We're currently using Mailman as a mailing list manager. Mailman modifies the content of mail messages. The problem is that some of our users are sending digitally signed messages and the modification makes the signature break. I've seen this behavior with Apple Mail, Outlook, and Thunderbird.
The problem seems to be this: S/MIME signed messages are implemented with a "Content-Type: multipart/signed" MIME Content-Type. Mailman wraps this inside a "Content-Type: multipart/mixed" MIME Content-Type. None of the mail readers look inside the outer "mixed" for the inner "signed".
We won't be able to get the clients fixed. Is there any way to modify Mailman so that it doesn't have this behavior?
Mailman is probably configured to add a header or footer to every message. Check the msg-header and msg-footer parameters, which can be accessed on the [Non-digest options] page. It's also important to ensure that pass_mime_types includes application/pkcs7-signature as one of the permitted types in the [Content filtering] section.

When Mailman is configured to add a header or footer, it modifies the message by creating a new MIME part and concatenating it with the root part from the original message. The reasoning for this behaviour is explained more fully on the Mailman wiki (wiki.list.org).
Although the original signed message is still intact, it seems that most mail clients only interpret the SMIME signature correctly if multipart/signed is the root MIME part. As a test, I removed the extra MIME parts inserted by mailman from one of my test messages and resent it, and the signature was correctly validated by my mail client.
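The manual test described in this answer (stripping the parts the list manager added so that multipart/signed is the root again) can be scripted. The Python below is an added example, not code from the question or this answer: it reports whether a message's root part is multipart/signed and, for a message that was wrapped in multipart/mixed, rebuilds it with the signed part as root, copying that part byte for byte so the signature stays valid. The sample message, its header names and the base64 "signature" blob are all constructed here; the script does not verify signatures itself.

```python
import re
from email import message_from_bytes, policy

def signed_part_visible(raw):
    """True when the root MIME part is multipart/signed, which is what a
    client needs in order to show and verify the S/MIME signature."""
    msg = message_from_bytes(raw, policy=policy.default)
    return msg.get_content_type() == "multipart/signed"

def unwrap_signed(raw):
    """For a multipart/mixed message carrying exactly one multipart/signed
    part, return it with that part as root under the original top-level
    headers minus Content-*/MIME-Version. Returns None otherwise."""
    msg = message_from_bytes(raw, policy=policy.default)
    boundary = msg.get_boundary()
    if msg.get_content_type() != "multipart/mixed" or not boundary:
        return None
    head, _, body = raw.partition(b"\r\n\r\n")
    # RFC 2046: the CRLF before a delimiter line belongs to the delimiter,
    # so splitting on it yields every part exactly as transmitted.
    delim = (rb"(?:^|\r\n)--" + re.escape(boundary.encode())
             + rb"(?:--)?[ \t]*(?:\r\n|$)")
    parts = re.split(delim, body)[1:-1]          # drop preamble and epilogue
    signed = [p for p in parts if message_from_bytes(p, policy=policy.default)
              .get_content_type() == "multipart/signed"]
    if len(signed) != 1:
        return None
    # Split the outer headers into logical lines (folded continuations stay
    # attached) and drop the MIME headers that described the wrapper.
    kept = [h for h in re.split(rb"\r\n(?![ \t])", head)
            if not h.lower().startswith((b"content-", b"mime-version:"))]
    return b"\r\n".join(kept) + b"\r\n" + signed[0] + b"\r\n"

# Constructed sample: a signed message as a list manager would relay it, with
# a footer part appended. The base64 blob is a dummy, not a real PKCS#7 signature.
SIGNED_PART = (
    b'Content-Type: multipart/signed; protocol="application/pkcs7-signature";\r\n'
    b' micalg=sha-256; boundary="sig"\r\n\r\n'
    b"--sig\r\nContent-Type: text/plain; charset=us-ascii\r\n\r\nSigned body.\r\n"
    b'--sig\r\nContent-Type: application/pkcs7-signature; name="smime.p7s"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\nQUJD\r\n--sig--\r\n"
)
OUTER_HEADERS = (b"Received: from mx.example.org\r\n by lists.example.org\r\n"
                 b"From: alice@example.org\r\nTo: list@example.org\r\n"
                 b"Subject: [list] hello\r\n")
WRAPPED = (OUTER_HEADERS + b"MIME-Version: 1.0\r\n"
           b'Content-Type: multipart/mixed; boundary="mm"\r\n\r\n'
           b"--mm\r\n" + SIGNED_PART
           + b"--mm\r\nContent-Type: text/plain\r\n\r\nlist footer\r\n--mm--\r\n")
```

Running signed_part_visible over a mailbox is a quick way to count how many relayed messages arrived with the signature hidden under a wrapper.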
The problem is not the lack of "smartness" of email clients.
Rather, this is a security problem. See Bug 578295 - S/MIME Signature not shown/verified in nested MIME-Message
Quote:
It is thus correct for an email client to show no or an invalid signature to a partially signed multipart message.