
en - RE: [sympa-users] smime.p7s

Subject: The mailing list for listmasters using Sympa

  • From: Steve Shipway <address@concealed>
  • To: "address@concealed" <address@concealed>, "address@concealed" <address@concealed>
  • Subject: RE: [sympa-users] smime.p7s
  • Date: Tue, 17 Feb 2015 20:57:49 +0000

> I have an awful request from some members. They told me that they could not
> delete some messages which are sent from the list. This appears in Outlook
> and the following error message appears:
>
> The name of your digital ID could not be found in the underlying security
> system.
>
> So this is clear, the problem is around Outlook and the
> signature...but...
>
> Is there any possibility to get rid of the smime.p7s, something like a
> smime-garbage-collector in Sympa?

The smime.p7s attachment file is the S/MIME digital signature; probably the
original message was digitally signed with an 'open signature' (which
preserves the original plain text), but the list server configuration made
changes (changing subject, adding a footer, mailmerge etc) which broke the
signature -- or else, the signing certificate is itself signed by a CA cert
which is not in everyone's CA.

I think the largest problem is that your SMIME itself is not correctly
configured; making Sympa strip signatures is a workaround at best and a
downgrading of security.

So, what you need to do then is one of these.

1. Get the CA cert installed into the clients which are having a problem -
sort out your Outlook/Exchange setup. This will make the problem go away.
Who is the provider for the SMIME certs that are failing? Did the original
sender include the public key with their signature (it is a setting in
Outlook)? Do digital signatures work when mailed direct (not via a list)?
Have you installed any necessary intermediate certificates for the SMIME
signatures into the /etc/sympa/CA directory and set capath=/etc/sympa/CA in
the sympa.conf?

2. Make Sympa strip the attachment. This is not possible with a normal
Sympa, but you can likely add an additional function and option to do this.
It would be a good feature for Sympa 6.2 to have :)

3. Modify the Send scenario to deny send if there is a digital signature.
This is possible, and I do it on the mailmerge lists here, as Sympa disables
the merge if a message is digitally signed since then it cannot be modified
without breaking the signature. To do this, add a scenario line of the form
true() smime -> reject(reason='send_nosmime')

4. Change the list configuration to not add footers or headers. This should
not happen with digitally signed messages, but there was a bug in versions
prior to 6.1.twentyish that meant it happened anyway.

HTH

Steve

Steve Shipway
address@concealed


Attachment: smime.p7s
Description: S/MIME cryptographic signature
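
The reply above says that list-side changes such as an added footer break an 'open' (clear-signed) S/MIME signature, and that signed messages should be left unmodified. The following is an added example, not part of the original message and not Sympa code: it detects S/MIME messages and shows that inserting a footer changes the bytes the detached smime.p7s covers. The sample messages, the boundary "b1", the placeholder signature body and all function names are constructed for illustration.

```python
import hashlib
from email import message_from_bytes

# Constructed samples; the base64 body is a placeholder, not a real PKCS#7 signature.
SIGNED = (
    b"From: alice@example.org\r\nSubject: hello\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    b' micalg=sha-256; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\n"
    b"Meeting at 10.\r\n"
    b'--b1\r\nContent-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nUExBQ0VIT0xERVI=\r\n--b1--\r\n"
)
PLAIN = b"From: bob@example.org\r\nSubject: hi\r\n\r\nLunch?\r\n"
FOOTER = b"-- \r\nlist footer (constructed)\r\n"

def smime_kind(raw):
    """Return 'clear-signed', 'opaque', or None for a raw message."""
    msg = message_from_bytes(raw)
    ctype = msg.get_content_type()
    proto = str(msg.get_param("protocol") or "").lower()
    if ctype == "multipart/signed" and proto.endswith("pkcs7-signature"):
        return "clear-signed"  # detached smime.p7s, body stays readable
    if ctype.endswith("pkcs7-mime"):
        return "opaque"        # body wrapped inside the PKCS#7 blob
    return None

def signed_span(raw):
    """Byte offsets of the first MIME part, which the detached signature covers."""
    delim = b"--" + message_from_bytes(raw).get_boundary().encode()
    start = raw.index(delim + b"\r\n") + len(delim) + 2
    return start, raw.index(b"\r\n" + delim, start)

def signed_digest(raw):
    start, end = signed_span(raw)
    return hashlib.sha256(raw[start:end]).hexdigest()

def naive_footer(raw):
    """Careless list behaviour: push the footer into the signed part."""
    _, end = signed_span(raw)
    return raw[:end] + b"\r\n" + FOOTER.rstrip(b"\r\n") + raw[end:]

def guarded_footer(raw):
    """Leave S/MIME messages byte-for-byte intact; decorate only unsigned mail."""
    return raw if smime_kind(raw) else raw + FOOTER
```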


