SOGo, NethServer and E-Mail certificates

NethServer Version: 7.5
Module: sogo and / or email

Hi,

recently I obtained an email certificate for myname@mydomain.tld from Comodo as well as from SwissSign. I installed one of those certificates on SOGo and my Apple iPhone.

The results are disillusioning:

  • Using the disclaimer feature is of course not possible anymore … of course … the E-Mail is changed … I should have known better :slight_smile:
  • But even without disclaimer, E-Mail is not validated at the recipient. I do not know why:
    I received another e-mail from a SwissSign co-worker (signed) and it was validated on SOGo. Consequently I think that the certification path is somehow available. Additionally I checked / installed the certification paths in the IE container and Firefox browser.

Maybe I am wrong, but I thought up to now that the validation is always done on the recipient side and is independent of the sender's installation (as long as the sender uses a valid certificate).

Does anybody have an idea where else I might install CA certificates …?

TIA
Thorsten

Did not know it was even possible to digitally sign your e-mail with a pgp/gpg key in SOGo.

Cannot find any documentation on this, and in SOGo’s mailing list and bug tracker there are only topics SOGo does about problems with verifying. We apparently do not have because it's compiled with OpenSSL libs (totally unintentional though :grinning:)

actually did not find any hint it is possible…

Wikipedia has a nice picture of signing / verifying process:

I think he’s talking about S/MIME signing/encryption, as PGP wouldn’t involve a certificate from anywhere else (or a “certificate” at all, for that matter). Comodo does issue S/MIME certificates, though I’m not sure how much good they are.

yes, was probably on the wrong path here…

Yes, your thoughts are right. We are talking about S/MIME certificates. As a SOGo user you can set it up via

Preferences -> E-Mail -> IMAP Accounts -> Select Pencil of Account (here mydomain.tld) -> Security Tab

found out some more:

I installed the same S/MIME certificate (SwissSign or Comodo) within Thunderbird and SOGo. From Thunderbird the mail reaches the recipient with “a green, valid signature”.

From SOGo the mail reaches the recipient with “a red, invalid signature”.
The recipient's client (Outlook) reports that the mail has been altered. My initial supposition was that rspamd does alter the mail, but if so, the same problem would occur with TB.
Moreover: If I look at the outgoing mail box (SOGo = TB as both are based on IMAP), I also found a difference:
TB sent mail is signed, SOGo sent mail could not be verified. I think that the interlinked certificates in the path are not available within SOGo / NethServer. Is there any option to install - or better to obtain - trusted Root CA certificates?

TIA
Thorsten

Sorry, do not have experience with it so can't help you :disappointed_relieved:

found some info in the SOGo docs:
https://sogo.nu/files/docs/SOGoInstallationGuide.html#_smime_support_in_sogo

Reading it, it seems to be mandatory to upload your cert in PKCS #12 format. It is not clear if the full chain of trust is mandatory in this certificate. You could try to bundle it.

From personal experience I can recommend XCA to store, bundle and convert certificates. It’s up to you if you trust this tool!
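
One way to separate the two explanations raised in this thread (an intermediate certificate missing from the signature versus a mail changed after signing), as an added example that is not from any poster or from the SOGo or NethServer projects. `classify_smime` and `build_demo` are hypothetical helper names, and every key, certificate and message below is constructed test data.

```bash
#!/usr/bin/env bash
# classify_smime MSG CAFILE -> prints: valid | untrusted-chain | altered
classify_smime() {
  if openssl smime -verify -in "$1" -CAfile "$2" -out /dev/null 2>/dev/null; then
    echo valid
  # -noverify skips signer-chain validation but still checks the signature
  # over the message body, so passing here means only trust is missing.
  elif openssl smime -verify -noverify -in "$1" -out /dev/null 2>/dev/null; then
    echo untrusted-chain
  else
    echo altered
  fi
}

# build_demo DIR: constructed root -> intermediate -> leaf PKI and three messages
build_demo() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  for n in int leaf; do   # key + CSR for intermediate and leaf
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo $n" \
      -keyout "$dir/$n.key" -out "$dir/$n.csr" 2>/dev/null
  done
  printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -days 2 -out "$dir/int.pem" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -out "$dir/leaf.pem" 2>/dev/null
  printf 'Hello from the demo sender.\n' > "$dir/body.txt"
  # Intermediate embedded via -certfile: the recipient only needs the root
  openssl smime -sign -in "$dir/body.txt" -signer "$dir/leaf.pem" \
    -inkey "$dir/leaf.key" -certfile "$dir/int.pem" -out "$dir/full.eml"
  # Same message signed without the intermediate in the signature
  openssl smime -sign -in "$dir/body.txt" -signer "$dir/leaf.pem" \
    -inkey "$dir/leaf.key" -out "$dir/nochain.eml"
  # Body changed after signing, as an appended disclaimer would do
  sed 's/demo sender\./demo sender. DISCLAIMER/' "$dir/full.eml" > "$dir/altered.eml"
}

demo=$(mktemp -d) && build_demo "$demo"
for m in full nochain altered; do
  printf '%s: %s\n' "$m" "$(classify_smime "$demo/$m.eml" "$demo/root.pem")"
done
rm -rf "$demo"
```

Running `classify_smime` on a raw message saved from the Sent folder, with the issuing CA's root certificate as the second argument, shows which of the two cases applies to that message.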