Configuring S/MIME
BlueMind webmail supports S/MIME, enabling users to encrypt and/or sign their messages. However, BlueMind does not offer a PKI solution, so it is up to the administrator to set it up and provide the PKCS#12 file(s) for each user who will be using it.
Importing trusted certification authorities (CAs)
In the S/MIME standard, trust is based on certification authorities. So, for an S/MIME client to consider an end-user certificate as trusted, the certification authority that generated it must be considered trusted.
It is the administrator's role to add the CA certificates they need and trust. At the very least, you must add the certificate of the CA used internally to generate your users' certificates.
Via CLI
To add a CA certificate, use the command:
# bm-cli certificate add-smime --domain=devenv.blue --ca=cacert.pem
And to list the CA certificates already added:
# bm-cli certificate list-smime --domain=devenv.blue
Via the administration console
See the Domain Administration
It is not possible to display the list of certificates via the admin console.
Revocation list management (CRLs)
When a CA certificate is imported, BlueMind checks whether the "X509v3 CRL Distribution Points" property is present. This property lets you specify where to find the revocation lists linked to this CA. If the BlueMind server can access them, the revocation lists will be retrieved and the webmail will check whether each certificate has been revoked.
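Before running bm-cli certificate add-smime, an administrator usually wants to confirm that the file really is a CA certificate and to see which CRL distribution points BlueMind will find in it. The script below is an added example, not part of BlueMind's tooling: it assumes openssl (1.1.1 or later) is on PATH, and the CA it generates, including the crl.example.test URL, is a constructed test fixture. The domain devenv.blue in the comment is the one used in the commands above.

```shell
#!/bin/sh
# Pre-import checks for an S/MIME CA certificate (added example, not BlueMind code).
set -eu

# ca_is_ca FILE: succeed if the PEM certificate carries basicConstraints CA:TRUE,
# i.e. it can actually act as a certification authority for end-user certificates.
ca_is_ca() {
  openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# ca_crl_urls FILE: print one URI per line from the "X509v3 CRL Distribution Points"
# extension; prints nothing when the extension is absent, in which case BlueMind
# has nowhere to fetch a revocation list from for this CA.
ca_crl_urls() {
  openssl x509 -in "$1" -noout -text | awk '
    /X509v3 CRL Distribution Points/ { in_dp = 1; next }
    in_dp && /^ *X509v3 /             { in_dp = 0 }
    in_dp && /URI:/                   { sub(/.*URI:/, ""); print }
  '
}

# ca_summary FILE: one-line verdict for the administrator before the import.
ca_summary() {
  if ! ca_is_ca "$1"; then
    printf 'REJECT: %s is not a CA certificate\n' "$1"
    return 1
  fi
  urls=$(ca_crl_urls "$1")
  if [ -z "$urls" ]; then
    printf 'OK (no CRL distribution point: revocation will not be checked)\n'
  else
    printf 'OK (CRL at: %s)\n' "$(printf '%s' "$urls" | tr '\n' ' ')"
  fi
}

# make_test_ca DIR NAME [CRL_URI]: constructed self-signed test CA (a hypothetical
# internal CA, not a real one), optionally with a CRL distribution point.
make_test_ca() {
  dir=$1; name=$2; crl=${3:-}
  set -- req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.pem" -days 1 \
    -subj "/O=Example Corp/CN=Example Internal S-MIME CA ($name)" \
    -addext "keyUsage=critical,keyCertSign,cRLSign"
  [ -z "$crl" ] || set -- "$@" -addext "crlDistributionPoints=URI:$crl"
  openssl "$@" 2>/dev/null
  printf '%s\n' "$dir/$name.pem"
}

# Demo run on a constructed CA whose CRL URL is a placeholder.
dir=$(mktemp -d)
ca=$(make_test_ca "$dir" ca "http://crl.example.test/internal-ca.crl")
ca_summary "$ca"
# Once the checks pass, the real import is:
#   bm-cli certificate add-smime --domain=devenv.blue --ca="$ca"
rm -rf "$dir"
```

The CRL URL only tells you where the list lives; whether the BlueMind server can actually reach it (firewall, proxy) still has to be checked from the server itself.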
Enable S/MIME for a user
Assign role
To enable users to encrypt and/or sign messages, they must be assigned the appropriate role.
To do this:
- Go to the page Directories > Directory entries
- Select the desired user or group
- Assign the role "Authorize S/MIME on webmail"
- Save
Import public certificates
To facilitate the exchange of encrypted messages, the administrator can add one or more public certificates to the user information. This saves users from having to import them when a recipient's certificate is missing.
To import a user's public certificate(s):
- Go to the page Directories > Directory entries
- Select the user you want to configure
- Go to the User information tab
- Click on Add more fields, then on Public Key Certificate (PEM)
- Add the certificate in PEM format
- Add an additional certificate if necessary, in the field that appears automatically once the first certificate is entered
- Save
Provide PKCS#12 files to users
Send the user their PKCS#12 file(s), depending on the certificate properties and their needs, so that they can import them into their Mail preferences to enable S/MIME encryption.
Certificates can have different properties depending on their purpose. A certificate can be used for encryption, for signing, or for both. Depending on the type of certificate, a user can therefore have several files, for example one certificate for encrypting/decrypting and another for digitally signing/verifying e-mails.
The e-mail address specified in the certificate must match the user's default e-mail address; otherwise the user will not be able to import the certificate into their preferences. In the certificate, the e-mail address is looked up in the subjectAltName extension or in the emailAddress field of the subject.
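The two points above (which address the certificate carries, and whether it is a signing or an encryption certificate) are easy to check before a PKCS#12 file is sent to a user. The script below is an added example, not BlueMind's own tooling: it assumes openssl (1.1.1 or later) is on PATH, and every certificate it generates is a constructed self-signed fixture (in a real deployment the internal CA would sign them). The addresses, names and password are placeholders; the check reads the address from the subjectAltName first and from the subject's emailAddress second, the same two places the text names, and the case-insensitive comparison is an assumption of the example.

```shell
#!/bin/sh
# Added example (not BlueMind code): e-mail and key-usage checks on a user's S/MIME
# certificate, plus the PKCS#12 bundle handed to the user.
set -eu

# cert_email FILE: print the e-mail address of a PEM certificate, looking first at
# the subjectAltName rfc822Name (printed as "email:" by openssl) and then at the
# subject's emailAddress attribute. Prints nothing if neither is present.
cert_email() {
  text=$(openssl x509 -in "$1" -noout -text)
  san=$(printf '%s\n' "$text" \
    | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' | sed -n 's/^ *email:\(.*\)$/\1/p' | head -n 1)
  if [ -n "$san" ]; then
    printf '%s\n' "$san"
  else
    printf '%s\n' "$text" \
      | sed -n 's/^ *Subject:.*emailAddress *= *\([^,]*\).*/\1/p' | head -n 1
  fi
}

# cert_matches_user FILE ADDRESS: succeed only if the certificate carries ADDRESS
# (compared case-insensitively, an assumption of this example).
cert_matches_user() {
  found=$(cert_email "$1" | tr 'A-Z' 'a-z')
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ -n "$found" ] && [ "$found" = "$want" ]
}

# cert_usage FILE: "sign", "encrypt", "sign+encrypt" or "none", from X509v3 Key Usage.
cert_usage() {
  ku=$(openssl x509 -in "$1" -noout -text | awk '/X509v3 Key Usage/ { getline; print; exit }')
  u=""
  case "$ku" in *"Digital Signature"*) u="sign" ;; esac
  case "$ku" in *"Key Encipherment"*) u="${u:+$u+}encrypt" ;; esac
  printf '%s\n' "${u:-none}"
}

# make_p12 CERT KEY OUT PASSWORD: bundle certificate and private key into the
# PKCS#12 file the user imports into their Mail preferences.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# p12_cert P12 PASSWORD OUTPEM: extract the end-user certificate from a PKCS#12 file.
p12_cert() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$3" 2>/dev/null
}

# make_user_cert DIR NAME SUBJECT KEYUSAGE [SAN_EMAIL]: constructed test certificate.
make_user_cert() {
  dir=$1; name=$2; subj=$3; ku=$4; san=${5:-}
  set -- req -x509 -newkey rsa:2048 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.pem" -days 1 -subj "$subj" \
    -addext "keyUsage=critical,$ku" -addext "extendedKeyUsage=emailProtection"
  [ -z "$san" ] || set -- "$@" -addext "subjectAltName=email:$san"
  openssl "$@" 2>/dev/null
}

dir=$(mktemp -d)
# Alice: address in subjectAltName, signing-only certificate.
make_user_cert "$dir" alice "/CN=Alice Example" digitalSignature alice@example.test
# Bob: address only in the subject's emailAddress field, encryption-only certificate.
make_user_cert "$dir" bob "/CN=Bob Example/emailAddress=bob@example.test" keyEncipherment

for u in alice bob; do
  printf '%s: %s (%s)\n' "$u" "$(cert_email "$dir/$u.pem")" "$(cert_usage "$dir/$u.pem")"
done
cert_matches_user "$dir/alice.pem" "Alice@Example.test" && echo "alice: address matches"
cert_matches_user "$dir/alice.pem" "bob@example.test" || echo "alice: does not match bob's address"

# Bundle Alice's certificate and key, then read the address back out of the bundle.
make_p12 "$dir/alice.pem" "$dir/alice.key" "$dir/alice.p12" "constructed-demo-password"
p12_cert "$dir/alice.p12" "constructed-demo-password" "$dir/alice-from-p12.pem"
cert_email "$dir/alice-from-p12.pem"
rm -rf "$dir"
```

A user with both a signing and an encryption certificate gets two PKCS#12 files; cert_usage tells you which is which before you label them for the user.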