Introduction
EmailStore Digital Signature provides proof that a message has not been modified in Email Store since it was stored. The digital signature is binary data calculated from the email data and stored along with the email. The calculation is based on public/private key cryptography: nobody can forge a signature as long as the private key remains undisclosed, while anyone who has the public key can check that the data has not been changed. Note what the signature does and does not prove: it covers the message as it was at the moment MPP signed it, so a message altered before it reached the archive is signed as-is, and a disclosed private key lets an attacker re-sign modified messages. Protect the private key at least as carefully as the archive itself.
Requirements: MPP 4.7.0 or higher, a MySQL server, and the OpenSSL tools for public/private key generation.
To create all tables, including new "message_signature" table use:
ftp://ftp.messagepartners.com/pub/mpp4/sql/mpp-mysql.sql
To create only new "message_signature" table use:
ftp://ftp.messagepartners.com/pub/mpp4/sql/migrate_4_7_0.sql
To enable this feature: make sure the "message_signature" table exists alongside the required archival tables, generate a new public/private DSA key pair with the OpenSSL tools, and add the "archive_signer" option (spelled as in the configuration example below) to the group that has archiving enabled.
Generate DSA Private/Public Key Pair
Although generating a DSA private/public key pair is not part of MPP's functionality, here is an example of how to do it. The private key is needed by the DSA Engine defined in MPP; the public key is needed by the application (Qreview) that verifies signatures. Only the signing host needs the private key.
1. Generate DSA parameters, file param_4096.pem for a 4096-bit key (4096 is not one of the FIPS 186-4 sizes, 2048 and 3072; if your OpenSSL build refuses it, use 3072 throughout):
openssl dsaparam -out param_4096.pem 4096
2. Generate the private key file prv_archive_4096.pem from the DSA parameters:
openssl gendsa -out prv_archive_4096.pem param_4096.pem
3. Generate the public key file pub_archive_4096.pem from the private key file:
openssl dsa -in prv_archive_4096.pem -pubout -out pub_archive_4096.pem
The files prv_archive_4096.pem and pub_archive_4096.pem can be copied to /usr/local/MPP. Restrict the private key file so that only the user mppd runs as can read it (for example chmod 600); the public key file can be world-readable.
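The three steps above, carried through as an added example that is not part of the original page or of MPP: the script generates the parameters, private key and public key exactly as described, then checks the key pair by signing a constructed sample message, verifying it with the public key, and showing that a tampered copy fails verification. The function names, the temporary directory, the sample message, the SHA-256 digest and the use of plain `openssl dgst` are assumptions for this demonstration; the page does not document which bytes MPP hashes or how it stores the signature, so this is not MPP's own signing format.

```shell
#!/bin/sh
# Added example (not MPP code): DSA key generation as on this page, plus a
# sign/verify/tamper round trip with plain OpenSSL to prove the pair works.
set -eu

# Generate DSA parameters, private key and public key into directory $1
# with key size $2 (the page uses 4096; 2048 and 3072 are the FIPS sizes).
gen_dsa_keys() {
    dir=$1; bits=$2
    openssl dsaparam -out "$dir/param_$bits.pem" "$bits" 2>/dev/null
    openssl gendsa -out "$dir/prv_archive_$bits.pem" "$dir/param_$bits.pem" 2>/dev/null
    chmod 600 "$dir/prv_archive_$bits.pem"   # only the signing daemon needs it
    openssl dsa -in "$dir/prv_archive_$bits.pem" -pubout \
        -out "$dir/pub_archive_$bits.pem" 2>/dev/null
}

# Sign file $2 with private key $1; the DER-encoded DSA signature goes to $3.
# Digest choice (SHA-256) is an assumption of this example.
sign_file() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Verify file $2 against signature $3 with public key $1.
# Prints "ok" and returns 0, or prints "tampered" and returns 1.
verify_file() {
    if openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1; then
        echo ok; return 0
    else
        echo tampered; return 1
    fi
}

# Full round trip in a scratch directory; prints the result for the
# untouched message followed by the result for a modified copy.
demo() {
    bits=${1:-2048}
    work=$(mktemp -d)
    gen_dsa_keys "$work" "$bits"
    # Constructed sample message, standing in for an archived email.
    printf 'From: alice@example.com\nSubject: quarterly report\n\nPlease review.\n' \
        > "$work/msg.eml"
    sign_file "$work/prv_archive_$bits.pem" "$work/msg.eml" "$work/msg.sig"
    r1=$(verify_file "$work/pub_archive_$bits.pem" "$work/msg.eml" "$work/msg.sig") || true
    # Change one word in the body: the stored signature must no longer match.
    sed 's/quarterly/annual/' "$work/msg.eml" > "$work/msg_tampered.eml"
    r2=$(verify_file "$work/pub_archive_$bits.pem" "$work/msg_tampered.eml" "$work/msg.sig") || true
    rm -rf "$work"
    echo "$r1 $r2"
}
```

Run `demo 4096` to reproduce the page's key size (parameter generation at that size can take several minutes); `demo 2048` finishes in seconds. Whatever the size, the second verification must report "tampered": a signature that still verifies after the body changed means the wrong key or the wrong file was checked.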
Define DSA Engine
The administrator defines an instance of the DSA Engine in the mppd.conf.xml file under the <mppd><engines> node, with node name <dsa>. The ID of the engine instance is given by the id attribute of that node; the <archive_signer> element of an archiving group references the engine by this ID.
Example:
<mppd>
    ....
    <engines>
        <dsa id="my_dsa_engine_id">
            <key_id>0</key_id>
            <private_key_file>
                <path>/usr/local/MPP/prv_archive_4096.pem</path>
                <format>pem</format>
            </private_key_file>
        </dsa>
    </engines>
    ...
    <groups>
        <group id="archival_group">
            ....
            <archive>mysql://USER:PASS@HOST:DB</archive>
            <archive_signer>my_dsa_engine_id</archive_signer>
        </group>
    </groups>
</mppd>
Message Verification
To verify a message signature, use Qreview (http://host:20000):
Log in as admin and go to Setup->Module Config, where the following variables should be set:
signature_verification_enabled 1
signature_public_key_path /usr/local/MPP/pub_archive_4096.pem
When you now visit the Archive link, you should see a "green tick" near the Subject of each message. Click the tick to verify the message. The path must point at the public key that matches the private key configured in the DSA Engine; a mismatched key makes every message fail verification.
Note: Qreview requires the Crypt::OpenSSL::DSA Perl module to be installed for message verification to work. See the following articles:
MPP GUI install on RH / CentOS / Fedora Core Linux
MPP GUI install on Debian/Ubuntu
