The mailing list for listmasters using Sympa

[Steve Shipway <address@concealed>]

> I am trying to setup SYMPA 6.1.16 with S/MIME-signed
> e-mail support as authentication mechanism and of course
> I try to debug myself in the first place.

I've done a lot of work on this recently, using 6.1.11 with a couple of 
patches, and managed to make most of it work.  The available documentation is 
rather sparse and there are a couple of bugs, not to mention inadequate error 
reporting.

Currently, Riseup (the people who made the list table performance patch) are 
starting a project for improved documentation of features that pertain to 
large installations (such as SMIME) that I'm helping with, but this will be 
some ways down the track.

I found out that it was necessary for me to add the intermediate certificates 
for the SMIME signatures we use to the CApath and recreate the links in order 
to correctly verify SMIME signed messages.  Both clear-signed and 
opaque-signed work.  Then, I managed to make smime authentication work... in 
your scenario you mention, you should likely also allow MD5 posting else 
people will not be able to post via the wwsympa or moderation.

Check that you definitely have the openssl option in Sympa.conf set correctly.

For debugging, I found that there are smime logs created in the syslog, 
though you need to search for ssl and smime as they are not always easily 
identified.  I also added some extra ones to help.  Normally it doesn’t seem 
to log failed smime validation.  Run at the highest level (debug2) and there 
should be tools::smime_check function calls.

In lib/tools.pm are the smime functions.  In subroutine smime_sign_check, I 
modified the call to openssl to save error messages:

    unless (open (MSGDUMP, "| $Conf::Conf{'openssl'} smime -verify  
$trusted_ca_options -signer $temporary_file >/dev/null 
2>/var/tmp/smime.log")) {
        do_log('err', 'tools::smime_sign_check unable to call openssl to 
verify smime signature from %s %s',$sender,$verify);
        return undef ;
    }

This is a bit ugly but allows me to look in /var/tmp/smime.log to see error 
messages that would usually be thrown away.  This helped with the debugging.

There are far more difficulties when you want to add a list certificate and 
support signing of notification messages or encryption; this is too much to 
get into now but email me directly if you'd like more info.

Steve


Steve Shipway
ITS Unix Services Design Lead
University of Auckland, New Zealand
Floor 1, 58 Symonds Street, Auckland
Phone: +64 (0)9 3737599 ext 86487
DDI: +64 (0)9 924 6487
Mobile: +64 (0)21 753 189
Email: address@concealed
 Please consider the environment before printing this e-mail : 
打印本邮件，将减少一棵树存活的机会

Attachment: smime.p7s
Description: S/MIME cryptographic signature