Re: [sympa-users] more questions and answers for S/MIME

Subject: The mailing list for listmasters using Sympa

  • From: Serge Aumont <address@concealed>
  • To: Adam Bernstein <address@concealed>
  • Cc: "address@concealed" <address@concealed>
  • Subject: Re: [sympa-users] more questions and answers for S/MIME
  • Date: Wed, 11 Jun 2008 07:55:23 +0200

Adam Bernstein wrote:
So now I'm curious, is there anybody else out there using S/MIME with Sympa? Or are we on the bleeding edge? Because unless I'm very much mistaken, you would have had to overcome the same problems we've been dealing with, and I'd love to confirm our solutions or find new ones.

Now for some more questions and tips:

1. Is the welcome message for a list with an installed certificate always supposed to be signed? I've found that if the subscription was completed via email (ie. by the subscriber), the welcome message is signed, but if the subscriber was added by the administrator via WWSympa, the welcome message is not signed. Could that possibly be because we're using HTTP and not SSL for the Web connection -- does Sympa relate the use of X.509 email certs to the use of SSL for Web?
No, this is a bug. The welcome message is not signed by the list owner but the list server itself.

2. Has anyone successfully added a signing cert from a new CA to the ca-bundle.crt file that comes with Sympa? We've been successful using CAs that are already listed there (Thawte), but we haven't been able to get it working with a new CA (Comodo) even though we've put their certificate in what seems to be the right format in a modified ca-bundle.crt file. We could use some help figuring out why.
That's really strange because Sympa just uses openssl, so maybe you have a configuration problem (sympa.conf) with the parameter that specifies the CA bundle location? You are probably using the default openssl bundle.

3. On distributing list certificates to subscribers: As previously mentioned, using the Load Certificate link on the list's Web page does not work for anyone but the creator of the certificate, who won't need it. The problem is that the cert will be loaded by the subscriber's browser into the "Other people's certs" section, and there is no button to export/backup certs from there (at least in Firefox), so they can't export it to their email client.
Ok, I understand why that's so important for you to send a signed welcome message. We may propose 2 solutions:

1. fix the problem related to the signed welcome message
2. propose a link for downloading the list cert in a way that the user can save it to a file. If you have some suggestion on the HTTP header (content-type etc.) you are welcome.


But this feature is actually unnecessary because the list will sign various messages to subscribers once it's configured, including the "an encrypted message has been sent to the list but we don't yet have your certificate" notice. These signed messages will get the list cert directly into the subscriber's email client soon enough, although they may miss seeing one encrypted message first. It would be even better if the welcome message was always signed, because then we could rely on that happening for everyone at the beginning.

4. In the current Sympa you will have to customize your request_auth.tt2 template in order to fix a problem with replies to subscription confirmation requests going to the list owners instead of back to Sympa, when a list cert is installed. This bug is reported and discussed here:

https://sourcesup.cru.fr/tracker/index.php?func=detail&aid=4157&group_id=23&atid=167

5. I have more, but this is already way too long. :)
Thanks Adam for your report (and also for all your contribs). It's quite difficult for us to solve all the reported bugs, especially those related to features we don't use.

FYI: the CRU has had its own PKI for a long time, but we decided to stop it a short time ago. We decided this because of the very high administrative cost of any PKI and the poor integration of user certs in users' environments. We no longer deliver user certificates and we are going to revoke our root cert in September.
