Why sign your email directly on the MTA (here we will talk about Postfix MTA) ? I don’t find a simple webmail client for my email server that include a S/MIME and/or PGP functionality to sign/encrypt outgoing messages.
So I found and change a little bit a script that get the outgoing message on the MTA and sign them with OpenSSL. The steps are:
– A running Postfix server
– Create the user account that will run the signing script and lock the account to prevent logging in:
useradd -M pfsigner
usermod -L pfsigner
– Create the folder /var/spool/signing. This folder will be used to store temporary message header and content
– chmod 700 /var/spool/signing
– chown pfsigner:pfsigner /var/spool/signing
– Edit your /etc/postfix/master.cf . We will add a new TCP port for the smtpd. This port will be used on your mail/webmail client SMTP configuration. Add these lines:
2525 inet n - - - - smtpd
-o content_filter=sign:dummy
sign unix - n n - 10 pipe
flags=Rq user=pfsigner null_sender=
argv=/usr/local/bin/sign.sh -f ${sender} -- ${recipient}
– request your certificate using the procedure here and export the certificate+private key to a pfx file
– convert your pfx file to pem (use your email name in the pem filename as shown below). If your email is youremail@yourdomain.com, use the following command:
openssl pkcs12 -in yourcert.pfx -out youremail@yourdomain.com.pem -nodes
– create the folder certs
mkdir -p /usr/local/src/smtp-signer/certs
– copy the certificate to the certs folder created above
– create the script file /usr/local/bin/sign.sh :
#!/bin/sh
# SMTP Signer - POSIX Shell Implementation (using sed)
USERNAME="pfsigner"
SIGN_DIR="/var/spool/sign"
CERT_DIR="/usr/local/src/smtp-signer/certs"
SENDMAIL="/usr/sbin/sendmail -G -i"
OPENSSL="/usr/bin/openssl"
CERT_FILE="${CERT_DIR}/$2.pem"
E_TEMPFAIL=75
cd ${SIGN_DIR} || {
printf "${SIGN_DIR} does not exist"
exit ${E_TEMPFAIL}
}
# TRAP DEFINITION
# Number SIG Meaning
# 0 0 On exit from shell
# 1 SIGHUP Clean tidyup
# 2 SIGINT Interrupt
# 3 SIGQUIT Quit
# 6 SIGABRT Abort
# 9 SIGKILL Die Now (cannot be trap'ped)
# 14 SIGALRM Alarm Clock
# 15 SIGTERM Terminate
trap "rm -f in.$$ body.$$ body2.$$ header1.$$ header2.$$ header.$$ signed.$$" 0 1 2 3 15
# Get the outgoing message : header and body
cat >in.$$
# get the header and store it in the file header.$$
sed '/^$/q' <in.$$ >header1.$$
sed '$d' <header1.$$ >header.$$
# find the line that begin with Content-type in the header text
CONTENT_TYPE=`sed -n '/Content-Type:/p' <header1.$$`
printf "\n" >body.$$
sed '1,/^$/ d' <in.$$ >>body.$$
# You can uncomment the following both lines if you want to troubleshoot and see the content of the header and message body in the log file user.log
# logger -f header.$$
# logger -f body.$$
# If a certificate exist and the email is not already signed, sign it with openssl
if [[ -f "${CERT_FILE}" ]] && [[ $CONTENT_TYPE != *"signed"* ]]; then
# Sign mail and relay
MSG="Signed mail from $2"
CONTENT_TYPE_BODY=`sed -n '/Content-Type/,+1p' header.$$`
printf "${CONTENT_TYPE_BODY}\n" > body2.$$
cat body.$$ >>body2.$$
sed '/Content-Type/,+1 d' <header.$$ >header2.$$
# Sign the message body with OpenSSL
${OPENSSL} smime -sign -signer ${CERT_FILE} -in body2.$$ -out signed.$$
sed '/Content-Type/,+1 d' <header.$$ >header2.$$
# Concaetnante header and the signed message and send it using sendmail tool
cat header2.$$ signed.$$ | ${SENDMAIL} "$@"
else
# Relay without signing
MSG="Unsigned mail from $2 because message already signed"
cat in.$$ | ${SENDMAIL} "$@"
fi
STATUS=$?
if [ "${STATUS}" -eq 0 ]; then
LOG_LEVEL="notice"
else
LOG_LEVEL="err"
fi
logger -p "mail.${LOG_LEVEL}" -t "sign.sh" "${MSG}"
exit ${STATUS}
You can now configure your favorite email client and do not forget to specify port TCP 2525 for the SMTP settings to send your signed emails.
My Powershell script categories
- Active Directory
- Cluster
- Database
- Exchange
- Files and folders
- Hardware
- Network
- Operating System
- PKI
- SCCM
- Service and process
- Tips
- VMWare
Thanks for the excellent script.
Only bug I found: when you add a .JPG to the email (attached file), the signed message doesn’t validate anymore . For example, Outlook 2007 complains about “corrupted message”, or something like this.
regards, JS
Thank you for your comment. I will try to solve this issue. I will keep you informed.
Nico
I have tested successfully that case :
– I send message from webmail client (Rainloop) configured on my custom postfix. Image attached
– I receive successfully the message + attachment on outlook (version 2016 for me)
Probably a problem with the method you have chosen to send your message with attachment…
Hi Nicolas
(en fait, tu parles francais ? )
Merci d’avoir pris du temps pour ce problème. L’envoi des messages avec fichiers attachés fonctionne correctement, et je reçois aussi le message ainsi que le fichier joint, mais il y a un problème au niveau de la signature. Outlook 2007 m’indique que le message a été altéré, et donc le chiffrement ne correspond pas.
J’utilise ton script sur mon postfix personnel, webmail roundcube. La méthode d’attachement du fichier est standard.
Peut-etre que Outlook 2007 est bugué au niveau de la vérification de la signature, et que le bug a été résolu sous 2016 ? Ca me semble très improbable, car d’autres messages signés avec attachement sont correctement validés.
Il n’y a pas de probleme avec l’en-tete ? Je peux t’envoyer les fichiers temporaires (body, header, header1… ) qui sont créés, si besoin
Merci, Julien
Thanks for the excellent script.
Only bug I found: when you add a .JPG to the email (attached file), the signed message doesn’t validate anymore . For example, Outlook 2007 complains about “corrupted message”, or something like this.
regards, JS
Thank you for your comment. I will try to solve this issue. I will keep you informed.
Nico
I have tested successfully that case :
– I send message from webmail client (Rainloop) configured on my custom postfix. Image attached
– I receive successfully the message + attachment on outlook (version 2016 for me)
Probably a problem with the method you have chosen to send your message with attachment…
Hi Nicolas
(en fait, tu parles francais ? )
Merci d’avoir pris du temps pour ce problème. L’envoi des messages avec fichiers attachés fonctionne correctement, et je reçois aussi le message ainsi que le fichier joint, mais il y a un problème au niveau de la signature. Outlook 2007 m’indique que le message a été altéré, et donc le chiffrement ne correspond pas.
J’utilise ton script sur mon postfix personnel, webmail roundcube. La méthode d’attachement du fichier est standard.
Peut-etre que Outlook 2007 est bugué au niveau de la vérification de la signature, et que le bug a été résolu sous 2016 ? Ca me semble très improbable, car d’autres messages signés avec attachement sont correctement validés.
Il n’y a pas de probleme avec l’en-tete ? Je peux t’envoyer les fichiers temporaires (body, header, header1… ) qui sont créés, si besoin
Merci, Julien
Hi,
I can confirm that your script is working correctly with rainloop, but it’s not the case with roundcube.
Regards, Julien
Hello Julien,
Oui je parle bien francais 🙂 Thank you for your feedback… I don’t have a lot of time to test the script with Roundcube… but I will keep you informed when it will be done !
Nico
Hi,
I can confirm that your script is working correctly with rainloop, but it’s not the case with roundcube.
Regards, Julien
1) Your sign.sh has wrong SIGN_DIR? Is it /var/spool/signing?
2). Maybe private key and certificate should not combine together and with different file permissions:
PRIV_KEY_FILE=”${CERT_DIR}/$2-private-nopass.pem”
then
${OPENSSL} smime -sign -signer ${CERT_FILE} -inkey ${PRIV_KEY_FILE} -in body2.$$ -out signed.$$
1) Your sign.sh has wrong SIGN_DIR? Is it /var/spool/signing?
2). Maybe private key and certificate should not combine together and with different file permissions:
PRIV_KEY_FILE=”${CERT_DIR}/$2-private-nopass.pem”
then
${OPENSSL} smime -sign -signer ${CERT_FILE} -inkey ${PRIV_KEY_FILE} -in body2.$$ -out signed.$$