Release candidate 2.1.1 available

Hi,

A new Djigzo Gateway release candidate (2.1.1) is available.

http://www.djigzo.com/beta.html

Release notes:

New

* Advanced S/MIME setting "Always use freshest signing certificate"
  added. If checked, every time the sender needs to sign a message,
  the most recent (i.e., the latest "not before" date) signing
  certificate will be used (GATEWAY-14).
* Advanced PDF setting "Only encrypt if mandatory" added (GATEWAY-22).
  If checked, PDF encryption will only be activated if encryption is
  mandatory.
* DLP setting "Quarantine on failed encryption" added. If checked and
  encryption is mandatory and a message cannot be encrypted, the
  message will be quarantined and not "bounced". Note: this required
  minor changes to the "DLP quarantine" template.
* Quarantined emails can now be "released as-is". When a quarantined
  email is released as-is, no further processing of the email is done
  and the email is immediately delivered.
* The admin can now specify how many rows the grid should show per
  page (users, certificates, MTA queue) (GATEWAY-23)
* The admin can now filter for specific email in the MTA queue.
* The MTA logs are now by default shown in "raw" format (i.e., in
  exact same order as the log file). To view the MTA logs grouped on
  queue ID (the old behavior), the admin should select "Grouped".
* If a certificate chain is valid, the issuer of the certificate in
  the certificate view can be clicked to open the issuer certificate
  view.

Improvements

* The BlackBerry and mobile settings are moved to a specialized mobile
  settings page. New role ROLE_MOBILE_MANAGER added.
* Some settings are moved to advanced settings.
* New charsets can be added to the PDF encryption module (should be
  enabled from the command line) to support charsets not supported
  "out of the box" by Acrobat reader. For example certain Turkish
  characters are not supported "out of the box" by Acrobat reader
  (GATEWAY-20)
* If a certificate was available for a recipient, a user object was
  always created for that recipient. The user is no longer added by
  default.

Bug fix

* With S/MIME "strict mode" enabled, S/MIME messages were only handled
  by the S/MIME handler if the recipient had a valid certificate with
  private key. If a digitally signed message was received for a
  recipient not having a private key, the certificates were not
  extracted from the message and the signature was not removed when
  "Remove signature" was enabled for that recipient. The message is
  now always handled by the S/MIME handler. (GATEWAY-27)
* Under certain special conditions, the base64 encoder of Javamail
  sometimes created lines with more than 76 characters (only a few
  characters extra). OpenSSL (which is used by some S/MIME gateways)
  cannot handle base64 encoded parts containing lines longer than 76
  characters. Javamail has been updated (GATEWAY-29)

This release has been extensively tested. If no "show stoppers" are
found within the next two weeks, it will be released as the new stable
version.

Kind regards,

Martijn Brinkers

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

Hi,

A new Djigzo Gateway release candidate (2.1.1) is available.

http://www.djigzo.com/beta.html

Release notes:

Improvements

* If a certificate was available for a recipient, a user object was
  always created for that recipient. The user is no longer added by
  default.

What is the reasoning behind this one? I found it handsome to which
addresses where handled by S/MIME and which not by consulting the user
list.

Regards

Andreas

My thinking was that you only need to add a user when you need to
override an inherited setting. Adding an external user when a
certificate is available for the user resulted in a lot of pointless
users when using domain to domain encryption since a certificate is
available for every sender.

I can however see your point in that it helps you to see for which
external users a certificate is available. The old behavior can be
reenabled by replacing

RecipientHasCertificates=matchOnError=false,false

with

RecipientHasCertificates=matchOnError=false,true

but this requires you to change the config.xml file. I guess you want it
to be configurable from the GUI?

Kind regards,

Martijn

I will add a setting that allows you to specify whether you want a user
to be created automatically when the recipient has a certificate. If you
use domain to domain encryption you can then set the domain setting for
that particular domain to not add a user for every recipient of that
domain.

Kind regards,

Martijn

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

Hi,

A new Djigzo Gateway release candidate (2.1.1) is available.

http://www.djigzo.com/beta.html

Release notes:

Improvements

* If a certificate was available for a recipient, a user object was
  always created for that recipient. The user is no longer added by
  default.

What is the reasoning behind this one? I found it handsome to which
addresses where handled by S/MIME and which not by consulting the user
list.

My thinking was that you only need to add a user when you need to
override an inherited setting. Adding an external user when a
certificate is available for the user resulted in a lot of pointless
users when using domain to domain encryption since a certificate is
available for every sender.

I can however see your point in that it helps you to see for which
external users a certificate is available. The old behavior can be
reenabled by replacing

RecipientHasCertificates=matchOnError=false,false

with

RecipientHasCertificates=matchOnError=false,true

but this requires you to change the config.xml file. I guess you want it
to be configurable from the GUI?

It isn't that important to clutter the GUI with just another setting i
guess, it just was "handsome" to quickly alter problematic receivers
because the user already exists. Would it be possible to not auto
create users for domains the domain-to-domain encryption is configured
or something like "auto-create-user-strict-mode" so only users are
auto created when exactly matching certificates are involved?

Regards

Andreas

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

Hi,

A new Djigzo Gateway release candidate (2.1.1) is available.

http://www.djigzo.com/beta.html

Release notes:

Improvements

* If a certificate was available for a recipient, a user object was
  always created for that recipient. The user is no longer added by
  default.

What is the reasoning behind this one? I found it handsome to which
addresses where handled by S/MIME and which not by consulting the user
list.

My thinking was that you only need to add a user when you need to
override an inherited setting. Adding an external user when a
certificate is available for the user resulted in a lot of pointless
users when using domain to domain encryption since a certificate is
available for every sender.

I can however see your point in that it helps you to see for which
external users a certificate is available. The old behavior can be
reenabled by replacing

RecipientHasCertificates=matchOnError=false,false

with

RecipientHasCertificates=matchOnError=false,true

but this requires you to change the config.xml file. I guess you want it
to be configurable from the GUI?

It isn't that important to clutter the GUI with just another setting i
guess, it just was "handsome" to quickly alter problematic receivers
because the user already exists. Would it be possible to not auto create
users for domains the domain-to-domain encryption is configured or
something like "auto-create-user-strict-mode" so only users are auto
created when exactly matching certificates are involved?

Detecting whether the recipient is using domain to domain encryption is
possible but a lot more work than using a setting and slower since
instead of just retrieving the list of all certs, a check should be done
to see whether the cert was a domain cert or not. It's doable but if I
have to choose between an extra advanced setting or checking for domain
certs etc. I prefer the extra setting.

Yesterday there was a question about syncing with LDAP and getting a
list of users that are using S/MIME encryption so I guess you are not
the only one that likes that feature so I guess it's better to allow the
admin to decide whether to automatically add a user or not.

It isn't that important to clutter the GUI with just another setting..

I moved some settings (the mobile settings) to a specialized page. This
Perhaps I can move certain properties to a specialized page?

Kind regards,

Martijn

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

Zitat von Martijn Brinkers <martijn(a)djigzo.com>:

Hi,

A new Djigzo Gateway release candidate (2.1.1) is available.

http://www.djigzo.com/beta.html

Release notes:

Improvements

* If a certificate was available for a recipient, a user object was
  always created for that recipient. The user is no longer added by
  default.

What is the reasoning behind this one? I found it handsome to which
addresses where handled by S/MIME and which not by consulting the user
list.

My thinking was that you only need to add a user when you need to
override an inherited setting. Adding an external user when a
certificate is available for the user resulted in a lot of pointless
users when using domain to domain encryption since a certificate is
available for every sender.

I can however see your point in that it helps you to see for which
external users a certificate is available. The old behavior can be
reenabled by replacing

RecipientHasCertificates=matchOnError=false,false

with

RecipientHasCertificates=matchOnError=false,true

but this requires you to change the config.xml file. I guess you want it
to be configurable from the GUI?

It isn't that important to clutter the GUI with just another setting i
guess, it just was "handsome" to quickly alter problematic receivers
because the user already exists. Would it be possible to not auto create
users for domains the domain-to-domain encryption is configured or
something like "auto-create-user-strict-mode" so only users are auto
created when exactly matching certificates are involved?

Detecting whether the recipient is using domain to domain encryption is
possible but a lot more work than using a setting and slower since
instead of just retrieving the list of all certs, a check should be done
to see whether the cert was a domain cert or not. It's doable but if I
have to choose between an extra advanced setting or checking for domain
certs etc. I prefer the extra setting.

In this case the extra setting is the better way to go of course.

Yesterday there was a question about syncing with LDAP and getting a
list of users that are using S/MIME encryption so I guess you are not
the only one that likes that feature so I guess it's better to allow the
admin to decide whether to automatically add a user or not.

It isn't that important to clutter the GUI with just another setting..

I moved some settings (the mobile settings) to a specialized page. This
Perhaps I can move certain properties to a specialized page?

Maybe it's time to group the S/MIME special settings like
"strict-mode", "skip-invites" and the like on one page...

Regards

Andreas