Mailspect Documentation
Creating Digital Signatures for Archive Signing


The EmailStore digital signature provides proof that a message has not been modified in Email Store since it was stored. The digital signature is binary data calculated from the email data and stored along with the email. The calculation is based on private/public key cryptography, so nobody can forge a signature as long as the private key remains undisclosed, while anyone who has the public key can verify that the data has not been changed.

Requirements: MPP 4.7.0 or higher, MySQL server and OpenSSL tools for public/private key generation

To create all tables, including the new "message_signature" table, use:

To create only the new "message_signature" table, use:

To enable this feature, make sure the "message_signature" table exists alongside the required archival tables, generate a new public/private DSA key pair using the OpenSSL tools, and add the "archival_signer" option to the group that has archival enabled.

Generate DSA Private/Public Key Pair

Although generating a DSA private/public key pair is not part of MPP functionality, here is an example of how to generate one. The private key is needed by the DSA Engine defined in MPP. The public key is needed by the application (Qreview) that verifies the signature.

1. Generate the DSA parameters file param_4096.pem for a 4096-bit key:

openssl dsaparam -out param_4096.pem 4096

2. Generate the private key file prv_archive_4096.pem from the DSA parameters:

openssl gendsa -out prv_archive_4096.pem param_4096.pem

3. Generate the public key file pub_archive_4096.pem from the private key file:

openssl dsa -in prv_archive_4096.pem -pubout -out pub_archive_4096.pem

The files prv_archive_4096.pem and pub_archive_4096.pem can be copied to /usr/local/MPP.

Define DSA Engine

The administrator defines an instance of the DSA Engine in the mppd.conf.xml file under the <mppd><engines> node, with node name <dsa>. The ID of the engine instance is given by the id attribute of the node.


<dsa id="my_dsa_engine_id">
<group id="archival_group">

Message Verification

To verify message signature, use Qreview (http://host:20000):

Log in as admin and go to Setup->Module Config, where the following variables should be set:

signature_verification_enabled    1
signature_public_key_path         /usr/local/MPP/pub_archive_4096.pem

When you open the Archive link now, you should see a green tick near the Subject of each message. Click the tick to verify the message.
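The following added example (not from the Mailspect documentation or Qreview) walks through what the key generation steps above and the verification step do end to end: it generates a DSA key pair with the same three openssl commands, signs a constructed sample message with the private key, verifies it with the public key only, and then shows that a modified copy of the message is rejected. The 1024-bit key size is an assumption made only to keep the demo fast; the page uses 4096 bits for real deployments.

```shell
#!/bin/sh
# Added demo, not MPP code. Requires the openssl command-line tool.
set -u

archive_signature_demo() {
  bits="${1:-1024}"            # demo size only; the page uses 4096
  work="$(mktemp -d)" || return 1
  trap 'rm -rf "$work"' EXIT

  # Same three steps as the documentation, written to a temp dir.
  openssl dsaparam -out "$work/param.pem" "$bits" >/dev/null 2>&1 || return 1
  openssl gendsa -out "$work/prv.pem" "$work/param.pem" >/dev/null 2>&1 || return 1
  openssl dsa -in "$work/prv.pem" -pubout -out "$work/pub.pem" >/dev/null 2>&1 || return 1

  # Constructed sample message standing in for an archived email.
  printf 'From: alice@example.com\nSubject: quarterly report\n\nFigures attached.\n' \
    > "$work/msg.eml"

  # Sign the message data: only the private key holder (the MPP DSA engine) can do this.
  openssl dgst -sha256 -sign "$work/prv.pem" -out "$work/msg.sig" "$work/msg.eml" || return 1

  # Verify with the public key alone, as Qreview does.
  openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/msg.sig" \
    "$work/msg.eml" >/dev/null 2>&1 || return 1

  # Change one word of the body: the stored signature must no longer verify.
  sed 's/Figures attached/Figures amended/' "$work/msg.eml" > "$work/tampered.eml"
  if openssl dgst -sha256 -verify "$work/pub.pem" -signature "$work/msg.sig" \
       "$work/tampered.eml" >/dev/null 2>&1; then
    return 1                   # a modified message was wrongly accepted
  fi

  echo "original verified, tampered copy rejected"
  return 0
}

archive_signature_demo "$@"
```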

Note: Qreview requires the Crypt::OpenSSL::DSA Perl module to be installed for message verification to work correctly. Please see the following articles:

MPP GUI install on RH / CentOS / Fedora Core Linux
MPP GUI install on Debian/Ubuntu