S/Mime domain certificate

Great! Now it is working. Thanks a lot.
I just have one more question. How can I see in the logs which certificate was used for decryption?

This is not logged. What should be logged and not logged is always a
tradeoff between logging too much and logging too little. Logging the
certificate details will add substantial information to the logs. An
email might even be encrypted with several certificates, for example a
recipient can have multiple certificates or there can be multiple
recipients. If logging which certificates are being used is a
requirement, it might be possible to add an additional rule to the mail
flow (this requires some coding however).

Kind regards,

Martijn Brinkers


On 06-12-18 09:06, Weppert Juergen wrote:

-----Original Message-----
From: Martijn Brinkers [mailto:martijn(a)ciphermail.com]
Sent: Monday, 3 December 2018 12:59
To: Weppert Juergen <Juergen.Weppert(a)mediakom-online.de>
Subject: Re: AW: AW: AW: S/Mime domain certificate

You have enabled S/MIME strict mode. This will check whether there is a match between recipient address and email address in the email. This will not work for domain certificates without additional config (it should work if strict mode is not enabled). You need to explicitly tell the gateway that a domain certificate is used for that domain.

Please try to add the domain certificate to the domain mediakom-online.de

So open settings for domain mediakom-online.de, then "S/MIME -> encryption certificates" and select the domain certificate.

Kind regards,

Martijn Brinkers

On 03-12-18 12:49, Weppert Juergen wrote:

Hello,

Here are the relevant log lines.

03 Dec 2018 10:45:38 | INFO incoming; MailID:
63aa8793-84c2-470d-9322-1378313de4a7; Recipients:
[juergen.weppert(a)mediakom-online.de]; Originator:
michael.hengst(a)hkk.de; Sender: michael.hengst(a)hkk.de; Remote address:
x.x.x.x; Subject: AW: Mailverschlüsselung; Message-ID:
<518A63CC64BC574E9671E278570CF549C9E1969A-TvXsAYlA(a)s9103p051.hkk.lokal

; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #2]

03 Dec 2018 10:45:38 | INFO Subject filter is disabled for the sender;
MailID: 63aa8793-84c2-470d-9322-1378313de4a7; Recipients:
[juergen.weppert(a)mediakom-online.de]
(mitm.application.djigzo.james.mailets.Default) [Spool Thread #2]
03 Dec 2018 10:45:38 | INFO To internal recipient(s); MailID:
63aa8793-84c2-470d-9322-1378313de4a7; Recipients:
[juergen.weppert(a)mediakom-online.de]
(mitm.application.djigzo.james.mailets.Default) [Spool Thread #2]
03 Dec 2018 10:45:38 | INFO "S/MIME strict mode" is enabled for the
recipient(s); MailID: 63aa8793-84c2-470d-9322-1378313de4a7;
Recipients: [juergen.weppert(a)mediakom-online.de]
(mitm.application.djigzo.james.mailets.Default) [Spool Thread #2]
03 Dec 2018 10:45:38 | WARN S/MIME decryption key not found; MailID:
63aa8793-84c2-470d-9322-1378313de4a7; Message: A suitable decryption
key could not be found. CMS Recipients: CN=evp.mediakom-online.de,
OU=IT, O=MediaKom GmbH, L=Aschau, ST=Bayern,
C=DE/92D94935F132BCB//1.2.840.113549.1.1.1
(mitm.common.security.smime.handler.SMIMEHandler) [Spool Thread #2]
03 Dec 2018 10:45:38 | INFO Message handling is finished. Sending to
final recipient(s); MailID: 63aa8793-84c2-470d-9322-1378313de4a7;
Recipients: [juergen.weppert(a)mediakom-online.de]; Originator:
michael.hengst(a)hkk.de; Sender: michael.hengst(a)hkk.de; Remote address:
x.x.x.x; Subject: AW: Mailverschlüsselung; Message-ID:
<518A63CC64BC574E9671E278570CF549C9E1969A-TvXsAYlA(a)s9103p051.hkk.lokal

; (mitm.application.djigzo.james.mailets.Log) [Spool Thread #1]

I have no personal S/Mime certificate, so I think the warning is because no certificate matches my email address.

Kind regards

Jürgen Weppert
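
In the log lines quoted above, the WARN record is the only one carrying a certificate identifier. As an added example (not CipherMail code and not part of the thread), this Python script re-joins wrapped MPA log records and extracts the CMS recipient fields per MailID so they can be compared with the certificates on the gateway. The sample log is constructed, and reading the fields as DN/serial/key identifier/algorithm OID is an assumption inferred from that quoted line.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the MPA log lines quoted above
# (wrapped the way the e-mail wrapped them); all names and ids are made up.
SAMPLE_LOG = """\
03 Dec 2018 10:45:38 | INFO "S/MIME strict mode" is enabled for the
recipient(s); MailID: 11111111-2222-3333-4444-555555555555;
Recipients: [alice@example.com]
(mitm.application.djigzo.james.mailets.Default) [Spool Thread #2]
03 Dec 2018 10:45:38 | WARN S/MIME decryption key not found; MailID:
11111111-2222-3333-4444-555555555555; Message: A suitable decryption
key could not be found. CMS Recipients: CN=gw.example.com,
OU=IT, O=Example GmbH, C=DE/0A1B2C3D4E5F//1.2.840.113549.1.1.1
(mitm.common.security.smime.handler.SMIMEHandler) [Spool Thread #2]
"""

RECORD_START = re.compile(r"^\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2} \| (INFO|WARN|ERROR) ")
MAIL_ID = re.compile(r"MailID:\s*([0-9a-f-]{36})")
CMS = re.compile(r"CMS Recipients:\s*(.+?)\s*\(mitm\.")
OID_NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption"}

def records(text):
    """Re-join wrapped lines into one string per log record."""
    current = []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            yield " ".join(current)
            current = []
        if line.strip():
            current.append(line.strip())
    if current:
        yield " ".join(current)

def missing_key_recipients(text):
    """Map MailID -> CMS recipient identifiers the gateway had no key for."""
    found = defaultdict(list)
    for rec in records(text):
        mail_id, cms = MAIL_ID.search(rec), CMS.search(rec)
        if "S/MIME decryption key not found" not in rec or not (mail_id and cms):
            continue
        # Assumed layout, inferred from the quoted line: DN/serial/key-id/OID.
        parts = cms.group(1).rsplit("/", 3)
        if len(parts) != 4:  # unexpected layout: keep the raw text instead
            found[mail_id.group(1)].append({"raw": cms.group(1)})
            continue
        dn, serial, key_id, oid = parts
        found[mail_id.group(1)].append({"dn": dn, "serial": serial,
            "key_id": key_id, "algorithm": OID_NAMES.get(oid, oid)})
    return dict(found)
```
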

-----Original Message-----
From: Martijn Brinkers [mailto:martijn(a)ciphermail.com]
Sent: Monday, 3 December 2018 12:38
To: Weppert Juergen <Juergen.Weppert(a)mediakom-online.de>
Subject: Re: AW: AW: S/Mime domain certificate

In that case the MPA log should provide more information.

Can you provide the relevant log lines from the MPA log? It should tell exactly what happens when it handles the incoming email.

Kind regards,

Martijn Brinkers

On 03-12-18 12:35, Weppert Juergen wrote:

Hello,

Yes, I imported the certificate and the private key.
Yes the domain is internal.

Kind regards

Jürgen Weppert

-----Original Message-----
From: Martijn Brinkers [mailto:martijn(a)ciphermail.com]
Sent: Monday, 3 December 2018 12:15
To: Weppert Juergen <Juergen.Weppert(a)mediakom-online.de>
Subject: Re: AW: S/Mime domain certificate

On 03-12-18 11:19, Weppert Juergen wrote:

Hello,

thanks for your feedback.

For example, our domain is mediakom-online.de and the domain of our
partner is test.de. I added a new domain "test.de" and selected
their certificate to encrypt emails sent to that domain. And that
works fine. But emails sent from "test.de" to us are encrypted with
our domain certificate. I imported our certificate only under
"Certificates", is this OK?

Are you absolutely certain that you imported the certificate *and*
private key? (i.e., imported a password protected p12 or pfx file)

But Ciphermail does not decrypt emails sent to us. Must I select our
certificate under our domain in Ciphermail as you described below?

Incoming email will be decrypted automatically if the recipient domain is set as an "Internal" domain *and* if there is a private key on the gateway which can be used to decrypt the email.

So

1. Check if there is a valid private key available
2. Check if your domain is configured as an Internal domain (i.e., locality is set to "Internal")

Kind regards,

Martijn Brinkers

-----Original Message-----
From: Users [mailto:users-bounces(a)lists.ciphermail.com] On behalf of Martijn Brinkers via Users
Sent: Monday, 3 December 2018 09:40
To: users(a)lists.ciphermail.com
Subject: Re: S/Mime domain certificate

On 30-11-18 13:09, Weppert Juergen via Users wrote:

How can I use S/Mime encryption/decryption with a domain
certificate but only with one external partner (other domain)?
Emails to other recipients must be encrypted with their personal
S/Mime certificate.

I assume you are talking about using a domain certificate for the
external domain? (and not a domain certificate for signing).

If so, you need to add the external domain, then on the domain
settings select "S/MIME -> encryption certificates" and select the
certificate you want to use for that external domain.

Kind regards,

Martijn Brinkers

-- CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption
and secure webmail pull.
_______________________________________________
Users mailing list Users(a)lists.ciphermail.com
https://lists.ciphermail.com/mailman/listinfo/users
