S/mime

Hi,

I try to enable s/mime signing for mails. I followed:

https://bestpractical.com/docs/rt/4.2/RT/Crypt/SMIME.html

Key and certificate get detected and displayed by the queue. I want all
messages to be signed. When I enable “Sign all auto-generated mail.”
auto-generated mails get signed and then destroyed by duplicating all
newlines. This leads to an invalid signed message.

Since I’ve enabled s/mime no answers get sent out any more by e-mail.
Auto generated mails are sent. What causes this?

I’ve only set up a key/certificate for the queue, not for agents as only
the queue address will/should be used for external communication.

Perhaps someone can help.

TIA
Matthias

MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany

voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: info@mhcsoftware.de

HR Coburg: B2242
Managing director: Matthias Henze

Key and certificate get detected and displayed by the queue. I want all
messages to be signed. When I enable “Sign all auto-generated mail.”
auto-generated mails get signed and then destroyed by duplicating all
newlines. This leads to an invalid signed message.

Interesting – what version of openssl are you using, and are you using
HTML templates? If so, does the malformed signature persist if you
switch to text templates, via ./etc/upgrade/switch-templates-to text ?

Since I’ve enabled s/mime no answers get sent out any more by e-mail.
Auto generated mails are sent. What causes this?

What do you mean by “no answers get sent out any more”? What do RT’s
error logs say?

  • Alex

Key and certificate get detected and displayed by the queue. I want all
messages to be signed. When I enable “Sign all auto-generated mail.”
auto-generated mails get signed and then destroyed by duplicating all
newlines. This leads to an invalid signed message.

Interesting – what version of openssl are you using,

root@rt:~# dpkg -l | grep openssl
ii openssl 1.0.1e-2+deb7u11 amd64

and are you using HTML templates?

No

If so, does the malformed signature persist if you
switch to text templates, via ./etc/upgrade/switch-templates-to text ?

Since I’ve enabled s/mime no answers get sent out any more by e-mail.
Auto generated mails are sent. What causes this?

What do you mean by “no answers get sent out any more”? What do RT’s
error logs say?

When I create an answer for a ticket no mails get sent.

I will send logs and example mails to your personal address.

MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany

voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: info@mhcsoftware.de

HR Coburg: B2242
Managing director: Matthias Henze

On 28.07.2014 at 18:15, Alex Vandiver wrote:

Since I’ve enabled s/mime no answers get sent out any more by e-mail.
Auto generated mails are sent. What causes this?

What do you mean by “no answers get sent out any more”? What do RT’s
error logs say?

When I create an answer for a ticket no mails get sent.

Wrong, I’ve fixed a problem in the configuration and now answers get
sent AND they are signed correctly when and ONLY when it does NOT
contain newlines. If the answer contains newlines (by typing or by a
signature) all newlines get duplicated after signing and so it breaks
the signature.

MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany

voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: info@mhcsoftware.de

HR Coburg: B2242
Managing director: Matthias Henze

On 28.07.2014 at 18:15, Alex Vandiver wrote:

Key and certificate get detected and displayed by the queue. I want all
messages to be signed. When I enable “Sign all auto-generated mail.”
auto-generated mails get signed and then destroyed by duplicating all
newlines. This leads to an invalid signed message.

Interesting – what version of openssl are you using,

root@rt:~# dpkg -l | grep openssl
ii openssl 1.0.1e-2+deb7u11 amd64

and are you using HTML templates?

No

What version of MIME::Parser? You can check by running
perl -MMIME::Parser\ 99

Needless to say, local tests don’t show doubled newlines, so determining
a way to replicate this for us would be quite useful.

It might be instructive to run RT’s test suite and see if that passes
for you. You’ll need to re-run configure with --enable-developer, which
will add some additional perl dependencies for ‘make testdeps’ to
install. You’ll then be able to run RT’s tests:

$ prove -wl t/{crypt,mail,web}/smime/*.t
t/crypt/smime/attachments-in-db.t ..... ok
t/crypt/smime/bad-recipients.t ........ ok
t/crypt/smime/status-string.t ......... ok
t/mail/smime/incoming.t ............... ok
t/mail/smime/other-signed.t ........... ok
t/mail/smime/outgoing.t ............... ok
t/mail/smime/realmail.t ............... ok
t/mail/smime/reject_on_unencrypted.t .. ok
t/web/smime/outgoing.t ................ ok
All tests successful.
Files=9, Tests=720, 214 wallclock secs ( 0.40 usr  0.06 sys +
155.68 cusr 11.91 csys = 168.05 CPU)
Result: PASS
  • Alex

What version of MIME::Parser? You can check by running
perl -MMIME::Parser\ 99

root@rt:~# perl -MMIME::Parser\ 99
MIME::Parser version 99 required--this is only version 5.505.
BEGIN failed--compilation aborted.

Needless to say, local tests don’t show doubled newlines, so determining
a way to replicate this for us would be quite useful.

It might be instructive to run RT’s test suite and see if that passes
for you. You’ll need to re-run configure with --enable-developer, which

did this:

root@rt:/tmp/rt-4.2.6# ./configure --with-web-user=www-data
--with-web-group=www-data --enable-graphviz --enable-gd --enable-smime
--with-db-dba=postgres --with-db-type=Pg --enable-developer

will add some additional perl dependencies for ‘make testdeps’ to
install.


All dependencies have been found.

You’ll then be able to run RT’s tests:

$ prove -wl t/{crypt,mail,web}/smime/*.t
t/crypt/smime/attachments-in-db.t ..... ok
t/crypt/smime/bad-recipients.t ........ ok
t/crypt/smime/status-string.t ......... ok
t/mail/smime/incoming.t ............... ok
t/mail/smime/other-signed.t ........... ok
t/mail/smime/outgoing.t ............... ok
t/mail/smime/realmail.t ............... ok
t/mail/smime/reject_on_unencrypted.t .. ok
t/web/smime/outgoing.t ................ ok
All tests successful.
Files=9, Tests=720, 214 wallclock secs ( 0.40 usr  0.06 sys +
155.68 cusr 11.91 csys = 168.05 CPU)
Result: PASS

Did not work - first try:

Bailout called. Further testing stopped: RT_DBA_USER and
RT_DBA_PASSWORD environment variables need to be set in order to run
‘make test’

Then I set the two variables by export and got:

t/crypt/smime/attachments-in-db.t … Connect Failed FATAL: Datenbank >>rt4test<< existiert nicht
at /tmp/rt-4.2.6/lib/RT/Test.pm line 643.
BEGIN failed--compilation aborted at t/crypt/smime/attachments-in-db.t line 4.
t/crypt/smime/attachments-in-db.t … 1/?

and several pages of other errors …

MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany

voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: info@mhcsoftware.de

HR Coburg: B2242
Managing director: Matthias Henze

On 28.07.2014 at 22:57, Alex Vandiver wrote:

What version of MIME::Parser? You can check by running
perl -MMIME::Parser\ 99

root@rt:~# perl -MMIME::Parser\ 99
MIME::Parser version 99 required--this is only version 5.505.
BEGIN failed--compilation aborted.

Hm, OK. Unfortunately, nothing particularly telling there.

Bailout called. Further testing stopped: RT_DBA_USER and
RT_DBA_PASSWORD environment variables need to be set in order to run
‘make test’

Then I set the two variables by export and got:

Those two should be set to the username and password of a user which has
the right to create and drop databases. The errors you show imply that
it failed to create the database.

  • Alex

On 28.07.2014 at 22:57, Alex Vandiver wrote:

What version of MIME::Parser? You can check by running
perl -MMIME::Parser\ 99

root@rt:~# perl -MMIME::Parser\ 99
MIME::Parser version 99 required--this is only version 5.505.
BEGIN failed--compilation aborted.

Hm, OK. Unfortunately, nothing particularly telling there.

Bailout called. Further testing stopped: RT_DBA_USER and
RT_DBA_PASSWORD environment variables need to be set in order to run
‘make test’

Then I set the two variables by export and got:

Those two should be set to the username and password of a user which has
the right to create and drop databases. The errors you show imply that
it failed to create the database.

OK, I see … here are the results:

root@rt:/tmp/rt-4.2.6# prove -wl t/{crypt,mail,web}/smime/*.t
t/crypt/smime/attachments-in-db.t … ok
t/crypt/smime/bad-recipients.t … ok
t/crypt/smime/status-string.t … ok
t/mail/smime/incoming.t … ok
t/mail/smime/other-signed.t … ok
t/mail/smime/outgoing.t … ok
t/mail/smime/realmail.t … ok
t/mail/smime/reject_on_unencrypted.t … ok
t/web/smime/outgoing.t … ok
All tests successful.
Files=9, Tests=720, 254 wallclock secs ( 0.37 usr 0.10 sys + 145.24
cusr 32.12 csys = 177.83 CPU)
Result: PASS

MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany

voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: info@mhcsoftware.de

HR Coburg: B2242
Managing director: Matthias Henze

OK, I see … here are the results:
[snip]

All tests passed, meaning that whatever problem you’re having does not
affect our tests, which include sending mail via S/MIME. As such, it is
not a fundamental problem with S/MIME in your environment, but rather
with the data involved. At this point, we’d need a test email (possibly
as well as keys/certs) that triggers the behavior you’re seeing, as that
seems to be the only common piece of the problems you’re having.

  • Alex

OK, I see … here are the results:
[snip]

All tests passed, meaning that whatever problem you’re having does not
affect our tests, which include sending mail via S/MIME. As such, it is
not a fundamental problem with S/MIME in your environment, but rather
with the data involved. At this point, we’d need a test email (possibly
as well as keys/certs) that triggers the behavior you’re seeing, as that
seems to be the only common piece of the problems you’re having.

So what should I do next?

MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany

voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: info@mhcsoftware.de

HR Coburg: B2242
Managing director: Matthias Henze

On 30.07.2014 at 17:07, Alex Vandiver wrote:

All tests passed, meaning that whatever problem you’re having does not
affect our tests, which include sending mail via S/MIME. As such, it is
not a fundamental problem with S/MIME in your environment, but rather
with the data involved. At this point, we’d need a test email (possibly
as well as keys/certs) that triggers the behavior you’re seeing, as that
seems to be the only common piece of the problems you’re having.

So what should I do next?

Provide a test email (along with relevant keys/certs as necessary) that
triggers the behavior you’re seeing.

  • Alex
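
An added illustration, not part of the thread and not RT's code: the detached signature of a multipart/signed mail covers the first body part byte for byte, MIME headers included, with CRLF line endings, so line breaks doubled after signing change the digest and verification fails. The code below classifies a delivered message against the digest that was signed; every name and the sample message are constructed, and `SIGNED_DIGEST` stands in for the messageDigest value carried in the signature (its hash algorithm depends on the signer).

```python
import hashlib
import re

CRLF = b"\r\n"

def signed_part(raw: bytes) -> bytes:
    """Exact bytes of the first body part of a multipart/signed message."""
    m = re.search(rb'boundary="?([^";\r\n]+)', raw, re.I)
    if not m:
        raise ValueError("no MIME boundary parameter found")
    delim = re.compile(rb"^--" + re.escape(m.group(1)) + rb"[ \t]*\r?\n", re.M)
    first = delim.search(raw)
    second = delim.search(raw, first.end()) if first else None
    if not second:
        raise ValueError("expected two body parts")
    # The line break right before a delimiter belongs to the delimiter.
    return re.sub(rb"\r?\n\Z", b"", raw[first.end():second.start()])

def canonical_digest(part: bytes, algo: str = "sha256") -> str:
    """Digest of the part with every line ending normalised to CRLF."""
    return hashlib.new(algo, re.sub(rb"\r?\n", CRLF, part)).hexdigest()

def collapse_doubled(part: bytes) -> bytes:
    """Undo the damage where every line break was written twice."""
    return re.sub(rb"\r?\n", CRLF, part).replace(CRLF + CRLF, CRLF)

def diagnose(delivered: bytes, signed_digest: str, algo: str = "sha256") -> str:
    part = signed_part(delivered)
    if canonical_digest(part, algo) == signed_digest:
        return "intact"
    if canonical_digest(collapse_doubled(part), algo) == signed_digest:
        return "line breaks doubled after signing"
    return "modified in some other way"

# Constructed sample data (not a real RT mail; the signature is a placeholder).
ENTITY = CRLF.join([b"Content-Type: text/plain; charset=utf-8", b"",
                    b"Hello,", b"", b"your ticket was updated.", b""])
# Assumption: stands in for the messageDigest value carried in the signature.
SIGNED_DIGEST = canonical_digest(ENTITY)

def wrap(entity: bytes) -> bytes:
    """Build a multipart/signed message around the given first part."""
    head = b'Content-Type: multipart/signed; boundary="b1"; micalg=sha-256'
    sig = b"Content-Type: application/pkcs7-signature" + CRLF + CRLF + b"(placeholder)"
    return CRLF.join([head, b"", b"--b1", entity, b"--b1", sig, b"--b1--", b""])

DAMAGED = wrap(ENTITY.replace(CRLF, CRLF + CRLF))

if __name__ == "__main__":
    print(diagnose(wrap(ENTITY), SIGNED_DIGEST), "|", diagnose(DAMAGED, SIGNED_DIGEST))
```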