Can I configure mailman so that it won't break S/MIME digital signatures?
We're currently using Mailman as a mailing list manager. Mailman modifies the content of mail messages. The problem is that some of our users are sending digitally signed messages and the modification makes the signature break. I've seen this behavior with Apple Mail, Outlook, and Thunderbird.
The problem seems to be this: S/MIME signed messages are implemented with a Content-Type: multipart/signed;
MIME Content-Type. Mailman wraps this inside a Content-Type: multipart/mixed
MIME Content-Type. None of the mail readers look inside the outer mixed
for the inner signed
.
We won't be able to get the clients fixed. Is there anyway to modify Mailman so that it doesn't have this behavior?
Mailman is probably configured to add a header or footer to every message. Check the msg-header
and msg-footer
parameters, which can be accessed on the [Non-digest options] page.
It's also important to ensure that pass_mime_types
includes application/pkcs7-signature
as one of the permitted types in the [Content filtering] section.
When Mailman is configured to add a header or footer, it modifies the message by creating a new MIME part and concatenating it with the root part from the original message. The reasoning for this behaviour is explained more fully on the Mailman wiki (wiki.list.org).
Although the original signed message is still intact, it seems that most mail clients only interpret the SMIME signature correctly if multipart/signed is the root MIME part. As a test, I removed the extra MIME parts inserted by mailman from one of my test messages and resent it, and the signature was correctly validated by my mail client.
The problem is not the lack of "smartness" of email clients.
Rather, this is a security problem. See Bug 578295 - S/MIME Signature not shown/verified in nested MIME-Message
Quote:
A message isn't signed if it's only partially signed. Particularly in the context of Thunderbird, if we claimed a message was signed if only part of it was signed, an attacker could attach signed contents to a message that never get displayed and give the appearance in the UI of a signed message.
It is thus correct for an email client to show no or an invalid signature to a partially signed multipart message.