‘work’ Category

  1. Exim 4.83

    August 6, 2014 by Daniel

    We use Exim extensively at the University of Manchester. I suppose it’s for historical reasons; a lot of distributions don’t include it as the default MTA any more.

    We’re now for the most part on a combination of Red Hat and Exim. Exim isn’t included in the usual repositories for Red Hat anymore, and the ones that have it are quite out of date.

    For Exim 4.82 I proposed that we ought to have our own repository and start building Exim for ourselves since the versions we had were getting more and more out of date. So it’s much easier now to update our servers with more up to date versions of Exim.

    One of the trickier parts of the build was the dependency on opendmarc-tools which in turn requires some Perl modules: Zlib, Bzip2. It turns out that the version of perl-IO-Compress I’d put into the repository had some issues as some of the Perl modules have been moved around. I managed to find a newer version that fixed the depsolve problems I was having.

     

    LDAP

    One way we use Exim is to send authenticated mail from users that are not using the main Exchange system. Exim 4.83 is a bit more strict about encrypted connections, and one thing that broke was querying the LDAP servers to authenticate users.

    I had to put a line in like:

    ldap_require_cert = allow

    To get it working again.
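
    The setting above beside a stricter alternative, as an added example that is not from the original post. Per the TLS_REQCERT entry in ldap.conf(5), allow lets the session proceed when the server sends no certificate or one that fails verification, while demand ends the session in both cases. The CA file path is an assumed placeholder.

    ```conf
    # Exim main configuration (constructed fragment, not the author's config).

    # Setting from the post: the server certificate is requested, but the
    # LDAP session continues if none is sent or if it fails verification.
    # ldap_require_cert = allow

    # Stricter alternative: end the session unless the LDAP server presents
    # a certificate that verifies against the CA file below.
    # The path is an assumed placeholder; use the CA that issued the LDAP
    # servers' certificates.
    ldap_require_cert = demand
    ldap_ca_cert_file = /etc/pki/tls/certs/ldap-ca.example.pem
    ```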


  2. S/MIME

    November 2, 2012 by Daniel

    I’ve been discovering lots about sending emails with digital signatures in the past couple of days and for lack of a better place I’ll write some things up here.

    Certificates
    You can get a free certificate from Comodo (and probably other places). It lasts a year so you will need to get a new one after that. If you try to get a new one before the old one has expired you need to revoke the original one.

    Outlook
    Outlook’s support for S/MIME signing is quite good and works without hassle. You install the certificate with the Import/Export button in Trust Center -> Email Security. There’s an option there to Publish to GAL. It says it did it, but I’m not sure how to verify the fact. If you’ve done it right then you get a little ribbon in the icon for messages you’ve sent (and of course encrypted messages are displayed unencrypted!).
    You can select whether you want to sign or encrypt by default or per message (Create a new message and click Options, it’s there in Permission whether to sign or encrypt). To Encrypt, as usual you need to have been sent a message by the person you are sending to with a digital signature.

    iOS Signing
    iOS Mail supports S/MIME, albeit a little strangely, but it does work, which is the main thing. The best way to get the certificate onto the device is to attach the .p12 file in an email to yourself. There are lots of ways to export the certificate; the easiest is probably to find your certificates in your web browser settings.
    You need to turn on S/MIME in the account under Advanced and select Sign and Encrypt according to your preferences. Then it will let you select the certificate you just installed. There’s no way to change these settings on a per-email basis so I’ve left Signing on and intend to use Encryption when necessary.
    iOS does some odd checking to see whether it is able to Encrypt a message. If it’s an Exchange account it will check the GAL first with no fallback if it’s not there, which is an issue for GMail accounts set up through Exchange. I’ve swapped mine from Exchange to the standard Gmail connector. So S/MIME works but push email no longer will. I will see what I prefer on that one – I hope it’s something Apple and Google fix between them although I suspect it probably won’t get fixed due to the GMail solution being a nonstandard Exchange install (I suspect).

    If all is set up correctly signed emails have a little tick next to the sender with a little lock if it’s encrypted.

    OWA
    Outlook Web Access does support it, but only on Internet Explorer 7 or 8, which is a little disappointing if you use OWA when you’re not using something that is IE7/8. You probably need to have your certificates with you too, so sending signed email on the move is probably best done from your mobile.

    It’s a good idea to keep your certificates somewhere safe too, otherwise if something happens and they get deleted then you will be unable to read encrypted mail anymore.

    I did also set up DKIM signing for my domain using Google Apps for your Domain but it’s kind of trivial to write up, just involves pasting in an SPF record in DNS that gets generated for you.

    Some useful links:

    Despite both of these pages describing iOS5, iOS6 is much the same process.