-
Q. What is OpenPEC?
A. OpenPEC is an open source project that aims to implement a "Posta Elettronica Certificata" system following the guidelines and the technical regulations specified by the "Centro Tecnico per la Rete Unitaria della Pubblica Amministrazione". Every Public Administration defined in the Italian Decreto Legge 29/93 (Amministrazioni Centrali, Enti Locali, Istituti scolastici e universitari, etc.) has to review its IT systems before 1/01/2004 in order to manage the “Protocollo Informatico”.
OpenPEC aims to be a completely open source system, compatible with the issued technical specifications and certified by the Technical Center for RUPA.
-
Q. Is OpenPEC free for commercial and/or personal use?
A. Yes. OpenPEC is distributed under the General Public Licence (GPL) by the Free Software Foundation (FSF). Therefore, you may freely copy, modify and distribute the software under the licence terms. For any further information, read the COPYING file shipped with the program.
-
Q. Where can I find more information about OpenPEC?
A. - Online documents:
http://www.openpec.org/documents.shtml
- Mailing lists:
http://www.openpec.org/mlists.shtml
PLEASE: Before writing to any list, read this FAQ and the available documentation. Also, search the list archives: maybe somebody else has already asked the same question. This makes it easier to focus on problems which are still without a solution.
- The OpenPEC source distribution contains a directory:
/opec/doc
where you can find further documentation.
-
Q. Where can I find OpenPEC?
A. You can download the installation package from
http://sourceforge.net/project/showfiles.php?group_id=87668
For CVS sources follow this procedure:
cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/openpec login
(when you are prompted for the password, simply press Enter)
cvs -d:pserver:anonymous@cvs.sourceforge.net:/cvsroot/openpec co -P .
path: [INSTALL PATH]\opec\src\
-
Q. Which operating systems does OpenPEC work on?
A. It should work on every operating system where OpenSSL 0.9.7d is installed (there is a bug in the S/MIME verify in earlier versions).
However, it has been tested on the following distributions:
- Redhat Linux 7.3 (see the OpenSSL note below)
- Mandrake Linux 9.1
- Fedora Core 1
* Update OpenSSL to version 0.9.7d
-
Q. Do I need to install an LDAP server locally?
A. In order to work, OpenPEC needs to fetch the index for "Posta Certificata" managed by CNIPA.
Nevertheless, this index requires every service supplier to implement a local copy of the index.
For the installation and configuration of OpenLDAP, see the document INSTALL.ldap shipped with the distribution.
There are two ways to consult the CNIPA Posta Certificata index:
- using the LDAP protocol, with appropriate queries from systems and applications available on RUPA and/or the Internet, with the following parameters:
URI: indicepa.gov.it, port 389 (LDAP standard), base DN c=it;
- using the web interface, available to every user of an accredited PA and/or present on RUPA and to any other user from the Internet, at the following address:
http://indicepa.gov.it/
-
Q. Once I have installed OpenPEC, is my system certified?
A. No. OpenPEC is only an enabling element.
OpenPEC is a plug-in module for an existing email system (MTA), at the moment through the SMTP/LMTP protocol, and its goal is to make it possible to certify the system where it is installed.
-
Q. When a patch or a new release is out, is the certification still valid? Is there a threshold of code evolution below which the certification is still valid (e.g. if a patch or a new release fixes a bug without introducing any important new feature)?
A. Generally it is difficult to find a defined boundary line (in terms of code modifications) below which the certification is maintained, so, in general, for every patch/release you will need a new certification.
Obviously this is not applied blindly: since the certification process is aimed at system interoperability, if the patch contains modifications like text changes for an acknowledgement of receipt, you don't need to be certified again.
-
Q. How do I install OpenSSL 0.9.7d on Fedora Core 1?
A.
Since there are no 0.9.7d rpms for Fedora Core 1, we'll use the Turbolinux ones, after following these steps:
- create a new perl symlink:
ln -s `which perl` /bin/perl5
- create the symlinks for the needed libraries:
ln -s /usr/lib/libcrypto.so /usr/lib/libcrypto.so.4
ln -s /usr/lib/libssl.so /usr/lib/libssl.so.4
Now you can install 0.9.7d:
rpm -Uvh --nodeps --force openssl-0.9.7d.rpm openssl-devel-0.9.7d.rpm
You can download the rpm packages from www.rpmfind.net
-
Q. Which certificates do I need for a PEC infrastructure?
A.
You need two kinds of certificates:
. one or more certificates for TLS connections (IMAPS, POPS, SMTPS and HTTPS)
. an x509 certificate (S/MIME) for every PEC domain
For TLS connections, a 40-bit cryptography certificate (the kind commonly used for e-commerce) is enough.
For signing emails you need an x509 certificate of the kind generally used by single users to sign outgoing emails (Digital Certificates for individuals).
-
Q. In this case, the x509 certificate doesn't refer to an individual, but to a server: does this have any consequences?
A.
No, what you need is a class 1 x509 certificate (for which only the existence of the email address, specified in the "Allegato Tecnico" as posta-certificata@, is verified): in the contract subscription, the PEC service supplier (for example a company) will be specified instead of the individual.
-
Q. If we request only one certificate for TLS connections, are we forced to run every service on a single server?
A.
In general, for load-balanced architectures, only one certificate is used, issued for the load balancer's host+domain and copied onto every balanced server;
from a legal point of view you'll need to buy the certificate and a number of licences equal to the number of balanced servers.
For HTTPS, you need a virtual host configuration on the balanced web servers, so that the client's browser always gets the same host+domain.
For SMTPS, IMAPS and POPS, the host+domain of the certificate only needs to match the one configured in the MUA, so you won't have alias problems, whichever server the certificate is installed on.
-
Q. How do you manage BCC addresses?
A.
When a mail with BCC addresses gets to the check-in point, it is simply discarded, since it doesn't pass the "Controlli formali sui messaggi in ingresso" (chapter 6.3.1 of the "Allegato Tecnico").
BCC addresses set in the email client are only part of the SMTP envelope, not of the message header (otherwise the addressees could see them), so this creates a discrepancy between envelope and header which would run against CNIPA rules.
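The envelope/header discrepancy described above, as an added Python example (not OpenPEC's own code): it compares the SMTP envelope recipients with the To and Cc headers and reports any recipient that appears only in the envelope. The function names and the sample message are assumptions made for this illustration, and the other formal checks of the "Allegato Tecnico" are not covered.

```python
from email import message_from_string
from email.utils import getaddresses


def header_recipients(msg):
    """Return the lower-cased addresses listed in the To and Cc headers."""
    fields = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _name, addr in getaddresses(fields) if addr}


def envelope_matches_header(envelope_rcpts, raw_message):
    """Compare envelope recipients (RCPT TO) with the visible header recipients.

    Returns (accepted, hidden): hidden lists the envelope recipients that are
    absent from To/Cc, which is what a BCC address looks like at check-in.
    """
    msg = message_from_string(raw_message)
    visible = header_recipients(msg)
    hidden = sorted(r.lower() for r in envelope_rcpts if r.lower() not in visible)
    return (not hidden, hidden)


# Constructed sample message: all addresses are made up for this example.
SAMPLE = (
    "From: Mario Rossi <mario@pec.example.it>\r\n"
    "To: Ufficio <ufficio@pec.example.org>\r\n"
    "Cc: archivio@pec.example.org\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    # Envelope and header agree: the message passes this check.
    print(envelope_matches_header(
        ["ufficio@pec.example.org", "archivio@pec.example.org"], SAMPLE))
    # One recipient exists only in the envelope (a BCC): the message fails.
    print(envelope_matches_header(
        ["ufficio@pec.example.org", "segreto@pec.example.net"], SAMPLE))
```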