
RE: [sympa-users] S/MIME authentication for SMTP / debugging

Subject: The mailing list for listmasters using Sympa


  • From: Steve Shipway <address@concealed>
  • To: Dirk Jahnke-Zumbusch <address@concealed>, "address@concealed" <address@concealed>
  • Subject: RE: [sympa-users] S/MIME authentication for SMTP / debugging
  • Date: Thu, 6 Dec 2012 00:29:49 +0000

> I am trying to setup SYMPA 6.1.16 with S/MIME-signed
> e-mail support as authentication mechanism and of course
> I try to debug myself in the first place.

I've done a lot of work on this recently, using 6.1.11 with a couple of
patches, and managed to make most of it work. The available documentation is
rather sparse and there are a couple of bugs, not to mention inadequate error
reporting.

Currently, Riseup (the people who made the list table performance patch) are
starting a project for improved documentation of features that pertain to
large installations (such as SMIME) that I'm helping with, but this will be
some ways down the track.

I found out that it was necessary for me to add the intermediate certificates
for the SMIME signatures we use to the CApath and recreate the links in order
to correctly verify SMIME signed messages. Both clear-signed and
opaque-signed work. Then, I managed to make smime authentication work... in
the scenario you mention, you should likely also allow MD5 posting, else
people will not be able to post via wwsympa or moderation.

Check that you definitely have the openssl option in Sympa.conf set correctly.

For debugging, I found that there are smime logs created in the syslog,
though you need to search for ssl and smime as they are not always easily
identified. I also added some extra ones to help. Normally it doesn’t seem
to log failed smime validation. Run at the highest level (debug2) and there
should be tools::smime_check function calls.

In lib/tools.pm are the smime functions. In subroutine smime_sign_check, I
modified the call to openssl to save error messages:

    # Pipe the message into openssl; stdout is discarded as before, but
    # stderr now lands in /var/tmp/smime.log instead of being thrown away.
    unless (open (MSGDUMP, "| $Conf::Conf{'openssl'} smime -verify "
                         . "$trusted_ca_options -signer $temporary_file "
                         . ">/dev/null 2>/var/tmp/smime.log")) {
        do_log('err', 'tools::smime_sign_check unable to call openssl to '
                    . 'verify smime signature from %s %s', $sender, $verify);
        return undef;
    }

This is a bit ugly but allows me to look in /var/tmp/smime.log to see error
messages that would usually be thrown away. This helped with the debugging.

There are far more difficulties when you want to add a list certificate and
support signing of notification messages or encryption; this is too much to
get into now but email me directly if you'd like more info.

Steve


Steve Shipway
ITS Unix Services Design Lead
University of Auckland, New Zealand
Floor 1, 58 Symonds Street, Auckland
Phone: +64 (0)9 3737599 ext 86487
DDI: +64 (0)9 924 6487
Mobile: +64 (0)21 753 189
Email: address@concealed
Please consider the environment before printing this e-mail.
Printing this e-mail reduces a tree's chance of survival.


Attachment: smime.p7s
Description: S/MIME cryptographic signature
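The two practical points in the message above (the intermediate certificates must be in the CApath with fresh hash links, and openssl's stderr is the only useful diagnostic when verification fails) can be reproduced end to end. The script below is an added example; it is not code from the original post or from Sympa. It assumes only an openssl binary on PATH (1.1.0 or newer, so that "openssl rehash" exists, doing what the older c_rehash script did). It builds its own throwaway root, intermediate and user certificates, signs a constructed message with the user key alone (so the intermediate is not embedded, as with most mail clients), shows the verification failing with only the root in the CApath while keeping openssl's error text in a log file, and then succeeding once the intermediate has been copied in and the hash links recreated. The verify_smime function mirrors the openssl call in tools::smime_sign_check.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sympa itself.
# Assumes an openssl binary (1.1.0 or newer, so that "openssl rehash" exists)
# on PATH; every certificate, key and message below is generated on the fly.
set -eu

# Build a throwaway PKI in directory $1: root CA -> intermediate CA -> user
# certificate, plus a clear-signed S/MIME message that carries only the user
# certificate (no intermediate), which is what a typical mail client sends.
build_test_pki() {
    pki=$1
    cat > "$pki/ext.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[user]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,nonRepudiation
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    for name in root int user; do
        case $name in
            root) subj="/CN=Example Root CA" ;;
            int)  subj="/CN=Example Intermediate CA" ;;
            user) subj="/CN=Alice Example/emailAddress=alice@example.test" ;;
        esac
        openssl req -new -newkey rsa:2048 -nodes -config "$pki/ext.cnf" \
            -subj "$subj" -keyout "$pki/$name.key" -out "$pki/$name.csr" 2>/dev/null
    done
    # The root signs itself and the intermediate; the intermediate signs the user.
    openssl x509 -req -in "$pki/root.csr" -signkey "$pki/root.key" -days 2 \
        -extfile "$pki/ext.cnf" -extensions root -out "$pki/root.crt" 2>/dev/null
    openssl x509 -req -in "$pki/int.csr" -CA "$pki/root.crt" -CAkey "$pki/root.key" \
        -CAcreateserial -days 2 -extfile "$pki/ext.cnf" -extensions ca \
        -out "$pki/int.crt" 2>/dev/null
    openssl x509 -req -in "$pki/user.csr" -CA "$pki/int.crt" -CAkey "$pki/int.key" \
        -CAcreateserial -days 2 -extfile "$pki/ext.cnf" -extensions user \
        -out "$pki/user.crt" 2>/dev/null
    # Constructed message; no -certfile, so the intermediate is NOT embedded.
    printf 'Subject: test post\n\nhello list\n' > "$pki/msg.txt"
    openssl smime -sign -in "$pki/msg.txt" -signer "$pki/user.crt" \
        -inkey "$pki/user.key" -out "$pki/msg.signed"
}

# Copy a certificate into the CApath directory ($2) and recreate the <hash>.N
# links openssl uses to look trusted certificates up.  Skipping the rehash is
# a classic cause of "unable to get local issuer certificate".
install_trusted_cert() {
    cp "$1" "$2/"
    openssl rehash "$2" 2>/dev/null
}

# The call Sympa's smime_sign_check makes, with openssl's stderr kept in $3
# instead of being discarded.  $1 is the signed message, $2 the CApath; the
# signer's certificate is written to $3.signer on success.  Returns openssl's
# exit status so callers can branch on it.
verify_smime() {
    openssl smime -verify -in "$1" -CApath "$2" -signer "$3.signer" \
        -out /dev/null 2>"$3"
}

# Walk through the failure the post describes, then the fix.
demo() {
    work=$(mktemp -d)
    build_test_pki "$work"
    mkdir "$work/capath"
    install_trusted_cert "$work/root.crt" "$work/capath"
    if verify_smime "$work/msg.signed" "$work/capath" "$work/first.log"; then
        echo "unexpected: verified with the root certificate alone"
    else
        echo "first attempt (root only in CApath) failed; openssl's stderr:"
        sed 's/^/    /' "$work/first.log"
    fi
    install_trusted_cert "$work/int.crt" "$work/capath"
    if verify_smime "$work/msg.signed" "$work/capath" "$work/second.log"; then
        echo "second attempt (intermediate added and rehashed): signature verified"
        openssl x509 -in "$work/second.log.signer" -noout -subject
    fi
    rm -rf "$work"
}
demo
```

The first verify_smime call fails because the signer's issuer is neither in the message nor in the hashed directory; the log file is where that reason is stated, which is exactly what the tools.pm modification above makes visible inside Sympa. For a production CApath the same two steps apply: copy in the intermediate(s) that the signatures you receive omit, then rehash, and check the log before changing anything else.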




Archive powered by MHonArc 2.6.19+.