RT issues dealing with combination S/MIME + OpenPGP signed messages

Sorry if this is an overly long post, but I’ll try to make sure it includes all pertinent details and is as clear as possible.

Right now, we have RT (5.0.0) in operation, and configured to use only PGP encryption support (disabling the S/MIME support completely).

Our issue is that when any user sends a message that is both PGP and S/MIME signed, RT doesn’t recognize these messages as being signed or secured at all, not by PGP or otherwise.

I’ve attached a screenshot of such a ticket, and I’d be happy to include the full headers, but, likely of interest is the lack of headers (when switching to full header mode) that indicate RT recognizing the message as secured. Also, both signatures are saved to the ticket as attachments, which is not the normal behavior.

If I send a signed message, using only PGP (not S/MIME+PGP), then all works as expected. I see the X-RT-Gnupg-Status header populated, and “X-RT-Privacy” set appropriately. The signatures do not appear as attachments, and the message itself is appropriately tagged with: “Gpg: The signature is good, signed by Jeffrey H. Johnson jeff@gridfinity.com, trust level is unknown”.

Also, is there a way to remove the S/MIME signature attachment from all the tickets it appears on? Even better, is there a way to just prevent RT from saving the S/MIME signature at all, stripping it at the time the message is received?

I know I can strip the S/MIME parts externally with some procmail/maildrop magic, before the mail gets to RT, but I’d prefer a clean and proper solution within RT itself.

I also believe the case of RT not recognizing the message as signed when it is in fact dual-signed is to likely be a bone-fide bug in RT that should be fixed, rather than something to be worked around.

We are using RT 5.0.0, with the following relevant configuration:

Set( %Crypt,
‘Incoming’ => [‘GnuPG’],
‘Outgoing’ => ‘GnuPG’,
‘AllowEncryptDataInDB’ => 0,
‘RejectOnBadData’ => 1,
‘RejectOnMissingPrivateKey’ => 1,
Set( %SMIME,
‘Enable’ => 0,
Set( %GnuPG,
‘Enable’ => 1,
‘OutgoingMessagesFormat’ => ‘RFC’,
Set( %GnuPGOptions,
‘homedir’ => ‘/opt/rt5/var/data/gpg’,
‘passphrase’ => ‘[redacted]’,
‘no-permission-warning’ => undef,
‘include-key-block’ => undef,
‘auto-key-retrieve’ => undef,
#‘trust-model’ => ‘always’,
‘auto-key-import’ => undef,
‘auto-key-retrieve’ => undef,
‘auto-key-locate’ => ‘clear,nodefault,cert,pka,dane,wkd,keyserver,ldap,local’,

I’d be happy to provide additional details, if that would help.

Thank you for nearly 25 years of RT!

  • Jeff