Reputation: 493
I'm sending an email with an attachment from one server to another server, and I would like to find a good way to verify that this email really comes from that server.
The applications are in PHP. I can't verify the origin with, for example, the IP (the server is in an intranet). Could I use a hash in the subject or in the body of the email?
Upvotes: 0
Views: 38
Reputation: 4503
Generating a hash alone is not enough. What you need is asymmetric cryptography. The first step to implementing this would be to generate a public/private key pair. This is easily accomplished using openssl.
# 2048 bits: a 1024-bit RSA key is too short to rely on today
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout > public.key
For example:
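<?php
// Sending server: hash the attachment and sign the hash with the private key.
// SHA-256 is used throughout; MD5 is not collision resistant.
$hash = hash_file("sha256", "path/to/your.file");
$key = openssl_pkey_get_private("file://path/to/your/private.key");
if ($hash === false || $key === false) {
    die("Could not read the attachment or the private key");
}
openssl_sign($hash, $signature, $key, OPENSSL_ALGO_SHA256);
// build your message and attach the file ($to, $subject, $message)
$headers = [];
$headers['X-Signature'] = base64_encode($signature);
// Passing the headers as an array requires PHP 7.2 or later.
mail($to, $subject, $message, $headers);
?>
Something like this:
<?php
// Receiving server: recompute the hash and check the signature with the public key.
require_once('email-parser.php');
$msg = parse_email_file("path/to/your/message.eml");
$signature = base64_decode($msg['headers']['X-Signature']);
$hash = hash("sha256", $msg['attachment']);
$key = openssl_pkey_get_public("file://path/to/your/public.key");
// openssl_verify() returns 1 if the signature is valid, 0 if it is invalid,
// and -1 or false on error. -1 is truthy, so compare against 1 explicitly.
$verified = openssl_verify($hash, $signature, $key, OPENSSL_ALGO_SHA256);
if ($verified === 1) {
    // DO STUFF
} else {
    // PANIC!!!
}
?>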
Upvotes: 1
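Added example (not part of the answer above): a self-contained PHP script showing why a hash alone is not enough, by comparing a hash check with a signature check on a message that was altered in transit. The throwaway in-memory key pair, the `X-Hash` header, the helper function names and the sample attachment text are assumptions made for the illustration.

```php
<?php
// Throwaway key pair generated in memory for the demo. In practice the private
// key stays on the sending server and only the public key is distributed.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($pair === false) {
    exit("key generation failed: " . openssl_error_string() . "\n");
}
$publicPem = openssl_pkey_get_details($pair)['key'];

// Sender: attach both a plain hash (hypothetical X-Hash header) and a signature.
function make_mail(string $attachment, $privateKey): array
{
    if (!openssl_sign($attachment, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return [
        'attachment'  => $attachment,
        'X-Hash'      => hash('sha256', $attachment),
        'X-Signature' => base64_encode($sig),
    ];
}

// Receiver, variant 1: only compares the hash carried in the message itself.
function hash_matches(array $mail): bool
{
    return hash_equals($mail['X-Hash'], hash('sha256', $mail['attachment']));
}

// Receiver, variant 2: verifies the signature with the sender's public key.
function signature_valid(array $mail, string $publicPem): bool
{
    $sig = base64_decode($mail['X-Signature'], true);
    if ($sig === false) {
        return false; // malformed base64
    }
    // Only the return value 1 means "valid"; 0, -1 and false are all rejected.
    return openssl_verify($mail['attachment'], $sig, $publicPem, OPENSSL_ALGO_SHA256) === 1;
}

$genuine = make_mail("invoice 42: pay 100 EUR", $pair); // constructed sample data

// Altered copy: anyone who changes the attachment can recompute the hash header
// as well, but cannot produce a matching signature without the private key.
$altered = $genuine;
$altered['attachment'] = "invoice 42: pay 900 EUR";
$altered['X-Hash'] = hash('sha256', $altered['attachment']);

foreach (['genuine' => $genuine, 'altered' => $altered] as $name => $mail) {
    printf("%s: hash check=%s, signature check=%s\n", $name,
        var_export(hash_matches($mail), true), var_export(signature_valid($mail, $publicPem), true));
}
```

The altered message still passes the hash check, because the hash travels with the message and carries no secret, while the signature check rejects it.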