Merge branch 'i25764-sign-email'

PR #1591

config_defaults_inc.php

@@ -756,6 +756,54 @@
  */
 $g_email_dkim_identity = 'noreply@example.com';
 
+/**
+ * Enable S/MIME signature.
+ *
+ * @global integer $g_email_smime_enable
+ */
+$g_email_smime_enable = OFF;
+
+/**
+ * Path to the S/MIME certificate.
+ *
+ * The file must contain a PEM-encoded certificate.
+ *
+ * @global string $g_email_smime_cert_file
+ */
+$g_email_smime_cert_file = '';
+
+/**
+ * Path to the S/MIME private key file.
+ *
+ * The file must contain a PEM-encoded private key matching the S/MIME certificate.
+ *
+ * @see $g_email_smime_cert_file
+ *
+ * @global string $g_email_smime_key_file
+ */
+$g_email_smime_key_file = '';
+
+/**
+ * Password for the S/MIME private key.
+ *
+ * Leave blank if the private key is not protected by a passphrase.
+ * @see $g_email_smime_key_file
+ *
+ * @global string $g_email_smime_key_password
+ */
+$g_email_smime_key_password = '';
+
+/**
+ * Optional path to S/MIME extra certificates.
+ *
+ * The file must contain one (or more) PEM-encoded certificates, which will be
+ * included in the signature to help the recipient verify the certificate
+ * specified in {@see $g_email_smime_cert_file} ("CA Chain").
+ *
+ * @global string $g_email_smime_extracerts_file
+ */
+$g_email_smime_extracerts_file = '';
+
 /**
  * It is recommended to use a cronjob or a scheduler task to send emails. The
  * cronjob should typically run every 5 minutes.  If no cronjob is used,then
@@ -4326,7 +4374,9 @@
 	'impersonate_user_threshold', 'email_retry_in_days', 'neato_tool', 'dot_tool',
 	'ldap_server', 'ldap_root_dn', 'ldap_organization', 'ldap_protocol_version',
 	'ldap_network_timeout', 'ldap_follow_referrals', 'ldap_bind_dn', 'ldap_bind_passwd',
-	'ldap_uid_field', 'ldap_realname_field', 'use_ldap_realname', 'use_ldap_email'
+	'ldap_uid_field', 'ldap_realname_field', 'use_ldap_realname', 'use_ldap_email',
+	'email_smime_enable', 'email_smime_cert_file', 'email_smime_key_file',
+	'email_smime_key_password', 'email_smime_extracerts_file',
 );
 
 /**

core/email_api.php

@@ -1335,6 +1335,16 @@ function email_send( EmailData $p_email_data ) {
 			break;
 	}
 
+	# S/MIME signature
+	if( ON == config_get_global( 'email_smime_enable' ) ) {
+		$t_mail->sign(
+			config_get_global( 'email_smime_cert_file' ),
+			config_get_global( 'email_smime_key_file' ),
+			config_get_global( 'email_smime_key_password' ),
+			config_get_global( 'email_smime_extracerts_file' )
+		);
+	}
+
 	#apply DKIM settings
 	if( config_get( 'email_dkim_enable' ) ) {
 		$t_mail->DKIM_domain = config_get( 'email_dkim_domain' );

docbook/Admin_Guide/en-US/config/email.xml

@@ -554,4 +554,105 @@ $g_notify_flags['new'] = array(
 			</listitem>
 		</itemizedlist>
 	</para>
+
+	<section id="admin.config.email.smime">
+		<title>S/MIME signature</title>
+
+		<para>This sections describes the necessary settings to enable
+			<ulink url="https://en.wikipedia.org/wiki/S/MIME">S/MIME</ulink>
+			signature for outgoing MantisBT e-mails.
+		</para>
+
+		<variablelist>
+			<varlistentry>
+				<term>$g_email_smime_enable</term>
+				<listitem>
+					<para>Enables S/MIME signature.
+					</para>
+					<para>Defaults to OFF.</para>
+				</listitem>
+			</varlistentry>
+			<varlistentry>
+				<term>$g_email_smime_cert_file</term>
+				<listitem>
+					<para>Path to the S/MIME certificate.</para>
+					<para>The file must contain a
+						<ulink url="https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail">PEM-encoded</ulink>
+						certificate.
+					</para>
+				</listitem>
+			</varlistentry>
+			<varlistentry>
+				<term>$g_email_smime_key_file</term>
+				<listitem>
+					<para>Path to the S/MIME private key file.</para>
+					<para>The file must contain a PEM-encoded private key
+						matching the S/MIME certificate.
+					</para>
+				</listitem>
+			</varlistentry>
+			<varlistentry>
+				<term>$g_email_smime_key_password</term>
+				<listitem>
+					<para>Password for the S/MIME private key.</para>
+					<para>Leave blank if the private key is not protected
+						by a passphrase.
+					</para>
+				</listitem>
+			</varlistentry>
+			<varlistentry>
+				<term>$g_email_smime_extracerts_file</term>
+				<listitem>
+					<para>Optional path to S/MIME extra certificates.</para>
+					<para>The file must contain one (or more) PEM-encoded
+						certificates, which will be included in the signature to
+						help the recipient verify the certificate specified in
+						<emphasis>$g_email_smime_cert_file</emphasis>
+						("CA Chain").
+					</para>
+				</listitem>
+			</varlistentry>
+		</variablelist>
+
+		<note>
+			<para>MantisBT expects the S/MIME certificates and the private key
+				files to be in
+				<ulink url="https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail">PEM</ulink>
+				format.
+				If you have a <ulink url="https://en.wikipedia.org/wiki/PKCS_12">PKCS12</ulink>
+				encrypted certificate (typically with a .pfx or .p12 extension),
+				you may use the following <literal>openssl</literal> commands
+				to extract and convert the individual elements:
+			</para>
+			<itemizedlist>
+				<listitem>
+					<para>Certificate</para>
+					<programlisting>
+openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt
+</programlisting>
+				</listitem>
+				<listitem>
+					<para>Extra certificates ("CA chain")</para>
+					<programlisting>
+openssl pkcs12 -in cert.pfx -cacerts -nokeys -out ca-chain.crt
+</programlisting>
+				</listitem>
+				<listitem>
+					<para>Private key
+						(<literal>-passout</literal> specifies the private key's password)
+					</para>
+					<programlisting>
+openssl pkcs12 -in cert.pfx -nocerts -out cert.key -passout pass:
+</programlisting>
+				</listitem>
+			</itemizedlist>
+			<para>If the input file is protected, openssl will ask for the password;
+				alternatively, you can specify it on the command-line with the
+				<emphasis>-passin</emphasis> option, e.g.
+				<literal>-passin pass:PASSWORD</literal>
+			</para>
+		</note>
+
+	</section>
+
 </section>