I’ve been setting up S/MIME on my RT instance and I manage to send encrypted emails back and forth, however I have the issue that the emails that are sent from RT are empty. The ticket log shows that an email has been sent with a p7m attachment, which I assume must contain the encrypted body of the message, however when I receive the email in my mail client, it is empty, although correctly marked as S/MIME encrypted. I have the same behavior on both Outlook and Thunderbird with different email addresses.
We don’t use S/MIME with our RT, but as an idea, could you send an email to a local account on the RT server (assuming it’s Linux or similar) and then peep into the mailbox with a text-based tool (less, more, etc.) to see if the attachment is included with the email? That would at least let you check what RT was generating and your local mail transfer agent on the RT server.
I haven’t managed to send an encrypted email directly with postfix but I noticed that the authentication seems to fail in the email that I get, even without signing/encryption:
So I went through the ordeal of configuring postfix to authenticate using my SMTP server but I still have the issue of S/MIME emails being blank…
Here’s the source of the email I receive FYI. I have tried to compare it with a valid S/MIME encrypted email I got from another address and I haven’t really found anything obviously missing.
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <support-rt@example.com>
Delivered-To: myemail@example.com
Received: from mx3.pub.mailpod4-cph3.one.com ([10.27.27.13])
by mailstorage6.cst.mailpod4-cph3.one.com with LMTP
id IELcLxxfymmvkBwAmlrhgw
(envelope-from <support-rt@example.com>)
for <myemail@example.com>; Mon, 30 Mar 2026 11:31:40 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=custmx.one.com; s=20201015;
h=content-type:content-transfer-encoding:mime-version:date:subject:in-reply-to:
from:reply-to:message-id:references:to:x-halone-refid:x-halone-sa:from:
x-halone-sa:x-halone-refid;
bh=djrgnj6THyV33PhfWpsnZr12iDUgMnwh+fBKlHVH0Ys=;
b=vuKNl+YecXbeLJ0j1NunUg5KBRAZ6JtA5J2PoETfFVcBTKjatWBHyiTLhLV1zcwdh0PPoQBPv3I/W
tOf/yxXNALnY1cwaJdyJiFzrRjdzWPp7MZm/Y6AGtQlqbrhdHYaIbqUmbm9GYN6KdGey0q9RymKIjo
IZ7TIo5UOPbWENBKk5oGtD0WW5P8MVpnUiLAnrnZzExFTEbiv7/IiTHKeyZc1sfFP3APq2HHOUXqi3
bcqD1nZoDg+5G0BiXYj//2w3upO09Tml4npbrMuu1Btf0E5p65/IlrFqnttzLHD11ssiEgK9G+akVV
81jwFKG9sIjphkjqBdodeJtCjbSqQdA==
X-HalOne-SA: -1.2
X-HalOne-RefID: 155866::1774870300-E76274C2-B78A6D49/0/0
X-HalOne-Spam-Probability: 0
Authentication-Results: mx3.pub.mailpod4-cph3.one.com;
spf=pass smtp.mailfrom=example.com smtp.remote-ip=46.30.211.181;
dkim=pass header.d=example.com header.s=ed2 header.a=ed25519-sha256 header.b=pMloj1i+;
dmarc=pass header.from=example.com;
Received: from mailrelay-egress6.pub.mailoutpod2-cph3.one.com (mailrelay-egress6.pub.mailoutpod2-cph3.one.com [46.30.211.181])
by mx3.pub.mailpod4-cph3.one.com (Halon) with ESMTPS
id 054d29b0-2c2c-11f1-8fd3-ec0d9a6ed226;
Mon, 30 Mar 2026 11:31:40 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1774870300; x=1775475100;
d=example.com; s=rsa2;
h=content-type:content-transfer-encoding:mime-version:date:subject:in-reply-to:
from:reply-to:message-id:references:to:from;
bh=djrgnj6THyV33PhfWpsnZr12iDUgMnwh+fBKlHVH0Ys=;
b=gOO/jWBTdjovfUeIWjr8I5/mpz3v+Szyau02zhTBtQvBOfUFr8Ag+TOb271RUQX9ZopTtO3DSuL5Q
Libgi6CZXXNLI33+0EYrqd/Xfa6mEr9oo9Zi5o2uAtw4ucWNZ2gSjD8F8GSPY4kChiqsjVlcYIo5Tp
RW0xCkStbhMuS7Egyuzg/HIXJdKy51saK8Y59wnlwdYLUMEW32IefcgwzmxsISNbi8Z/E+8KndAAfV
SpC+k/Rezki//q6ZRWrZTBLLE+LomhGkJxG3ABQNJkeSCO89lNWVDEKxxfVQ303buyGVW4Ghy4d3AF
HhFxM3bw38JPW+nnT9YBA0qhxkz+QEg==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; t=1774870300; x=1775475100;
d=example.com; s=ed2;
h=content-type:content-transfer-encoding:mime-version:date:subject:in-reply-to:
from:reply-to:message-id:references:to:from;
bh=djrgnj6THyV33PhfWpsnZr12iDUgMnwh+fBKlHVH0Ys=;
b=pMloj1i+MC7Uq73pySGV5RA5piva/7+W8GrsxoF3F7pldY1H7mTN7U2ty8RE8hWher2EAayhWHC1+
ds/BEIBDg==
X-HalOne-ID: 054d29b0-2c2c-11f1-8fd3-ec0d9a6ed226
Received: from myhostname (unknown [213.174.81.82])
by mailrelay1.pub.mailoutpod2-cph3.one.com (Halon) with ESMTPSA
id 04aa5673-2c2c-11f1-9c01-89f85b40716f;
Mon, 30 Mar 2026 11:31:40 +0000 (UTC)
Received: by myhostname (Postfix, from userid 33)
id 1B7E937ECCC; Mon, 30 Mar 2026 13:31:40 +0200 (CEST)
X-RT-Loop-Prevention: example.com
To: myemail@example.com
References: <RT-Ticket-11@example.com> <b85e5786-c8af-41e2-b48f-7df062366b60@example.com>
X-Managed-BY: RT 6.0.2 (http://www.bestpractical.com/rt/)
X-RT-Ticket: example.com #11
Message-ID: <rt-6.0.2-1598886-1774870299-973.11-5-0@example.com>
Reply-To: support-rt@example.com
From: "Enoch Root via RT" <support-rt@example.com>
X-RT-Originator: root@localhost
In-Reply-To: <b85e5786-c8af-41e2-b48f-7df062366b60@example.com>
Subject: [example.com #11] brand new problem
Precedence: bulk
Date: Mon, 30 Mar 2026 13:31:40 +0200
MIME-Version: 1.0
Content-Disposition: attachment; filename="smime.p7m"
Content-Transfer-Encoding: base64
Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data;
name="smime.p7m"
Ok, I noticed in the logs that there is an error:
[1598886] [Mon Mar 30 11:31:40 2026] [debug]: openssl stderr: Could not read signing key from /opt/rt6/var/data/smime/support-rt@mydomain.com.pem
40C74834737F0000:error:1608010C:STORE routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:
40C74834737F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
40C74834737F0000:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:86:maybe wrong password (/opt/rt6/sbin/../lib/RT/Crypt/SMIME.pm:451)
It should be the right password in the RT_SiteConfig.pm… What exactly needs to be configured in the keyring pem file?
Does the user that the web server is running as have read access to that directory and file? If you have something like SELinux running, also check its audit logs in case it’s stepping in and stopping access.
Yes, the rights were correct. I did re-generate the pem file from my p12 certificate with this command (and changed the passphrase in RT_SiteConfig.pm) and it worked:
openssl pkcs12 -in SupportRT.p12 -out support-rt@example.com.pem
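
A check for the failure this thread ended on (a keyring PEM whose private key the configured passphrase does not unlock), added here as an example; it is not from any poster or from RT. The function names and return codes are hypothetical, and the key and certificate it can generate are throwaway constructed test data.

```shell
#!/bin/sh
# check_smime_keyring PEM PASSPHRASE
# Return codes (hypothetical, chosen for this example):
#   0 ok, 1 no certificate, 2 no private key,
#   3 passphrase does not unlock the key, 4 key does not match certificate
check_smime_keyring() {
    pem=$1 pass=$2
    # The keyring file must hold both the certificate and the private key.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" || return 1
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$pem" || return 2
    # Pass the passphrase through the environment, not argv, so it does
    # not show up in the process list. A wrong passphrase fails here, the
    # same condition behind the "bad decrypt / maybe wrong password" log.
    key_pub=$(PEMPASS=$pass openssl pkey -in "$pem" -passin env:PEMPASS \
        -pubout 2>/dev/null) || return 3
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 1
    # The certificate must carry the public half of this private key.
    [ "$key_pub" = "$cert_pub" ] || return 4
    return 0
}

# make_constructed_keyring OUT PASSPHRASE
# Builds a throwaway self-signed cert plus encrypted key in one PEM file,
# the same layout "openssl pkcs12 -in X.p12 -out X.pem" produces.
make_constructed_keyring() {
    out=$1 pass=$2 tmp=$(mktemp -d)
    KRPASS=$pass openssl req -x509 -newkey rsa:2048 -days 1 \
        -subj '/CN=constructed-test' -passout env:KRPASS \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 1
    cat "$tmp/cert.pem" "$tmp/key.pem" > "$out"
    rm -rf "$tmp"
}
```

Source the file, then call `check_smime_keyring` with the keyring path and the passphrase set in RT_SiteConfig.pm, running it as the web server user so file permissions are exercised too.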