Known Limitations
Please note that we've decided to move our support portal to help.savignano.net to to further improve the services for our customers.
The updated version of this page can be found at https://help.savignano.net/snotify-email-encryption/known-limitations
This page lists all known limitations that are currently unresolved. For a list of resolved limitations, please see Resolved Issues.
- 1 General Limitations
- 2 Marginal Limitations
- 2.1 Alias not found in S/MIME keystore
- 2.2 LDAP: Unprocessed Continuation Reference(s)
- 2.3 Duplicate email addresses
- 2.4 Invites in encrypted emails not visible in MS Outlook
- 2.5 PGP: GnuPG keybox format
- 2.6 PGP: AEAD encrypted emails cannot be decrypted
- 2.7 PGP: No indicators added for one-pass signatures
- 3 Third-party App Limitations
- 4 Other Third-party Limitations
General Limitations
Limitations that might affect normal usage of S/Notify in Jira or Confluence
There are currently no known limitations in this category.
Marginal Limitations
Limitations that occur only under very specific circumstances
Alias not found in S/MIME keystore
Preconditions
you use S/MIME encryption
you want to decrypt incoming mail or sign outgoing mail (or both)
in Server Key Management, you have configured a PKCS#12 keystore (file suffix pfx or p12)
Description
The issue appears only under rare circumstances which we haven’t been able to reproduce on our end. Please contact us to provide any input if you happen to be affected by this issue.
In these circumstances, if you run Verify Settings, an error displays saying that the private key with alias <some alias> was not found in the keystore.
Resolution
We are currently collecting more information to find out why this happens and how to fix it programmatically. Until then, please apply the work-around described below.
Work-around
The keystore can be fixed using the Java keytool utility like so:
keytool -importkeystore -srckeystore original_keystore.pfx -destkeystore fixed_keystore.p12 -deststoretype pkcs12
This causes the keytool utility to read the original keystore and create a copy that has the internal issues fixed. Configure S/Notify to use this fixed copy.
LDAP: Unprocessed Continuation Reference(s)
Preconditions
you use Active Directory
you have multiple catalogs connected in your Active Directory setup
Description
Under the above circumstances, the retrieval of S/MIME certificates from the Active Directory may fail with an error message saying: Unprocessed Continuation Reference(s).
This means that Active Directory has returned additional directories to look at (a so-called referral), but the client did not follow it. With referral chasing enabled in Active Directory, the client could go from domain to domain in the Active Directory tree trying to satisfy the request if the query cannot be satisfied by the initial domain. This method can be extremely time-consuming, which is why S/Notify does not perform referral chasing, but Active Directory does not accept that and throws an error when the client does not follow the referral.
Resolution
S/Notify should ignore the referral error. However, this is being prepared for the next release.
If, however, it is required to follow referrals in order to search the whole Active Directory, it is recommended to use Active Directory's Global Catalog instead, which is much faster. To connect to the Global Catalog, in the LDAP connection setup, replace 389 by port 3268, or port 686 by 3269, respectively.
Work-around
Use Active Directory's Global Catalog. To connect to the Global Catalog, in the LDAP connection setup, replace 389 by port 3268, or port 686 by 3269, respectively.
Duplicate email addresses
Preconditions
you have two or more users sharing the same email address
and user uploads are allowed
Description
If, in your Jira or Confluence, multiple users share the same email address, S/Notify cannot determine which of these users the email is actually meant for. Usually, this doesn't matter, because all these users would have to share the same S/MIME certificate or PGP key anyway, as these are bound to the email address.
As a consequence, if S/Notify is to use an S/MIME certificate or PGP key uploaded to the user profile, the upload should be made to the user profiles of all users with that email address. When uploading different S/MIME certificates or PGP keys to users that share the same email address, it is undetermined which of them will be used to encrypt an email.
Note that this is not a problem if S/Notify is configured to get S/MIME certificates and PGP keys from a key store or key server rather than from the user profile.
Resolution
In the unlikely case that different users with the same email address have uploaded different S/MIME certificates or PGP keys, it is impossible to determine which of them is the desired one for a specific email. Therefore, this specific issue cannot be resolved completely by the app.
However, S/Notify displays a warning in the user profile if there is another active user using that email address.
Work-around
Different users having the same email address should not have different S/MIME certificates or PGP keys uploaded to their user profile.
Invites in encrypted emails not visible in MS Outlook
Preconditions
outbound email encrypted with S/MIME
outgoing mail contains an ics file attachment for an invite
recipient views message in Microsoft Outlook client
Description
Note that this issue is not specific to S/Notify, but it occurs with any invite in an encrypted email viewed in Microsoft Outlook.
If an encrypted message contains an invite, the invite cannot be seen in a Microsoft Outlook client. If the message is not encrypted, the invite works as expected.
This is a long-standing problem in the Microsoft Outlook client. Outlook tries to recognize invites in order to present a dialog to accept or deny them. However, to do so, Outlook relies on a message header with Content-Type: text/calendar, but when a message is encrypted, this message header is inside the encrypted part. Obviously, Outlook does not decrypt the message when checking for that header, but later nonetheless hides the corresponding ics file attachment. As a result, neither the dialog nor the attachment can be seen, and the invite seems to have disappeared.
Resolution
There is no working solution. Microsoft needs to fix this, but hasn’t yet.
Work-around
As the only existing work-around, Microsoft always sends invites unencrypted.
You can configure S/Notify to send emails unencrypted when they include ics attachments. Refer to Advanced Settings | Key skipEncryptionRegex for the relevant setting and reach out to our service desk if you run into this problem.
PGP: GnuPG keybox format
Preconditions
you use GnuPG 2.1 or newer which stores its PGP keyring in the new keybox format
you want to use the same GnuPG keystore file with S/Notify
Description
Under the above circumstances, S/Notify accepts the keystore file, but cannot read any keys from the keystore.
When you hit Verify Settings, it returns: IOException - invalid armor.
Resolution
S/Notify does not currently support the new keybox format. However, it is being prepared for the next feature release.
Work-around
Either configure GnuPG to use the old keystore format, or export the keys in ASCII-armored or (old) GPG binary format.
PGP: AEAD encrypted emails cannot be decrypted
Preconditions
inbound email encrypted with PGP
the email is encrypted using the new AEAD method
Description
Decryptions fails. The log file shows an error unknown packet type 20.
GnuPG 2.3 generates keys with an AEAD algorithm, and GnuPG 2.3 by default uses this algorithm to encrypt. However, to date, while AEAD is proposed to become part of the OpenPGP standard, it has not been approved yet (see OpenPGP Message Format Draft rfc4880bis-10). To the best of our knowledge, it is not yet broadly supported. Applications based on GnuPG usually still use GnuPG 2.2 under the hood.
Resolution
We are working to include AEAD support in the next feature release of S/Notify.
Work-around
In GnuPG 2.3, the --rfc4880
or --openpgp
flag must be used so it conforms to the PGP standard.
PGP: No indicators added for one-pass signatures
Preconditions
inbound email encrypted with PGP
the email is encrypted with a one-pass signature (packet tag 4 according to RFC 4880, the Flowcrypt GMail extension is known to use this)
S/Notify is configured to “add indicators” to issues from incoming mails
Description
The message is decrypted, but the signature symbol is not added.
Resolution
We are planning to improve one-pass signature support in a future release of S/Notify.
Work-around
Use conventional detached signatures.
Third-party App Limitations
Limitations that might occur in combination with other apps
Note that S/Notify is designed in a way that allows for maximum compatibility with other apps sending or receiving emails. Although we cannot guarantee compatibility with any app out there, we will always do our best to provide you with a solution, should you run into any issues. Apps that use the standard mail functionality of Jira or Confluence should always work without problems.
Jira Email This Issue
The app Jira Email This Issue (also known as: JETI) significantly extends Jira’s mail functionality.
S/Notify Email Encryption works seemlessly with the Classic Mail Handler in Jira Email This Issue
If Jira Email This Issue is used with its own custom built-in mail handler of this app, a patch is required to make it work with S/Notify Email Encryption (see description under Work-around)
As of Email This Issue 9.2.0-GA, support for Classic Mail Handlers has been dropped. For details, please refer to the release notes of Email This Issue.
Incoming mail with JETI Next Gen Mail Handler
Precondition
Jira Email This Issue app is configured to receive emails over its own built-in Next Gen Mail Handler
Description
S/Notify is not being invoked by the Next Gen mail handler. As a result
incoming mail cannot be decrypted
signature attachments cannot be removed
indicators cannot be added
Resolution
We have proposed a solution to the vendor of Email This Issue to make S/Notify and JETI Next Gen Mail Handlers compatible with each other. Customers interested in the integration are encouraged to upvote the feature request for Email This Issue here and/or to contact META-INF, the vendor of Email This Issue to ask for their current progress status.
Work-around
There is a work-around using a simple patch in Email This Issue. In order to enable Email This Issue to use the email decryption handlers in S/Notify, create a text file named javamail.providers
with the following contents:
protocol=imap; type=store; class=net.savignano.snotify.jira.mailer.imap.SnotifyImapStore; vendor=savignano software solutions, http://www.savignano.net;
protocol=imaps; type=store; class=net.savignano.snotify.jira.mailer.imap.SnotifyImapsStore; vendor=savignano software solutions, http://www.savignano.net;
protocol=pop3; type=store; class=net.savignano.snotify.jira.mailer.pop3.SnotifyPop3Store; vendor=savignano software solutions, http://www.savignano.net;
protocol=pop3s; type=store; class=net.savignano.snotify.jira.mailer.pop3.SnotifyPop3sStore; vendor=savignano software solutions, http://www.savignano.net;
or just download the file from https://download.savignano.net/snotify/jira/releases/patch/javamail.providers
Install S/Notify if not done so already (minimum version 3.6.1). Now you can apply the patch:
download the Email This Issue app to your computer
open the jar file using a ZIP utility (all jars are archives in zip format)
add the mail providers file to the archive under
META-INF/javamail.providers
save and close the jar file
You have now successfully applied the patch.
Next, go to Jira administration > Manage apps, then click Upload app and select the patched jar file.
Now you can use Email This Issue to receive encrypted email and get it automatically decrypted by S/Notify.
There’s a little downside to this solution: if you ever choose to uninstall S/Notify, you will have to remember to remove the patch in Email This Issue at the same time.
Incoming encrypted mail
Precondition
Send Email To Page app is installed in Confluence to process incoming emails
Users send encrypted emails
Description
Incoming email won’t get decrypted because in Confluence, there is usually no support for incoming email, so S/Notify for Confluence does not include the functionality.
Resolution
While S/Notify could process incoming email with Send Email To Page, to date, we haven’t seen any requests.
Customers interested in the integration are encouraged to let us know!
Work-around
There’s no way currently. Please contact our service desk for available options.
Other Third-party Limitations
Microsoft Outlook Issues
Invalid signatures
Precondition
Signed-only emails sent from an Outlook client are recognized as invalid and possibly tampered with
Description
The signature of signed-only (not encrypted) emails sent from a Microsoft Outlook client are shown as invalid.
This is caused by an incorrect implementation of the SMTP protocol in Outlook. A full stop character at column 1 of a message text line has a special meaning in SMTP. It is interpreted and removed by the SMTP server when the client delivers the email. Because of this, RFC 5321: Simple Mail Transfer Protocol requires hat the client adds an extra full stop character in this case. However, Outlook fails to do so, which leads to the receiving client rightly complaining about an invalid signature due to the email being modified during transport.
Resolution
Microsoft needs to fix the SMTP implementation in Outlook.
Work-around
The use of opaque signatures seems to avoid the SMTP issue. However, the latest Outlook does not seem to provide an option to use opaque signatures.
There’s no way for the receiving email client to implement a work-around.
Microsoft Exchange Issues
Invalid signatures
Precondition
Signed-only emails sent through an Exchange server are recognized as invalid and possibly tampered with
Description
The signature of signed-only (not encrypted) emails sent through a Microsoft Exchange server are shown as invalid.
This is caused by Exchange reformatting emails, which leads to the receiving client rightly complaining about an invalid signature due to the email being modified during transport.
Resolution
Microsoft Exchange should not reformat emails at all, but at least not signed emails.
Work-around
The use of opaque signatures prevents the issue. However, the latest Outlook does not seem to provide an option to use opaque signatures.
There’s no way for the receiving email client to implement a work-around.