Automatically signing outgoing mail with postfix (S/MIME)

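I want to automatically sign outgoing mail with postfix. I found a script and integrated it into postfix. It works mostly as expected, but it has two bugs, and I hope you can help me fix them.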

/home/xxx/sign.sh

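#!/bin/bash
# Postfix pipe(8) content filter: read one mail on stdin, sign it, re-inject it.
WORKDIR="/tmp"
SENDMAIL="/usr/sbin/sendmail -G -i"
EX_UNAVAILABLE=69
# Called as: sign.sh -f <sender> -- <recipient>
SENDER="$2"; RECIPIENT="$4"

MESSAGEFILE="$WORKDIR/message.$$"
# Remove the temporary files on exit and on HUP/INT/QUIT/TERM.
trap 'rm -f "$MESSAGEFILE" "$MESSAGEFILE.signed"' 0 1 2 3 15
umask 077
cat > "$MESSAGEFILE" || { echo Cannot save mail to file; exit $EX_UNAVAILABLE; }
# Extract the Subject header with reformail.
SUBJECT=$(reformail -x "Subject:" < "$MESSAGEFILE")
# Sender, recipient and subject are quoted so they are passed as single arguments.
openssl smime -sign -in "$MESSAGEFILE" -out "$MESSAGEFILE.signed" -from "$SENDER" -to "$RECIPIENT" -subject "$SUBJECT" -signer /home/xxx/sign.crt -inkey /home/xxx/sign_key.crt -text || { echo Problem signing message; exit $EX_UNAVAILABLE; }
$SENDMAIL "$@" < "$MESSAGEFILE.signed"
exit $?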

This is the postfix integration:

smtp      inet  n       -       -       -       -       smtpd
  -o content_filter=spamassassin
  -o content_filter=meinfilter:dummy

meinfilter      unix    -       n       n       -       2       pipe
  flags=Rq user=xxx null_sender=
  argv=/home/xxx/sign.sh -f ${sender} -- ${recipient}

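The bugs are:

  • The subject line is always empty; this is caused by a missing software dependency
  • The headers of the delivered message are doubled (in the normal headers and in the message)

Here are the raw e-mail headers and body. You can see the doubled headers below: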

To: xxx
From: xxx
Subject: Testsubject
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg="sha-256"; boundary="----2466B05A8CF1ACF5CD6D9B7B8AE72747"

This is an S/MIME signed message

------2466B05A8CF1ACF5CD6D9B7B8AE72747
Content-Type: text/plain

Return-Path: <xxx>
Received: from [127.0.0.1] (xxx [xxx])
    by xxx (Postfix) with ESMTPSA id xxx
    for <xxx>; Fri, 13 Sep 2013 02:49:22 +0000 (UTC)
Message-ID: <xxx>
Date: Fri, 13 Sep 2013 04:49:21 +0200
From: xxx
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: xxx
Subject: Testsubject
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit

Testmessage

------2466B05A8CF1ACF5CD6D9B7B8AE72747
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

LONGTEXTLONGTEXTWITHPUBLICKEYLONGTEXTLONGTEXTWITHPUBLICKEY
LONGTEXTLONGTEXTWITHPUBLICKEYLONGTEXTLONGTEXTWITHPUBLICKEY
LONGTEXTLONGTEXTWITHPUBLICKEYLONGTEXTLONGTEXTWITHPUBLICKEY
...
LONGTEXTLONGTEXTWITHPUBLICKEYLONGTEXTLONGTEXTWITHPUBLICKEY
LONGTEXTLONGTEXTWITHPUBLICKEYLONGTEXTLONGTEXTWITHPUBLICKEY
LONGTEXTLONGTEXTWITHPUBLICKEYLONGTEXTLONGTEXTWITHPUBLICKEY

How can I solve these two problems?

Answer 1

If you don't want plain-text headers added to the signed e-mail, remove the -text option from the openssl command in the sign.sh script. As stated here:

-text: this option adds plain text (text/plain) MIME headers to the supplied message if encrypting or signing. If decrypting or verifying it strips off text headers: if the decrypted or verified message is not of MIME type text/plain then an error occurs.

To sign only outgoing e-mail, I think what you need to do is enable the submission port (587) or smtps (465) in master.cf and move -o content_filter=meinfilter:dummy to that port only:

#submission
submission inet n - n - - smtpd
  -o content_filter=meinfilter:dummy

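This means that only mail submitted on that port (usually associated with TLS and authentication) will be signed by your script. You may also want to make sure that only authenticated, TLS-encrypted connections are allowed to relay through your server.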
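
The effect of -text described in this answer can be checked on a filter's output with a MIME parser. The following is an added example, not part of the original answer: it builds a constructed message shaped like the one in the question (placeholder addresses, boundary and signature) and uses Python's email package to list the mail headers a client would render as body text, with and without the text/plain wrapper. The names wrap_signed, displayed_text and leaked_headers are chosen for this example.

```python
import email

# Constructed sample of the mail the filter receives on stdin (placeholder addresses).
ORIGINAL = (
    "Return-Path: <sender@example.org>\n"
    "From: sender@example.org\n"
    "To: rcpt@example.org\n"
    "Subject: Testsubject\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=ISO-8859-15\n"
    "\n"
    "Testmessage\n"
)
# Header placed in front of the input when signing with -text (see the quoted option text).
TEXT_WRAPPER = "Content-Type: text/plain\n\n"
# Header names that should never show up at the top of a displayed body.
ENVELOPE_HEADERS = {"return-path", "received", "message-id", "from", "to", "subject", "date"}


def wrap_signed(first_part):
    """Build a multipart/signed mail shaped like the one in the question.
    Constructed: the signature part holds a placeholder, not real PKCS#7 data."""
    b = "----EXAMPLEBOUNDARY"
    return (
        "To: rcpt@example.org\nFrom: sender@example.org\nSubject: Testsubject\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";'
        f' micalg="sha-256"; boundary="{b}"\n\n'
        "This is an S/MIME signed message\n\n"
        f"--{b}\n{first_part}\n"
        f"--{b}\n"
        'Content-Type: application/x-pkcs7-signature; name="smime.p7s"\n\n'
        "PLACEHOLDER\n\n"
        f"--{b}--\n"
    )


def displayed_text(raw):
    """Body of the first (signed) MIME part, i.e. what a mail client renders."""
    return email.message_from_string(raw).get_payload(0).get_payload()


def leaked_headers(raw):
    """Mail header names that a client would render as body text."""
    inner = email.message_from_string(displayed_text(raw))
    return [h for h in inner.keys() if h.lower() in ENVELOPE_HEADERS]


WITH_TEXT = wrap_signed(TEXT_WRAPPER + ORIGINAL)  # sign.sh as posted
WITHOUT_TEXT = wrap_signed(ORIGINAL)              # -text removed
```

Without -text the original headers are still inside the signed part, but as headers of that MIME part, so a client does not render them as text.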
