Digital Signature and Encryption of email communication

Hello,

I’m new to RT. I have some Linux experience but mostly surface-level. I have just installed an instance on a Debian server and I have configured it to use one of our email addresses using this tutorial: RT 4.2 Installation with incoming and outgoing email support on Ubuntu 12.04 - Request Tracker Wiki

I have had a bit of trouble wrapping my head around postfix but RT can now send and receive emails. My next step is that all communications must be encrypted and digitally signed. I have a certificate in a .p12 file delivered by an official authority for my email address. My question is, how do I implement that? It might be more linked to postfix/fetchmail than RT, but I’m not entirely sure.

Thank you!

SMIME docs can be found here:

AI came up with these steps that look pretty close to me!

1. Extract your certificate and key from the .p12 file:

# Extract the certificate
openssl pkcs12 -in your_cert.p12 -clcerts -nokeys -out cert.pem

# Extract the private key (-nodes writes it unencrypted)
openssl pkcs12 -in your_cert.p12 -nocerts -nodes -out key.pem

2. Configure RT’s S/MIME settings in RT_SiteConfig.pm:

Set(%SMIME,
    Enable => 1,
    OpenSSL => '/usr/bin/openssl',
    Keyring => '/opt/rt6/var/data/smime/keyring',
    CAPath => '/opt/rt6/var/data/smime/ca',
);

Set(%GnuPG,
    Enable => 0,  # Disable if using S/MIME
);

3. Import your certificate into RT:

# Create the keyring directory if it doesn't exist
mkdir -p /opt/rt6/var/data/smime/keyring

# Import your certificate; the keyring file is named after the address, with a .pem suffix
cat cert.pem key.pem > /opt/rt6/var/data/smime/keyring/your-email@domain.com.pem

4. Set proper permissions (same /opt/rt6 tree as the Keyring setting above):

chown -R www-data:www-data /opt/rt6/var/data/smime
chmod 0700 /opt/rt6/var/data/smime/keyring
chmod 0600 /opt/rt6/var/data/smime/keyring/*

Then you should be able to see key options in the queue or user config pages!
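An added example (my own script, not from this thread or from the RT project) that does the extract and import steps above in one go and then checks the result before RT is involved: the private key has to match the certificate, the certificate has to carry the mailbox address RT sends from, it must not be expired, and the file goes under the keyring directory as <address>.pem. It assumes the OpenSSL command-line tool (1.1.1 or later); the function names, the www-data user and the sample paths are mine.

```shell
#!/bin/sh
# Added example, not from the thread: build and verify an RT S/MIME keyring
# entry from a .p12 bundle. Assumes the OpenSSL CLI (1.1.1+) and that RT wants
# one file per mailbox named <address>.pem holding certificate and private key.
set -eu

# Extract certificate and unencrypted private key from a PKCS#12 bundle into
# one clean PEM file named after the mailbox RT sends from.
#   $1 = .p12 path  $2 = .p12 password  $3 = mailbox address  $4 = keyring dir
# Prints the path of the entry it wrote.
extract_keyring_entry() {
    p12="$1"; pass="$2"; addr="$3"; keyring="$4"
    out="$keyring/$addr.pem"
    mkdir -p "$keyring"
    # Subshell so the restrictive umask (file is created 0600) does not leak out.
    (
        umask 077
        # Piping through x509/pkey drops the "Bag Attributes" chatter pkcs12 prints.
        openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys | openssl x509 > "$out"
        openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes | openssl pkey >> "$out"
    )
    printf '%s\n' "$out"
}

# SHA-256 of the DER public key taken from the certificate block of an entry.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
}

# SHA-256 of the DER public key derived from the private-key block of an entry.
key_pubkey_digest() {
    sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$1" \
        | openssl pkey -pubout -outform DER | openssl dgst -sha256
}

# Checks worth running before blaming RT's config: key matches certificate,
# certificate names the mailbox, certificate is still valid.
#   $1 = keyring entry  $2 = mailbox address RT uses
check_keyring_entry() {
    entry="$1"; addr="$2"
    [ "$(cert_pubkey_digest "$entry")" = "$(key_pubkey_digest "$entry")" ] \
        || { echo "private key does not match certificate in $entry" >&2; return 1; }
    # Address may sit in the subject CN or in a subjectAltName email entry.
    openssl x509 -in "$entry" -noout -text | grep -Fqi "$addr" \
        || { echo "certificate in $entry is not issued for $addr" >&2; return 1; }
    openssl x509 -in "$entry" -noout -checkend 0 >/dev/null \
        || { echo "certificate in $entry has expired" >&2; return 1; }
    echo "ok: $entry"
}

# Lock the keyring down; chown needs root, so it is attempted only then.
#   $1 = keyring dir  $2 = web server user (www-data on Debian)
set_keyring_permissions() {
    keyring="$1"; webuser="$2"
    chmod 0700 "$keyring"
    find "$keyring" -name '*.pem' -exec chmod 0600 {} +
    if [ "$(id -u)" -eq 0 ]; then chown -R "$webuser:$webuser" "$keyring"; fi
}
```

Usage is `entry=$(extract_keyring_entry support.p12 'p12 password' support@mydomain.com /opt/rt6/var/data/smime/keyring)` followed by `check_keyring_entry "$entry" support@mydomain.com` and `set_keyring_permissions /opt/rt6/var/data/smime/keyring www-data` as root. If the .p12 was issued with old RC2 encryption, an OpenSSL 3 build may need `-legacy` added to the two pkcs12 commands.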

I’ve also tried to change the keyring file so that it holds the public and private key instead but I have the same issue

Thanks. It did get me closer after some tweaking, however I still don’t get any SMIME keys to choose from in the queue administration (It shows “Couldn’t get SMIME keys information”).

Here is my config:

I have the certificate in the ca folder and the support@mydomain.com.pem key in the keyring folder

What do you see in the RT logs?

Nothing specifically related to that apparently. I have the level set to debug. What exactly should come in the keyring file? The documentation is not explicit and I haven’t found a satisfying answer online.

Right now my keyring file contains the contents of openssl pkcs12 -in mycert.p12 -out out.pem (i.e. chain + private key) plus the public key

I extracted the CA with this command:

openssl pkcs12 -in mycert.p12 -cacerts -nokeys -out ca.pem

FYI Here’s what my smime folder looks like (I’ve given read rights to everyone just to make sure that’s not the issue):

Hi.
Is it for your personal email address or for the email address RT is using?
It must fit to the address RT uses.

Certificates are sometimes a real pain. Maybe it is an option to use postfix to encrypt and sign on sending.

Regards A.

It is the email address I use for RT, I have a certificate for that. And the keyring file is named myemail@mydomain.com.pem as per the documentation.

Well I fixed the problem, it seems like I had to point to the ca certificate directly and not just the folder (which the documentation says should work).
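To show why pointing at the file rather than the folder makes a difference, here is an added example (my own, not from the thread or from RT) that checks a CAPath value the way OpenSSL will use it. A file is handed to `openssl verify` as -CAfile and works as it is; a directory is handed over as -CApath, and in a -CApath directory OpenSSL only finds certificates under hash-style names (<subject hash>.0) such as `openssl rehash` creates, so a folder holding a plain ca.pem verifies nothing. It assumes an OpenSSL 1.1.0 or later CLI and that a directory CAPath reaches OpenSSL as -CApath; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: show what a CAPath value lets OpenSSL
# verify. Assumes an OpenSSL 1.1.0+ CLI and that a directory CAPath ends up as
# OpenSSL's -CApath, which only looks up hash-named files.
set -eu

# Classify a CAPath value:
#   file          usable as -CAfile as it is
#   hashed-dir    directory with <hash>.N entries, usable as -CApath
#   unhashed-dir  directory of plain .pem files; OpenSSL will not find them
capath_kind() {
    capath="$1"
    if [ -f "$capath" ]; then echo file; return 0; fi
    [ -d "$capath" ] || { echo missing; return 1; }
    if ls "$capath" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$'; then
        echo hashed-dir
    else
        echo unhashed-dir
    fi
}

# Verify a mailbox certificate the way OpenSSL will, given the CAPath value.
#   $1 = certificate PEM  $2 = CAPath (file or directory)
verify_against_capath() {
    cert="$1"; capath="$2"
    if [ -d "$capath" ]; then
        openssl verify -CApath "$capath" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$capath" "$cert" >/dev/null 2>&1
    fi
}

# Make a directory of .pem files usable as -CApath by adding <hash>.N links.
# Rerun it whenever a CA file is added to or replaced in the directory.
hash_capath_dir() {
    openssl rehash "$1" >/dev/null 2>&1
}
```

Run `capath_kind /opt/rt6/var/data/smime/ca` to see which case you are in; an `unhashed-dir` result means either keep CAPath pointing at the .pem file, as done above, or run `hash_capath_dir` on the folder so the directory form works too.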