All Incoming SMIME Signed Messages Showing as No Trust

Hello,

OS and RT4 Info:

Debian GNU/Linux 7 (wheezy)
Apache/2.2.22 (Debian)
PHP 5.5.26-1~dotdeb+7.4
Request Tracker 4.2.11

I am attempting to configure S/MIME support in my RT4 instance, and I have
every piece working other than the verification of signatures on incoming
email. Signing outbound emails is working perfectly, and signatures are
processed on incoming mail as well. However, all signatures are being shown
as untrusted, with a message such as this: “SMIME: The signature is good,
signed by “Zoey Schutt” , trust is none”.

Similarly, the keys and certificates I have loaded to sign outgoing messages
are showing as issued by blank, such as this one:

SMIME key ‘“Zoey Schutt” webmaster@braincoral.io (issued by )’

Fingerprint: 76c140826f39d9d66ae4dc40328c0f23c177d0ca
Created: Mon Jul 06 2015
Expire: Thu Jul 06 2017
User: “Zoey Schutt” webmaster@braincoral.io

All of the keys I have been using to test this are valid and certified by
StartCom Class 2. My configuration is as such:

Set(@MailPlugins, 'Auth::MailFrom', 'Auth::Crypt');

Set(%SMIME,
    Enable => 1,
    OpenSSL => 'openssl',
    Keyring => q{var/data/smime},
    CAPath => '/opt/rt4/var/data/smime-roots',
    AcceptUntrustedCAs => 1,
    Passphrase => {
        'webmaster@braincoral.io' => 'REMOVED',
        'support@braincoral.io' => 'REMOVED',
        '' => 'fallback',
    },
);

Set(%Crypt,
    Incoming                  => ['SMIME', 'GnuPG'],
    Outgoing                  => 'SMIME',

    RejectOnUnencrypted       => 0,
    RejectOnMissingPrivateKey => 1,
    RejectOnBadData           => 1,

    AllowEncryptDataInDB      => 0,

    Dashboards => {
        Encrypt => 0,
        Sign    => 0,
    },
);

I have attached a list of the contents of var/data/smime-roots to a text
file on this email. The contents are just a copy of the /etc/ssl/certs
directory of my server, with c_rehash run on it. I have tried the
configuration with a trailing slash and without on CAPath, and neither has
worked.

Any assistance would be greatly appreciated!

Regards,

Zoey Schutt

Braincoral Technology

SMIME-Roots.txt (19.3 KB)
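
An added example, not part of the original thread and not RT code: one way to test, outside RT, whether an OpenSSL CAPath directory like the one set in %SMIME above anchors a given certificate. It builds a constructed throwaway CA and signer certificate, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread; the PKI is constructed, function names hypothetical.

# Create a throwaway CA plus a signer certificate issued by it, inside dir $1.
make_demo_pki() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=Constructed Signer" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/leaf.pem" 2>/dev/null
}

# Store CA cert $2 in CAPath dir $1 under <subject-hash>.0, the name c_rehash creates.
publish_ca() {
    h=$(openssl x509 -noout -hash -in "$2") || return 1
    cp "$2" "$1/$h.0"
}

# Succeed only if cert $2 chains to a CA that OpenSSL locates through CAPath dir $1.
capath_trusts() {
    openssl verify -CApath "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Verify the same signer twice: CA file merely present, then published by hash.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/roots"
    make_demo_pki "$t" || { rm -rf "$t"; return 1; }
    cp "$t/ca.pem" "$t/roots/ca.pem"   # in the directory, but not hash-named
    capath_trusts "$t/roots" "$t/leaf.pem" && before=trusted || before=untrusted
    publish_ca "$t/roots" "$t/ca.pem"
    capath_trusts "$t/roots" "$t/leaf.pem" && after=trusted || after=untrusted
    rm -rf "$t"
    echo "$before $after"
}

demo   # prints: untrusted trusted
```

Running capath_trusts against the real CAPath directory and a sender's certificate helps separate a trust-store problem from an RT configuration problem.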

OS and RT4 Info:

Debian GNU/Linux 7 (wheezy)
Apache/2.2.22 (Debian)
PHP 5.5.26-1~dotdeb+7.4
Request Tracker 4.2.11

As a note, RT is written in Perl, not PHP. The other useful version to
know is the version of openssl, which you can find by running:

openssl version

I am attempting to configure S/MIME support in my RT4 instance, and I
have every piece working other than the verification of signatures on
incoming email.

What software is generating your certificates, and sending the incoming
mail? I suspect your certificates are weird in a way that is throwing
openssl off.

Can you send me a simple S/MIME signed message and your CA’s PEM file,
off-list, so I can inspect it?

  • Alex

Thank you for the reply! I’ll send you the signed email from my other email
address, as I don’t have my personal certificate on the computer I am
currently using. It’s issued by the same CA as my other ones.

All of my SSL certificates are from StartSSL, Class 2 Verified. Then I just
ran the X.506 binary through openssl and converted them to PEM files. Those
are outgoing, of course; my incoming emails that I have been using to test so
far are sent via Outlook 2013.

I will send you the CA’s PEM file and a signed message from my other address
as well, off-list.

Extra Version Info:

OpenSSL 1.0.1e 11 Feb 2013
perl 5, version 14, subversion 2 (v5.14.2) built for
x86_64-linux-gnu-thread-multi

Regards,

Zoey Schutt

Of Alex Vandiver
Sent: Friday, July 24, 2015 2:20 AM
To: rt-users@lists.bestpractical.com
Subject: Re: [rt-users] All Incoming SMIME Signed Messages Showing as No
Trust
