Problem with encryption and signing, and incoming mail is not decrypted

Hi.
We have installed the Djigzo gateway and everything works great if we do not try to encrypt and sign outgoing messages.
It seems that Djigzo is signing and then encrypting the messages. Is that how it should be? And is there a way to do it vice versa?

On the other hand, all signed and encrypted incoming mail is not decrypted.
We have double checked the participants' certificates and they are OK.

BR,
Erki Naumanis

Quoting Erki Naumanis <erki.naumanis(a)just.ee>:

Hi.
We have installed the Djigzo gateway and everything works great if
we do not try to encrypt and sign outgoing messages.
It seems that Djigzo is signing and then encrypting the messages. Is
that how it should be? And is there a way to do it vice versa?

Not sure about this one but it looks like standard behaviour as
encrypted messages should protect *all* mail content which includes
the signing parts...

On the other hand, all signed and encrypted incoming mail is not decrypted.
We have double checked the participants' certificates and they are OK.

This looks like you either have not correctly assigned the
internal/external properties or you don't have the required private
key (not certificate) to decrypt the incoming mail.

Try the following:
- Send from an internal user a message signed by Djigzo to some
external account
- Reply from the external account and choose "encrypt the mail"

Regards

Andreas

Quoting Erki Naumanis <erki.naumanis(a)just.ee>:

Hi.
We have installed the Djigzo gateway and everything works great if we
do not try to encrypt and sign outgoing messages.
It seems that Djigzo is signing and then encrypting the messages. Is
that how it should be? And is there a way to do it vice versa?

Not sure about this one but it looks like standard behaviour as
encrypted messages should protect *all* mail content which includes the
signing parts...

It depends on how the gateway was set up whether it encrypts by default.
If encrypt mode is set to "Allow", it encrypts if possible. So if there
is a valid certificate for the recipient and encrypt mode is allow, the
email will be encrypted. If you want to encrypt only when the subject
contains some keyword, you should set encrypt mode to "No encryption"
and use the subject trigger to trigger encryption.

>> And is there a way to do it vice versa?

What do you mean by that? You want to encrypt and then sign?

On the other hand, all signed and encrypted incoming mail is not
decrypted.
We have double checked the participants' certificates and they are OK.

This looks like you either have not correctly assigned the
internal/external properties or you don't have the required private key
(not certificate) to decrypt the incoming mail.

Try the following:
- Send from an internal user a message signed by Djigzo to some external
account
- Reply from the external account and choose "encrypt the mail"

I think Andreas is right. You probably forgot to add a domain for which
you receive email (for example just.ee) and set the domain to be an
internal domain. Only email sent to internal users is decrypted.

Kind regards,

Martijn

Hello,

I continue describing Erki's issue.

We have 2 problems:
a) incoming messages are not being decrypted; if we forward them and choose to send to ourselves in our Inbox with .p7m attached, then Djigzo manages to decrypt.
b) outgoing messages are signed and then encrypted, but we have a requirement to first encrypt and then sign the message.

We have defined our domain as internal and other domains as external.
We have imported and whitelisted external certificates and our private key (there's a key icon next to our certificate).

External domains have their certs for encrypting and ours for signing, we have tried both Allow/Force encrypt options and other S/MIME section Strict mode off/on, only sign when encrypt on/off.
Our internal domain has our cert for encryption (which we believe should be picked up for decrypting) and for signing we have also our certificate.

I also add a log of sending the mail out (none of the certificates have a CA):

07 Dec 2011 12:44:11 | INFO incoming | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp(a)internal_domain_here.com; Sender: spoc_fp(a)internal_domain_here.com; Remote address: 192.168.212.231; Recipients: [spoc_fp(a)external_domain_here.com]; Subject: LT/CPS; Message-ID: <20111207104411.8603C1014F(a)pruem.ee.eu-admin.net>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO external | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp(a)internal_domain_here.com; Sender: spoc_fp(a)internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO postDLP | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp(a)internal_domain_here.com; Sender: spoc_fp(a)internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO checkForceEncryptHeader | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp(a)internal_domain_here.com; Sender: spoc_fp(a)internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO checkEncryptMode | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp(a)internal_domain_here.com; Sender: spoc_fp(a)internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO checkSMIME | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp(a)internal_domain_here.com; Sender: spoc_fp(a)internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO Rebuilding trust anchor cache. (mitm.common.security.certpath.CertStoreTrustAnchorBuilder) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO smime | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp(a)internal_domain_here.com; Sender: spoc_fp(a)internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | WARN Error building path for signing certificate. CertPathBuilderException: There are no roots. (mitm.application.djigzo.james.mailets.SMIMESign) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO smimeEncrypt | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp(a)internal_domain_here.com; Sender: spoc_fp(a)internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO encryptionNotification | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp(a)internal_domain_here.com; Sender: spoc_fp(a)internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO blackberrySMIMEAdapter | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp(a)internal_domain_here.com; Sender: spoc_fp(a)internal_domain_here.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO transport | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: spoc_fp(a)internal_domain_here.com; Sender: spoc_fp(a)internal_domain_here.com; Remote address: 192.168.212.231; Recipients: [spoc_fp(a)external_domain_here.com]; Subject: LT/CPS; Message-ID: <20111207104411.8603C1014F(a)pruem.ee.eu-admin.net>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO transport-auto-submitted | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: <>; Sender: <>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO transport | MailID: 09e24fb0-8c92-4183-8174-5fa2f498dc2d; Originator: <>; Sender: <>; Remote address: 192.168.212.231; Recipients: [spoc_fp(a)internal_domain_here.com]; Subject: The message has been encrypted; Message-ID: <919396785.6.1323254652780.JavaMail.djigzo(a)pruem.ee.eu-admin.net>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]

Best regards,
Ragnar

_______________________________________________
Users mailing list
Users(a)lists.djigzo.com
http://lists.djigzo.com/lists/listinfo/users

Sorry for the previous message. Accidentally pressed send.

I continue describing Erki's issue.

We have 2 problems: a) incoming messages are not being decrypted; if
we forward them and choose to send to ourselves in our Inbox with .p7m
attached, then Djigzo manages to decrypt.

Did you enable "S/MIME strict mode"?

Can you send a log of incoming email which should be decrypted but is not?

b) outgoing messages are signed and then encrypted, but we have a
requirement to first encrypt and then sign the message.

That's possible but requires some changes to an xml file that defines
how email is handled (config.xml). You can even sign, then encrypt and
then sign again. This however is not default so it requires some changes
to config.xml. If I have time I will test this and send you some
instructions on how to modify config.xml to do that.

We have defined our domain as internal and other domains as
external. We have imported and whitelisted external certificates and
our private key (there's a key icon next to our certificate).

External domains have their certs for encrypting and ours for
signing, we have tried both Allow/Force encrypt options and other
S/MIME section Strict mode off/on, only sign when encrypt on/off. Our
internal domain has our cert for encryption (which we believe should
be picked up for decrypting) and for signing we have also our
certificate.

I also add a log of sending the mail out (none of the certificates
have a CA):

Can you provide a log of incoming email which should be decrypted but is
not?

Kind regards,

Martijn Brinkers


On 12/07/2011 02:00 PM, Ragnar Plint wrote:

Hi Martijn,
Thank you for the prompt reply.
The log from MPA is:

07 Dec 2011 10:48:51 | INFO incoming | MailID: 992a90be-119f-4a78-8562-e0d01fd4dbd1; Originator: spoc_fp(a)remote_address.com; Sender: spoc_fp(a)remote_address.com; Remote address: 10.10.10.10; Recipients: [spoc_fp(a)local_address.com]; Subject: LT; Message-ID: <941732911.799.1323248317015.JavaMail.cafis(a)iface1>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #3]
07 Dec 2011 10:48:51 | INFO internal | MailID: 992a90be-119f-4a78-8562-e0d01fd4dbd1; Originator: spoc_fp(a)remote_address.com; Sender: spoc_fp(a)remote_address.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #3]
07 Dec 2011 10:48:51 | INFO postDecrypt | MailID: 992a90be-119f-4a78-8562-e0d01fd4dbd1; Originator: spoc_fp(a)remote_address.com; Sender: spoc_fp(a)remote_address.com; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 10:48:52 | INFO transport | MailID: 992a90be-119f-4a78-8562-e0d01fd4dbd1; Originator: spoc_fp(a)remote_address.com; Sender: spoc_fp(a)remote_address.com; Remote address: 10.10.10.10; Recipients: [spoc_fp(a)local_address.com]; Subject: LT; Message-ID: <941732911.799.1323248317015.JavaMail.cafis(a)iface1>; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]

BR,
Erki Naumanis
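A small triage script, added here as an example and not part of the thread or of Djigzo itself, that parses log lines in the format of the two captures above, groups the Log-mailet stages per MailID, attributes the MailID-less WARN line to a message by spool thread (an assumption: Djigzo does not guarantee that correlation), and reports the routing direction plus the "There are no roots" signing-chain warning. The sample lines are constructed in the same format with invented MailIDs and addresses.

```python
import re
from collections import defaultdict

# Constructed sample in the Djigzo log format quoted in this thread (MailIDs, addresses invented).
SAMPLE_LOG = """\
07 Dec 2011 10:48:51 | INFO incoming | MailID: bbbb-2; Originator: x@ext.example; Recipients: [u@int.example]; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #3]
07 Dec 2011 10:48:51 | INFO internal | MailID: bbbb-2; Originator: x@ext.example; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #3]
07 Dec 2011 10:48:51 | INFO postDecrypt | MailID: bbbb-2; Originator: x@ext.example; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 10:48:52 | INFO transport | MailID: bbbb-2; Originator: x@ext.example; Recipients: [u@int.example]; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO incoming | MailID: aaaa-1; Originator: u@int.example; Recipients: [x@ext.example]; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:11 | INFO external | MailID: aaaa-1; Originator: u@int.example; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO smime | MailID: aaaa-1; Originator: u@int.example; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
07 Dec 2011 12:44:12 | WARN Error building path for signing certificate. CertPathBuilderException: There are no roots. (mitm.application.djigzo.james.mailets.SMIMESign) [Spool Thread #0]
07 Dec 2011 12:44:12 | INFO smimeEncrypt | MailID: aaaa-1; Originator: u@int.example; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #0]
"""

LINE_RE = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) \| (?P<level>\w+) (?P<msg>.*) "
                     r"\((?P<cls>[\w.]+)\) \[(?P<thread>[^\]]+)\]$")
MAILID_RE = re.compile(r"MailID: (?P<id>[\w-]+)")

def parse_log(text):
    """Group Log-mailet stage names and WARN/ERROR messages per MailID. WARN lines carry no
    MailID, so each is attributed to the MailID last seen on the same spool thread (heuristic)."""
    stages, warnings, last_on_thread = defaultdict(list), defaultdict(list), {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue  # skip lines not in the expected format
        mid = MAILID_RE.search(m["msg"])
        if mid:
            last_on_thread[m["thread"]] = mid["id"]
            if m["cls"].endswith(".Log"):
                stages[mid["id"]].append(m["msg"].split(" | ", 1)[0])  # stage name before " | "
        elif m["level"] in ("WARN", "ERROR") and m["thread"] in last_on_thread:
            warnings[last_on_thread[m["thread"]]].append(m["msg"])
    return dict(stages), dict(warnings)

def triage(stages, warnings):
    """Per MailID: routing direction, the 'no roots' signing-chain warning, and whatever
    (if anything) was logged between the internal and postDecrypt stages of inbound mail."""
    out = {}
    for mid, seq in stages.items():
        direction = "inbound" if "internal" in seq else "outbound" if "external" in seq else "unknown"
        trace = None
        if direction == "inbound" and "postDecrypt" in seq:
            trace = seq[seq.index("internal") + 1:seq.index("postDecrypt")]
        out[mid] = {"direction": direction, "stages": seq,
                    "no_roots": any("There are no roots" in w for w in warnings.get(mid, [])),
                    "decrypt_trace": trace}
    return out
```

An empty `decrypt_trace` on inbound mail, as in the capture above, shows that nothing was logged between the internal and postDecrypt stages, which is where the thread's advice (check the internal domain and the private key) applies.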
