Mailets and Matchers Reference

Matchers

IsSMIMEEncrypted

Checks if a mail is S/MIME encrypted.

IsSMIMESigned

Checks if a mail is S/MIME signed.

IsX509CertificateSubject

Checks if the subject of an X509Certificate contains the supplied string. The certificate is read from the specified mail attribute.

If the specified attribute contains more than one certificate, the matcher matches if at least one of the certificates contains the given string.

Configuration string:

  • mailAttribute;string

Mailets

SMIMECheckSignature

Verifies the S/MIME signature of a message. S/MIME signing ensures that the private key owner is the real sender of the message. To be checked by this mailet, the S/MIME signature must contain the actual signature, the signer's certificate and, optionally, a set of certificates that can be used to build a chain of trust that starts from the signer's certificate and leads to a known trusted certificate.

The check consists of two steps: first, the signature is verified to be valid; then the mailet checks whether a chain of trust can be built that starts from the signer's certificate and leads to a trusted certificate. The first step verifies that the message has not been modified after it was signed and that the signer's certificate was valid at the time of signing. The second should ensure that the signer is who they claim to be.

The results of the checks performed by this mailet are written to a mail attribute whose default name is org.apache.james.SMIMECheckSignature (it can be changed using the mailet parameter mailAttribute). After the check, this attribute contains a list of SMIMESignerInfo objects, one for each of the message's signers. These objects contain the signer's certificate and the trust path.

Optionally, by specifying the strip parameter, the signature can be stripped from the message after the check. The message then becomes a standard message without an attached S/MIME signature.

The configuration parameters of this mailet are summarized below. The first ones define the location, the format and the password of the keystore containing the certificates that are considered trusted. Note: only the trusted certificate entries are read; the key entries are not.

  • keyStoreType (default: jks): Certificate store format. "jks" is the standard Java certificate store format, but pkcs12 is also quite common and compatible with standard email clients like Outlook Express and Thunderbird.
  • keyStoreFileName (default: JAVA_HOME/jre/lib/security/cacert): Certificate store path.
  • keyStorePassword (default: ""): Certificate store password.

Other parameters configure the behavior of the mailet:

  • strip (default: false): Defines whether the S/MIME signature of the message has to be stripped after the check. Possible values are true and false.
  • mailAttribute (default: org.apache.james.SMIMECheckSignature): Specifies the attribute in which the check results will be written.
  • onlyTrusted (default: true): Usually, for a message signature to be considered authentic by this mailet, it must be valid and trusted. Setting this parameter to "false" relaxes the last condition, so that "untrusted" signatures are also considered authentic.
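
The effect of onlyTrusted on the two-step check, shown as a weak configuration beside a corrected one. This is an added example, not taken from the James documentation; the keystore path and password are placeholders, and the short matcher and mailet class names assume the corresponding packages are registered in the mailet container.

```xml
<!-- Two alternative configurations for comparison; deploy only one. -->

<!-- Weak: onlyTrusted=false. A signature that verifies cryptographically is
     treated as authentic even when no chain of trust reaches a certificate
     in the keystore, so a self-signed signer certificate is enough to pass. -->
<mailet match="IsSMIMESigned" class="SMIMECheckSignature">
  <keyStoreType>pkcs12</keyStoreType>
  <keyStoreFileName>/path/to/truststore.p12</keyStoreFileName> <!-- placeholder -->
  <keyStorePassword>CHANGE_ME</keyStorePassword>               <!-- placeholder -->
  <onlyTrusted>false</onlyTrusted>
</mailet>

<!-- Corrected: onlyTrusted=true (the default, stated explicitly). Both steps
     must succeed: a valid signature and a trust path from the signer's
     certificate to a trusted certificate entry in the keystore. -->
<mailet match="IsSMIMESigned" class="SMIMECheckSignature">
  <keyStoreType>pkcs12</keyStoreType>
  <keyStoreFileName>/path/to/truststore.p12</keyStoreFileName> <!-- placeholder -->
  <keyStorePassword>CHANGE_ME</keyStorePassword>               <!-- placeholder -->
  <onlyTrusted>true</onlyTrusted>
  <!-- Keep the signature attached so the recipient's mail client can still
       verify it; strip=true would deliver a plain, unsigned message. -->
  <strip>false</strip>
  <!-- Attribute that receives the list of SMIMESignerInfo objects. -->
  <mailAttribute>org.apache.james.SMIMECheckSignature</mailAttribute>
</mailet>
```

Pointing keyStoreFileName at a store that holds only the issuers you expect to sign mail keeps the set of accepted trust anchors narrower than the JVM-wide default store.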

SMIMEDecrypt

This mailet decrypts an S/MIME encrypted message. It takes an encrypted message as input and tries to decipher it using the key specified in its configuration. If the decryption is successful, the mail is changed so that it contains the decrypted message. The mail attribute org.apache.james.SMIMEDecrypt will contain the public certificate of the key used in the process.

The configuration parameters of this mailet are summarized below. The first ones define the keystore where the key used to decrypt messages is stored.

  • keyStoreType (default: system dependent): defines the type of the store. Usually jks, pkcs12 or pkcs7
  • keyStoreFileName (mandatory): private key store path.
  • keyStorePassword (default: ""): private key store password

The other parameters define which private key has to be used (if the store contains more than one key).

  • keyAlias: private key alias.
  • keyPass: private key password
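
How the attribute written by SMIMEDecrypt can feed the IsX509CertificateSubject matcher described under Matchers, using its mailAttribute;string configuration string. This is an added example, not taken from the James documentation; the keystore path, alias, passwords, subject string and the processor name decrypted-inbound are hypothetical, and the Matcher=condition form with short class names assumes a standard James mailet container setup.

```xml
<!-- Step 1: decrypt S/MIME encrypted mail with one specific key from the store. -->
<mailet match="IsSMIMEEncrypted" class="SMIMEDecrypt">
  <keyStoreType>pkcs12</keyStoreType>
  <keyStoreFileName>/path/to/gateway-keys.p12</keyStoreFileName> <!-- placeholder -->
  <keyStorePassword>CHANGE_ME</keyStorePassword>                 <!-- placeholder -->
  <!-- Select the key explicitly because the store may hold several. -->
  <keyAlias>gateway-decrypt</keyAlias>                           <!-- hypothetical alias -->
  <keyPass>CHANGE_ME</keyPass>                                   <!-- placeholder -->
</mailet>

<!-- Step 2: on success, org.apache.james.SMIMEDecrypt holds the public
     certificate of the key that was used. The matcher reads that attribute
     and matches when the certificate subject contains the given string.
     Configuration string layout: mailAttribute;string -->
<mailet match="IsX509CertificateSubject=org.apache.james.SMIMEDecrypt;gateway.example.org"
        class="ToProcessor">
  <!-- Hypothetical processor that handles mail decrypted with the expected key. -->
  <processor>decrypted-inbound</processor>
</mailet>
```

When several SMIMEDecrypt instances are configured, one per key alias, this matcher makes it possible to route on which key actually decrypted the message.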

SMIMESign

Mailet Info: SMIME Signature Mailet

Puts a server-side SMIME signature on a message. It is a concrete subclass of Sign, with very few modifications to it, to specialize for SMIME.

Handles the following init parameters (will comment only the differences from AbstractSign):

  • <debug>.
  • <keyStoreFileName>.
  • <keyStorePassword>.
  • <keyAlias>.
  • <keyAliasPassword>.
  • <keyStoreType>.
  • <postmasterSigns>. The default is true.
  • <rebuildFrom>. The default is true.
  • <signerName>.
  • <explanationText>. There is a default explanation string template in English, displaying also all the headers of the original message (see getExplanationText).

Sign

Mailet Info: Signature Mailet

Puts a server-side signature on a message. It is a concrete subclass of AbstractSign, with very few modifications to it.

A text file with an explanation text is attached to the original message, and the resulting message with all its attachments is signed. The resulting appearance of the message is almost unchanged: only an extra attachment and the signature are added.

The kind of signature depends on the value of the <keyHolderClass> init parameter.

Handles the following init parameters (will comment only the differences from AbstractSign):

  • <keyHolderClass>: Sets the class of the KeyHolder object that will handle the cryptography functions, for example org.apache.james.security.SMIMEKeyHolder for SMIME.
  • <debug>.
  • <keyStoreFileName>.
  • <keyStorePassword>.
  • <keyAlias>.
  • <keyAliasPassword>.
  • <keyStoreType>.
  • <postmasterSigns>. The default is true.
  • <rebuildFrom>. The default is true.
  • <signerName>.
  • <explanationText>. There is a default explanation string template in English, displaying also all the headers of the original message (see getExplanationText).