Digitally sign your email on the MTA side

Why sign your email directly on the MTA (here we will talk about the Postfix MTA)? I could not find a simple webmail client for my email server that includes S/MIME and/or PGP functionality to sign or encrypt outgoing messages.

So I found, and slightly modified, a script that takes each outgoing message on the MTA and signs it with OpenSSL. The steps are:
– A running Postfix server
– Create the user account that will run the signing script, and lock it to prevent logins:
useradd -M pfsigner
usermod -L pfsigner
– Create the folder /var/spool/signing. It will hold the temporary message header and body files:
mkdir -p /var/spool/signing
chmod 700 /var/spool/signing
chown pfsigner:pfsigner /var/spool/signing
– Edit /etc/postfix/master.cf. We will add a new TCP port for smtpd; this is the port to use in your mail/webmail client's SMTP configuration. Add these lines:

– Request your certificate using the procedure here and export the certificate and private key to a PFX file.
– Convert the PFX file to PEM (use your email address as the PEM filename, as shown below). If your email address is youremail@yourdomain.com, run:
openssl pkcs12 -in yourcert.pfx -out youremail@yourdomain.com.pem -nodes

– Create the certs folder:
mkdir -p /usr/local/src/smtp-signer/certs

– Copy the PEM file to the certs folder created above.
– Create the script file /usr/local/bin/sign.sh:

You can now configure your favorite email client; do not forget to specify TCP port 2525 in the SMTP settings so that your emails are sent signed.
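As an added example (not the post's own sign.sh, which is not reproduced here), a filter script in the shape the steps above describe: Postfix hands the outgoing message to the pfsigner user, the script separates the outer headers from the MIME entity, signs that entity with openssl smime and reinjects the result. The master.cf wiring, the argument order (sender, then recipients) and the one-PEM-per-sender layout under the certs folder are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not the post's own sign.sh: a Postfix pipe(8) content filter
# that S/MIME-signs outgoing mail with openssl and reinjects it. Assumed master.cf
# wiring (not from the post), so only mail submitted on port 2525 is filtered:
#   2525 inet n - n - - smtpd -o content_filter=smtp-signer:dummy
#   smtp-signer unix - n n - 10 pipe flags=Rq user=pfsigner
#     argv=/usr/local/bin/sign.sh ${sender} ${recipient}
set -eu
SIGN_DIR=${SIGN_DIR:-/var/spool/signing}
CERT_DIR=${CERT_DIR:-/usr/local/src/smtp-signer/certs}
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}
# split_message HDRFILE ENTFILE: read a message on stdin; keep the outer headers
# in HDRFILE and the MIME entity to sign in ENTFILE. Content-Type, Content-
# Transfer-Encoding and MIME-Version (and their folded lines) describe the body,
# so they must be signed together with it (RFC 8551); that keeps multipart mail
# with attachments verifiable. openssl adds its own headers for the wrapper.
split_message() {
    : > "$1"; : > "$2"
    awk -v hdr="$1" -v ent="$2" '
        BEGIN { inhdr = 1; mime = 0; seen = 0 }
        inhdr && /^$/ {                    # end of header section
            if (!seen) print "Content-Type: text/plain" > ent
            print "" > ent; inhdr = 0; next }
        inhdr && /^[ \t]/ { print > (mime ? ent : hdr); next }   # folded line
        inhdr { mime = (tolower($0) ~ /^(content-type|content-transfer-encoding|mime-version):/)
                if (mime) seen = 1
                print > (mime ? ent : hdr); next }
        { print > ent }                    # body lines
    '
}
# Detached multipart/signed output; -signer and -inkey may name the same PEM (as on
# the page) or a separate, more tightly permissioned key file.
sign_entity() {  # ENTFILE CERTPEM KEYPEM OUTFILE
    openssl smime -sign -in "$1" -signer "$2" -inkey "$3" -out "$4"
}
main() {  # $1 = envelope sender, remaining arguments = recipients
    sender=$1; shift
    work=$(mktemp -d "$SIGN_DIR/msg.XXXXXX"); trap 'rm -rf "$work"' EXIT
    cat > "$work/orig"
    cert="$CERT_DIR/$sender.pem"
    if [ -r "$cert" ]; then
        split_message "$work/hdr" "$work/ent" < "$work/orig"
        sign_entity "$work/ent" "$cert" "$cert" "$work/signed"
        cat "$work/hdr" "$work/signed" > "$work/out"
    else
        cp "$work/orig" "$work/out"        # no certificate for this sender: unsigned
    fi
    # Reinject; exit 75 (EX_TEMPFAIL) makes Postfix retry instead of bouncing.
    "$SENDMAIL" -G -i -f "$sender" "$@" < "$work/out" || exit 75
}
[ $# -eq 0 ] || main "$@"   # Postfix always passes sender and recipient(s)
```

Because the reinjected message goes through sendmail(1) and not through the port 2525 smtpd, it is not filtered a second time.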

7 thoughts on “Digitally sign your email on the MTA side”

  • June 15, 2016 at 16:17

    Thanks for the excellent script.
    Only bug I found: when you add a .JPG to the email (attached file), the signed message doesn’t validate anymore. For example, Outlook 2007 complains about “corrupted message”, or something like this.
    regards, JS
    • June 15, 2016 at 20:38

      Thank you for your comment. I will try to solve this issue. I will keep you informed.
      Nico
    • June 16, 2016 at 17:12

      I have successfully tested that case:
      – I sent a message from a webmail client (Rainloop) configured on my custom Postfix, with an image attached
      – I successfully received the message + attachment in Outlook (version 2016 for me)

      Probably a problem with the method you have chosen to send your message with attachment…
      • June 17, 2016 at 09:09

        Hi Nicolas
        (actually, do you speak French?)
        Thanks for taking the time to look at this problem. Sending messages with attached files works correctly, and I also receive the message as well as the attachment, but there is a problem with the signature. Outlook 2007 tells me that the message has been altered, and so the encryption does not match.
        I use your script on my personal Postfix, with the Roundcube webmail. The file attachment method is standard.
        Maybe Outlook 2007 is buggy when verifying the signature, and the bug was fixed in 2016? That seems very unlikely to me, because other signed messages with attachments are validated correctly.
        Isn’t there a problem with the header? I can send you the temporary files (body, header, header1…) that are created, if needed.
        Thanks, Julien
  • June 22, 2016 at 07:41

    Hi,
    I can confirm that your script is working correctly with Rainloop, but it’s not the case with Roundcube.
    Regards, Julien
    • June 22, 2016 at 12:09

      Hello Julien,

      Yes, I do speak French 🙂 Thank you for your feedback… I don’t have a lot of time to test the script with Roundcube… but I will keep you informed when it is done!

      Nico
  • September 28, 2018 at 13:41

    1) Your sign.sh has the wrong SIGN_DIR? Is it /var/spool/signing?
    2) Maybe the private key and certificate should not be combined together, and should have different file permissions:
    PRIV_KEY_FILE="${CERT_DIR}/$2-private-nopass.pem"
    then
    ${OPENSSL} smime -sign -signer ${CERT_FILE} -inkey ${PRIV_KEY_FILE} -in body2.$$ -out signed.$$