noname and encrypted.asc

Gateway
1

Hi List,

I was trying ciphermail out and I have it configured like the O365 setup
even though I'm not using O365 (link
<https://www.ciphermail.com/documents/ciphermail-o365-intergration-guide.pdf&gt;
):

ciphermail (10.0.10.21 w/virtual public IP on my fireall & all port
forwards necessary) <> Internet. <-- this way it's on the public
Internet. It works perfectly also though I find it odd that port 443 and
8443 serve the same page and admin can log into both (no biggie but seems
redundant).

I then have another site, mail.somedomain.com as the "internal relay" I
think it was noted in the web ui (that is a public IP hosted elsewhere - a
CPanel server used as a mail server). All outbound email is the standard
default setup so it can relay anything outbound to anything that was not
mail.somedomain.com.

On page 7 of the PDF document for O365 setup it said to test via telnet.
That works perfectly, I get the email (someone(a)somedomain.com for example).

someone(a)somedomain.com is a forwarder to my gmail for testing purposes but
I don't think that would affect the content I received below.

When I get the email though I get two file attachments.

noname
encrypted.asc

The contents of the "noname" file are: "Version: 1"

The encrypted.asc file is:

-----BEGIN PGP MESSAGE-----
Version: CipherMail (4.3.0-1)

...with a long encryption string of characters...

-----END PGP MESSAGE-----

So...I assume the content of my message is in the long encryption string
but if I'm looking at that in my GMail for example or other mail clients of
any kind I can't see anything but the encrypted.asc's long string of junk.

How is anyone supposed to use the community version to encrypt & decrypt
stuff so they can see the content of received email? I have a hard time
believing regular users can figure out how to do that who aren't
technical. I've gone through the admin guide but nothing is standing out
to me. I see you can do S/MIME, PGP, PDF, etc. For whatever reason (and
the admin guide states why I think) PGP was selected to encrypt my test
message that I sent inbound. I haven't tried outbound yet.

Any insight would be helpful.

I'm guessing I need to do something with the public key and run that email
through the public key or something but I'm scratching my head and stuck.
I think I'm almost there but I'm struggling to find any help online about
this.

Thanks for any insight!

2

Hi Rafael,

See my comments inline

[SNIP]

So...I assume the content of my message is in the long encryption string
but if I'm looking at that in my GMail for example or other mail clients of
any kind I can't see anything but the encrypted.asc's long string of junk.

How is anyone supposed to use the community version to encrypt & decrypt
stuff so they can see the content of received email? I have a hard time
believing regular users can figure out how to do that who aren't
technical. I've gone through the admin guide but nothing is standing out
to me. I see you can do S/MIME, PGP, PDF, etc. For whatever reason (and
the admin guide states why I think) PGP was selected to encrypt my test
message that I sent inbound. I haven't tried outbound yet.

The most likely reason why your email sent to your internal domains is
encrypted is that you did not configure that domain to be an internal
domain. The CipherMail gateway has to decide whether an email must be
handled by the encryption or by the decryption pipeline. If an email is
sent to an "Internal" domain, the email is handled by the decryption
pipeline and if the email is sent to an "External" domain, the email is
handled by the encryption pipeline. By default a domain is considered to
be "External" (you only own a few domains, the rest of all existing
domains are external). You therefore need to add the domains for which
you receive email (the "Internal" domains) and override the "Locality"
for those domains from External to Internal.

Kind regards,

Martijn Brinkers

···

On 03-03-19 15:24, Rafael Wolf via Users wrote:

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

3

Thank you,

I have in relay domains:

domain.com

I have in the internal relay host:

mail.domain.com

So...is it getting a bit confused between the root domain name and the sub
domain perhaps?

The email when testing via telnet to: user(a)domain.com then it gets relayed
to mail.domain...

I would think it just kicks it out and doesn't do anything special with it
but it must be detecting it as an external and not internal address.

domain.com and mail.domain.com are the same IP (shared hosting on CPanel).

Looking at their DNS records their mail.domain.com doesn't have an A record
only an MX...that might be the problem. I'll make an A record and retest.

Thanks,

Rafael

···

On Thu, Mar 7, 2019 at 3:48 AM Martijn Brinkers via Users < users(a)lists.ciphermail.com> wrote:

Hi Rafael,

See my comments inline

On 03-03-19 15:24, Rafael Wolf via Users wrote:
[SNIP]

> So...I assume the content of my message is in the long encryption string
> but if I'm looking at that in my GMail for example or other mail clients
of
> any kind I can't see anything but the encrypted.asc's long string of
junk.
>
> How is anyone supposed to use the community version to encrypt & decrypt
> stuff so they can see the content of received email? I have a hard time
> believing regular users can figure out how to do that who aren't
> technical. I've gone through the admin guide but nothing is standing out
> to me. I see you can do S/MIME, PGP, PDF, etc. For whatever reason (and
> the admin guide states why I think) PGP was selected to encrypt my test
> message that I sent inbound. I haven't tried outbound yet.

The most likely reason why your email sent to your internal domains is
encrypted is that you did not configure that domain to be an internal
domain. The CipherMail gateway has to decide whether an email must be
handled by the encryption or by the decryption pipeline. If an email is
sent to an "Internal" domain, the email is handled by the decryption
pipeline and if the email is sent to an "External" domain, the email is
handled by the encryption pipeline. By default a domain is considered to
be "External" (you only own a few domains, the rest of all existing
domains are external). You therefore need to add the domains for which
you receive email (the "Internal" domains) and override the "Locality"
for those domains from External to Internal.

Kind regards,

Martijn Brinkers

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.
_______________________________________________
Users mailing list
Users(a)lists.ciphermail.com
https://lists.ciphermail.com/mailman/listinfo/users

--
Rafael

765-714-7257

4

See my comments inline

Thank you,

I have in relay domains:

domain.com <http://domain.com>

I have in the internal relay host:

mail.domain.com <http://mail.domain.com>

So...is it getting a bit confused between the root domain name and the
sub domain perhaps?

The gateway is split into separate parts: MTA (Postfix), which is
responsible for sending and receiving email, the MPA (mail processing
agent) which is responsible for encryption/decryption, the database
(which stores all settings), the Web GUI.

The MPA is where all heavy lifting takes place like
encryption/decryption. The MPA need to know for which domains email
should be encrypted or decrypted. Therefore you need to manually add
your domains and set them to Internal.

For all your domains do the following:

1. Add domain (from GUI, select domains, click "Add domain", Click
"Add", then on the "Edit domain" page, uncheck inherit for Locality and
set Locality to "Internal", then apply

2. Repeat 1 for your other domains.

Kind regards,

Martijn Brinkers

···

On 07-03-19 14:57, Rafael Wolf wrote:

The email when testing via telnet to: user(a)domain.com
<mailto:user(a)domain.com> then it gets relayed to mail.domain...

I would think it just kicks it out and doesn't do anything special with
it but it must be detecting it as an external and not internal address.

domain.com <http://domain.com> and mail.domain.com
<http://mail.domain.com> are the same IP (shared hosting on CPanel).

Looking at their DNS records their mail.domain.com
<http://mail.domain.com> doesn't have an A record only an MX...that
might be the problem. I'll make an A record and retest.

On Thu, Mar 7, 2019 at 3:48 AM Martijn Brinkers via Users > <users(a)lists.ciphermail.com <mailto:users(a)lists.ciphermail.com>> wrote:

    Hi Rafael,

    See my comments inline

    On 03-03-19 15:24, Rafael Wolf via Users wrote:
    [SNIP]

    > So...I assume the content of my message is in the long encryption
    string
    > but if I'm looking at that in my GMail for example or other mail
    clients of
    > any kind I can't see anything but the encrypted.asc's long string
    of junk.
    >
    > How is anyone supposed to use the community version to encrypt &
    decrypt
    > stuff so they can see the content of received email? I have a
    hard time
    > believing regular users can figure out how to do that who aren't
    > technical. I've gone through the admin guide but nothing is
    standing out
    > to me. I see you can do S/MIME, PGP, PDF, etc. For whatever
    reason (and
    > the admin guide states why I think) PGP was selected to encrypt my
    test
    > message that I sent inbound. I haven't tried outbound yet.

    The most likely reason why your email sent to your internal domains is
    encrypted is that you did not configure that domain to be an internal
    domain. The CipherMail gateway has to decide whether an email must be
    handled by the encryption or by the decryption pipeline. If an email is
    sent to an "Internal" domain, the email is handled by the decryption
    pipeline and if the email is sent to an "External" domain, the email is
    handled by the encryption pipeline. By default a domain is considered to
    be "External" (you only own a few domains, the rest of all existing
    domains are external). You therefore need to add the domains for which
    you receive email (the "Internal" domains) and override the "Locality"
    for those domains from External to Internal.

    Kind regards,

    Martijn Brinkers

    --
    CipherMail email encryption

    Email encryption with support for S/MIME, OpenPGP, PDF encryption and
    secure webmail pull.
    _______________________________________________
    Users mailing list
    Users(a)lists.ciphermail.com <mailto:Users(a)lists.ciphermail.com>
    https://lists.ciphermail.com/mailman/listinfo/users

--
Rafael

765-714-7257

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

5

Thank you for all your help, I'm picking this back up where we left off.

Setting it to "internal" helped as you suggested. I can now telnet from
off site to the server's port 25 and send email via telnet but of course,
only after adjusting the MTA (admin > mta > config > my networks > add my
current public IP where I'm testing from). I get that, to avoid anonymous
relay.

When I telnet test email it seems to send it in plain text...should I
expect some kind of link to a portal or something? Is it because the mail
was sent via TLS to Gmail that it didn't re-encrypt the contents?

telnet x.x.x.x 25
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220 cipher.domain.com ESMTP CipherMail
ehlo mail.internaldomain.com
250-cipher.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 8BITMIME
mail from:user(a)domain.com
250 2.1.0 Ok
rcpt to:user(a)gmail.com
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
Test encryption number 5.
.
250 2.0.0 Ok: queued as 44W61p2hVVz7SFG3
quit
221 2.0.0 Bye

I was expecting Ciphermail to encrypt the contents somehow. I'm also
confused a bit when the recipient gets the email (contents, attachments,
etc) how the user decrypts the contents or the message.

I'm still a bit foggy on that with my setup of ciphermail.

I haven't found anything clear on the exact setup. Of course, I haven't
put this server "in line" (internet > ciperhmail <> mail server) yet
instead it's internet | ciphermail > mail server and the ciphermail is kind
of standing out there with nothing pointing at it which lets me be able to
test with telnet to see how it reacts both inbound from outside (telnet,
from outside domain) and inside from (telnet trusted IP in MTA, from inside
user(a)domain.com).

Hope that all makes sense. Maybe it's encrypting via TLS so since it's
doing that it doesn't need to encrypt PGP or any other way...?

Thanks for the help in understanding the process.

···

Subject: Encrypt

On Thu, Mar 7, 2019 at 9:38 AM Martijn Brinkers <martijn(a)ciphermail.com> wrote:

See my comments inline

On 07-03-19 14:57, Rafael Wolf wrote:
> Thank you,
>
> I have in relay domains:
>
> domain.com <http://domain.com>
>
> I have in the internal relay host:
>
> mail.domain.com <http://mail.domain.com>
>
> So...is it getting a bit confused between the root domain name and the
> sub domain perhaps?

The gateway is split into separate parts: MTA (Postfix), which is
responsible for sending and receiving email, the MPA (mail processing
agent) which is responsible for encryption/decryption, the database
(which stores all settings), the Web GUI.

The MPA is where all heavy lifting takes place like
encryption/decryption. The MPA need to know for which domains email
should be encrypted or decrypted. Therefore you need to manually add
your domains and set them to Internal.

For all your domains do the following:

1. Add domain (from GUI, select domains, click "Add domain", Click
"Add", then on the "Edit domain" page, uncheck inherit for Locality and
set Locality to "Internal", then apply

2. Repeat 1 for your other domains.

Kind regards,

Martijn Brinkers

> The email when testing via telnet to: user(a)domain.com
> <mailto:user(a)domain.com> then it gets relayed to mail.domain...
>
> I would think it just kicks it out and doesn't do anything special with
> it but it must be detecting it as an external and not internal address.
>
> domain.com <http://domain.com> and mail.domain.com
> <http://mail.domain.com> are the same IP (shared hosting on CPanel).
>
> Looking at their DNS records their mail.domain.com
> <http://mail.domain.com> doesn't have an A record only an MX...that
> might be the problem. I'll make an A record and retest.
>
>
> On Thu, Mar 7, 2019 at 3:48 AM Martijn Brinkers via Users > > <users(a)lists.ciphermail.com <mailto:users(a)lists.ciphermail.com>> wrote:
>
> Hi Rafael,
>
> See my comments inline
>
> On 03-03-19 15:24, Rafael Wolf via Users wrote:
> [SNIP]
>
> > So...I assume the content of my message is in the long encryption
> string
> > but if I'm looking at that in my GMail for example or other mail
> clients of
> > any kind I can't see anything but the encrypted.asc's long string
> of junk.
> >
> > How is anyone supposed to use the community version to encrypt &
> decrypt
> > stuff so they can see the content of received email? I have a
> hard time
> > believing regular users can figure out how to do that who aren't
> > technical. I've gone through the admin guide but nothing is
> standing out
> > to me. I see you can do S/MIME, PGP, PDF, etc. For whatever
> reason (and
> > the admin guide states why I think) PGP was selected to encrypt my
> test
> > message that I sent inbound. I haven't tried outbound yet.
>
> The most likely reason why your email sent to your internal domains
is
> encrypted is that you did not configure that domain to be an internal
> domain. The CipherMail gateway has to decide whether an email must be
> handled by the encryption or by the decryption pipeline. If an email
is
> sent to an "Internal" domain, the email is handled by the decryption
> pipeline and if the email is sent to an "External" domain, the email
is
> handled by the encryption pipeline. By default a domain is
considered to
> be "External" (you only own a few domains, the rest of all existing
> domains are external). You therefore need to add the domains for
which
> you receive email (the "Internal" domains) and override the
"Locality"
> for those domains from External to Internal.
>
> Kind regards,
>
> Martijn Brinkers
>
> --
> CipherMail email encryption
>
> Email encryption with support for S/MIME, OpenPGP, PDF encryption and
> secure webmail pull.
> _______________________________________________
> Users mailing list
> Users(a)lists.ciphermail.com <mailto:Users(a)lists.ciphermail.com>
> https://lists.ciphermail.com/mailman/listinfo/users
>
>
>
> --
> Rafael
>
>

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

--
Rafael