Djigzo with Email Client (roundcube) to access Gmail

Hi,

I'm currently accessing Gmail through an email client (roundcube). I would like
my emails to be encrypted and would like to use Djigzo as a Gateway. This is how
it would be:

Email Client -> Djigzo -> Gmail

My current understanding is that I've to add "smtp.gmail.com" under "External
relay host" under MTA config for Djigzo along with username and passwords for
all users. What I don't know are the settings that need to be done at the email
client's end (smtp, pop/imap, port numbers) to be able to access and send emails
through Djigzo.

The DJIGZO gateway only supports the SMTP part. It does provide any POP3
or IMAP functionality. Based on your description it seems you are using
Roundcube as an email client for your email stored on Gmail. So in this
case the DJIGZO gateway will only support outgoing email:

Roundcube -> DJIGZO -> Gmail -> Internet recipient(s)

Since the DJIGZO gateway does *not* provide POP3 or IMAP, decryption of
incoming email cannot be directly handled by the DJIGZO gateway unless
the email is sent by SMTP to the DJIGZO gateway. Support for decryption
"on the fly" requires a POP3 or IMAP proxy that can decrypt email when
it's downloaded.

I can think of three options.

1. Use Fetchmail to download email from Gmail to a local email box. New
email will be downloaded from Gmail and then sent through the gateway
for decryption and after decryption the email is sent to the internal
email from which you can POP3 or IMAP. This is supported out of the box
with the DJIGZO virtual appliance (you should enable Fetchmail support
on the console). Downside of this approach is that the email on Gmail is
more or less duplicated on your own local box.

2. Do the decryption on Roundcube. Seems however that Roundcube does not
yet support S/MIME in the client (it's a planned feature). Some other
webmail clients (like for example Horde) support S/MIME in the client.

3. Use PDF encryption instead of S/MIME. With PDF encryption you can
locally decrypt the file. Downside is that if all your email is PDF
encrypted, opening an email is kind of a burden since you need to
provide a password all the time.

Kind regards,

Martijn

···

On 10/25/2012 11:33 PM, A G wrote:

--
DJIGZO email encryption

> The DJIGZO gateway only supports the SMTP part. It does provide any
> POP3 or IMAP functionality.

What Martijn meant to say is that the DJIGZO gateway does not provide
POP3 or IMAP functionality. He accidentally left out the word "not",
which I hope was obvious, if not, it made the email somewhat hard to
understand :)

dagdag
Christine

···

On 10/26/2012 09:37 AM, Martijn Brinkers wrote:

--
dagdag is just a two character rotation of byebye

Martijn,

Thanks for your inputs. I went ahead with option 3 that you suggested.

I've implemented TLS on the server and enabled pdf encryption instead of S/MIME.
The mail is sent successfully from Roundcube and is also received by the Djigzo
gateway. When it is sent from the gateway, the mail is not getting delivered to
the recipient from the Gmail server. The external user has been added under
"Settings".

Following are the additional lines that I added for TLS in MTA Raw config:

smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_client_passwd
smtp_sasl_type = cyrus
#smtp_tls_CApath = /etc/postfix/certs/
smtp_sasl_security_options =

smtp_tls_CApath = /etc/postfix/certs/
smtpd_tls_cert_file = /etc/postfix/ssl/ssl.pem
smtpd_tls_key_file = /etc/postfix/ssl/ssl.key
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

smtpd_tls_loglevel = 1

smtpd_use_tls = yes
smtpd_tls_auth_only = no

Also, following is what shows up in the "Logs" tab:

status=deferred (conversation with smtp.gmail.com[173.194.76.109] timed out
while receiving the initial server greeting)

Any idea what I might be doing wrong here?

Can you check the following:

1. Check if the "External relay host" on the MTA page is set to:

host: smtp.gmail.com
mx: do not select
port: 587

2. Did you add your Gmail credentials on the sasl passwords page:

Add a new sasl password entry with the following settings:

Server: smtp.gmail.com
Port: 587
Username: YOUR_GMAIL_ADDRESS@gmail.com
Password: YOUR_PASSWORD

Make sure you apply the settings on the SASL passwords page to make the
sasl settings active.

Kind regards,

Martijn Brinkers
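
The raw config quoted above sets TLS for the server side (`smtpd_*`, Roundcube to gateway) but no `smtp_tls_security_level` for the client side (gateway to smtp.gmail.com), and it clears `smtp_sasl_security_options`. The check below is an added example, not part of the original thread or of Djigzo; the finding names and the `HARDENED` variant are assumptions of the example, and it makes no claim about the cause of the timeout in the log.

```python
# Added example: audits the outbound (smtp_*, gateway -> relay host) settings of a
# Postfix main.cf fragment. SAMPLE_CONFIG abridges the lines quoted in the thread.
SAMPLE_CONFIG = """\
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/smtp_client_passwd
#smtp_tls_CApath = /etc/postfix/certs/
smtp_sasl_security_options =
smtp_tls_CApath = /etc/postfix/certs/
smtpd_tls_cert_file = /etc/postfix/ssl/ssl.pem
smtpd_tls_security_level = may
smtpd_tls_auth_only = no
"""
HARDENED = SAMPLE_CONFIG + "smtp_tls_security_level = encrypt\n"  # assumed fix
ENFORCING = {"encrypt", "dane-only", "fingerprint", "verify", "secure"}

def parse_main_cf(text):
    """Return {name: value}; indented lines continue the previous value."""
    params, last = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and last:
            params[last] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            last = name.strip()
            params[last] = value.strip()
    return params

def audit_relay(text):
    p = parse_main_cf(text)
    if p.get("smtp_sasl_auth_enable", "no") != "yes":
        return []
    level = p.get("smtp_tls_security_level", "")
    if not level:  # legacy switches count only when the level is unset
        level = ("encrypt" if p.get("smtp_enforce_tls") == "yes"
                 else "may" if p.get("smtp_use_tls") == "yes" else "")
    findings = []
    if level in ("", "none"):
        findings.append("client-tls-off")
    elif level not in ENFORCING:
        findings.append("client-tls-opportunistic")
    # Postfix's default is "noplaintext, noanonymous"; the fragment clears it.
    opts = p.get("smtp_sasl_security_options", "noplaintext, noanonymous")
    if "noplaintext" not in opts and level not in ENFORCING:
        findings.append("plaintext-auth-without-mandatory-tls")
    return findings

print(audit_relay(SAMPLE_CONFIG), audit_relay(HARDENED))
```

Plaintext SASL mechanisms stay permitted in the hardened variant; the difference is that the credentials are then only offered inside a mandatory TLS session.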

···

On 11/18/2012 05:09 AM, A G wrote:

Hi Martijn,

Thanks for your reply. I got it working. I had to delete a few lines in MTA
Raw config. I've another query regarding pdf encryption using random password
generation. Presently, there is an option to send the password to the sender. Is
it possible to send it to the recipient also? My only concern is the additional
step a sender has to take to deliver a message to the receiver.

Thanks

Although you might get this behaviour by modifying the config.xml file
(which contains all the mail handling rules), sending the password to
the recipient by email kind of defeats the purpose of encryption since
the email with the password will be sent by plain text.

I suggest you try the One Time Password (OTP) mode first to see whether
that is an acceptable procedure. The OTP mode is in my view a good
trade-off between security and ease of use.

Kind regards

Martijn Brinkers

···

On 01/03/2013 11:25 PM, AG wrote:

If OTP could include pictures as well then it would be an awesome tool! :) (am working on Zimbra as well! ;))

···

----- Original Message -----
From: "Martijn Brinkers" <martijn(a)djigzo.com>
To: users(a)lists.djigzo.com
Sent: Thursday, 3 January, 2013 10:34:39 PM
Subject: Re: Dzigzo with Email Client (roundcube) to access Gmail

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users

We had a pen test performed on our external facing hosts and the Djigzo
appliance (2.4.0.3) had a finding where the internal IP address was
disclosed by performing an HTTP 1.0 GET request (redirect response link
shows IP rather than hostname). Do you have any guidance on how to set the
response to return the hostname?

Thanks
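
A check for the finding described above, meant for responses captured during a retest. It is an added example, not part of the original post or of Djigzo; both sample responses, the host names and the function names are constructed.

```python
# Added example: reports internal addresses leaked in redirect headers of a
# captured HTTP response. Both sample responses below are constructed.
import ipaddress
from urllib.parse import urlsplit

LEAKY_RESPONSE = (b"HTTP/1.1 302 Found\r\n"
                  b"Location: https://10.20.30.40/login\r\n"
                  b"Content-Length: 0\r\n\r\n")
FIXED_RESPONSE = LEAKY_RESPONSE.replace(b"10.20.30.40", b"gateway.example.com")

def parse_head(raw):
    """Split a raw response into (status code, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status_line.split()[1], headers

def internal_host(url):
    """Return the URL's host if it is a literal non-public IP, else None."""
    try:
        host = urlsplit(url).hostname or ""   # empty for relative URLs
        ip = ipaddress.ip_address(host)
    except ValueError:                        # a DNS name, or no host at all
        return None
    return host if (ip.is_private or ip.is_loopback or ip.is_link_local) else None

def redirect_leaks(raw):
    """Return (status code, {header: leaked host}) for one response."""
    code, headers = parse_head(raw)
    leaks = {}
    for name in ("location", "content-location"):
        host = internal_host(headers.get(name, ""))
        if host:
            leaks[name] = host
    return code, leaks

print(redirect_leaks(LEAKY_RESPONSE), redirect_leaks(FIXED_RESPONSE))
```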

Hi,

Can you send me some more information off-list? It's not yet clear to
me what the exact problem is.

Kind regards,

Martijn

···

On 02/05/2013 05:32 PM, bentscrewdriver wrote:
