Just to show the mismatch, here a screenshot

sogo-spoofed-signed-valid-details.png (44,720 bytes)   

sogo-spoofed-signed-valid-details.png (44,720 bytes)   

The viewer is fixed; a proper message is displayed if the certificate doesn't match the sender address.

The fix looks for the email address in the CN attribute. This is wrong. The email address is either in the SubjectAltName (nowadays the prefered place) or in the emailAddress attribute. In many S/MIME certificates the CN field is either missing or contains the name of the certificate holder.

From https://datatracker.ietf.org/doc/html/rfc8550#section-3
Receiving agents MUST recognize
both ASCII and internationalized email addresses in the
subjectAltName extension. Receiving agents MUST recognize email
addresses in the distinguished name field in the PKCS 0000009 [RFC2985]
emailAddress attribute:

Can you share the JSON payload of the server response when viewing a signed message? I would like to see the content of .parts.certificates.

Here we go...

{
	"certificates": [
		{
			"issuer": [
				[
					"countryName",
					"DE"
				],
				[
					"organizationName",
					"Deutsche Post AG"
				],
				[
					"commonName",
					"DPDHL User CA I5"
				]
			],
			"subject": [
				[
					"commonName",
					"noreply, DHL, BN"
				],
				[
					"emailAddress",
					"noreply@dhl.de"
				]
			]
		}
	]
}

{
	"certificates": [
		{
			"issuer": [
				[
					"countryName",
					"GB"
				],
				[
					"stateOrProvinceName",
					"Greater Manchester"
				],
				[
					"localityName",
					"Salford"
				],
				[
					"organizationName",
					"COMODO CA Limited"
				],
				[
					"commonName",
					"COMODO RSA Client Authentication and Secure Email CA"
				]
			],
			"subject": [
				[
					"emailAddress",
					"XX@XXXX.de"
				]
			]
		}
	]
}

I'm closing the issue, but SubjectAltName could actually store multiple email addresses. We're not handling this case for now. I would need the JSON payload of such a certificate to properly add support.

I created a S/MIME certificate with 2 alternate addresses for a test user.
Then i created 3 Identities.
2 with those 2 alternate addresses and one with an invalid address.
See attach signed emails send from that test user to herself.

Subjects specify which is which.

Thanks for the testmails. I can confirm that the email address check works as expected with the commit of 2021-11-22 (which is not part of SOGo 5.3.0 but should be included in the nightly builds): Only the third one fails the address check. The address test of the other two mails succeeded.

For the first mail I got a "Message has been modified". Turned out that the umlauts got mangled. Corrected them manually and the mail got verified ok.

The second part of the ticket (sign only if the certificate's mail addresses match the selected identity) has not been addressed yet.

Signing a message using an address that is not part of the certificate will now fail.