Uploaded image for project: 'Gateway'
  1. Gateway
  2. GATEWAY-88

Djigzo gateway does handle multipart/alternative in a incorrect way



    • Type: Bug
    • Status: Done
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment:



      Here it is. You see that the "Testar PGP-kryptering" is the decrypted plaintext.
      Ill add a JIRA ticket and just copy and paste this mail into the JIRA ticket.

      I think the easiest would be to just check if the mail is multipart/alternative, then if the mail was processed (decrypted or signature-verified), then it just strips out everything except for the part it decrypted or verified, and adds that part as a text/plain instead. However, its important to keep attachments as-is, so it should just apply to content that is declared as multipart/alternative.

      ----Ursprungligt meddelande----
      From: Martijn Brinkers
      Sent: Tuesday, March 10, 2015 1:15 PM
      To: users@lists.djigzo.com
      Subject: Re: [Djigzo users] Strip HTML if mail was decrypted, or decrypt HTML containing PGP/INLINE?

      On 03/10/2015 12:39 PM, Sebastian Nielsen wrote:
      > See attached EML.

      Can you send me the EML directly (off list). It looks like the maillist
      list server stripped of some contents.

      > The problem is that when a user uses a webmail service or such, along
      > with a PGP addon, the message is being packaged (by the webmail
      > service) in a multipart/alternative with a HTML and PLAIN part.
      > Only the plain part are decrypted, even when I have checked the box
      > inside web interface that it should convert HTML to plain.

      The option "Convert HTML to plain" is only for outgoing PGP email. If
      you sent an email with HTML, the HTML will then be converted into text
      only before the message will be PGP/INLINEd. This is not required when
      using PGP/MIME.

      > When the email is then opened in a mail client, the HTML part, which
      > is “still encrypted” is shown. Is it possible to either: Decrypt all
      > parts, including the HTML part -or- Strip out the HTML part – but
      > ONLY if the mail was encrypted or signed, so the client only show the
      > text/plain part.

      The problem with PGP/INLINE is that there is no standard for HTML.
      Enigmail for example disables HTML by default when using PGP/INLINE even
      though they have support for HTML with PGP/INLINE. If you want to fully
      support HTML with PGP, the best approach would be to use PGP/MIME.
      Unfortunately not all PGP clients support PGP/MIME
      That said, it would be nice if the CipherMail gateway has better support
      for HTML mail (it supports HTML with the non standard encoding used with
      PGP universal).

      Can you add a JIRA request entry for this?


      Kind regards,

      Martijn Brinkers

      CipherMail email encryption

      Open source email encryption gateway with support for S/MIME, OpenPGP
      and PDF messaging.


      Twitter: http://twitter.com/CipherMail
      Users mailing list

      Here is a copy of the mail that was incorrectly parsed:
      Return-Path: <nielsen.sebastian@gmail.com>
      X-Original-To: sebastian@sebbe.eu
      Delivered-To: sebastian@sebbe.eu
      Received: from server-desktop (localhost [])
      by dns2.sebbe.eu (Postfix) with ESMTP id 64F294C0535
      for <sebastian@sebbe.eu>; Tue, 10 Mar 2015 12:17:07 +0100 (CET)
      Received: from mail-pa0-x234.google.com (mail-pa0-x234.google.com [IPv6:2607:f8b0:400e:c03::234])
      (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
      (No client certificate requested)
      by dns1.sebbe.eu (Postfix) with ESMTPS id 070464C0535
      for <sebastian@sebbe.eu>; Tue, 10 Mar 2015 12:17:05 +0100 (CET)
      Authentication-Results: unknown-host; dkim=pass
      reason="2048-bit key; unprotected key"
      header.d=gmail.com header.i=@gmail.com header.b=cfzct3+F;
      dkim-adsp=pass; dkim-atps=neutral
      Received: by paceu11 with SMTP id eu11so1067279pac.1
      for <sebastian@sebbe.eu>; Tue, 10 Mar 2015 04:17:03 -0700 (PDT)
      DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=gmail.com; s=20120113;
      MIME-Version: 1.0
      X-Received: by with SMTP id kq3mr65210578pdb.85.1425986223739;
      Tue, 10 Mar 2015 04:17:03 -0700 (PDT)
      Received: by with HTTP; Tue, 10 Mar 2015 04:17:03 -0700 (PDT)
      Date: Tue, 10 Mar 2015 12:17:03 +0100
      Message-ID: <CAAUzo2sOSCNBBX5irtKP6RAxmdBytQdVNOfxXpjJ+81mAkozMw@mail.gmail.com>
      Subject: test [Decrypted] [Mixed]
      From: Sebastian Nielsen <nielsen.sebastian@gmail.com>
      To: Sebastian Nielsen <sebastian@sebbe.eu>
      Content-Type: multipart/alternative; boundary=001a11c317ec521b570510ed4a02
      X-SPF-Signature: pass (gmail.com ... _spf.google.com: Sender is authorized to use 'nielsen.sebastian@gmail.com' in 'mfrom' identity (mechanism 'include:_netblocks2.google.com' matched)) receiver=server-desktop; identity=mailfrom; envelope-from="nielsen.sebastian@gmail.com"; client-ip="2607:f8b0:400e:c03::234"
      X-Djigzo-Info-PGP-Encoding: PGP/INLINE
      X-Djigzo-Info-PGP-Encrypted: True
      X-Djigzo-Info-PGP-Encryption-Algorithm: AES-128
      X-Djigzo-Info-PGP-Mixed-Content: True

      Content-Type: text/plain; charset=UTF-8
      Content-Transfer-Encoding: 7bit

      Testar PGP-kryptering

      Content-Type: text/html; charset=UTF-8
      Content-Transfer-Encoding: quoted-printable

      <div dir=3D"ltr"><p>----BEGIN PGP MESSAGE----<br>Version: haneWIN Javascr=
      iptPG v2.0</p><p>hQEMA7fkxO45c/CrAQgAun7tZWOMpbEb+W5Ay+NKu9cobDI6YlRo82Cgbz=
      uJfPwTFnfp3<br>4JdBLDC+DZ96UmBl<br>=3DV3te<br>----END PGP MESSAGE----</p>=



      The above message shows up as encrypted in the mail client. The best action here would be, if a mail to a internal user is signed and/or encrypted, the best would be to strip the whole multipart/alternative, and replace it with a text/plain containing the decrypted content, and/or the message content of a signature that was verified. Yes, it would strip content "outside" the PGP ASCII armour, but that would be better than having the mail show up as encrypted.




            • Assignee:
              martijn_brinkers Martijn Brinkers
              sebastian Sebastian Nielsen
            • Votes:
              0 Vote for this issue
              2 Start watching this issue


              • Created: