The mailing list for listmasters using Sympa

[Steve Shipway <address@concealed>]

> i have a awful request from some members. they told me that they could not
> delete some messages, which are sent from the list. this appears in outlook
> and the following error message appears:
>
> The name of your digital ID could not be found in the underlying security
> system.
>
> so this is clear, the problem is around the outlook and the 
> signature...but...
>
> is there any possibility to get rid of the smime.p7s, something like a 
> smime-
> garbage-collector in sympa?

The smime.p7s attachment file is the S/MIME digital signature; probably the 
original message was digitally signed with an 'open signature' (which 
preserves the original plain text), but the list server configuration made 
changes (changing subject, adding a footer, mailmerge etc) which broke the 
signature -- or else, the signing certificate is itself signed by a CA cert 
which is not in everyones CA.

I think the largest problem is that your SMIME itself is not correctly 
configured; making Sympa strip signatures is a workaround at best and a 
downgrading of ssecurity.

So, what you need to do then is one of these.

1. Get the CA cert installed into the clients which are having a problem - 
sort out your Outlook/Exchange setup.  This will make the problem go away. 
Who is the provider for the SMIME certs that are failing?  Did the original 
sender include the public key with their signature (it is a setting in 
Outlook)?  Do digital signatures work when mailed direct (not via a list)? 
Have you installed any necessary intermediate certificates for the SMIME 
signatures into the /etc/sympa/CA directory and set capath=/etc/sympa/CA in 
the sympa.conf?

2. Make Sympa strip the attachment.  This is not possible with a normal 
Sympa, 
but you can likely add an additional function and option to do this.  It 
would 
be a good feature for Sympa 6.2 to have :)

3. Modify the Send scenario to deny send if there is a digital signature. 
This is possible, and I do it on the mailmerge lists here, as Sympa disables 
the merge if a message is digitally signed since then it cannot be modified 
without breaking the signature.  To do this, add a scenario line of the form
true()   smime     -> reject(reason='send_nosmime')

4. Change the list configuration to not add footers or headers.  This should 
not happen with digitally signed messages, but there was a bug in versions 
prior to 6.1.twentyish that meant it happened anyway.

HTH

Steve

Steve Shipway
address@concealed

Attachment: smime.p7s
Description: S/MIME cryptographic signature