We use CipherMail for domain encryption with S/MIME and PGP. Our S/MIME domain certificate is self-signed and does not contain a CRL. Today we ran into the issue that a new partner declines our encrypted and signed mail due to the missing CRL in our S/MIME certificate. One possible solution (at least in theory) would be to turn off signing of our mails for that specific recipient.
However, the only configuration options for signing that I could find are defined at the sender level and not per recipient. The only exception to this seems to be the option “Only sign when encrypt”, which would not help for this use case.
Is there a configuration option to turn off email signing on a recipient basis that I might have missed?
There is no option for this out of the box. You can change the mail flow and make some sort of exception. This requires changing the config.xml file, which configures the complete mail flow.
CipherMail currently doesn’t support disabling email signing certificates on a per-recipient basis directly. A practical workaround is to create a separate mail rule or use a routing policy to handle that specific recipient via a different gateway or connector without signing. Alternatively, consider replacing the self-signed certificate with one from a trusted CA that includes a CRL.
Mainly we would like to avoid the check of the missing CRL entry of our certificate that is done by some partners before decrypting incoming messages (if these messages are signed).
However, there might be other use cases where only encryption of the transmitted data is wanted to keep them confidential, but verifying the sender is not required.