Configuring S/MIME
BlueMind's webmail supports S/MIME and requires a PKCS#12 file for each user. However, BlueMind does not offer a PKI solution; one must be set up and maintained by the organization's administrator.
Importing trusted certification authorities (CAs)
In the S/MIME standard, trust is based on certification authorities. So, for an S/MIME client to consider an end-user certificate as trusted, the certification authority that generated it must be considered trusted.
It's the administrator's role to add the CA certificates he needs and trusts. At the very least, you need to add the certificate of the CA used internally to generate your users' certificates.
Via CLI
To add a CA certificate, use the command:
# bm-cli certificate add-smime --domain=devenv.blue --ca=cacert.pem
And to list the CA certificates already added:
# bm-cli certificate list-smime --domain=devenv.blue
Via the administration console
See the Domain Administration
It is not possible to display the list of certificates via the admin console.
Revocation list management (CRLs)
When a CA certificate is imported, BlueMind checks whether the "X509v3 CRL Distribution Points" property is present. This property lets you specify where to find the revocation lists linked to this CA. If the BlueMind server can access them, the revocation lists will be retrieved and the webmail will check whether each certificate has been revoked.
Enabling S/MIME for users
Assign role
To enable a user to encrypt and/or sign messages, the appropriate role must be assigned.
To do this:
- Go to Directories > Directory entries
- Select the desired user or group
- Assign the role "Authorize S/MIME on webmail"
- Save
Provide PKCS#12 files to users
Each of your users wishing to use S/MIME in their webmail will need to import a PKCS#12 file.
Please note that the e-mail address specified in the certificate must match the user's default e-mail address, otherwise the user will not be able to import the certificate into his preferences.
In the certificate, the mail address is searched for in the subjectAltName property or in the emailAddress subject field.
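As an added example (not BlueMind's own tooling), the following script shows two checks an administrator can run with openssl before distributing a PKCS#12 file or importing a CA: whether a user certificate carries the user's default address in its subjectAltName or subject emailAddress (the rule described above), and whether a CA certificate advertises X509v3 CRL Distribution Points (the property BlueMind looks for when it imports a CA). The certificates, names and addresses are constructed throwaway samples.

```shell
#!/bin/sh
# Added example, not BlueMind code: pre-checks for S/MIME certificates with openssl.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Print every e-mail address found in a certificate (subjectAltName rfc822Name
# entries and the subject emailAddress field), lower-cased, one per line.
cert_emails() {
    openssl x509 -in "$1" -noout -email | tr 'A-Z' 'a-z' | sort -u
}

# Return 0 if the certificate carries the user's default address, 1 otherwise
# (case-insensitive, whole-string match so a prefix or suffix cannot pass).
cert_matches_user() {
    expected="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    cert_emails "$1" | grep -qxF -- "$expected"
}

# Return 0 if a CA certificate advertises X509v3 CRL Distribution Points.
ca_has_crl_dp() {
    openssl x509 -in "$1" -noout -text | grep -q 'X509v3 CRL Distribution Points'
}

# Constructed sample: a self-signed user cert (address in both SAN and subject,
# with differing case) and a self-signed "CA" cert that points at a CRL URI.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/alice.key" -out "$WORK/alice.pem" \
    -subj "/CN=Alice Example/emailAddress=Alice@example.test" \
    -addext "subjectAltName=email:alice@example.test" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Example Internal CA" \
    -addext "crlDistributionPoints=URI:http://crl.example.test/ca.crl" 2>/dev/null

if cert_matches_user "$WORK/alice.pem" "alice@example.test"; then
    echo "alice.pem: address matches the user's default address"
fi
if ! cert_matches_user "$WORK/alice.pem" "bob@example.test"; then
    echo "alice.pem: would be refused for bob@example.test"
fi
if ca_has_crl_dp "$WORK/ca.pem"; then
    echo "ca.pem: CRL Distribution Points present, CRLs can be fetched"
fi
```

A user certificate that fails cert_matches_user will be refused at import in the user's preferences, so this is the check to run on the PKCS#12 before handing it over.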