From: "Paul Hutchings" on 16 Oct 2009 13:36

After a little guidance on what those of you using Postfix as a gateway are using for doing s/mime email encryption?

I did some digging and it seems you can get certificates that authenticate a company for s/mime rather than needing to authenticate each individual using a cert on their MUA.

Of course Postfix can't do this, but I'm hoping I can get some suggestions on what can, and (importantly) what integrates easily with Postfix?

Thanks,
Paul

--
MIRA Ltd
Watling Street, Nuneaton, Warwickshire, CV10 0TU, England.
Registered in England and Wales No. 402570
VAT Registration GB 114 5409 96

The contents of this e-mail are confidential and are solely for the use of the intended recipient. If you receive this e-mail in error, please delete it and notify us either by e-mail, telephone or fax. You should not copy, forward or otherwise disclose the content of the e-mail as this is prohibited.

From: Victor Duchovni on 16 Oct 2009 14:08

On Fri, Oct 16, 2009 at 06:36:59PM +0100, Paul Hutchings wrote:

> After a little guidance on what those of you using Postfix as a gateway
> are using for doing s/mime email encryption?

S/MIME is in theory an MUA issue, MTAs just move the mail. This said, if an end-to-end approach is not for you (as it is for most users), and you want gateway to gateway security, by far the most widely adopted is TLS, but this naturally protects only the first hop, and works one direction at a time, so it is difficult for a recipient to audit sender policy.

A number of vendors offer gateway-to-gateway S/MIME support in the form of border email security "appliances". I am not in a position to endorse or specifically recommend any of these, but a *partial* list (sorted from shortest to longest URL) should help you to search in the right direction:

- http://www.pgp.com/products/universal_server/index.html
- http://www.entrust.com/email-security/messaging-server/index.htm
- http://www.tumbleweed.com/products/mailgate/secure_messenger.html
- http://www.ironport.com/resources/datasheet_ironport_encryption.html
- http://www.mcafee.com/us/enterprise/products/email_and_web_security/email/email_gateway.html

> I did some digging and it seems you can get certificates that
> authenticate a company for s/mime rather than needing to authenticate
> each individual using a cert on their MUA.

The type of certificates required or supported by the various gateways is product dependent. Note that for S/MIME it is not enough to be able to authenticate a certificate when it is presented, one actually needs to have the relevant public keys on hand to initiate encryption, and given lack of the mythical global X.500 directory in which such certs are published securely, keys are deployed manually, at which point signatures by a trusted third party are less important (but some products will still want these). Some of the certificates will be "proxy certificates", and various other product-specific characteristics will arise, but there is little that one can generally say beyond "follow the vendor's directions".

I am not aware of any open-source S/MIME gateway, if someone has a pointer to something reasonably well-designed/robust, perhaps they will step forward with a suitable pointer.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not send an "it worked, thanks" follow-up. If you must respond, please put "It worked, thanks" in the "Subject" so I can delete these quickly.

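The point in the reply above, that a sending gateway can only initiate S/MIME encryption for recipients whose certificate has already been deployed to it, is sketched here as an added example; it is not part of the original thread or of any product named in it. The store layout, the function names and the domain `example.net` are assumptions made for illustration, and the certificate is a constructed self-signed one.

```shell
#!/bin/sh
# Constructed layout: SENDER_STORE is the sending gateway's per-domain
# certificate directory; RECIP_KEYS stands in for the receiving gateway,
# which is the only place the private key exists.
SENDER_STORE=$(mktemp -d)
RECIP_KEYS=$(mktemp -d)

# Receiving side: create a self-signed "domain" certificate and key (test data).
make_domain_cert() {   # $1 = domain
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$RECIP_KEYS/$1.key" -out "$RECIP_KEYS/$1.pem" 2>/dev/null
}

# The manual step: the public certificate (never the key) is handed over.
deploy_cert() {        # $1 = domain
    cp "$RECIP_KEYS/$1.pem" "$SENDER_STORE/$1.pem"
}

# Sending side: encrypt for a recipient, failing closed (exit 2, no output
# file) when no certificate is on hand for the recipient's domain.
gateway_encrypt() {    # $1 = recipient address, $2 = input, $3 = output
    domain=${1##*@}
    cert="$SENDER_STORE/$domain.pem"
    if [ ! -f "$cert" ]; then
        echo "no certificate on hand for $domain: not encrypting" >&2
        return 2
    fi
    openssl smime -encrypt -aes256 -in "$2" -out "$3" "$cert"
}

# Receiving side: decrypt with the domain's private key.
gateway_decrypt() {    # $1 = domain, $2 = input, $3 = output
    openssl smime -decrypt -in "$2" -out "$3" \
        -recip "$RECIP_KEYS/$1.pem" -inkey "$RECIP_KEYS/$1.key"
}

# Constructed demo: encryption only succeeds once the certificate is deployed.
printf 'Subject: demo\n\nconstructed body\n' > "$SENDER_STORE/msg.txt"
make_domain_cert example.net
gateway_encrypt bob@example.net "$SENDER_STORE/msg.txt" "$SENDER_STORE/msg.p7m" \
    || echo "held: not encrypted"
deploy_cert example.net
gateway_encrypt bob@example.net "$SENDER_STORE/msg.txt" "$SENDER_STORE/msg.p7m" \
    && echo "encrypted"
```

What a gateway does with mail it cannot encrypt (hold, bounce, or fall back to TLS only) is a policy choice the example leaves to the caller through the exit status.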
From: "martijn.list" on 18 Oct 2009 07:30

You can try Djigzo (http://www.djigzo.com/). It's an open source email encryption gateway with support for S/MIME and PDF encryption (with support for randomly generated passwords via SMS gateway). You can install it on your own system (.tar and .deb files available) or you can use the provided VMware virtual appliance. By default it uses Postfix for the delivery of email and it's therefore easy to integrate with your existing Postfix solution (for example combine it with an existing virus scanner).

More information available on www.djigzo.com

Martijn Brinkers

Paul Hutchings wrote:
> After a little guidance on what those of you using Postfix as a gateway
> are using for doing s/mime email encryption?
>
> I did some digging and it seems you can get certificates that
> authenticate a company for s/mime rather than needing to authenticate
> each individual using a cert on their MUA.
>
> Of course Postfix can't do this, but I'm hoping I can get some
> suggestions on what can, and (importantly) what integrates easily with
> Postfix?
>
> Thanks,
> Paul

--
Djigzo open source email encryption