
Initial situation:

The SEPPmail Secure E-Mail Gateway is configured in such a way that S/MIME signatures of incoming emails are checked.

 

Question:

What are the reasons for classifying a signature as invalid?

 

Answer:

The verification of an S/MIME email signature checks the following:

 

1. Does the certificate with which the signature has been carried out originate from a trustworthy CA?
To be able to verify this, the signature chain must be known, i.e.:
 

a. The root CA certificate of the issuing CA must be listed in the menu X.509 Root Certificates and have the Trust state trusted.

 

b. If applicable, the necessary intermediate certificate must be known.
According to the RFC, these intermediate certificates must also be included when signing. If they are missing, the chain can still be completed, provided that the intermediate certificates are also listed under X.509 Root Certificates (indented).
 

2. Does the subject of the certificate (CN, common name) or an alternative subject name (RFC822-Name=) correspond to the sender of the email (From header, potentially also the Sender header, see also Key Used With The Microsoft Delegation Rule)?

 

3. Has the email been changed after signing?
Possible reasons are:

 

a. Intentionally by a third party

 

b. By appending, for example, a disclaimer after signing

 

c. Unintended re-encoding by an intermediate email server

 

 

(See the note in Mail Processing > Ruleset generator > Signing > Incoming e-mails > Add this text to message subject if S/MIME signature check succeeds, and/or Signature: Different Test Results.)
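
Point 3 in practice, as an added example that is not SEPPmail code: the signature covers a digest over the exact bytes of the signed MIME part, so an appended disclaimer (3b) and a relay re-encoding from quoted-printable to 8bit (3c) both invalidate it, even though the re-encoded mail shows the same text. The boundary, the sample messages, all function names and the choice of SHA-256 are assumptions for illustration; only the digest comparison is modelled, not the CMS signature itself.

```python
import email
import hashlib

BOUNDARY = b"constructed-boundary"  # constructed sample value

def wrap(entity: bytes) -> bytes:
    """Put `entity` into a multipart/signed body; the signature part is a placeholder."""
    delim = b"--" + BOUNDARY
    return b"\r\n".join([delim, entity, delim,
                         b"Content-Type: application/pkcs7-signature", b"",
                         b"(signature placeholder)", delim + b"--", b""])

def signed_entity(body: bytes) -> bytes:
    """Exact bytes of the first part, MIME headers included: the input to the digest."""
    opening = b"--" + BOUNDARY + b"\r\n"
    start = body.index(opening) + len(opening)
    # The CRLF in front of the next boundary belongs to the boundary, not the part.
    return body[start:body.index(b"\r\n--" + BOUNDARY, start)]

def digest(body: bytes) -> str:
    """SHA-256 over the signed part (hash algorithm chosen for this example)."""
    return hashlib.sha256(signed_entity(body)).hexdigest()

def decoded_text(body: bytes) -> str:
    """Text a reader sees once the Content-Transfer-Encoding is undone."""
    part = email.message_from_bytes(signed_entity(body))
    return part.get_payload(decode=True).decode("utf-8")

def check(received: bytes, digest_at_signing: str) -> str:
    """Compare the digest of the received part with the one taken at signing time."""
    if digest(received) == digest_at_signing:
        return "valid"
    return "invalid: content changed after signing"

# Constructed sample messages: as signed, with a disclaimer, and re-encoded by a relay.
HEAD = b"Content-Type: text/plain; charset=utf-8\r\nContent-Transfer-Encoding: "
QP_BODY = b"Gr=C3=BC=C3=9Fe aus Z=C3=BCrich"
AS_SIGNED = wrap(HEAD + b"quoted-printable\r\n\r\n" + QP_BODY)
WITH_DISCLAIMER = wrap(HEAD + b"quoted-printable\r\n\r\n" + QP_BODY + b"\r\nConfidential.")
REENCODED = wrap(HEAD + b"8bit\r\n\r\n" + "Grüße aus Zürich".encode("utf-8"))

if __name__ == "__main__":
    reference = digest(AS_SIGNED)
    for name, mail in [("as signed", AS_SIGNED), ("disclaimer", WITH_DISCLAIMER),
                       ("re-encoded", REENCODED)]:
        print(f"{name:12} {check(mail, reference):40} text={decoded_text(mail)!r}")
```
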

 

  
