Locally signed emails are permanently rejected due to faulty S/MIME signatures
Problem
Incoming, 8-bit encoded emails that were signed locally via S/MIME are converted by NoSpamProxy into 7-bit encoded emails and are then rejected by the receiving email server because the S/MIME signature no longer verifies.
Analysis
RFC 5751 stipulates that every signed MIME entity (MIME part) of an email must be represented as 7-bit text when it is transmitted over a 7-bit transport:
If a multipart/signed entity is ever to be transmitted over the standard Internet SMTP infrastructure or other transport that is constrained to 7-bit text, it MUST have transfer encoding applied so that it is represented as 7-bit text. MIME entities that are 7-bit data already need no transfer encoding. Entities such as 8-bit text and binary data can be encoded with quoted-printable or base-64 transfer encoding.
To ensure full compliance with RFC 5751, NoSpamProxy converts the 8-bit encoding of the email into a 7-bit encoding.
However, since the signing was already done locally and not by NoSpamProxy, the conversion changes the bytes over which the signature's hash was computed and thus invalidates the signature. Accordingly, from version 13.2.20258.1435 onwards NoSpamProxy permanently rejects the email.
This scenario only occurs if the option "Remove attached signatures from emails signed using S/MIME (recommended)" has been deactivated in the NoSpamProxy rule set and the email client additionally sends 8-bit encoded emails.
Workarounds
Workaround 1: Activate opaque signing
Microsoft Outlook
Configure your email programme to use the opaque signing method when applying the signature. With this method, the signature and the message are combined in a single binary file so that the signature remains intact when the email is modified by email gateways.
- Open Microsoft Outlook.
- Go to File > Options > Trust Center > Trust Center Settings > Email Security.
- Remove the tick from Send signed messages as plain text.
- Click OK.
By deactivating this option, you have activated opaque signing.
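The following Python model shows why the 7-bit conversion described under Analysis breaks a locally applied detached (multipart/signed) signature, while the opaque (application/pkcs7-mime) signing enabled in this workaround survives it. It is an added example, not NoSpamProxy code or a real CMS implementation: the sample MIME entity is constructed, and a plain SHA-256 over the signed entity stands in for the digest inside a CMS SignedData (certificate checks and the signature over the digest are omitted).

```python
import base64
import hashlib
import quopri

# Constructed sample (not from the article): the MIME entity the mail client
# signed locally. It is declared 8bit and carries raw UTF-8 bytes. A detached
# (multipart/signed) S/MIME signature covers exactly these bytes, headers included.
SIGNED_ENTITY_8BIT = (
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: 8bit\r\n"
    b"\r\n"
    + "Grüße aus München\r\n".encode("utf-8")
)


def digest(entity: bytes) -> bytes:
    """Stand-in for the message digest inside a CMS SignedData: SHA-256 over
    the signed MIME entity, returned as 64 hex characters. Real verification
    also checks the certificate and the signature over this digest."""
    return hashlib.sha256(entity).hexdigest().encode("ascii")


def split_entity(entity: bytes):
    """Split a MIME entity into its header block and its body."""
    head, _, body = entity.partition(b"\r\n\r\n")
    return head, body


def is_seven_bit(entity: bytes) -> bool:
    """True if every byte is one a 7-bit SMTP transport accepts."""
    return all(b < 0x80 for b in entity)


def gateway_downgrade_to_7bit(entity: bytes) -> bytes:
    """Model of the RFC 5751 conversion a gateway performs: an entity declared
    8bit is rewritten as quoted-printable, so both the Content-Transfer-Encoding
    header and the body bytes change. Entities that are already 7-bit
    (including base64 ones) pass through unchanged."""
    head, body = split_entity(entity)
    if b"Content-Transfer-Encoding: 8bit" not in head:
        return entity
    head = head.replace(b"Content-Transfer-Encoding: 8bit",
                        b"Content-Transfer-Encoding: quoted-printable")
    return head + b"\r\n\r\n" + quopri.encodestring(body)


def detached_signature_verifies(original: bytes, received: bytes) -> bool:
    """Detached signature check: the digest recorded at signing time must equal
    the digest of the entity as it arrived at the receiving server."""
    return digest(received) == digest(original)


def opaque_wrap(entity: bytes) -> bytes:
    """Opaque signing (application/pkcs7-mime, smime-type=signed-data): the
    signed entity and its signature travel together as one binary blob that is
    base64-encoded, so the part is already 7-bit and a gateway leaves it alone.
    The blob here is the entity followed by its 64-character digest, standing
    in for the real CMS structure."""
    blob = entity + digest(entity)
    return (b"Content-Type: application/pkcs7-mime; smime-type=signed-data\r\n"
            b"Content-Transfer-Encoding: base64\r\n"
            b"\r\n" + base64.b64encode(blob) + b"\r\n")


def opaque_verify(received: bytes) -> bool:
    """Unwrap the blob and check the embedded digest against the embedded entity."""
    _, body = split_entity(received)
    blob = base64.b64decode(body)
    entity, recorded = blob[:-64], blob[-64:]
    return digest(entity) == recorded


def demo():
    """Return (detached signature survives, opaque signature survives)
    after the gateway's 7-bit conversion."""
    detached_after = gateway_downgrade_to_7bit(SIGNED_ENTITY_8BIT)
    opaque_after = gateway_downgrade_to_7bit(opaque_wrap(SIGNED_ENTITY_8BIT))
    return (detached_signature_verifies(SIGNED_ENTITY_8BIT, detached_after),
            opaque_verify(opaque_after))


if __name__ == "__main__":
    detached_ok, opaque_ok = demo()
    print("original entity is 7-bit clean:", is_seven_bit(SIGNED_ENTITY_8BIT))
    print("detached signature verifies after gateway:", detached_ok)
    print("opaque signature verifies after gateway:", opaque_ok)
```

Running the module prints False for the detached case and True for the opaque case: the quoted-printable rewrite turns `ü` into `=C3=BC` and changes the header line, so the received entity no longer hashes to the signed value, whereas the base64 wrapper is untouched and the entity inside it is recovered byte for byte.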
Microsoft 365/Outlook on the Web, Exchange Server 2013, Exchange Server 2016, Exchange Server 2019, Exchange Online
You can also configure opaque signing via PowerShell:
Set-SmimeConfig -OWAClearSign $false
Further information on configuration via PowerShell can be found here.
WARNING: Receiving email clients that do not support S/MIME cannot process emails signed via opaque signing.
Workaround 2: Remove local signatures
Configure NoSpamProxy to remove locally applied signatures.
WARNING: Corresponding emails can be delivered in this way, but lose their S/MIME signature.
- Go to Configuration > Rules.
- Open the corresponding rule for inbound emails.
- Go to the tab Actions, open the action S/MIME and PGP verification and decryption and go to the tab Verification options.
- Uncheck Remove attached signatures from emails signed using S/MIME (recommended).
- Click Save and close.