sendmail & digital signature

on 01.11.2007 21:23:38 by Tom Slycke

We have a process that generates invoices and automatically emails them to
our clients. We are being required to apply a digital signature to the
messages.

Our process relays the message thru a sendmail server. Can I have the
sendmail server apply the digital signature before the message gets relayed?

Re: sendmail & digital signature

on 01.11.2007 21:45:32 by gtaylor

On 11/01/07 15:23, Tom Slycke wrote:
> We have a process that generates invoices and automatically emails
> them to our clients. We are being required to apply a digital
> signature to the messages.

Ok...

> Our process relays the message thru a sendmail server. Can I have the
> sendmail server apply the digital signature before the message gets
> relayed?

With stock Sendmail no. You would be better off writing a small program
that will digitally sign the messages and have it pass the signed
messages to Sendmail.

You would go from this process flow:

       +--------------+       +----------+
--->---+ Your Process +--->---+ Sendmail +--->
       +--------------+       +----------+

To this process flow:

       +--------------+       +------+       +----------+
--->---+ Your Process +--->---+ Shim +--->---+ Sendmail +--->
       +--------------+       +------+       +----------+

Where the 'Shim' would take your clear text message from 'Your Process'.
'Shim' would then digitally sign the message and hand the signed
message off to 'Sendmail'. 'Sendmail' would then deliver the (now)
signed message like normal.



Grant. . . .

P.S. Might I suggest that you add the "Auto-Submitted:" header with a
value of "auto-generated" to your outgoing messages.

Re: sendmail & digital signature

on 01.11.2007 22:13:03 by Hans-Peter Sauer

Tom Slycke unleashed the infinite monkeys on 01/11/2007 20:23 producing:
> We have a process that generates invoices and automatically emails them to
> our clients. We are being required to apply a digital signature to the
> messages.
>
> Our process relays the message thru a sendmail server. Can I have the
> sendmail server apply the digital signature before the message gets relayed?

What type of digital signature? If any standard signature will do you
may want to look at DKIM, for which there's a milter (effectively a
sendmail plugin).

--
Rob MacGregor (BOFH)

Rule 37: "There is no 'overkill'. There is only 'open fire'
and 'I need to reload.'"

Re: sendmail & digital signature

on 01.11.2007 22:19:05 by gtaylor

On 11/01/07 16:13, Rob MacGregor wrote:
> What type of digital signature? If any standard signature will do
> you may want to look at DKIM, for which there's a milter (effectively
> a sendmail plugin).

From what little experience I have had with secured email (I use the
term loosely) I'm betting that the OP is referring to S/MIME or PGP
signed messages so that recipients can verify the authenticity. Based
on the fact that S/MIME is much more prevalent and integrated into MUAs
I'm betting that S/MIME is what will be used.



Grant. . . .

Re: sendmail & digital signature

on 02.11.2007 04:29:33 by Victor Sudakov

Grant Taylor wrote:
> > What type of digital signature? If any standard signature will do
> > you may want to look at DKIM, for which there's a milter (effectively
> > a sendmail plugin).

> From what little experience I have had with secured email (I use the
> term loosely) I'm betting that the OP is referring to S/MIME or PGP
> signed messages so that recipients can verify the authenticity. Based
> on the fact that S/MIME is much more prevalent and integrated into MUAs
> I'm betting that S/MIME is what will be used.

And "openssl smime -sign" outputs a message in S/MIME format ready for
submission which can be very convenient.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

Re: sendmail & digital signature

on 02.11.2007 04:37:45 by gtaylor

On 11/1/2007 10:29 PM, Victor Sudakov wrote:
> And "openssl smime -sign" outputs a message in S/MIME format ready
> for submission which can be very convenient.

Do you run this with or without headers? Or does OpenSSL compensate
for that as well?



Grant. . . .

Re: sendmail & digital signature

on 02.11.2007 05:03:40 by Victor Sudakov

Grant Taylor wrote:
> > And "openssl smime -sign" outputs a message in S/MIME format ready
> > for submission which can be very convenient.

> Do you run this with or without headers? Or does OpenSSL compensate
> for that as well?

It places the body of the message into one MIME part and the signature
into the other part.

You can add more headers to the resulting multipart message with
formail if desired.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/

Re: sendmail & digital signature

on 02.11.2007 14:21:07 by Tom Slycke

I must admit that I am sendmail illiterate. I grew up in the Windows world,
I did support Exchange for a while, and have been pushed into the Linux
environment. ( square peg .. round hole ??? )

Can this be scripted to process messages relayed thru the sendmail server?

"Victor Sudakov" wrote in message
news:fge7is$1r3t$1@relay.tomsk.ru...
> Grant Taylor wrote:
>> > And "openssl smime -sign" outputs a message in S/MIME format ready
>> > for submission which can be very convenient.
>
>> Do you run this with or without headers? Or does OpenSSL compensate
>> for that as well?
>
> It places the body of the message into one MIME part and the signature
> into the other part.
>
> You can add more headers to the resulting multipart message with
> formail if desired.
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/49@fidonet http://vas.tomsk.ru/

Re: sendmail & digital signature

on 02.11.2007 15:40:06 by gtaylor

On 11/02/07 08:21, Tom Slycke wrote:
> I must admit that I am sendmail illiterate. I grew up in the Windows
> world, I did support Exchange for a while, and have been pushed
> into the Linux environment. ( square peg .. round hole ??? )

Three words: I am sorry!

> Can this be scripted to process messages relayed thru the sendmail
> server?

Absolutely.

I would suggest that you find / write the "shim" that I was referring to
("openssl smime -sign" per Victor) and be able to run it manually. Once
you have the "shim" working, you can create a new Mailer inside of
Sendmail that will pipe the mail through the "shim" and re-inject
the message into Sendmail. You would then need to use a Mailertable
entry to define which messages needed to be digitally signed or write a
rule that would alter the mailer for messages based on contents (which
is beyond me but can be done).

This will work, and is how many things are done with Sendmail. The main
disadvantage of this method (if it even qualifies as that) is that the
message and its SMTP envelope terminate at the above Sendmail instance
which is then delivered to the "shim" mailer. The "shim" mailer will
then take the message out of the end of the SMTP stream, process it, and
finally re-introduce the new signed message as a new SMTP stream. It
would be more ideal if it would be possible to pass the message all the
way through as one single SMTP stream with the body being altered mid
process. I'm sure that some aspiring MIMEDefang coder could probably
make this happen as a milter or someone else could write something that
would speak SMTP and receive the message, digitally sign it, and pass it
on to the next server for delivery. As it is, this is what it will look
like.

+------+       +----------+              +----------+       +------+
| SMTP +--->---+ Sendmail |              | Sendmail +--->---+ SMTP |
+------+       +-----+----+              +----+-----+       +------+
                     |                        |
                     |        +------+        |
                     +--------+ Shim +--------+
                              +------+

The top line is SMTP traffic and the bottom line is STDIN / STDOUT traffic.

+------+     +----------+     +------+     +----------+     +------+
| SMTP +-->--+ Sendmail +-->--+ Shim +-->--+ Sendmail +-->--+ SMTP |
+------+     +----------+     +------+     +----------+     +------+

All the traffic here is SMTP. Normally you may not think that SMTP
versus STDIN / STDOUT traffic is that big of a deal. However if you use
some of the more advanced features of ESMTP, i.e. DSNs and associated
features, they can be preserved through the SMTP shim whereas they will
very likely be lost through the STDIN / STDOUT shim.

Ok, I'm going to get off my soap box now.



Grant. . . .
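The STDIN / STDOUT "shim" Grant describes, built on the "openssl smime -sign" step Victor mentions: it splits the headers from the body, signs the body into a multipart/signed message, and re-attaches the From/To/Subject headers that openssl does not carry over (Grant's question above). This is an added example, not code from anyone in the thread; the certificate, key, file paths and the sample invoice are constructed for the self-test, and LF line endings are assumed.

```shell
#!/bin/sh
# S/MIME signing shim. Reads a plain message file, signs its body with
# "openssl smime -sign", puts the original headers back in front of the
# multipart/signed output, and writes a message ready for sendmail.
# Assumes LF line endings and a PEM signer certificate/key (paths are
# parameters; nothing here is from the thread's own setup).
set -eu

# smime_sign_message MSG CERT KEY OUT   (all four are file paths)
smime_sign_message() {
    msg=$1 cert=$2 key=$3 out=$4
    tmp=$(mktemp -d)
    # Headers are everything before the first blank line; the body is the rest.
    sed '/^$/q' "$msg" | sed '$d' > "$tmp/hdr"
    sed '1,/^$/d' "$msg" > "$tmp/body"
    # -text wraps the body as a text/plain part; openssl emits only
    # MIME-Version/Content-Type headers, so From/To/Subject must be re-added.
    openssl smime -sign -text -signer "$cert" -inkey "$key" \
        -in "$tmp/body" -out "$tmp/signed"
    {
        grep -iv -e '^MIME-Version:' -e '^Content-' "$tmp/hdr" || true
        echo "Auto-Submitted: auto-generated"   # RFC 3834, for automated mail
        cat "$tmp/signed"
    } > "$out"
    rm -rf "$tmp"
}

# smime_verify_message SIGNED CERT TEXT: returns 0 if the signature verifies
# against CERT and the recovered body contains TEXT.
smime_verify_message() {
    openssl smime -verify -in "$1" -CAfile "$2" 2>/dev/null | grep -q "$3"
}

# Self-test with a throw-away self-signed certificate and a constructed invoice.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=invoices.example' -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    printf '%s\n' 'From: billing@example.com' 'To: client@example.net' \
        'Subject: Invoice 1001' '' 'Dear client,' 'Invoice 1001 is attached.' > "$d/msg"
    smime_sign_message "$d/msg" "$d/cert.pem" "$d/key.pem" "$d/msg.signed"
    # For real delivery the signed file would be fed to: sendmail -t < "$d/msg.signed"
    grep -q '^Content-Type: multipart/signed' "$d/msg.signed" &&
        smime_verify_message "$d/msg.signed" "$d/cert.pem" 'Invoice 1001 is attached.'
}

demo && echo "signed and verified OK"
```

Because the original headers are re-attached in front of the multipart and only the body is signed, a recipient's MUA verifies the invoice text, not the From/Subject lines; that matches how S/MIME signing normally behaves.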