FAQ
Hello, we have installed "Mailman, the GNU Mailing List Manager" version
2.1.5
If we send a digital signed e-mail *with attachment* to a list we obtain
the following message:

Digital Signature Is Not Valid
This message includes a digital signature, but the signature is
invalid.
The signature does not match the message content correctly. The message
appears to have been altered after the sender signed it. You should not
trust the validity of this message until you verify its contents with
the sender.

Without attachment, digital sign is OK.

In the past we have had the same problem even send simply digital signed
e-mail (without attachment), but in the past mailman was used to add a
message footer in all e-mail.
We have modifed mailman so now it not add the message footer anymore.
Now we still have this problem only when we send digital signed e-mail
*with attachment*.

Thanks.

Marco De Rossi

Search Discussions

  • Brad Knowles at Aug 2, 2007 at 9:47 pm

    On 8/2/07, Marco De Rossi wrote:

    We have modifed mailman so now it not add the message footer anymore.
    Now we still have this problem only when we send digital signed e-mail
    *with attachment*.
    I can see two likely possibilities:

    1. The digital signature is being done against the whole message,
    headers included. When the message passes through Mailman, some
    headers end up getting changed or added, and the signature is no
    longer valid.

    2. Mailman is still stripping or changing some of the attachment
    MIME types or filenames, which causes the signature to be invalidated.

    Problem is, cryptographic signatures on messages are extremely
    fragile. If even the slightest thing is changed, the signature is
    likely to be broken. If you make the signature process more robust,
    then you increase the possibility that an attacker could slip
    something through that would still appear to be correct, but where
    they've actually secretly modified something.

    Try turning off all filtering, HTML conversion, etc... within
    Mailman. See if that "fixes" the signature problem. If so, then you
    have to decide which is more important -- the signature on some
    messages or the probability that some malware could get through the
    system and sent out to all recipients of the list, because you'd
    turned off the filtering.

    Unfortunately, this is a binary decision. There is no option to
    leave signed messages unfiltered and to apply the filtering rules
    only to unsigned messages. Even if there were such a method, the
    attackers could get through by simply forging fake signatures that
    look valid.

    --
    Brad Knowles <brad at shub-internet.org>, Consultant & Author
    LinkedIn Profile: <http://tinyurl.com/y8kpxu>
    Slides from Invited Talks: <http://tinyurl.com/tj6q4>

    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  • Marco De Rossi at Aug 30, 2007 at 10:43 am
    I tried to turn off all "Content Filtering" but it didn't fixed the
    signature problem.
    Some other suggestion?

    Thanks, Marco De Rossi

    On Thu, 2 Aug 2007, Brad Knowles wrote:
    On 8/2/07, Marco De Rossi wrote:

    We have modifed mailman so now it not add the message footer anymore.
    Now we still have this problem only when we send digital signed e-mail
    *with attachment*.
    I can see two likely possibilities:

    1. The digital signature is being done against the whole message,
    headers included. When the message passes through Mailman, some
    headers end up getting changed or added, and the signature is no
    longer valid.

    2. Mailman is still stripping or changing some of the attachment
    MIME types or filenames, which causes the signature to be invalidated.

    Problem is, cryptographic signatures on messages are extremely
    fragile. If even the slightest thing is changed, the signature is
    likely to be broken. If you make the signature process more robust,
    then you increase the possibility that an attacker could slip
    something through that would still appear to be correct, but where
    they've actually secretly modified something.

    Try turning off all filtering, HTML conversion, etc... within
    Mailman. See if that "fixes" the signature problem. If so, then you
    have to decide which is more important -- the signature on some
    messages or the probability that some malware could get through the
    system and sent out to all recipients of the list, because you'd
    turned off the filtering.

    Unfortunately, this is a binary decision. There is no option to
    leave signed messages unfiltered and to apply the filtering rules
    only to unsigned messages. Even if there were such a method, the
    attackers could get through by simply forging fake signatures that
    look valid.

    --
    Brad Knowles <brad at shub-internet.org>, Consultant & Author
    LinkedIn Profile: <http://tinyurl.com/y8kpxu>
    Slides from Invited Talks: <http://tinyurl.com/tj6q4>

    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  • Mark Sapiro at Aug 30, 2007 at 2:44 pm

    Marco De Rossi wrote:
    I tried to turn off all "Content Filtering" but it didn't fixed the
    signature problem.
    Some other suggestion?

    Thanks, Marco De Rossi

    On Thu, 2 Aug 2007, Brad Knowles wrote:
    On 8/2/07, Marco De Rossi wrote:

    We have modifed mailman so now it not add the message footer anymore.
    Now we still have this problem only when we send digital signed e-mail
    *with attachment*.

    What kind of signature are you using? Are you using PGP/MIME to sign
    the message with attachment? Mailman doesn't normally break these
    signatures.

    Can you look at the raw messages to and from Mailman and identify what
    changes cause the signature to break? This information will help us
    suggest a solution.

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Marco De Rossi at Aug 30, 2007 at 3:03 pm
    We use X.509 certificate.
    Could I send to the list a little attachment to see if problem is present
    with mailman-users mailing list too?

    Thanks, Marco De Rossi

    On Thu, 30 Aug 2007, Mark Sapiro wrote:

    Marco De Rossi wrote:
    I tried to turn off all "Content Filtering" but it didn't fixed the
    signature problem.
    Some other suggestion?

    Thanks, Marco De Rossi

    On Thu, 2 Aug 2007, Brad Knowles wrote:
    On 8/2/07, Marco De Rossi wrote:

    We have modifed mailman so now it not add the message footer anymore.
    Now we still have this problem only when we send digital signed e-mail
    *with attachment*.

    What kind of signature are you using? Are you using PGP/MIME to sign
    the message with attachment? Mailman doesn't normally break these
    signatures.

    Can you look at the raw messages to and from Mailman and identify what
    changes cause the signature to break? This information will help us
    suggest a solution.

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Marco De Rossi at Aug 30, 2007 at 3:24 pm
    Test

    Marco De Rossi

    Marco De Rossi wrote:
    We use X.509 certificate.
    Could I send to the list a little attachment to see if problem is present
    with mailman-users mailing list too?

    Thanks, Marco De Rossi


    On Thu, 30 Aug 2007, Mark Sapiro wrote:


    Marco De Rossi wrote:


    I tried to turn off all "Content Filtering" but it didn't fixed the
    signature problem.
    Some other suggestion?

    Thanks, Marco De Rossi


    On Thu, 2 Aug 2007, Brad Knowles wrote:


    On 8/2/07, Marco De Rossi wrote:


    We have modifed mailman so now it not add the message footer anymore.
    Now we still have this problem only when we send digital signed e-mail
    *with attachment*.
    What kind of signature are you using? Are you using PGP/MIME to sign
    the message with attachment? Mailman doesn't normally break these
    signatures.

    Can you look at the raw messages to and from Mailman and identify what
    changes cause the signature to break? This information will help us
    suggest a solution.

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Mark Sapiro at Aug 31, 2007 at 1:17 am

    Marco De Rossi wrote:
    Marco De Rossi wrote:
    We use X.509 certificate.
    Could I send to the list a little attachment to see if problem is present
    with mailman-users mailing list too?

    The message you sent has a PKCS7 (RFC 2315) signature. Of course, the
    signature was broken by the mailman-users list because content
    filtering removed one of the signed parts.

    For the specific issue of your lists, here's what I think, but I'm not
    at all knowledgable about PKCS7, so I'm not sure.

    I skimmed over RFC 2315 and also looked at the message structure. The
    original message has

    Content-Type: multipart/signed;
    protocol="application/x-pkcs7-signature"; micalg=sha1;

    The content consists of a

    Content-Type: multipart/mixed;

    part and a

    Content-Type: application/x-pkcs7-signature; name="smime.p7s"

    part. The multipart/mixed part consists of a text/plain part and an
    image/gif part.

    Such a message structure with a Open PGP/MIME signature rather than a
    PKCS7 signature can pass through a Mailman list without breaking the
    signature as long as the list does no content filtering and doesn't
    add any list header or footer. Depending on the client verifying the
    signature, even the addition of a list header or footer may not break
    the signature (actually, the signature doesn't break, but clients may
    refuse to recognize the message as signed if the multipart/signed
    content is not the top level of the message).

    In your case, I would expect the message could also pass through a
    Mailman list with no content filtering and no added list header or
    footer without breaking the signature, and in fact you said it does if
    the message originates from a Linux system.

    So the question is, what is different about the Windows system that
    results in Mailman's breaking the signature.

    I see the following in RFC 2315 section 9 step 1.

    1. For each signer, a message digest is computed on
    the content with a signer-specific message-digest
    algorithm. (If two signers employ the same message-digest
    algorithm, then the message digest need be computed for
    only one of them.) If the signer is authenticating any
    information other than the content (see Section 9.2), the
    message digest of the content and the other information are
    digested with the signer's message digest algorithm, and
    the result becomes the "message digest."

    This says to me that the "message digest" which is signed can
    optionally include some message headers which may be altered by
    Mailman - e.g., perhaps a Subject: which has a prefix added - thus,
    breaking the signature.

    Or, possibly the Windows client is doing some unorthodox treatment of
    trailing whitespace in the message content, but this seems unlikely if
    the signatures normally validate.

    Thus, you could try making the list's subject_prefix empty and see if
    that helps, or better still, if you can set the Windows clients to
    sign only the content and not any headers, try that.

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Marco De Rossi at Aug 30, 2007 at 2:47 pm
    If it could be helpful: it seems happen only sending e-mail from a Windows
    XP operating system (sending e-mail from a linux OS the digital signature
    is OK).

    Thanks, Marco De Rossi

    On Thu, 30 Aug 2007, Marco De Rossi wrote:

    I tried to turn off all "Content Filtering" but it didn't fixed the
    signature problem.
    Some other suggestion?

    Thanks, Marco De Rossi

    On Thu, 2 Aug 2007, Brad Knowles wrote:
    On 8/2/07, Marco De Rossi wrote:

    We have modifed mailman so now it not add the message footer anymore.
    Now we still have this problem only when we send digital signed e-mail
    *with attachment*.
    I can see two likely possibilities:

    1. The digital signature is being done against the whole message,
    headers included. When the message passes through Mailman, some
    headers end up getting changed or added, and the signature is no
    longer valid.

    2. Mailman is still stripping or changing some of the attachment
    MIME types or filenames, which causes the signature to be invalidated.

    Problem is, cryptographic signatures on messages are extremely
    fragile. If even the slightest thing is changed, the signature is
    likely to be broken. If you make the signature process more robust,
    then you increase the possibility that an attacker could slip
    something through that would still appear to be correct, but where
    they've actually secretly modified something.

    Try turning off all filtering, HTML conversion, etc... within
    Mailman. See if that "fixes" the signature problem. If so, then you
    have to decide which is more important -- the signature on some
    messages or the probability that some malware could get through the
    system and sent out to all recipients of the list, because you'd
    turned off the filtering.

    Unfortunately, this is a binary decision. There is no option to
    leave signed messages unfiltered and to apply the filtering rules
    only to unsigned messages. Even if there were such a method, the
    attackers could get through by simply forging fake signatures that
    look valid.

    --
    Brad Knowles <brad at shub-internet.org>, Consultant & Author
    LinkedIn Profile: <http://tinyurl.com/y8kpxu>
    Slides from Invited Talks: <http://tinyurl.com/tj6q4>

    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  • Mark Sapiro at Aug 30, 2007 at 3:04 pm

    Marco De Rossi wrote:
    If it could be helpful: it seems happen only sending e-mail from a Windows
    XP operating system (sending e-mail from a linux OS the digital signature
    is OK).

    What (broken?) mail client on Windows and what kind of signature? See
    my other reply at
    <http://mail.python.org/pipermail/mailman-users/2007-August/058183.html>.

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan
  • Marco De Rossi at Aug 30, 2007 at 3:10 pm
    I used Netscape Mail v7.2 and Mozilla Thunderbird v2.0.0.6 with X.509
    Certificate.

    Marco De Rossi

    On Thu, 30 Aug 2007, Mark Sapiro wrote:

    Marco De Rossi wrote:
    If it could be helpful: it seems happen only sending e-mail from a Windows
    XP operating system (sending e-mail from a linux OS the digital signature
    is OK).

    What (broken?) mail client on Windows and what kind of signature? See
    my other reply at
    <http://mail.python.org/pipermail/mailman-users/2007-August/058183.html>.

    --
    Mark Sapiro <msapiro at value.net> The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan

Related Discussions

Discussion Navigation
viewthread | post
Discussion Overview
groupmailman-users @
categoriespython
postedAug 2, '07 at 2:17p
activeAug 31, '07 at 1:17a
posts10
users3
websitelist.org

People

Translate

site design / logo © 2022 Grokbase