
Initial situation:

Whether a sender is authorised to have cryptographic actions performed on their email is to be checked during live operation. The authorisation check is to be realised by querying an LDAP directory service.

 

Configuration suggestion

 

Attention:

This type of implementation issues an LDAP query for every single email that is to be cryptographically processed. Even though the SEPPmail Secure E-Mail Gateway caches the connection, this may under certain circumstances lead to significant performance problems and/or overload the LDAP server.

 

Navigate to Mail Processing > Ruleset generator > Custom Commands > Custom commands for outgoing emails BEFORE encryption:

Activate the option and paste the following code into the input field below it:

 

Line  Code

01    # Begin: Custom commands for outgoing e-mails BEFORE encryption
02    log(1,'Begin: Custom commands for outgoing e-mails BEFORE encryption');

03    # Begin: check if user is allowed to send cryptographic e-mails
04    log(1,'Begin: check if user is allowed to send cryptographic e-mails');

05    setvar('ldap_bind','ldaps://myldap1.local,ldaps://myldap2.local;CN=ldapquery,OU=ServiceAccounts,OU=user,DC=customer1,DC=local;password;OU=user,DC=customer1,DC=local;(mail=$header_from)');
06    if (ldap_compare('$ldap_bind','memberOf','Secure E-Mail')) {
07        if(authenticated()) {
08            setuserattr('accountOptions','16');
09        } else {
10            log(1,'$from is member of SecureMail, creating user, generating keys');
11            ldap_read('$ldap_bind','displayName','displayName');
12            ldap_read('$ldap_bind','sAMAccountName','sAMAccountName');
13            createaccount('0','$sAMAccountName','$displayName');
14            createkeys('@CREATEGPGKEYS@');
15        }
16    } else {
17        if(authenticated()) {
18            log(1,'$from is no longer a member of SecureMail, revoking permission to encrypt and/or sign e-mails');
19            setuserattr('accountOptions','5');
20        } else {
21            log(1,'$from is not member of SecureMail, user does not exist, nothing to do');
22        }

23        ## force domain encryption - if available - for unlicensed users
24        ## only needed if "Always use S/MIME or OpenPGP if user keys are available" is selected
25        ## and "User creation" is not set to "Manual user creation: Only process outgoing mails from users with an account"
26        if (domain_smime_keys_avail()) {
27            log(1,'found S/MIME domain certificate for recipient(s) $header_to; $header_cc - trying to encrypt mail');
28            if (encrypt_domain_smime()) {
29                log(1,'S/MIME Domain Encryption successful for recipient(s) $header_to; $header_cc');
30                deliver();
31            } else {
32                log(1,'S/MIME Domain Encryption FAILED for recipient(s) $header_to; $header_cc - trying OpenPGP Domain Encryption');
33            }
34        } else {
35            log(1,'no S/MIME domain certificate found for recipient(s) $header_to; $header_cc - trying OpenPGP Domain Encryption');
36        }

37        if (domain_pgp_keys_avail()) {
38            log(1,'found OpenPGP public domain key for recipient(s) $header_to; $header_cc - trying to encrypt mail');
39            if (encrypt_domain_pgp_mime()) {
40                log(1,'OpenPGP Domain Encryption successful for recipient(s) $header_to; $header_cc');
41                deliver();
42            } else {
43                log(1,'pgp domain encryption FAILED - going on without any action');
44            }
45        } else {
46            log(1,'Recipient(s) $header_to; $header_cc have no valid public OpenPGP key');
47        }
48        log(1,'No domain encryption possible for $header_to; $header_cc, sending plain');
49        deliver();

50        ## end forcing domain encryption
51    }

52    log(1,'End: check if user is allowed to send cryptographic e-mails');
53    # End: check if user is allowed to send cryptographic e-mails

54    log(1,'End: Custom commands for outgoing e-mails BEFORE encryption');
55    # End: Custom commands for outgoing e-mails BEFORE encryption

 

Description

In this example, the static parameters for the subsequent LDAP queries are first written to the variable "ldap_bind" (line 05): the server URIs, the bind DN and password of the query account, the search base, and the filter that selects the sender's directory object by the address in the From header. Via an LDAP query (in this case against Active Directory), the sender's membership of the authorised group is checked (line 06). If the sender is authorised, the system checks whether they already have an account on the SEPPmail Secure E-Mail Gateway (line 07). If an account exists, the rights for encrypting/signing are assigned to it and GINA messages are released according to the respective GINA domain settings (line 08). Otherwise, a log entry is written (line 10), the Windows user name and the display name are read from the AD and each is provided as a variable (lines 11/12), and a new user account is created for the sender (line 13), using the values read from the AD for "User ID" and "Name". The newly created user is then provided with key material according to the setting in Mail Processing > Ruleset generator > Key generation (line 14).

Note that Active Directory stores memberOf as the full distinguished name of each group, not as the bare group name; verify against your own directory that the value compared on line 06 matches the form in which the attribute is actually returned.
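As an added example (not code from this page or from SEPPmail), the following Python parses the ldap_bind descriptor from line 05 into its parts and shows the escaping the substituted sender address needs so that the directory reads it as a literal value. It assumes the descriptor consists of five semicolon-separated fields (server URIs, bind DN, bind password, search base, filter template) and that $header_from is substituted verbatim; whether the appliance escapes the value itself is not stated on this page. The group comparison helper reflects how Active Directory returns memberOf; the sample group DN in the usage lines is constructed.

```python
"""Added example (not SEPPmail code): parse the ldap_bind descriptor from
line 05 and build the per-sender LDAP filter with RFC 4515 escaping.

Assumptions (not stated on the page): the descriptor has five ';'-separated
fields (server URIs, bind DN, bind password, search base, filter template) and
'$header_from' is replaced verbatim by the appliance.  Whether the appliance
escapes the substituted value itself is not documented here; this code shows
what the filter must look like for the value to stay a literal.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class LdapBind:
    uris: List[str]
    bind_dn: str
    password: str
    base_dn: str
    filter_template: str


def parse_ldap_bind(descriptor: str) -> LdapBind:
    """Split 'uri1,uri2;bindDN;password;baseDN;filter' into its fields.

    DNs contain commas, so only ';' separates fields; the URI list is the one
    field that is itself comma separated.
    """
    parts = descriptor.split(';')
    if len(parts) != 5:
        raise ValueError(f'expected 5 fields, got {len(parts)}')
    uris, bind_dn, password, base_dn, flt = parts
    return LdapBind([u.strip() for u in uris.split(',')],
                    bind_dn, password, base_dn, flt)


# RFC 4515 section 3: characters that must be escaped inside an assertion value
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, header_from: str) -> str:
    """Substitute $header_from in the template with the escaped sender address."""
    return template.replace('$header_from', escape_filter_value(header_from))


def _normalise_dn(dn: str) -> str:
    return ','.join(part.strip().lower() for part in dn.split(','))


def is_member(member_of: List[str], group_dn: str) -> bool:
    """Case-insensitive comparison of a memberOf value list against a group DN.

    Active Directory returns memberOf as full distinguished names, so a compare
    against a bare group name does not match in this model.
    """
    return any(_normalise_dn(dn) == _normalise_dn(group_dn) for dn in member_of)


# Descriptor exactly as on line 05 of the ruleset
DESCRIPTOR = ('ldaps://myldap1.local,ldaps://myldap2.local;'
              'CN=ldapquery,OU=ServiceAccounts,OU=user,DC=customer1,DC=local;'
              'password;OU=user,DC=customer1,DC=local;(mail=$header_from)')

if __name__ == '__main__':
    cfg = parse_ldap_bind(DESCRIPTOR)
    print(cfg.uris, cfg.base_dn)
    print(build_filter(cfg.filter_template, 'alice@customer1.local'))
    # A From header carrying filter syntax stays a literal once escaped:
    print(build_filter(cfg.filter_template, '*)(objectClass=*'))
    # Constructed group DN for the comparison demo
    print(is_member(['CN=Secure E-Mail,OU=Groups,DC=customer1,DC=local'],
                    'CN=Secure E-Mail,OU=Groups,DC=customer1,DC=local'))
```

The second build_filter() call shows why the escaping matters: without it, a crafted From header of the form `*)(objectClass=*` would turn the membership lookup into a wildcard match.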

If the sender has an account on the SEPPmail Secure E-Mail Gateway but is no longer a member of the corresponding AD group (line 17), this is noted in the log (line 18) and the user's rights for encryption/signing are withdrawn (line 19). To ensure that the key material is not removed from the appliance, the account is only deactivated, not deleted; deactivating the account releases the user licence it occupied. Decryption of emails that may still arrive for this user continues to work.

For senders who neither have a user account nor are members of the authorising AD group, no action is required. This is recorded in the log (line 21).

 

The commands delimited by the comment lines ## force domain encryption and ## end forcing domain encryption are only necessary if the option "Always use S/MIME or OpenPGP if user keys are available" in Mail Processing > Ruleset generator > Encryption/Decryption is activated and Mail Processing > Ruleset generator > User creation is not set to Do not create accounts (also disables custom commands for user creation).

For the configuration described, this ensures that domain encryption is still used when a public domain key is available for the recipient but the sender is not in the group authorised to encrypt.

It first checks whether a public S/MIME domain key exists for the target email domain(s) (line 26). If so, this is logged (line 27), the email is encrypted to the target domain with that key (line 28), success is documented in the log (line 29) and the email is delivered (line 30). If S/MIME encryption fails, this is logged (line 32), as is the case where no S/MIME key of the recipient is present (line 35). For recipient domains for which no S/MIME key is known or for which encryption failed, encryption with a public OpenPGP domain key is attempted next. Again, the system first checks whether a public OpenPGP domain key of the target domain(s) exists (line 37). If so, this is logged (line 38), the email is encrypted to the target domain with that key (line 39), success is logged (line 40) and the email is delivered (line 41). If the encryption fails, this is also logged (line 43), as is the case where no OpenPGP key of the recipient is present (line 46).

Unless the email has already been delivered after a successful domain encryption, it is sent without encryption (line 49), irrespective of any control marks that may be present (see Controlling The Appliance). If required, this behaviour can be adapted with additional code.
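To make the branch structure of lines 06 to 51 checkable without an appliance, here is an added Python model (not SEPPmail code) of the decision the custom commands take. The directory lookup, account check and the four domain-key calls are replaced by booleans supplied by the caller, and the action names are constructed labels, not appliance output. The plain_fallback=False variant is an addition that illustrates the "may be adapted by additional code" remark about line 49 by handing the message back to the regular ruleset instead of calling deliver(); the page does not show that variant.

```python
"""Added example (not SEPPmail code): the decision taken by lines 06-51 of the
ruleset above as a pure function, so that every branch, including the
S/MIME -> OpenPGP -> plain fall-through, can be exercised offline.

Assumptions (not on the page): ldap_compare(), authenticated() and the four
domain-key calls are modelled as booleans supplied by the caller.  The
plain_fallback=False variant is an illustration of the "may be adapted by
additional code" remark about line 49, not behaviour of the shown ruleset.
All inputs are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Sender:
    address: str
    in_secure_group: bool   # what ldap_compare() on memberOf returned (line 06)
    has_account: bool       # what authenticated() returned (lines 07 / 17)


@dataclass
class DomainKeys:
    smime_avail: bool = False   # domain_smime_keys_avail()
    smime_ok: bool = True       # does encrypt_domain_smime() succeed if tried
    pgp_avail: bool = False     # domain_pgp_keys_avail()
    pgp_ok: bool = True         # does encrypt_domain_pgp_mime() succeed if tried


def process_outgoing(sender: Sender, keys: DomainKeys,
                     plain_fallback: bool = True) -> List[str]:
    """Return, in order, the actions the custom commands would take.

    Authorised senders only get their account maintained here; the regular
    ruleset encrypts their mail afterwards, so no deliver() appears for them.
    Unauthorised senders always end in a delivery decision.
    """
    actions: List[str] = []

    if sender.in_secure_group:                       # line 06
        if sender.has_account:                       # line 07
            actions.append('setuserattr accountOptions=16')
        else:                                        # lines 10-14
            actions += ['ldap_read displayName', 'ldap_read sAMAccountName',
                        'createaccount', 'createkeys']
        return actions

    if sender.has_account:                           # line 17
        # revoke, but keep the account so decryption of inbound mail still works
        actions.append('setuserattr accountOptions=5')
    else:                                            # line 21
        actions.append('no account, nothing to do')

    # lines 26-36: S/MIME domain encryption is tried first
    if keys.smime_avail:
        if keys.smime_ok:
            actions.append('deliver: S/MIME domain encrypted')
            return actions
        actions.append('S/MIME domain encryption failed')

    # lines 37-47: OpenPGP domain encryption is tried second
    if keys.pgp_avail:
        if keys.pgp_ok:
            actions.append('deliver: OpenPGP domain encrypted')
            return actions
        actions.append('OpenPGP domain encryption failed')

    # line 49 on the page delivers in clear; the variant below instead leaves
    # the mail to the regular ruleset (and therefore to its control marks)
    if plain_fallback:
        actions.append('deliver: plain')
    else:
        actions.append('no domain key, handing back to regular ruleset')
    return actions


if __name__ == '__main__':
    # Constructed case: unauthorised sender with account, S/MIME key present
    # but the S/MIME step fails, OpenPGP key present
    print(process_outgoing(Sender('bob@customer1.local', False, True),
                           DomainKeys(smime_avail=True, smime_ok=False, pgp_avail=True)))
```

Running the model over all combinations of the two sender flags and the four key flags is a quick way to confirm that the only path which sends in clear is the one where neither domain encryption succeeds, and that no authorised sender is ever delivered by this block.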

 

Used commands

authenticated()

createaccount()

createkeys()

deliver()

domain_pgp_keys_avail()

domain_smime_keys_avail()

encrypt_domain_pgp_mime()

encrypt_domain_smime()

ldap_compare()

ldap_read()

log()

setuserattr()

setvar()
