How to use openssl smime sign the email body only

anyegongjue
Hi there,

I created a script to use "openssl smime" to sign emails in Postfix.

The script is running the command below.

openssl smime -sign -signer /etc/letsencrypt/live/mail.xxx.xxx/cert.pem \
    -inkey /etc/letsencrypt/live/mail.xxx.xxx/privkey.pem \
    -in "$MESSAGEFILE" -out "$OUTFILE" \
    || { echo Problem signing message; exit $EX_UNAVAILABLE; }

The $MESSAGEFILE is the email content and $OUTFILE stores the output signed
email file. The script is running without any problem and the email can be sent
to the mailbox. But the problem is that smime signed the whole email, including
the existing headers.

So is there a way to let smime only sign the email body?

Here is the email signed by smime.

*Received: from mail.xxx.xxx (unknown [xxx.xxx.xxx.xxx])
        by mx21 (Coremail) with SMTP id R8CowACXTp+M2CZdostiCQ--.63511S3;
        Thu, 11 Jul 2019 14:34:56 +0800 (CST)
Received: from mail.xxx.xxx (localhost [127.0.0.1])
        by mail.xxx.xxx (Postfix) with ESMTP id A0C2AC149A0
        for <[hidden email]>; Thu, 11 Jul 2019 16:34:48 +1000 (AEST)
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg="sha-256"; boundary="----B0D2B6501759DF22E6B9827580C1C8D1"
X-CM-TRANSID:R8CowACXTp+M2CZdostiCQ--.63511S3
Message-Id:<[hidden email]>
Authentication-Results: mx21; spf=pass smtp.mail=[hidden email]
        soft.com.au;
X-Coremail-Antispam: 1Uf129KBjvJXoWxWr47KFW7ArW5JF4UurW8Crg_yoW5Ar1kpF
        W2g3sFkr1kZF1Iyas7ArW8WrySvrn8Kr48Gw1DK3yUAws8uryjkF1rtw4UKa9rGFWxX3yY
        ga1jqasruFZ0qrJanT9S1TB71UUUUUDqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2
        9KBjDUYxBIdaVFxhVjvjDU0xZFpf9x07jmc_fUUUUU=
Date: Thu, 11 Jul 2019 14:35:04 +0800 (CST)
From: [hidden email]

This is an S/MIME signed message

------B0D2B6501759DF22E6B9827580C1C8D1*
Received: from localhost (localhost [127.0.0.1])
        by mail.xxx.xxx (Postfix) with ESMTP
        for <[hidden email]>; Thu, 11 Jul 2019 16:34:48 +1000 (AEST)
X-Virus-Scanned: amavisd-new at xxx.xxx
Received: from mail.xxx.xxx ([127.0.0.1])
        by localhost (mail.xxx.xxx [127.0.0.1]) (amavisd-new, port 10024)
        with LMTP id HpBOnD__tFYe for <[hidden email]>;
        Thu, 11 Jul 2019 16:34:47 +1000 (AEST)
Received: from XXXMail (unknown [52.65.226.31])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        (Authenticated sender: [hidden email])
        by mail.xxx.xxx (Postfix) with ESMTPSA id 2A4DBC149A2
        for <[hidden email]>; Thu, 11 Jul 2019 16:34:47 +1000 (AEST)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.xxx.xxx 2A4DBC149A2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=xxx.xxx;
        s=default; t=1562826887;
        bh=zEHSRite2Oj6+gkb5XLOEibTqoyx4wfkxFvtHbrgboU=;
        h=Date:To:From:Reply-To:Subject:List-Unsubscribe:List-Owner:From;
        b=Zo7Rkn89Oe8ekeFfgvtJa/KHdIyI1NeZzyL7XQ8g7c4VIWTVOJC813l44rwAUje08
         XSnf9HLzrJy4I4suANkrmXNIF6w/UEZ/S1+qoydQE2kmlDql3p9hWDN4t4roGcCrrB
         wDgdcY4vgvld1kjh6a/sggmr4BiKG4LY0g5OfeqjxX22g1anWCY5fBB6LHrJrmR48V
         N2eQE+CRJED2ZHjC+rhf83aD4h81jt6OhVNwuIMR2nlMBBdcegibfqCw6lMd3eZrLE
         iGgHZ6dX/TrU/TZP7rC0B9IvXKcGbfIrw1KZ71McSiVw5U+JtZqa77YT9PErWj5KnS
         t+J4FVB37jpMA==
Received: from localhost [127.0.0.1] by  with HTTP; Thu, 11 Jul 2019
16:34:47 +1000
Date: Thu, 11 Jul 2019 16:34:47 +1000
To: Kerry Fly <[hidden email]>
From: [hidden email]
Reply-To: [hidden email]
Subject: New T-shirt arrived
Message-ID: <ORDt9z28HeX7Kjig9mfHqz3QrAshMFkHNSeHdTELDY@XXXMail>
X-Mailer: XXXMailer
X-MessageID: ABsLBhQBCAA
X-ListMember: [hidden email]
Precedence: bulk
List-Unsubscribe:
<http://xxx.xxx/email_marketing/email_marketing_subscribers/unsubsc
 ribe/ABsLBhQBCAA>
List-Owner: <mailto:[hidden email]>
Error-To: [hidden email]
Bounces-To: [hidden email]
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="b1_ORDt9z28HeX7Kjig9mfHqz3QrAshMFkHNSeHdTELDY"

This is a multi-part message in MIME format.
--b1_ORDt9z28HeX7Kjig9mfHqz3QrAshMFkHNSeHdTELDY
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

View in browser
ConfigurationSession configuration is stored in=C2=A0Configur=
e=C2=A0under the top level=C2=A0Session=C2=A0key, and a number of options a=
re available:Session.cookie=C2=A0- Change the name of the session cookie.Se=
ssion.timeout=C2=A0- The number of=C2=A0minutes=C2=A0before CakePHP=
=E2=80=99s session handler expires the session. ...
For more information about and how to integrate it inside your applications=
MADE BY ARTUR ARSENIEVClick here to unsubscribe.
--b1_ORDt9z28HeX7Kjig9mfHqz3QrAshMFkHNSeHdTELDY
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

=09=09=09=09=09=09<!DOCTYPE html PUBLIC &quot;-//W3C//DTD HTML 4.01
Transitional=
//EN&quot; &quot;http://www.w3.org/TR/html4/loose.dtd&quot;>
=09=09=09=09=09=09<html xmlns=3D"http://www.w3.org/1999/xhtml" xmlns:v=3D"u=
rn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-microsoft-com:office:o=
ffice">
=09=09=09=09=09=09=09<head>
=09=09=09=09=09=09=09=09
=09=09=09=09=09=09=09=09<meta http-equiv=3D"Content-Type" content=3D"text/h=
tml; charset=3DUTF-8" />
=09=09=09=09=09=09=09=09<meta name=3D"viewport" content=3D"width=3Ddevice-w=
idth, initial-scale=3D1" />
=09=09=09=09=09=09=09=09<meta http-equiv=3D"X-UA-Compatible" content=3D"IE=
=3Dedge" />
=09=09=09=09=09=09=09=09<meta name=3D"format-detection" content=3D"telephon=
e=3Dno" />
=09=09=09=09=09=09=09=09<meta name=3D"format-detection" content=3D"date=3Dn=
o" />
=09=09=09=09=09=09=09=09<meta name=3D"format-detection" content=3D"address=
=3Dno" />
=09=09=09=09=09=09=09=09<meta name=3D"format-detection" content=3D"email=3D=
no" />

=09=09=09=09=09=09=09=09
=09=09=09=09=09=09=09</head>
=09=09=09=09=09=09=09<body marginwidth=3D&quot;0&quot;
marginheight=3D&quot;0&quot; style=3D&quot;ma=
rgin-top: 0; margin-bottom: 0; padding-top: 0; padding-bottom: 0; width: 10=
0%; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%;&quot;
offset=3D&quot;=
0&quot; topmargin=3D&quot;0&quot; leftmargin=3D&quot;0&quot;>

...</body></html>

--b1_ORDt9z28HeX7Kjig9mfHqz3QrAshMFkHNSeHdTELDY--


------B0D2B6501759DF22E6B9827580C1C8D1
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIIFAYJKoZIhvcNAQcCoIIIBTCCCAECAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggVmMIIFYjCCBEqgAwIBAgISA2D+gfTao7ImMR5FeJceYRQOMA0G
CSqGSIb3DQEBCwUAMEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNy
...
DXxa77+7AlgOHRJnW0wnk4kUCKTkH74vD8s0TpPsrc7qKZlHLjQO/tkoa/Ea1ogD
kzryl95Vwls=

*------B0D2B6501759DF22E6B9827580C1C8D1--*



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html

Re: How to use openssl smime sign the email body only

anyegongjue
Maybe I posted too much stuff. My problem is that the "openssl smime" command
signed everything fed to it. For example, I wanted to sign the following
email body.

/*Hi there,

This is an test email.*
/
And after signing, the email became something like below,

/Received: from localhost [127.0.0.1] by  with HTTP; Thu, 11 Jul 2019
16:24:33 +1000
Date: Thu, 11 Jul 2019 16:24:33 +1000
To: Kerry Fly <[hidden email]>
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg="sha-256"; boundary="----5D53D58F876671D7CA85A8CD28305ABB"

This is an S/MIME signed message

------5D53D58F876671D7CA85A8CD28305ABB

*Hi there,

This is an test email.*

------5D53D58F876671D7CA85A8CD28305ABB
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIIFAYJKoZIhvcNAQcCoIIIBTCCCAECAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggVmMIIFYjCCBEqgAwIBAgISA2D+gfTao7ImMR5FeJceYRQOMA0G
...
Y/5+MrMjklc=

------5D53D58F876671D7CA85A8CD28305ABB--/


And if I pass the email content with some headers, smime will wrap the
headers inside, too. Like below


/Received: from localhost [127.0.0.1] by  with HTTP; Thu, 11 Jul 2019
16:24:33 +1000
Date: Thu, 11 Jul 2019 16:24:33 +1000
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg="sha-256"; boundary="----5D53D58F876671D7CA85A8CD28305ABB"

This is an S/MIME signed message

------5D53D58F876671D7CA85A8CD28305ABB

*Received: from localhost [127.0.0.1] by  with HTTP; Thu, 11 Jul 2019
16:24:33 +1000
Date: Thu, 11 Jul 2019 16:24:33 +1000
To: Kerry Fly <[hidden email]>
From: [hidden email]
Reply-To: [hidden email]
Subject: New T-shirt arrived
Message-ID: <[hidden email]>
X-Mailer: xxx.com
X-MessageID: ABsLBhQBCA4
X-ListMember: [hidden email]
Precedence: bulk
List-Unsubscribe:
<http://xxx.com/email_marketing/email_marketing_subscribers/unsubsc
 ribe/ABsLBhQBCA4>
List-Owner: <mailto:[hidden email]>
Error-To: [hidden email]
Bounces-To: [hidden email]

Hi there,

This is an test email.*

------5D53D58F876671D7CA85A8CD28305ABB
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

MIIIFAYJKoZIhvcNAQcCoIIIBTCCCAECAQExDzANBglghkgBZQMEAgEFADALBgkq
hkiG9w0BBwGgggVmMIIFYjCCBEqgAwIBAgISA2D+gfTao7ImMR5FeJceYRQOMA0G
...
Y/5+MrMjklc=

------5D53D58F876671D7CA85A8CD28305ABB--/


Then the headers inside smime cannot be seen by the receiver, like Gmail. And in
this way, I cannot send emails.

So my question is: is there a way to use "openssl smime" to sign some
email with headers?

Thank you in advance.



--
Sent from: http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html

Re: How to use openssl smime sign the email body only

Salz, Rich
>    Maybe I posted too much stuff. My problem is that the "openssl smime" command
>    signed everything fed to it. For example, I wanted to sign the following
>    email body.
 
Yes, it signs whatever you give it.  You will have to feed it just the message body and set the headers yourself.
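
Added example, not part of the thread or of OpenSSL: one way to do what the reply above describes, splitting the message so that only the MIME entity (its Content-* headers plus the body) is passed to "openssl smime" and the remaining headers are put back in front of the result. The function names are hypothetical; the openssl options are the ones from the original command.

```shell
#!/bin/sh
# Added example: sign only the MIME entity (Content-* headers + body) and
# leave the transport headers outside the signature. Function names are
# hypothetical; the openssl options are the ones used in the thread.

# Transport headers: the header block minus MIME-Version and Content-*,
# which openssl replaces with its own multipart/signed headers.
outer_headers() {
    awk '
        /^\r?$/  { exit }                    # blank line ends the header block
        /^[ \t]/ { if (keep) print; next }   # folded line follows its header
        { keep = (tolower($0) !~ /^(content-[^:]*|mime-version):/) }
        keep
    ' "$1"
}

# Entity to sign: the original Content-* headers, a blank line, the body.
mime_entity() {
    awk '
        body     { print; next }
        /^\r?$/  { body = 1; print ""; next }
        /^[ \t]/ { if (keep) print; next }
        { keep = (tolower($0) ~ /^content-[^:]*:/) }
        keep
    ' "$1"
}

# usage: sign_body_only MESSAGEFILE CERT KEY > OUTFILE
sign_body_only() {
    msg=$1; cert=$2; key=$3
    tmp=$(mktemp -d) || return 1
    mime_entity "$msg" > "$tmp/entity" &&
    openssl smime -sign -signer "$cert" -inkey "$key" \
        -in "$tmp/entity" -out "$tmp/signed" &&
    { outer_headers "$msg"; cat "$tmp/signed"; }
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Run as a script: sign_body.sh MESSAGEFILE CERT KEY > OUTFILE
if [ "$#" -eq 3 ]; then sign_body_only "$@"; fi
```

The sample message in the first post already carries a DKIM-Signature with a body hash (bh=), and wrapping the body in multipart/signed changes the body, so the S/MIME step has to run before the DKIM filter signs.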