Posted to server-dev@james.apache.org by Soren Hilmer <so...@tietoenator.com> on 2004/02/12 12:40:28 UTC
Re: S/MIME (was [PROPOSAL] Release Plan)
> >
> > Vincenzo: S/MIME code?
>
> This mailet (server side signing) is properly working, and just needs to be
> javadoc enhanced and some how-to documentation. But as I found a problem
> with Outlook Express
<snip>
> because it considers as a tampering the fact of
> having the signature not coming from the sender,
<snip>
Which it actually should according to the S/MIME standard (RFC-2632):

   Sending agents SHOULD make the address in the From or Sender header
   in a mail message match an Internet mail address in the signer's
   certificate. Receiving agents MUST check that the address in the From
   or Sender header of a mail message matches an Internet mail address
   in the signer's certificate, if mail addresses are present in the
   certificate. A receiving agent SHOULD provide some explicit alternate
   processing of the message if this comparison fails, which may be to
   display a message that shows the recipient the addresses in the
   certificate or other certificate details.

--Søren
--
Søren Hilmer, M.Sc.
R&D manager Phone: +45 70 27 64 00
TietoEnator IT+ A/S Fax: +45 70 27 64 40
Ved Lunden 12 Direct: +45 87 46 64 57
DK-8230 Åbyhøj Email: soren.hilmer <at> tietoenator.com
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
Re: S/MIME (was [PROPOSAL] Release Plan)
Posted by Soren Hilmer <so...@tietoenator.com>.
Ahh, that makes sense then; of course you could change the From header.
Now, a client replying to the mail will probably do it to the trusted-server
(unless you modify the reply-to header) but that is really often what you
want, because otherwise the client cannot find the right certificate and thus
not make an encrypted reply.
Now the final issue is how to forward the mail to the right recipient from the
server, which is a bit of a challenge ;-)
--Søren
On Thursday 12 February 2004 13:02, Vincenzo Gianferrari Pini wrote:
> > > > Vincenzo: S/MIME code?
> > >
> > > This mailet (server side signing) is properly working, and just needs
> > > to be javadoc enhanced and some how-to documentation. But as I found a
> > > problem with Outlook Express
> >
> > <snip>
> >
> > > because it considers as a tampering the fact of
> > > having the signature not coming from the sender,
> >
> > <snip>
> > Which it actually should according to the S/MIME standard (RFC-2632):
> >
> > Sending agents SHOULD make the address in the From or Sender header
> > in a mail message match an Internet mail address in the signer's
> > certificate. Receiving agents MUST check that the address in the From
> > or Sender header of a mail message matches an Internet mail address
> > in the signer's certificate, if mail addresses are present in the
> > certificate. A receiving agent SHOULD provide some explicit alternate
> > processing of the message if this comparison fails, which may be to
> > display a message that shows the recipient the addresses in the
> > certificate or other certificate details.
>
> I wasn't precise:
>
> a) the unsigned message comes with a
> From: xxx@yyy.com
> header;
>
> b) the mailet adds a
> Sender: "Trusted Server" <tr...@yyy.com>
> header and
>
> c) the mailet signs as
> trusted-server@yyy.com
>
> Obviously it is all parameterized.
>
> This was done on purpose to comply with RFC-2632 (the Sender header is the
> same as the Internet mail address in the signer's certificate), but Outlook
> Express ignores the Sender header and checks only the From header.
>
> Vincenzo
--
Søren Hilmer, M.Sc.
R&D manager Phone: +45 70 27 64 00
TietoEnator IT+ A/S Fax: +45 70 27 64 40
Ved Lunden 12 Direct: +45 87 46 64 57
DK-8230 Åbyhøj Email: soren.hilmer <at> tietoenator.com
RE: S/MIME (was [PROPOSAL] Release Plan)
Posted by Vincenzo Gianferrari Pini <vi...@praxis.it>.
>
> > >
> > > Vincenzo: S/MIME code?
> >
> > This mailet (server side signing) is properly working, and just needs to be
> > javadoc enhanced and some how-to documentation. But as I found a problem
> > with Outlook Express
> <snip>
> > because it considers as a tampering the fact of
> > having the signature not coming from the sender,
>
> <snip>
> Which it actually should according to the S/MIME standard (RFC-2632):
>
> Sending agents SHOULD make the address in the From or Sender header
> in a mail message match an Internet mail address in the signer's
> certificate. Receiving agents MUST check that the address in the From
> or Sender header of a mail message matches an Internet mail address
> in the signer's certificate, if mail addresses are present in the
> certificate. A receiving agent SHOULD provide some explicit alternate
> processing of the message if this comparison fails, which may be to
> display a message that shows the recipient the addresses in the
> certificate or other certificate details.
>
I wasn't precise:

a) the unsigned message comes with a
   From: xxx@yyy.com
   header;

b) the mailet adds a
   Sender: "Trusted Server" <tr...@yyy.com>
   header and

c) the mailet signs as
   trusted-server@yyy.com

Obviously it is all parameterized.

This was done on purpose to comply with RFC-2632 (the Sender header is the same as the Internet mail address in the signer's certificate), but Outlook Express ignores the Sender header and checks only the From header.
Vincenzo
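
The receiving-agent comparison discussed in this thread, as an added example that is not part of the original posts or of the James mailet code. It runs the check both ways on a constructed message: against From or Sender, as the quoted RFC-2632 text reads, and against From only, as Outlook Express is described as doing. The function names, the `headers` parameter and the `cert_addresses` input (addresses assumed to be already extracted from the signer's certificate) are assumptions of the example.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: server-side signed mail as described in the thread.
SAMPLE = (
    "From: xxx@yyy.com\n"
    'Sender: "Trusted Server" <trusted-server@yyy.com>\n'
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
# Constructed: the e-mail address carried by the signer's certificate.
CERT_ADDRESSES = ["trusted-server@yyy.com"]


def header_addresses(msg, name):
    """Return the lower-cased addresses found in every `name` header."""
    pairs = getaddresses(msg.get_all(name, []))
    return {addr.lower() for _, addr in pairs if addr}


def check_signer(msg, cert_addresses, headers=("From", "Sender")):
    """Compare header addresses with the signer certificate's addresses.

    Returns (verdict, details); verdict is "match", "mismatch" or
    "not-checked". Certificate parsing is out of scope (assumed input).
    """
    cert = {a.lower() for a in cert_addresses}
    if not cert:
        # The check applies only if mail addresses are present in the cert.
        return "not-checked", {}
    seen = {h: header_addresses(msg, h) for h in headers}
    for header, addrs in seen.items():
        common = addrs & cert
        if common:
            return "match", {"header": header, "address": sorted(common)[0]}
    # Alternate processing: return what a client could show the recipient.
    return "mismatch", {
        "headers": {h: sorted(a) for h, a in seen.items()},
        "certificate": sorted(cert),
    }


if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print("From or Sender:", check_signer(msg, CERT_ADDRESSES))
    print("From only:     ", check_signer(msg, CERT_ADDRESSES, headers=("From",)))
```

The From-only run returns the mismatch details (header addresses and certificate addresses), which is the information the RFC text suggests showing the recipient when the comparison fails.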