Re: [rt-users] S/MIME signed emails are detected as non-plaintext
On 20/08/2014 18:33, Alex Vandiver wrote:
> On 08/18/2014 11:12 AM, m...@fv-berlin.de wrote:
>> we're running RT 4.2.5 and have noticed a minor annoyance.
>>
>> When you send an S/MIME-signed (not encrypted!) mail to RT to create a
>> ticket, the email body will be added as quoted text because "it's not
>> plain text". You can click on the quoted text to read it perfectly fine,
>> but this is still somewhat of an annoyance. Is this behaviour something
>> I can configure, maybe in a list of acceptable content-types or something?
>
> Can you try enabling RT's S/MIME support, and see how that improves
> things? See:
>
> http://docs.bestpractical.com/RT_Config.html#Cryptography
> http://docs.bestpractical.com/RT/Crypt.html#CONFIGURATION
> http://docs.bestpractical.com/RT/Crypt/SMIME.html#CONFIGURATION
>
> The following should be a minimal implementation:
>
> Set( %SMIME,
>     Enable => 1,
>     AcceptUntrustedCAs => 1,
> );
>
> Set(@MailPlugins, 'Auth::MailFrom', 'Auth::Crypt' );
>
>
> - Alex
>

That does seem to work, although I had to add the keyring and CAPath
options because otherwise the rt-fulltext-indexer cron job would send an
error email every 5 minutes indicating it didn't find the keyring.

Now there's no log entries regarding s/mime whatsoever. This is good and bad:

- good because emails in RT show up perfectly fine now. The change is not
  retroactive, but I didn't expect that, that's fine.
- bad because if you try to sign outgoing response emails, the sent emails
  are empty (if "Sign" is left unchecked, they are fine). It is entirely
  possible this is an error on my end putting a wrong/incomplete keyfile
  there, but at least I would've hoped to find some INFO/WARN/ERR-type log
  entries regarding that, but sadly not. I might enable debug-logging and
  see what's going on later.

Thanks for the help!

--
RT Training - Boston, September 9-10
http://bestpractical.com/training
Re: [rt-users] S/MIME signed emails are detected as non-plaintext
On 08/18/2014 11:12 AM, m...@fv-berlin.de wrote:
> we're running RT 4.2.5 and have noticed a minor annoyance.
>
> When you send an S/MIME-signed (not encrypted!) mail to RT to create a
> ticket, the email body will be added as quoted text because "it's not
> plain text". You can click on the quoted text to read it perfectly fine,
> but this is still somewhat of an annoyance. Is this behaviour something
> I can configure, maybe in a list of acceptable content-types or something?

Can you try enabling RT's S/MIME support, and see how that improves
things? See:

http://docs.bestpractical.com/RT_Config.html#Cryptography
http://docs.bestpractical.com/RT/Crypt.html#CONFIGURATION
http://docs.bestpractical.com/RT/Crypt/SMIME.html#CONFIGURATION

The following should be a minimal implementation:

    Set( %SMIME,
        Enable => 1,
        AcceptUntrustedCAs => 1,
    );

    Set(@MailPlugins, 'Auth::MailFrom', 'Auth::Crypt' );

 - Alex
Re: [rt-users] s/mime
On 07/31/2014 10:18 AM, Matthias Henze wrote:
> On 30.07.2014 at 17:07, Alex Vandiver wrote:
>> All tests passed, meaning that whatever problem you're having does not
>> affect our tests, which include sending mail via S/MIME. As such, it is
>> not a fundamental problem with S/MIME in your environment, but rather
>> with the data involved. At this point, we'd need a test email (possibly
>> as well as keys/certs) that triggers the behavior you're seeing, as that
>> seems to be the only common piece of the problems you're having.
>
> So what should I do next?

Provide a test email (along with relevant keys/certs as necessary) that
triggers the behavior you're seeing.

 - Alex
Re: [rt-users] s/mime
On 30.07.2014 at 17:07, Alex Vandiver wrote:
> On 07/30/2014 02:16 AM, Matthias Henze wrote:
>> OK, I see ... here are the results:
>> [snip]
>
> All tests passed, meaning that whatever problem you're having does not
> affect our tests, which include sending mail via S/MIME. As such, it is
> not a fundamental problem with S/MIME in your environment, but rather
> with the data involved. At this point, we'd need a test email (possibly
> as well as keys/certs) that triggers the behavior you're seeing, as that
> seems to be the only common piece of the problems you're having.

So what should I do next?

--
MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany
voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: i...@mhcsoftware.de
HR Coburg: B2242
Managing Director: Matthias Henze
Re: [rt-users] s/mime
On 07/30/2014 02:16 AM, Matthias Henze wrote:
> OK, I see ... here are the results:
> [snip]

All tests passed, meaning that whatever problem you're having does not
affect our tests, which include sending mail via S/MIME. As such, it is
not a fundamental problem with S/MIME in your environment, but rather
with the data involved. At this point, we'd need a test email (possibly
as well as keys/certs) that triggers the behavior you're seeing, as that
seems to be the only common piece of the problems you're having.

 - Alex
Re: [rt-users] s/mime
On 29.07.2014 21:33, Alex Vandiver wrote:
> On 07/29/2014 08:23 AM, Matthias Henze wrote:
>> On 28.07.2014 at 22:57, Alex Vandiver wrote:
>>> What version of MIME::Parser? You can check by running
>>> perl -MMIME::Parser\ 99
>>
>> root@rt:~# perl -MMIME::Parser\ 99
>> MIME::Parser version 99 required--this is only version 5.505.
>> BEGIN failed--compilation aborted.
>
> Hm, OK. Unfortunately, nothing particularly telling there.
>
>> Bailout called. Further testing stopped: RT_DBA_USER and
>> RT_DBA_PASSWORD environment variables need to be set in order to run
>> 'make test'
>>
>> Then I set the two variables by export and got:
>
> Those two should be set to the username and password of a user which has
> the right to create and drop databases. The errors you show imply that
> it failed to create the database.

OK, I see ... here are the results:

    root@rt:/tmp/rt-4.2.6# prove -wl t/{crypt,mail,web}/smime/*.t
    t/crypt/smime/attachments-in-db.t . ok
    t/crypt/smime/bad-recipients.t ok
    t/crypt/smime/status-string.t . ok
    t/mail/smime/incoming.t ... ok
    t/mail/smime/other-signed.t ... ok
    t/mail/smime/outgoing.t ... ok
    t/mail/smime/realmail.t ... ok
    t/mail/smime/reject_on_unencrypted.t .. ok
    t/web/smime/outgoing.t ok
    All tests successful.
    Files=9, Tests=720, 254 wallclock secs ( 0.37 usr 0.10 sys + 145.24 cusr 32.12 csys = 177.83 CPU)
    Result: PASS

--
MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany
voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: i...@mhcsoftware.de
HR Coburg: B2242
Managing Director: Matthias Henze
Re: [rt-users] s/mime
On 07/29/2014 08:23 AM, Matthias Henze wrote:
> On 28.07.2014 at 22:57, Alex Vandiver wrote:
>> What version of MIME::Parser? You can check by running
>> perl -MMIME::Parser\ 99
>
> root@rt:~# perl -MMIME::Parser\ 99
> MIME::Parser version 99 required--this is only version 5.505.
> BEGIN failed--compilation aborted.

Hm, OK. Unfortunately, nothing particularly telling there.

> Bailout called. Further testing stopped: RT_DBA_USER and
> RT_DBA_PASSWORD environment variables need to be set in order to run
> 'make test'
>
> Then I set the two variables by export and got:

Those two should be set to the username and password of a user which has
the right to create and drop databases. The errors you show imply that
it failed to create the database.

 - Alex
Re: [rt-users] s/mime
On 28.07.2014 at 22:57, Alex Vandiver wrote:
> What version of MIME::Parser? You can check by running
> perl -MMIME::Parser\ 99

    root@rt:~# perl -MMIME::Parser\ 99
    MIME::Parser version 99 required--this is only version 5.505.
    BEGIN failed--compilation aborted.

>
> Needless to say, local tests don't show doubled newlines, so determining
> a way to replicate this for us would be quite useful.
>
> It might be instructive to run RT's test suite and see if that passes
> for you. You'll need to re-run configure with --enable-developer, which

did this:

    root@rt:/tmp/rt-4.2.6# ./configure --with-web-user=www-data --with-web-group=www-data --enable-graphviz --enable-gd --enable-smime --with-db-dba=postgres --with-db-type=Pg --enable-developer

> will add some additional perl dependencies for 'make testdeps' to
> install.

...
All dependencies have been found.

> You'll then be able to run RT's tests:
>
> $ prove -wl t/{crypt,mail,web}/smime/*.t
> t/crypt/smime/attachments-in-db.t . ok
> t/crypt/smime/bad-recipients.t ok
> t/crypt/smime/status-string.t . ok
> t/mail/smime/incoming.t ... ok
> t/mail/smime/other-signed.t ... ok
> t/mail/smime/outgoing.t ... ok
> t/mail/smime/realmail.t ... ok
> t/mail/smime/reject_on_unencrypted.t .. ok
> t/web/smime/outgoing.t ok
> All tests successful.
> Files=9, Tests=720, 214 wallclock secs ( 0.40 usr 0.06 sys +
> 155.68 cusr 11.91 csys = 168.05 CPU)
> Result: PASS

Did not work - first try:

    Bailout called. Further testing stopped: RT_DBA_USER and RT_DBA_PASSWORD
    environment variables need to be set in order to run 'make test'

Then I set the two variables by export and got:

    t/crypt/smime/attachments-in-db.t . Connect Failed FATAL: Datenbank >>rt4test<< existiert nicht
     at /tmp/rt-4.2.6/lib/RT/Test.pm line 643.
    BEGIN failed--compilation aborted at t/crypt/smime/attachments-in-db.t line 4.
    t/crypt/smime/attachments-in-db.t . 1/?

and several pages of other errors ...

--
MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany
voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: i...@mhcsoftware.de
HR Coburg: B2242
Managing Director: Matthias Henze
Re: [rt-users] s/mime
On 07/28/2014 01:13 PM, Matthias Henze wrote:
> On 28.07.2014 at 18:15, Alex Vandiver wrote:
>> On 07/26/2014 10:44 AM, Matthias Henze wrote:
>>> Key and certificate get detected and displayed by the queue. I want all
>>> messages to be signed. When I enable "Sign all auto-generated mail."
>>> auto-generated mails get signed and then destroyed by duplicating all
>>> newlines. This leads to an invalid signed message.
>>
>> Interesting -- what version of openssl are you using,
>
> root@rt:~# dpkg -l | grep openssl
> ii openssl 1.0.1e-2+deb7u11 amd64
>
>> and are you using HTML templates?
>
> No

What version of MIME::Parser? You can check by running

    perl -MMIME::Parser\ 99

Needless to say, local tests don't show doubled newlines, so determining
a way to replicate this for us would be quite useful.

It might be instructive to run RT's test suite and see if that passes
for you. You'll need to re-run configure with --enable-developer, which
will add some additional perl dependencies for 'make testdeps' to
install. You'll then be able to run RT's tests:

    $ prove -wl t/{crypt,mail,web}/smime/*.t
    t/crypt/smime/attachments-in-db.t . ok
    t/crypt/smime/bad-recipients.t ok
    t/crypt/smime/status-string.t . ok
    t/mail/smime/incoming.t ... ok
    t/mail/smime/other-signed.t ... ok
    t/mail/smime/outgoing.t ... ok
    t/mail/smime/realmail.t ... ok
    t/mail/smime/reject_on_unencrypted.t .. ok
    t/web/smime/outgoing.t ok
    All tests successful.
    Files=9, Tests=720, 214 wallclock secs ( 0.40 usr 0.06 sys + 155.68 cusr 11.91 csys = 168.05 CPU)
    Result: PASS

 - Alex
Re: [rt-users] s/mime
On 28.07.2014 at 19:13, Matthias Henze wrote:
> On 28.07.2014 at 18:15, Alex Vandiver wrote:
>> On 07/26/2014 10:44 AM, Matthias Henze wrote:
>>> Since I've enabled s/mime no answers get sent out any more by e-mail.
>>> Auto generated mails are sent. What causes this?
>>
>> What do you mean by "no answers get sent out any more"? What do RT's
>> error logs say?
>
> When I create an answer for a ticket no mails get sent.

Wrong, I've fixed a problem in the configuration and now answers get sent
AND they are signed correctly when and ONLY when it does NOT contain
newlines. If the answer contains newlines (by typing or by a signature) all
newlines get duplicated after signing and so it breaks the signature.

--
MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany
voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: i...@mhcsoftware.de
HR Coburg: B2242
Managing Director: Matthias Henze
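The symptom reported above, as an added triage example that is not part of the original thread or of RT: an S/MIME signature covers the bytes of the signed MIME part, so any empty line added after signing invalidates it. The script classifies the line endings of a signed part and flags the "every newline duplicated" pattern in two byte-level forms; the sample part and both damaged copies are constructed, and the real cause in this report is not identified on the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);

# Classify the line endings in the raw bytes of a signed MIME part.
sub line_ending_report {
    my ($bytes) = @_;
    my %r;
    $r{crlf}     = () = $bytes =~ /(?<!\r)\r\n/g;    # canonical CRLF
    $r{bare_lf}  = () = $bytes =~ /(?<!\r)\n/g;      # LF with no CR before it
    $r{cr_cr_lf} = () = $bytes =~ /\r\r\n/g;         # CRLF converted a second time
    my $text_lines = () = $bytes =~ /[^\r\n]+/g;
    # Count places where one non-empty line directly follows another. A normal
    # part has some (its MIME headers at least); a part in which every newline
    # was duplicated has none.
    my $adjacent = () = $bytes =~ /[^\r\n]\r?\n(?=[^\r\n])/g;
    $r{doubled} = ( $text_lines >= 2 && $adjacent == 0 ) ? 1 : 0;
    return \%r;
}

# Constructed sample: the first part of a multipart/signed message, with CRLF
# line endings, as it would be handed to the signer.
my $signed = join "\r\n",
    'Content-Type: text/plain; charset="utf-8"',
    'Content-Transfer-Encoding: 7bit',
    '',
    'Hello,',
    'your ticket has been resolved.',
    '';

# Constructed damage: two byte-level forms of "all newlines get duplicated".
my @cases = (
    [ 'as signed' => $signed ],
    [ 'CRLF CRLF' => $signed =~ s/\r\n/\r\n\r\n/gr ],
    [ 'CR CR LF'  => $signed =~ s/\r\n/\r\r\n/gr ],
);

for my $case (@cases) {
    my ( $name, $bytes ) = @$case;
    my $r    = line_ending_report($bytes);
    my $same = sha256_hex($bytes) eq sha256_hex($signed) ? 'same' : 'DIFFERENT';
    printf "%-9s bytes %-9s crlf=%d bare_lf=%d cr_cr_lf=%d doubled=%d\n",
        $name, $same, @{$r}{qw(crlf bare_lf cr_cr_lf doubled)};
}
```

To run `line_ending_report` on a real message, save the signed part and read it through a filehandle opened with `<:raw` so Perl does not translate the line endings itself.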
Re: [rt-users] s/mime
On 28.07.2014 at 18:15, Alex Vandiver wrote:
> On 07/26/2014 10:44 AM, Matthias Henze wrote:
>> Key and certificate get detected and displayed by the queue. I want all
>> messages to be signed. When I enable "Sign all auto-generated mail."
>> auto-generated mails get signed and then destroyed by duplicating all
>> newlines. This leads to an invalid signed message.
>
> Interesting -- what version of openssl are you using,

    root@rt:~# dpkg -l | grep openssl
    ii openssl 1.0.1e-2+deb7u11 amd64

> and are you using HTML templates?

No

> If so, does the malformed signature persist if you
> switch to text templates, via ./etc/upgrade/switch-templates-to text ?
>
>> Since I've enabled s/mime no answers get sent out any more by e-mail.
>> Auto generated mails are sent. What causes this?
>
> What do you mean by "no answers get sent out any more"? What do RT's
> error logs say?

When I create an answer for a ticket no mails get sent. I will send logs and
example mails to your personal address.

--
MHC SoftWare GmbH
Fichtera 17
96274 Itzgrund/Germany
voice: +49-(0)9533-92006-0
fax: +49-(0)9533-92006-6
e-mail: i...@mhcsoftware.de
HR Coburg: B2242
Managing Director: Matthias Henze
Re: [rt-users] s/mime
On 07/26/2014 10:44 AM, Matthias Henze wrote:
> Key and certificate get detected and displayed by the queue. I want all
> messages to be signed. When I enable "Sign all auto-generated mail."
> auto-generated mails get signed and then destroyed by duplicating all
> newlines. This leads to an invalid signed message.

Interesting -- what version of openssl are you using, and are you using
HTML templates? If so, does the malformed signature persist if you
switch to text templates, via ./etc/upgrade/switch-templates-to text ?

> Since I've enabled s/mime no answers get sent out any more by e-mail.
> Auto generated mails are sent. What causes this?

What do you mean by "no answers get sent out any more"? What do RT's
error logs say?

 - Alex
Re: [rt-users] S/MIME
On Apr 23, 2008, at 7:42 PM, Jay Kline wrote:
> Jesse Vincent wrote:
>> On Apr 23, 2008, at 5:12 PM, Jay Kline wrote:
>>> Our organization makes heavy use of S/MIME for signatures and encryption
>>> of email, and we would like RT to indicate if a message is signed, and
>>> has a valid signature. I saw a few mentions of it in the archives, but
>>> most are old or inconclusive.
>>
>> We did a full integration for a client, but haven't found the cycles
>> to polish it for release just yet :/
>
> Would you be willing to share the patch, even if it doesn't get included in
> the release? It surely would be helpful :-)

"polish it for release" includes "remove customer-specific identifying
details" which, as you might imagine, is relatively important ;)

>>> Related to this, we use these certs for client auth in web browsers, has
>>> anyone configured RT to use client certs for auth instead of cookies, or
>>> HTTP auth?
>>
>> RT has support for HTTP auth (say, using apache's support for certs)
>> as a flag in the config file.
>
> Yep, unfortunately this makes for really ugly usernames, as Apache sets the
> username to the full DN of the cert, we would ideally like to just use the
> CN, or map it to another name entirely (like the email address).

That bit is easy. In your RT config file:

    sub RT::Interface::Web::WebCanonicalizeInfo {
        my $user = $ENV{'REMOTE_USER'};
        $user =~ s/[EMAIL PROTECTED]//i;
        return $user;
    }

> If it's not really been done, I'll probably implement something using the
> Cookie based external auth that is already out there.
>
> Jay

___
http://lists.bestpractical.com/cgi-bin/mailman/listinfo/rt-users
Community help: http://wiki.bestpractical.com
Commercial support: [EMAIL PROTECTED]
Discover RT's hidden secrets with RT Essentials from O'Reilly Media.
Buy a copy at http://rtbook.bestpractical.com
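The mapping asked for in this exchange (CN instead of the full DN), as an added example that is not code from the thread or from RT: it reuses the `RT::Interface::Web::WebCanonicalizeInfo` hook shown in the reply above and fails closed on any DN it cannot parse unambiguously. The helper `cn_from_dn`, the two DN string forms, the username allow-list and the sample DNs are assumptions of this example; how RT treats an undefined return from the hook is not shown on the page and should be confirmed for your version.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: extract the CN from a certificate subject DN given as
# "/C=US/O=Example/CN=jkline" or as "CN=jkline,O=Example,C=US".
# Fails closed (returns nothing) unless exactly one plain CN is present.
sub cn_from_dn {
    my ($dn) = @_;
    return unless defined $dn && length $dn;
    # Escapes, quoting, multi-valued RDNs and control characters: refuse
    # rather than guess how they should be parsed.
    return if $dn =~ /[\\"+\x00-\x1f]/;
    my $sep = $dn =~ m{^/} ? qr{/} : qr{\s*,\s*};
    my @cn;
    for my $rdn ( grep { length $_ } split $sep, $dn ) {
        push @cn, $1 if $rdn =~ /^CN=(.*)$/i;
    }
    return unless @cn == 1;
    # Allow-list for usernames: an assumption of this example, adjust to policy.
    return unless $cn[0] =~ /\A[A-Za-z0-9._ -]{1,64}\z/;
    return $cn[0];
}

# The hook from the reply above, returning the CN instead of the full DN.
sub RT::Interface::Web::WebCanonicalizeInfo {
    return scalar cn_from_dn( $ENV{'REMOTE_USER'} );
}

# Constructed sample DNs: two accepted forms, two that must be rejected.
for my $dn (
    '/C=US/O=Example Org/CN=jkline/emailAddress=jkline@example.org',
    'CN=jkline,O=Example Org,C=US',
    '/C=US/O=Example Org/CN=jkline/CN=other',
    'CN=j\,kline,O=Example Org,C=US',
    )
{
    local $ENV{'REMOTE_USER'} = $dn;
    my $user = RT::Interface::Web::WebCanonicalizeInfo();
    printf "%-62s => %s\n", $dn, defined $user ? $user : '(rejected)';
}
```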
Re: [rt-users] S/MIME
Jesse Vincent wrote:
>
> On Apr 23, 2008, at 5:12 PM, Jay Kline wrote:
>> Our organization makes heavy use of S/MIME for signatures and encryption
>> of email, and we would like RT to indicate if a message is signed, and
>> has a valid signature. I saw a few mentions of it in the archives, but
>> most are old or inconclusive.
>
> We did a full integration for a client, but haven't found the cycles
> to polish it for release just yet :/
>

Would you be willing to share the patch, even if it doesn't get included in
the release? It surely would be helpful :-)

>
>> Related to this, we use these certs for client auth in web browsers, has
>> anyone configured RT to use client certs for auth instead of cookies, or
>> HTTP auth?
>>
> RT has support for HTTP auth (say, using apache's support for certs)
> as a flag in the config file.
>

Yep, unfortunately this makes for really ugly usernames, as Apache sets the
username to the full DN of the cert, we would ideally like to just use the
CN, or map it to another name entirely (like the email address).

If it's not really been done, I'll probably implement something using the
Cookie based external auth that is already out there.

Jay
Re: [rt-users] S/MIME
On Apr 23, 2008, at 5:12 PM, Jay Kline wrote:
> Our organization makes heavy use of S/MIME for signatures and encryption
> of email, and we would like RT to indicate if a message is signed, and
> has a valid signature. I saw a few mentions of it in the archives, but
> most are old or inconclusive.

We did a full integration for a client, but haven't found the cycles to
polish it for release just yet :/

> Related to this, we use these certs for client auth in web browsers, has
> anyone configured RT to use client certs for auth instead of cookies, or
> HTTP auth?

RT has support for HTTP auth (say, using apache's support for certs) as a
flag in the config file.

> Jay