Commit

Updated PHPDoc and added new configs in Admin Guide
Created a new 'S/MIME signature' section under Config / Email.

Issue #25764
dregad committed Jan 8, 2021
1 parent 1bf2f04 commit 741d91f
Showing 2 changed files with 106 additions and 4 deletions.
19 changes: 15 additions & 4 deletions config_defaults_inc.php
Expand Up @@ -757,14 +757,18 @@
$g_email_dkim_identity = 'noreply@example.com';

/**
* Path to mail certification file
* Path to the S/MIME certificate.
*
* The file must contain a PEM-encoded certificate.
*
* @global string $g_email_smime_cert_file
*/
$g_email_smime_cert_file = '';

/**
* Path to mail private key file
* Path to the S/MIME private key file.
*
* The file must contain a PEM-encoded private key matching the S/MIME certificate.
*
* @see $g_email_smime_cert_file
*
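Review bot: The doc blocks for $g_email_smime_cert_file and $g_email_smime_key_file both say "Path to ..." without stating whether the path must be absolute or what a relative path would be resolved against. Suggest stating that in both blocks. For the key file, a further line would help, saying that the file holds a private key and should be readable only by the account the web server runs as, and kept outside the web root.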
Expand All @@ -773,14 +777,21 @@
$g_email_smime_key_file = '';

/**
* mail private key pass
* Password for the S/MIME private key.
*
* Leave blank if the private key is not protected by a passphrase.
* @see $g_email_smime_key_file
*
* @global string $g_email_smime_key_password
*/
$g_email_smime_key_password = '';

/**
* Path to mail extra certification file
* Optional path to S/MIME extra certificates.
*
* The file must contain one (or more) PEM-encoded certificates, which will be
* included in the signature to help the recipient verify the certificate
* specified in {@see $g_email_smime_cert_file} ("CA Chain").
*
* @global string $g_email_smime_extracerts_file
*/
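Review bot: The $g_email_smime_key_password block documents a value that is kept as a plain string in the configuration file, and the comment does not say so. Suggest one sentence reminding administrators to restrict read access to the configuration file when this option is set. Style points in the same hunk: there is no blank " *" line between "Leave blank if the private key is not protected by a passphrase." and the @see tag, unlike the key-file block; the summary says "Password" while the next sentence says "passphrase"; and the extracerts block uses an inline {@see $g_email_smime_cert_file} where the other blocks use a separate @see tag.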
91 changes: 91 additions & 0 deletions docbook/Admin_Guide/en-US/config/email.xml
Expand Up @@ -554,4 +554,95 @@ $g_notify_flags['new'] = array(
</listitem>
</itemizedlist>
</para>

<section id="admin.config.email.smime">
<title>S/MIME signature</title>

<variablelist>
<varlistentry>
<term>$g_email_smime_cert_file</term>
<listitem>
<para>Path to the
<ulink url="https://en.wikipedia.org/wiki/S/MIME">S/MIME</ulink>
certificate.
</para>
<para>The file must contain a
<ulink url="https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail">PEM-encoded</ulink>
certificate.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$g_email_smime_key_file</term>
<listitem>
<para>Path to the S/MIME private key file.</para>
<para>The file must contain a PEM-encoded private key
matching the S/MIME certificate.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$g_email_smime_key_password</term>
<listitem>
<para>Password for the S/MIME private key.</para>
<para>Leave blank if the private key is not protected
by a passphrase.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>$g_email_smime_extracerts_file</term>
<listitem>
<para>Optional path to S/MIME extra certificates.</para>
<para>The file must contain one (or more) PEM-encoded
certificates, which will be included in the signature to
help the recipient verify the certificate specified in
<emphasis>$g_email_smime_cert_file</emphasis>
("CA Chain").
</para>
</listitem>
</varlistentry>
</variablelist>

<note>
<para>MantisBT expects the S/MIME certificates and the private key
files to be in
<ulink url="https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail">PEM</ulink>
format.
If you have a <ulink url="https://en.wikipedia.org/wiki/PKCS_12">PKCS12</ulink>
encrypted certificate (typically with a .pfx or .p12 extension),
you may use the following <literal>openssl</literal> commands
to extract and convert the individual elements:
</para>
<itemizedlist>
<listitem>
<para>Certificate</para>
<programlisting>
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt
</programlisting>
</listitem>
<listitem>
<para>Extra certificates ("CA chain")</para>
<programlisting>
openssl pkcs12 -in cert.pfx -cacerts -nokeys -out ca-chain.crt
</programlisting>
</listitem>
<listitem>
<para>Private key
(<literal>-passout</literal> specifies the private key's password)
</para>
<programlisting>
openssl pkcs12 -in cert.pfx -nocerts -out cert.key -passout pass:
</programlisting>
</listitem>
</itemizedlist>
<para>If the input file is protected, openssl will ask for the password;
alternatively, you can specify it on the command-line with the
<emphasis>-passin</emphasis> option, e.g.
<literal>-passin pass:PASSWORD</literal>
</para>
</note>

</section>

</section>
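
Review bot: In the "Private key" list item the example command ends with "-passout pass:" and nothing after the colon, so copied as written it supplies an empty password, while the text beside it says -passout specifies the private key's password. Suggest a placeholder such as "-passout pass:PASSWORD", matching what the closing paragraph does for -passin, plus a sentence saying that the value chosen here is the one to enter in $g_email_smime_key_password. Both examples put the password on the command line; openssl also accepts "env:" and "file:" password sources, which is worth mentioning as an alternative. Minor: -passin is marked up with <emphasis> while -passout and the sample value use <literal>, and the last sentence of the note has no terminating period.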
