S/MIME and Sympa Mailing Lists Manager Using Signature and Encryption with a Mailing List Manager
Total Page:16
File Type:pdf, Size:1020Kb
S/MIMEand Sympa mailing lists manager Using signature and encryption with a mailing list manager Serge Aumont and Olivier Salaün ComitØ RØseaux des UniversitØs [email protected] http://www.sympa.org Keywords: Signature, Encryption, S/MIME, Mailing list A few original features Abstract: Sympa is a modern mailing list manager that include many Using internal RDBMS features such as a complete web interface, associated groupware tools, Firt goal is to support large services with high performances and scal- fine tuning for access control etc. Current Sympa version provides also ability relying on RDBMS 3MySQL, PostgreSQL, Oracle, Sybase sup- original secure way based on S/MIME: digital signature and messages ported ). Sympa has been tested with 300.000 subscribers in a single distribution process using encryption. In addition Sympa`s web interface list on a medium server 3bi PII 550mhz with 512 Mega RAM) and can use HTTPS authentication based on user X509 certificates. This pa- some users already have real usage with more than 100.000 subscri- per describes how Sympa uses S/MIMEand HTTPS standards for secure bers using MySQL. The database allows high performances. It also group messaging. resolves data acces conflict between Sympa`s mail and web interface that share the same datas. Preface The web interface is a portal for all lists : WWSympa is the name given to Sympa`s web interface. It is a direc- The development was initiated in 1997. The goal was to replace a tory of lists provided by Sympa. Non-authenticated users can access previous mailing lists server ªTULPª, initiated in 1992 to organize public information but they can also login to access to their private the Bitnet services migration and was used essentially by French uni- list environment. If identified they can access public list but also some versities. Since April 97, Sympa development provided by the French private lists depending on their privileges. After authentication ad- academic network team 3CRU) and distributed under Gnu Public Li- vanced functions are accessible on the web interface. cence. All administration task can be performed from the web interface : list creation, configuration and closing, messages moderation, subscri- Now Sympa includes a lot of sophisticated features and is widely bers and bounces management . used around the world. On Febrary 2001, we known about 1.500 domains using Sympa : Universities, ISP, administrations, government Shared document repository departments, associations, private companies, ... The web interface includes groupware features such as html archives with chronological and thread sorting , search form and message de- letion 3we think that any message sender or list owner as the write Sympa description to remove his message from archives). In addition, each list owner can create a document repository and define who can upload docu- Yet another mailing lists server... ments in it, who can browse this repository. This control can be based on the list of subscribers. The Open source community provide many mailing lists servers 3http://listes.cru.fr/sympa/robots.php3 ) . Why developing one Advance MIMEfeatures more mailing lists server ? Any mailing list manager can distribute MIME messages. Sympa also We believe that mailing lists are a major service that needs a per- use MIME : fect adaptation to each application domain. Sympa is the only soft- ·in message command parsing ; commands in multipart message are ware that provides the following characteristics : recognized bounces process ; almost all error report are structured in multi- 1. Full compliance to RFCs including MIME in any aspect of the ser- · part message vice web archives, digest respect original MIME structure. 2. Internationalization : Sympa is available with the it, de, fr, us, fi, · Ouput of commands can use an y mime structure. Example : you es, cn langages 3 pl and se are under waiting ). · can define a welcome message including some images, html etc 3. Enhanced customisation possibilities 4. Good performances Dynamic subscribers definition 5. Easy to manage for list master. Example : dynamic lists directory. 6. Integrated user and admin web interface All mailing list manager provide subscription and unsubscription to define the subscribers population. But it is now extremely important Easy extensions of features 3object oriented code). to be able to define list subscriber using their properties . Usage ex- 64 IT and Networking Computing Security S/MIME and Sympa mailing lists manager Using signature and encryption with a mailing list manager ample: definition of a list of students for some educational unit using The scenario concept the scholarship database. Sympa allows subscriber definition using dy- For each list, the configuration file defines a scenario for each opera- namic external access to LDAP directories or some SQL databases. tion that can be performed. Scenarios are applied for a particular op- No further management of subscription and unsubscription is re- eration to answer questions such as ¹Is this user allowed to subscribe quired . to this list ?ª, ¹May this list be listed by anyone ?ª, ¹is this user trusted to create a new list ?ª. A scenario consists in rules, evaluated from the first to the last. S/MIMEfeatures and needs for mailing Rule structure : ¬condition ¬auth method - ¬action lists example : is_subscriber [listname],[sender]) smtp,smime - Is user authentication based on From: header field still reasonable ? reject Mailing lists are nowadays an important media. It is not acceptable that somebody can spoof mailing list editor email to distribute false The condition is related to the context 3the incoming message, the information. Now almost all administration operations require secure user, the list etc). The authentication method depends on access authentication, both on the mail and web interface. method to the requested service. The action describe what sympa must do if both condition and authentication method match the cur- S/MIME features in use for person-to-person mail are also needed rent context. Current version of Sympa uses 3 different authentica- for group mail : tion method : ·Signature : distributing S/MIME signed messages in a mailing list is ·smtp : if authentication is based on the From: header field fairly easy. Be awarer that adding a message footer or decode and ·md5 : applied when a ticket confirmation key generated using re-encode a message will probably break the signature. Most mail- MD5 finger print or a password sent by email has been given by ing lists servers can distribute signed messages, though they ignore the requestor the signature. The authentication is always based on the From: or ·mime : if authentication is based on X509 user certificate 3S/MIME based on some password technique. Password authentication is signature or HTTPS user authentication) not user friendly and provides a low security level. Note that many lists servers reject all multipart command message, therefore multi- scenario/example part/signed messages are rejected. ·Encryption : a nice mailing lists server should distribute message as The following scenario is used for a public list with message submis- received. This include encryption of message if received encrypted sion restrictions 3applied to control if an incoming message can be for the list. Encryption is completely impossible with any mailing distributed, rejected or forwarded to the list editor). This scenario lists server. rejects incoming message from subscribers of list spammer and mes- sage with multipart/alternative content-type. It submits messages with attachement to the list editor and requires at least md5 authen- Sympa's objectives with S/MIME tication from non subscribers. is_subscriber spammer,[sender]) smtp,smime - re- ject,quiet We have set 4 main objectives for Sympa secure services : match[header-Content-type],/multipart\/ 1. Sympa must be able to recognize S/MIME signature for any op- alternative/) smtp - reject eration 3subscribe, distribute message, archive access, ...). Sympa match[header-Content-type],/multipart/) provides a way to define the expected authentication level for smtp,smime - editorkey each operation for each list. Sophisticated authentication techno- !is_subscriber [listname],[sender]) smtp - request_auth logie should be required for some sensible operations on a list !is_subscriber [listname],[sender]) md5,smime - though basic method is in use for most operations. do_it 2. S/MIME authentication must not be bypassed via the web inter- true) smtp,smime - do_it face. Authentication based on HTTPS user certificate in the web interface must be required automatically if S/MIME authentica- Authentication method in scenario. tion is required on the mail robot interface. Scenarios are used both for messages and for web access. md5 3. The distribution process should accept encrypted message for a authentication method is applied when user replies by email to a con- list. firmation request. The same when user is logged using a password 4. Certificates and private keys minimum management via Sympa received by email. to allow S/MIME and HTTPS usage right now. S/MIME signature and HTTPS user authentication are both based on user X509 certificate, the smime authentication method is applied for both cases. Using HTTPS with user authentication, the ªloginª and ªlogoutª actions are hidden. No cookie is sent to carry user Sympa S/MIMEsignature integration authentication.. HTTPS can be used without user certificate ; only one benefit