EmailStore Digital Signature is intended to provide proof that a message has not been modified in Email Store since it was stored. A digital signature is binary data calculated from the email data and stored along with the email. The calculation is based on private/public key cryptography, so nobody can forge a signature provided the private key remains undisclosed, while everyone can verify that the data has not been changed provided the public key is available.
Requirements: MPP 4.7.0 or higher, a MySQL server, and OpenSSL tools for public/private key generation
To create all tables, including the new "message_signature" table, use:
To create only the new "message_signature" table, use:
To enable this feature, make sure the "message_signature" table exists alongside the required archival tables, generate a new public/private DSA key pair using the OpenSSL tools, and add the "archival_signer" option to a group that has archival enabled.
Generate DSA Private/Public Key Pair
Though generation of a DSA private/public key pair is not part of MPP functionality, here is an example of how to generate one. The private key is needed by the DSA Engine defined in MPP. The public key is needed by the application (Qreview) that verifies a signature.
1. Generate the DSA parameters file param_4096.pem for a 4096-bit key:
openssl dsaparam -out param_4096.pem 4096
2. Generate the private key file prv_archive_4096.pem from the DSA parameters:
openssl gendsa -out prv_archive_4096.pem param_4096.pem
3. Generate the public key file pub_archive_4096.pem from the private key file:
openssl dsa -in prv_archive_4096.pem -pubout -out pub_archive_4096.pem
The files prv_archive_4096.pem and pub_archive_4096.pem can be copied to /usr/local/MPP.
Define DSA Engine
The administrator defines an instance of the DSA Engine in the mppd.conf.xml file under the <mppd><engines> node, with node name <dsa>. The ID of the engine instance is given by the id attribute of the node.
<mppd>
  ...
  <engines>
    <dsa id="my_dsa_engine_id">
      <key_id>0</key_id>
      <private_key_file>
        <path>/usr/local/MPP/prv_archive_4096.pem</path>
        <format>pem</format>
      </private_key_file>
    </dsa>
  </engines>
  ...
  <groups>
    <group id="archival_group">
      ...
      <archive>mysql://USER:PASS@HOST:DB</archive>
      <archive_signer>my_dsa_engine_id</archive_signer>
    </group>
  </groups>
</mppd>
To verify message signatures, use Qreview (http://host:20000):
Log in as admin and go to Setup->Module Config, where the following variables should be set:
signature_verification_enabled 1
signature_public_key_path /usr/local/MPP/pub_archive_4096.pem
When you now visit the Archive link, you should notice a "green tick" near the Subject of each message. Click on the tick to verify the message.
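As an added example, not part of the MPP documentation, the following shell script reproduces the property described above with the same OpenSSL tools: a message signed with the private key verifies against the public key alone, and a single-character change to the stored message makes verification fail. It assumes SHA-256 as the digest and a 1024-bit key purely so the demo runs quickly; MPP's own digest and signature storage format are not described on this page.

```shell
#!/bin/sh
# Added example (not MPP code): sign-then-verify with OpenSSL DSA keys.
# Assumptions: SHA-256 digest, 1024-bit key (speed only; use 4096 as the page does).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Same three steps as the page, with smaller parameters so the demo is quick.
gen_keys() {
    openssl dsaparam -out "$WORK/param.pem" 1024 2>/dev/null
    openssl gendsa -out "$WORK/prv.pem" "$WORK/param.pem" 2>/dev/null
    openssl dsa -in "$WORK/prv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
}

# Constructed sample message standing in for the stored email data.
write_message() {
    printf 'From: alice@example.test\nSubject: Quarterly report\n\nFigures attached.\n' > "$1"
}

# Signing happens once, at archival time, and needs the private key.
sign_message() {
    openssl dgst -sha256 -sign "$WORK/prv.pem" -out "$2" "$1"
}

# Verification needs only the public key; echoes 0 (intact) or 1 (tampered).
verify_message() {
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$2" "$1" >/dev/null 2>&1; then
        echo 0
    else
        echo 1
    fi
}

gen_keys
write_message "$WORK/msg.eml"
sign_message "$WORK/msg.eml" "$WORK/msg.sig"
ORIGINAL_RESULT=$(verify_message "$WORK/msg.eml" "$WORK/msg.sig")

# Alter one character of the archived copy; the stored signature no longer matches.
sed 's/Figures attached/Figures attached!/' "$WORK/msg.eml" > "$WORK/tampered.eml"
TAMPERED_RESULT=$(verify_message "$WORK/tampered.eml" "$WORK/msg.sig")

echo "original verifies (0=yes): $ORIGINAL_RESULT; tampered verifies (0=yes): $TAMPERED_RESULT"
```

Verification here exits non-zero on a mismatched signature, which is the same signal a reviewer gets from a missing green tick in Qreview.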
Note: Qreview requires the Crypt::OpenSSL::DSA Perl module to be installed for message verification to work correctly. Please check the following articles:
MPP GUI install on RH / CentOS / Fedora Core Linux
MPP GUI install on Debian/Ubuntu