RE: [sympa-users] Sympa and S/MIME

Subject: The mailing list for listmasters using Sympa

  • From: Steve Shipway <address@concealed>
  • To: "address@concealed" <address@concealed>
  • Cc: Menkens Olaf <address@concealed>
  • Subject: RE: [sympa-users] Sympa and S/MIME
  • Date: Tue, 25 Sep 2012 21:45:20 +0000

> - as far as I understand the idea of signing, the list should not sign
> mails itself, but the sender should sign the mail and the list just
> must not modify its contents. Distributing signed mails is usually no
> problem even without special S/MIME configuration of the list.

I have this much working fine, since I installed the necessary certs in the
CA dir and rehashed it.

The Sympa 6.1.11 seems to sign messages from the list admin (moderation
notifications etc) but not messages being passed via the list, even if
initially unsigned. I was hoping to get messages signed by the list cert in
order to add some verification to the postings on official announcement
lists...

The signing only seems to work if I add the -nodetach option to openssl, so
that it is a pure signed message. Reading up on openssl, this seems to be a
'fault' of openssl being strict to the RFC with respect to \r\n line
terminators, whereas Exchange/Outlook are not and so generated signatures
fail. I can find no workaround for this (the -binary option does not work
either).

> - mail encryption did not work with sympa 6.1.7 out of the box. I sent
> some patches to the sympa-users list on 16.12.2011. I didn't check,
> whether they were included in the current release. As an alternative it
> was possible to use the mail.pm module from sympa 6.2 sources.

I'll check this out. Mail encryption produces an 'internal error' for me
that I'm still trying to track down. I'd rather not modify the distributed
source too much if at all possible though.

The Sympa documentation is very, very sparse on this subject, sadly. Many
things (such as having two certs for a list, one for signing and one for
encryption) I only found out by reading the code... also how to install the
list public cert into Outlook in order to send encrypted emails was not
simple!

There is some strange behaviour in smime_sign that looks in list_data/sympa
for a certificate when signing a moderator notification, rather than in
list_data/$robot/$list. I think it may be trying to find a certificate for
Sympa itself?

Steve

Steve Shipway
ITS Unix Services Design Lead
University of Auckland, New Zealand
Floor 1, 58 Symonds Street, Auckland
Phone: +64 (0)9 3737599 ext 86487
DDI: +64 (0)9 924 6487
Mobile: +64 (0)21 753 189
Email: address@concealed

Attachment: smime.p7s
Description: S/MIME cryptographic signature
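
A diagnostic sketch for the line-terminator issue discussed in the message above, added here as an example and not part of the original post or of Sympa: it extracts the signed part of a detached (multipart/signed) message and reports which line endings it carries, with its digest as received and after CRLF canonicalization. The sample message, the function names and the use of SHA-256 are assumptions.

```python
import hashlib
import re

def signed_entity(raw: bytes) -> bytes:
    """Exact bytes of the first (signed) part of a multipart/signed message."""
    m = re.search(rb'boundary="?([^";\r\n]+)"?', raw, re.I)
    if not m:
        raise ValueError("no MIME boundary parameter found")
    delim = b"--" + m.group(1)
    start = raw.index(delim, m.end())        # delimiter line opening part 1
    start = raw.index(b"\n", start) + 1      # part begins on the next line
    part = raw[start:raw.index(delim, start)]
    # The line break before a delimiter belongs to the delimiter (RFC 2046).
    if part.endswith(b"\r\n"):
        return part[:-2]
    return part[:-1] if part.endswith(b"\n") else part

def canonical(entity: bytes) -> bytes:
    """Rewrite every line ending as CRLF, the canonical form for signed text."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", entity)

def report(raw: bytes) -> dict:
    """Line-ending counts and digests for the signed part of `raw`."""
    part = signed_entity(raw)
    crlf = part.count(b"\r\n")
    return {
        "crlf": crlf,
        "bare_lf": part.count(b"\n") - crlf,
        "bare_cr": part.count(b"\r") - crlf,
        "sha256_as_received": hashlib.sha256(part).hexdigest(),
        "sha256_canonical": hashlib.sha256(canonical(part)).hexdigest(),
    }

# Constructed sample: a detached-signature message with a placeholder signature.
SAMPLE = (
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    b' micalg=sha-256; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\n"
    b"Official announcement.\r\nSecond line.\r\n"
    b"--b1\r\nContent-Type: application/pkcs7-signature\r\n\r\n"
    b"(placeholder)\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for label, msg in (("CRLF as signed", SAMPLE),
                       ("LF after relay", SAMPLE.replace(b"\r\n", b"\n"))):
        print(label, report(msg))
```

When the two digests differ for a message that fails verification, the signed part no longer has pure CRLF line endings, which suggests checking the mail path for line-ending rewriting before suspecting the certificates.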