Testing S/MIME

Merijn Schering, August 24, 2023

We're working on the next major release, version 6.8. We want to include support for PHP 8.2 in that release. One of the things we needed to do was replace the old mail component SwiftMailer, which is now deprecated. We've chosen to use PHPMailer instead because of its simplicity and because it has no dependencies on other libraries. It lacked only full support for S/MIME signing and encrypting, so we've extended PHPMailer and implemented these features.

To test S/MIME I needed a certificate that I could use for signing, encrypting and verifying. I used openssl to generate my certificate on the command line:

Create certificate authority

The first step is to create your own Certificate Authority (CA):

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Enter the required information in the prompts.
Your CA is not trusted by the regular mail clients, so you will have to install and trust your CA on your system,
for example in the Mac OS keychain or in Thunderbird.

Create E-Mail Certificate Request

Then I created a certificate request for my test e-mail address. You need one for each address you'd like to send from:

openssl genrsa -des3 -out test.key 4096
openssl req -new -key test.key -out test.csr

Enter the required information in the prompts.

Sign the certificate request

Your certificate request needs to be signed by the CA you've just created using this command:

openssl x509 -req -days 365 -in test.csr -CA ca.crt \
    -CAkey ca.key -set_serial 1 \
    -out test.crt -setalias "My Test E-Mail Certificate" \
    -addtrust emailProtection \
    -addreject clientAuth -addreject serverAuth -trustout

This will output the "test.crt" file which is your signed certificate.

Create a PKCS12 file

We use a .p12 file in PKCS12 format to exchange the certificate together with its private key. We can upload this into Group-Office.

openssl pkcs12 -export -in test.crt -inkey test.key \
    -out test.p12

You can now use "test.p12" in Group-Office or install it in other software like the Apple Keychain or Thunderbird.
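The four steps above as one non-interactive script, with a self-check at the end. This is an added example, not the post's own commands or Group-Office code. It assumes OpenSSL 1.1.1 or newer on PATH; the CA and user names, the address tester@example.test and the passphrase testpass are made up for the script. It goes beyond the post in two ways: the -addtrust and -addreject flags above only record OpenSSL's own trust attributes in the TRUSTED CERTIFICATE output and add no X.509 extensions, so this script instead writes the e-mail address (subjectAltName) and the emailProtection extended key usage into the certificate itself, which is what mail clients look at; and before you import anything it signs, verifies, encrypts and decrypts a sample message with openssl cms, trusting only the new CA.

```shell
#!/bin/sh
# Added example (not from the post or Group-Office): a non-interactive version
# of the CA -> CSR -> signed e-mail certificate -> .p12 procedure, followed by
# a self-check with openssl cms. Assumes OpenSSL 1.1.1+ on PATH. Names, the
# address and the passphrase are made up for this script.
set -eu

make_smime_pki() {
    dir="$1"    # scratch directory that receives every artifact
    mail="$2"   # sender address that must appear in the certificate
    pass="$3"   # passphrase for the private keys and the exported .p12

    # Step 1: private CA. The config replaces the interactive prompts and
    # marks the certificate as a CA that may sign other certificates.
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = Example Test SMIME CA
O = Example Test
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/ca.key" 4096
    openssl req -new -x509 -days 365 -config "$dir/ca.cnf" \
        -key "$dir/ca.key" -passin "pass:$pass" -out "$dir/ca.crt"

    # Step 2: key and certificate request for the e-mail address.
    cat > "$dir/test.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Test User
emailAddress = $mail
EOF
    openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/test.key" 4096
    openssl req -new -config "$dir/test.cnf" \
        -key "$dir/test.key" -passin "pass:$pass" -out "$dir/test.csr"

    # Step 3: sign the request with the CA. Unlike -addtrust/-addreject, the
    # extensions below go into the certificate itself, so any client sees
    # the address (subjectAltName) and the e-mail purpose (extendedKeyUsage).
    cat > "$dir/smime_ext.cnf" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$mail
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF
    openssl x509 -req -days 365 -in "$dir/test.csr" -set_serial 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$pass" \
        -extfile "$dir/smime_ext.cnf" -out "$dir/test.crt"

    # The chain must validate for both S/MIME purposes before going further.
    openssl verify -purpose smimesign -CAfile "$dir/ca.crt" "$dir/test.crt"
    openssl verify -purpose smimeencrypt -CAfile "$dir/ca.crt" "$dir/test.crt"

    # Step 4: PKCS#12 bundle with certificate, private key and the issuing CA.
    openssl pkcs12 -export -in "$dir/test.crt" -inkey "$dir/test.key" \
        -passin "pass:$pass" -certfile "$dir/ca.crt" \
        -name "My Test E-Mail Certificate" \
        -out "$dir/test.p12" -passout "pass:$pass"

    # Self-check on a constructed message body: sign and verify, then
    # encrypt and decrypt, trusting nothing but our own CA.
    printf 'hello from the test CA\n' > "$dir/body.txt"
    openssl cms -sign -text -in "$dir/body.txt" -signer "$dir/test.crt" \
        -inkey "$dir/test.key" -passin "pass:$pass" -out "$dir/signed.eml"
    openssl cms -verify -text -in "$dir/signed.eml" -CAfile "$dir/ca.crt" \
        -out "$dir/verified.txt"
    openssl cms -encrypt -aes256 -in "$dir/body.txt" -recip "$dir/test.crt" \
        -out "$dir/encrypted.eml"
    openssl cms -decrypt -in "$dir/encrypted.eml" -recip "$dir/test.crt" \
        -inkey "$dir/test.key" -passin "pass:$pass" -out "$dir/decrypted.txt"
}

SMIME_DEMO_DIR=$(mktemp -d)
make_smime_pki "$SMIME_DEMO_DIR" "tester@example.test" "testpass"
echo "artifacts written to $SMIME_DEMO_DIR (test.p12 is ready to import)"
```

Run it as-is and import the resulting test.p12 the same way as the hand-made one; openssl verify -purpose smimesign is also the quickest way to tell whether a certificate that a mail client rejects is missing the signing key usage or the emailProtection purpose. One caveat: OpenSSL 3 writes .p12 files with AES-256 and PBKDF2 by default, and some older importers only understand the legacy RC2/3DES encoding, which openssl pkcs12 -export -legacy still produces.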

Trusting your CA in Group-Office

Your certificate is issued by your own self-signed CA and will not validate unless you specify that your Certificate Authority is trusted. You can do that with a config option in config.php:

$config['smime_root_cert_location'] = "/etc/groupoffice/ssl/ca.crt";

Add this option in /etc/groupoffice/config.php and put the ca.crt in /etc/groupoffice/ssl/ca.crt. Now Group-Office will validate your certificate.

Follow our documentation on how to set up S/MIME in your Group-Office account.
