail interface are set up with “inherit” for all the options.

Using version 5.0.4:

rpm -qa | grep djig
djigzo-web-5.0.4-1.noarch
djigzo-5.0.4-1.noarch

Mail is set to relay to another postfix host for its final destination.

-jeremy

Any clues on this?

-jeremy

On Jul 22, 2021, at 7:26 PM, Jeremy Hansen via Users <users(a)lists.ciphermail.com> wrote:

Here’s the full headers of my message:

Return-Path: <jeremy(a)coldlogix.com>
Delivered-To: jeremy(a)losangelesrecording.com
Received: from mx1.la1.clx.corp
  by mx1.la1.clx.corp with LMTP
  id 0eMYEMQX+mD9BAIAzivOYw
  (envelope-from <jeremy(a)coldlogix.com>)
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:40 -0700
Received: from localhost (localhost [127.0.0.1])
  by mx1.la1.clx.corp (Postfix) with ESMTP id E5761412E05
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:39 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.la1.clx.corp E5761412E05
X-Virus-Scanned: amavisd-new at coldlogix.com
Received: from smtp.coldlogix.com ([127.0.0.1])
  by localhost (smtp.coldlogix.com [127.0.0.1]) (amavisd-new, port 10024)
  with ESMTP id 3RyMjMJsZQrY for <jeremy(a)losangelesrecording.com>;
  Thu, 22 Jul 2021 18:13:36 -0700 (PDT)
Received: from smtp.coldlogix.com (cmx01.la1.clx.corp [192.168.30.23])
  by mx1.la1.clx.corp (Postfix) with ESMTPS id 6F1F74C3589
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:28 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.la1.clx.corp 6F1F74C3589
Received: from cmx01.la1.clx.corp (localhost [127.0.0.1])
  by smtp.coldlogix.com (CipherMail) with ESMTP id 4GWBCX1P3Rz2SSxp
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:28 -0700 (PDT)
Received: from mail.subtraverse.net (netman.subtraverse.intra [192.168.10.10])
  by smtp.coldlogix.com (CipherMail) with ESMTP id 4GWBCW49cKz2SSxp
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:27 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
  by mail.subtraverse.net (Postfix) with ESMTP id 5C3F2146F9E
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:27 -0700 (PDT)
Received: from mail.subtraverse.net ([127.0.0.1])
  by localhost (mail.subtraverse.net [127.0.0.1]) (amavisd-new, port 10024)
  with LMTP id mmNPq8Z2mIx2 for <jeremy(a)losangelesrecording.com>;
  Thu, 22 Jul 2021 18:13:26 -0700 (PDT)
Received: from smtpclient.apple (unknown [10.10.10.2])
  (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
  (No client certificate requested)
  by mail.subtraverse.net (Postfix) with ESMTPSA id 55C27146F9C
  for <jeremy(a)losangelesrecording.com>; Thu, 22 Jul 2021 18:13:26 -0700 (PDT)
Date: Thu, 22 Jul 2021 21:13:25 -0400
From: Jeremy Hansen <jeremy(a)coldlogix.com>
To: jeremy(a)losangelesrecording.com
Message-ID: <7ECACFC9-40EB-4080-A8A8-69C9AE105155(a)coldlogix.com>
Subject: Test
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
  boundary="----=_Part_8_1019438032.1627002808114"
X-Virus-Scanned: amavisd-new at subtraverse.net
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.subtraverse.net 55C27146F9C
X-Mailer: Apple Mail (2.3654.100.0.2.22)
X-Spam-Status: No, score=-2.0 required=5.0 tests=ALL_TRUSTED,ENCRYPTED_MESSAGE
  autolearn=ham autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on mx1.la1.clx.corp

------=_Part_8_1019438032.1627002808114
Content-Type: application/pgp-encrypted
Content-Transfer-Encoding: 7bit
Content-Description: PGP/MIME version identification

Version: 1

------=_Part_8_1019438032.1627002808114
Content-Type: application/octet-stream; name=encrypted.asc
Content-Transfer-Encoding: 7bit
Content-Description: OpenPGP encrypted message
Content-Disposition: inline; filename="encrypted.asc"

Content-Type: multipart/encrypted;
  boundary="Apple-Mail=_7D9B459F-746A-4970-8672-402CD4581A22";
  protocol="application/pgp-encrypted"

This is an OpenPGP/MIME encrypted message (RFC 2440 and 3156)
--Apple-Mail=_7D9B459F-746A-4970-8672-402CD4581A22
Content-Transfer-Encoding: 7bit
Content-Type: application/pgp-encrypted
Content-Description: PGP/MIME Versions Identification

Version: 1

--Apple-Mail=_7D9B459F-746A-4970-8672-402CD4581A22
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
  filename=encrypted.asc
Content-Type: application/octet-stream;
  name=encrypted.asc
Content-Description: OpenPGP encrypted message

-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----

--Apple-Mail=_7D9B459F-746A-4970-8672-402CD4581A22--

------=_Part_8_1019438032.1627002808114--

By default, the gateway does not check whether the message is already
PGP encrypted and therefore it will be double encrypted if the gateway
has a valid PGP key for the recipient.

The reason there is no check for an already encrypted PGP message is that
checking this for PGP is not always easy/reliable. With PGP/Inline, you
cannot reliably detect whether every part of the email is encrypted.
For example, how should the gateway react if some MIME part is encrypted
or not but the other parts are not? With PGP/Inline, it's also hard to
detect whether a MIME part is really encrypted or not.

For example, is the following part encrypted? Or is it just an example
of an encrypted inline part which is not valid:

-----BEGIN PGP MESSAGE-----
BLABLA
-----END PGP MESSAGE-----

With PGP/Inline you can have mixed content, i.e., some parts of the
body are encrypted and some parts are not.

Checking PGP/MIME is easier because there is a clear and distinct
content type. You might add a check which checks the content type for
PGP/MIME encryption and skip further handling.

Why has this not been added? Various reasons, historical and the fact
that this has never been requested. If you want to support encryption
on the desktop and on the gateway, the best would be to not add a valid
key for the recipient on the gateway.

That said, you can add the following snippet to config.xml to skip
further encryption if the message is already PGP/MIME encrypted (to be
precise, if the content type contains a specific protocol value).

Add the following check just below the existing "message is already
S/MIME encrypted" part (add to config.xml):

            <!-- Skip gateway encryption when the Content-Type header already declares PGP/MIME -->
            <mailet match="HeaderValueRegEx=matchOnError=false,content-type=(?i)protocol=&quot;application/pgp-encrypted&quot;" class="GotoProcessor">
                <log> message is already PGP/MIME encrypted </log>
                <processor> dkim-sign </processor>
            </mailet>

After adding the above snippet, the back-end should be restarted.

Kind regards,

Martijn Brinkers

--
CipherMail email encryption
Email encryption with support for S/MIME,
OpenPGP, PDF Messenger and Webmail Messenger
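
The difference described in the reply above, as an added Python example (not CipherMail code and not part of the original posts): PGP/MIME is decided from the top-level Content-Type alone, while PGP/Inline needs every part inspected, and even then only the armor syntax can be checked. The sample messages, the helper names and the verdict labels are constructed for illustration, and it assumes the gateway rule applies its regex to the Content-Type header value.

```python
import base64
import binascii
import re
from email import message_from_string

# Regex from the config.xml snippet; assumed to run on the Content-Type header value.
GATEWAY_REGEX = re.compile(r'(?i)protocol="application/pgp-encrypted"')
ARMOR = re.compile(
    r"-----BEGIN PGP MESSAGE-----\r?\n(.*?)\r?\n-----END PGP MESSAGE-----", re.S)


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (the '=XXXX' line of an armor block)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def make_armor(data: bytes) -> str:
    """Wrap constructed bytes in syntactically valid armor (sample data, not ciphertext)."""
    body = base64.b64encode(data).decode()
    check = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP MESSAGE-----\n\n{body}\n={check}\n-----END PGP MESSAGE-----"


def armor_is_well_formed(block: str) -> bool:
    """Syntax only: base64 body, CRC-24 matches if present, first octet is a packet tag."""
    lines = [ln.strip() for ln in block.splitlines()]
    while lines and (lines[0] == "" or re.match(r"[A-Za-z]+: ", lines[0])):
        lines.pop(0)  # armor headers such as "Version: ..." and the blank separator
    checksum = lines.pop()[1:] if lines and lines[-1].startswith("=") else None
    try:
        data = base64.b64decode("".join(lines), validate=True)
        if checksum is not None:
            if base64.b64decode(checksum, validate=True) != crc24(data).to_bytes(3, "big"):
                return False
    except binascii.Error:
        return False
    return bool(data) and bool(data[0] & 0x80)  # bit 7 is set in every packet tag


def part_verdict(text: str) -> str:
    """Verdict for one leaf MIME part: clear, marker-only, mixed or armored."""
    found = ARMOR.search(text)
    if not found:
        return "clear"
    if not armor_is_well_formed(found.group(1)):
        return "marker-only"  # looks like armor, e.g. the BLABLA example, but is not
    outside = (text[:found.start()] + text[found.end():]).strip()
    return "mixed" if outside else "armored"


def classify(raw: str) -> str:
    """Classify a whole message; only the PGP/MIME case is decidable from one header."""
    msg = message_from_string(raw)
    protocol = str(msg.get_param("protocol") or "").lower()
    if msg.get_content_type() == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-mime"
    verdicts = {
        part_verdict(part.get_payload(decode=True).decode("utf-8", "replace"))
        for part in msg.walk() if not part.is_multipart()
    }
    if verdicts == {"armored"}:
        return "inline-encrypted"
    if "armored" in verdicts or "mixed" in verdicts:
        return "inline-mixed"
    return "armor-markers-only" if "marker-only" in verdicts else "plain"


def gateway_rule_matches(raw: str) -> bool:
    """What a header-regex rule can see: the top-level Content-Type, nothing else."""
    return bool(GATEWAY_REGEX.search(str(message_from_string(raw).get("Content-Type", ""))))


# Constructed samples. PGP_MIME reuses the Content-Type header shown in the thread.
PGP_MIME = (
    'Subject: Test\nMIME-Version: 1.0\n'
    'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";\n'
    '  boundary="b1"\n\n'
    '--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n'
    '--b1\nContent-Type: application/octet-stream\n\n(ciphertext omitted)\n--b1--\n'
)
FAKE_PACKET = bytes([0xC1, 0x03]) + b"not real ciphertext"  # constructed, tag bit set
INLINE_FAKE = "Subject: Test\n\n-----BEGIN PGP MESSAGE-----\nBLABLA\n-----END PGP MESSAGE-----\n"
INLINE_FULL = "Subject: Test\n\n" + make_armor(FAKE_PACKET) + "\n"
INLINE_MIXED = (
    'Content-Type: multipart/mixed; boundary="b2"\n\n'
    "--b2\nContent-Type: text/plain\n\n" + make_armor(FAKE_PACKET) + "\n"
    "--b2\nContent-Type: text/plain\n\nthis part is in the clear\n--b2--\n"
)

if __name__ == "__main__":
    for name in ("PGP_MIME", "INLINE_FAKE", "INLINE_FULL", "INLINE_MIXED"):
        raw = globals()[name]
        print(f"{name:13} classify={classify(raw):19} gateway rule={gateway_rule_matches(raw)}")
```

The header rule fires only for the PGP/MIME sample; the inline samples pass through it unchanged, so a gateway holding a valid key for the recipient would still encrypt them again.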

Thank you for the help. It’s much appreciated. Seems to be working so far.

-jeremy
