On 09-01-18 17:06, Andi via Users wrote:
>
> Quoting Philipp Thielke via Users <users@lists.djigzo.com>:
>
>> Hi Martijn,
>>
>> thanks for adding the new encryption scheme and signing algorithm in 3.3.1-0.
>> (RSAES-OAEP)
>>
>> As these are required for the German energy market and, beyond this, not widely
>> supported by many destination systems, I would like to configure ciphermail
>> to only use them for certain sending (internal) users.
>>
>> Currently I cannot set this. It seems that the S/MIME encr. scheme and signing
>> algo. can only be set for (external) receivers.
>>
>> In case of using that feature for the energy market there might be 1000 external
>> partners and 1-2 internal senders for whom this feature may be enabled.
>>
>> Any idea how to configure that?
>>
>> Kind regards
>>
>> Philipp Thielke
>>
>
> To my knowledge you can create "Users" identified by e-mail address
> which can be internal or external; there is even a setting to create
> them at first e-mail with a valid S/MIME type. You should be able to
> assign these Users the encryption settings you need.
Unfortunately, by default, the signing and encryption algorithm is a recipient-only property. This makes sense in most cases because not every recipient might support the new signing algorithm (RSASSA-PSS) or padding scheme (RSAES-OAEP). You can then select per domain (or recipient) whether the recipient supports it or not.

The OP however wants to use RSAES-OAEP when an email is sent by some domain (or users) irrespective of whether the recipient supports this (at least that is my understanding). This is not possible with the default config. This can however be changed by modifying the file that defines the mail flow.

The mail flow, i.e., what should happen when, is defined in the file config.xml. Within this file you have a processor called "smime" (search for <processor name="smime">). Within this processor there are rules that set up S/MIME signing. For example there is the rule:

  <mailet match="RecipientEvaluateUserProperty=matchOnError=false,#{user.sMIMESigningAlgorithm}=='SHA256WithRSAEncryption'" class="SetAttributes">
    <runtime.smime.signingAlgorithm>SHA256WithRSAEncryption</runtime.smime.signingAlgorithm>
    <processor>smime-sign</processor>
  </mailet>

This rule defines that if the S/MIME signing algorithm of a recipient is set to SHA256WithRSAEncryption, then a local attribute for that email will be set to make sure the message is signed with SHA256, and then the flow continues (jumps) to the "smime-sign" processor.

One option is to short-circuit this with a check for a sender property. For example, add the following part before the SHA256WithRSAEncryption check (not tested!!):

  <mailet match="SenderEvaluateUserProperty=matchOnError=false,#{user.sMIMESigningAlgorithm}=='SHA256WithRSAAndMGF1'" class="SetAttributes">
    <runtime.smime.signingAlgorithm>SHA256WithRSAAndMGF1</runtime.smime.signingAlgorithm>
    <processor>smime-sign</processor>
  </mailet>

This will check whether the sender configured SHA256WithRSAAndMGF1 (RSASSA-PSS) as the signing algorithm and, if so, will sign the message with RSASSA-PSS SHA256. It's important that this check is done before the other signing algorithm checks. With this new rule in place, if a sender has configured SHA256WithRSAAndMGF1 as the signing algorithm, the email will be signed with RSASSA-PSS SHA256.

Similar changes can be made for the encryption algorithm.

I did not test the above changes (but it should work :)

Note: after changing config.xml it's important to restart the back-end (sudo service djigzo restart)

Kind regards,

Martijn Brinkers

--
CipherMail email encryption

Email encryption with support for S/MIME, OpenPGP, PDF encryption and secure webmail pull.

https://www.ciphermail.com
Twitter: http://twitter.com/CipherMail

_______________________________________________
Users mailing list
Users@lists.djigzo.com
https://lists.djigzo.com/lists/listinfo/users
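Since the reply above stresses that the sender-based rule must precede the recipient-based SHA256WithRSAEncryption check, here is an added example (not from the original post or from CipherMail) that parses the "smime" processor and verifies that ordering; the config.xml fragment is constructed for illustration, using the matcher and class names quoted in the post.

```python
"""Verify rule order in the CipherMail "smime" processor of config.xml.

Added example, not part of the mailing-list post. SAMPLE_CONFIG is a
constructed fragment modelled on the mailets quoted in the post."""
import xml.etree.ElementTree as ET

# Constructed config.xml fragment: sender-based RSASSA-PSS rule first,
# then the default recipient-based SHA256WithRSAEncryption rule.
SAMPLE_CONFIG = """<config>
  <processor name="smime">
    <mailet match="SenderEvaluateUserProperty=matchOnError=false,#{user.sMIMESigningAlgorithm}=='SHA256WithRSAAndMGF1'" class="SetAttributes">
      <runtime.smime.signingAlgorithm>SHA256WithRSAAndMGF1</runtime.smime.signingAlgorithm>
      <processor>smime-sign</processor>
    </mailet>
    <mailet match="RecipientEvaluateUserProperty=matchOnError=false,#{user.sMIMESigningAlgorithm}=='SHA256WithRSAEncryption'" class="SetAttributes">
      <runtime.smime.signingAlgorithm>SHA256WithRSAEncryption</runtime.smime.signingAlgorithm>
      <processor>smime-sign</processor>
    </mailet>
  </processor>
</config>
"""


def signing_rules(config_xml):
    """Return (matcher, algorithm) pairs, in file order, for every SetAttributes
    mailet in the "smime" processor that sets runtime.smime.signingAlgorithm."""
    root = ET.fromstring(config_xml)
    proc = root.find("./processor[@name='smime']")
    if proc is None:
        raise ValueError('no <processor name="smime"> found in config')
    rules = []
    for mailet in proc.findall("mailet"):
        if mailet.get("class") != "SetAttributes":
            continue
        alg = mailet.find("runtime.smime.signingAlgorithm")
        if alg is None or alg.text is None:
            continue
        # The matcher name is the part before the first '=' in the match attribute.
        matcher = mailet.get("match", "").split("=", 1)[0]
        rules.append((matcher, alg.text.strip()))
    return rules


def sender_rule_first(config_xml):
    """True if a SenderEvaluateUserProperty signing rule precedes every
    RecipientEvaluateUserProperty signing rule (the order the post requires)."""
    kinds = [matcher for matcher, _ in signing_rules(config_xml)]
    if "SenderEvaluateUserProperty" not in kinds:
        return False
    first_sender = kinds.index("SenderEvaluateUserProperty")
    return "RecipientEvaluateUserProperty" not in kinds[:first_sender]


if __name__ == "__main__":
    print(signing_rules(SAMPLE_CONFIG), sender_rule_first(SAMPLE_CONFIG))
```

Run it against a real config.xml by passing the file contents to sender_rule_first; a False result means the recipient check would still win and the sender's RSASSA-PSS setting would be ignored.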