Set encryption scheme and signing algorithm for certain senders

Hi Martijn,

thanks for adding the new encryption scheme and signing algorithm (RSAES-OAEP)
in 3.3.1-0.

As these are required for the German energy market and, beyond this, are not
widely supported by many destination systems, I would like to configure
ciphermail to only use them for certain sending (internal) users.

Currently I cannot set this. It seems that the S/MIME encryption scheme and
signing algorithm can only be set for (external) receivers.

In case of using that feature for the energy market there might be 1000 external
partners and 1-2 internal senders for whom this feature may be enabled.

Any idea how to configure that?

Kind regards

Philipp Thielke

Quoting Philipp Thielke via Users <users(a)lists.djigzo.com>:


To my knowledge you can create "Users" identified by e-mail address,
which can be internal or external; there is even a setting to create
them at the first e-mail with a valid S/MIME type. You should be able to
assign these Users the encryption settings you need.

Regards

Andreas

Unfortunately, by default, the signing and encryption algorithm is a
recipient-only property. This makes sense in most cases because not
every recipient might support the new signing algorithm (RSASSA-PSS) or
padding scheme (RSAES-OAEP). You can then select per domain (or
recipient) whether the recipient supports it or not. The OP however wants
to use RSAES-OAEP when an email is sent by some domain (or users)
irrespective of whether the recipient supports this (at least that is my
understanding). This is not possible with the default config. This can
however be changed by modifying the file that defines the mail flow. The
mail flow, i.e., what should happen when, is defined in the file
config.xml. Within this file you have a processor called "smime" (search
for <processor name="smime">).
Within this processor there are rules that set up S/MIME signing. For
example there is the rule:

<mailet match="RecipientEvaluateUserProperty=matchOnError=false,#{user.sMIMESigningAlgorithm}=='SHA256WithRSAEncryption'"
        class="SetAttributes">
    <runtime.smime.signingAlgorithm> SHA256WithRSAEncryption </runtime.smime.signingAlgorithm>
    <processor> smime-sign </processor>
</mailet>

This rule defines that if the S/MIME signing algorithm of a recipient is
set to SHA256WithRSAEncryption, then a local attribute for that email
will be set to make sure the message is signed with SHA256 and then the
flow continues (jumps) to the "smime-sign" processor.

One option is to short-circuit this with a check for a sender property.
For example, add the following part before the SHA256WithRSAEncryption
check (not tested!!):

<mailet match="SenderEvaluateUserProperty=matchOnError=false,#{user.sMIMESigningAlgorithm}=='SHA256WithRSAAndMGF1'"
        class="SetAttributes">
    <runtime.smime.signingAlgorithm> SHA256WithRSAAndMGF1 </runtime.smime.signingAlgorithm>
    <processor> smime-sign </processor>
</mailet>

This will check whether the sender configured SHA256WithRSAAndMGF1
(RSASSA-PSS) as the signing algorithm and if so, will sign the message
with RSASSA-PSS SHA256.

It's important that this check is done before the other signing
algorithm checks. With this new rule in place, if a sender has
configured SHA256WithRSAAndMGF1 as the signing algorithm, the email will
be signed with RSASSA-PSS SHA256.

Similar changes can be done for the encryption algorithm.

I did not test the above changes (but they should work :)

Note: after changing config.xml it's important to restart the back-end
(sudo service djigzo restart)

Kind regards,

Martijn Brinkers
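An added example, not part of this thread and not CipherMail's own code: a small Python model of the rule order Martijn describes, showing that the sender check only takes effect when it is placed before the existing recipient check, and that with matchOnError=false an unconfigured sender simply falls through to the next rule. The matcher behaviour, the user profile dictionary and the e-mail addresses are assumptions that mimic the config.xml snippets above, not the real mailet implementation.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """One SetAttributes mailet: whose property is evaluated, which
    sMIMESigningAlgorithm value it matches, and the processor to jump to."""
    evaluate: str                    # "Sender" or "Recipient"
    algorithm: str                   # expected user.sMIMESigningAlgorithm
    processor: str = "smime-sign"


def evaluate_user_property(users, address, rule):
    """Model of {Sender,Recipient}EvaluateUserProperty with matchOnError=false:
    an unknown address or a missing property simply does not match."""
    props = users.get(address)
    if props is None:
        return False
    return props.get("sMIMESigningAlgorithm") == rule.algorithm


def run_smime_processor(rules, users, sender, recipient):
    """Walk the rules in config.xml order; the first match sets the runtime
    attribute and jumps to its processor, later rules are never reached."""
    for rule in rules:
        address = sender if rule.evaluate == "Sender" else recipient
        if evaluate_user_property(users, address, rule):
            return {"runtime.smime.signingAlgorithm": rule.algorithm}, rule.processor
    return {}, None


# Constructed user profiles (assumed addresses): an internal sender set to
# RSASSA-PSS, an external partner whose profile still says plain RSA.
USERS = {
    "sender@internal.example": {"sMIMESigningAlgorithm": "SHA256WithRSAAndMGF1"},
    "partner@external.example": {"sMIMESigningAlgorithm": "SHA256WithRSAEncryption"},
}

RECIPIENT_RULE = Rule("Recipient", "SHA256WithRSAEncryption")  # the existing rule
SENDER_RULE = Rule("Sender", "SHA256WithRSAAndMGF1")           # Martijn's added rule


def signing_algorithm(rules, sender="sender@internal.example",
                      recipient="partner@external.example"):
    attrs, _ = run_smime_processor(rules, USERS, sender, recipient)
    return attrs.get("runtime.smime.signingAlgorithm")


if __name__ == "__main__":
    # Sender rule first, as advised: RSASSA-PSS wins regardless of recipient.
    print(signing_algorithm([SENDER_RULE, RECIPIENT_RULE]))  # SHA256WithRSAAndMGF1
    # Sender rule placed after the recipient rule: recipient rule matches first.
    print(signing_algorithm([RECIPIENT_RULE, SENDER_RULE]))  # SHA256WithRSAEncryption
```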

On 09-01-18 17:06, Andi via Users wrote:


--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and
secure webmail pull.

Twitter: http://twitter.com/CipherMail