 To Configure the S/MIME
Verify that the basic features of Communications Express Mail are working after you install Messaging Server.
If you haven’t already, create or obtain private-public key pairs, with certificates in standard X.509 v3 format, for all your mail users who have permission to use the S/MIME features.
If smart cards are used for keys and certificates:
If local key stores of the browsers are used to store keys and certificates, instruct your mail users how to download their key pairs and certificate to the local key store.
Ensure that the correct libraries are on the client machines to support smart cards or local key stores. See 24.8 Key Access Libraries for the Client Machines.
Set up your LDAP directory to support S/MIME:
Store all certificates for the CAs in the LDAP directory, accessible by Directory Server, under the distinguished name for certificate authorities. The LDAP attribute for these certificates is cacertificate;binary. Write down the directory information where you store them. You’ll need this information for a later step.
See trustedurl in Table 24–3 for an example of specifying LDAP directory information and 24.11 Managing Certificates for information to search an LDAP directory.
Store the public keys and certificates in the LDAP directory accessible by Directory Server. The LDAP attribute for public keys and certificates is usercertificate;binary. Write down the directory information where you store them. You’ll need this information for a later step.
See certurl in Table 24–3 for an example of specifying LDAP directory information and 24.11 Managing Certificates for information to search an LDAP directory.
Ensure that all users who send or receive S/MIME messages are given permission to use S/MIME with an LDAP filter in their user entries. A filter is defined with the mailAllowedServiceAccess or mailDomainAllowedServiceAccess LDAP attributes.
Note: By default, if you do not use mailAllowedServiceAccess or mailDomainAllowedServiceAccess, all services, including smime, are allowed. If you explicitly specify services with these attributes, then the services http and smtp, as well as smime, must be specified to give mail users permission to use the S/MIME features.
See 24.10 Granting Permission to Use S/MIME Features for more information.
Edit the smime.conf file with any available text editor. See comments at the beginning of the file for parameter syntax.
All text and example parameters in smime.conf are preceded with a comment character (#). You can add the parameters you need to smime.conf or copy a parameter example to another part of the file and change its value. If you copy and edit an example, be sure to remove the # character at the beginning of its line.
Add these parameters to the file, each on its own line:
trustedurl (see Table 24–3) -- set to the LDAP directory information to locate the certificates of the CAs. Use the information you saved from Step a.
certurl (see Table 24–3) -- set to the LDAP directory information to locate the public keys and certificates. Use the information you saved from Step b.
usercertfilter (see Table 24–3) -- set to the value of the example in the smime.conf file. The example value is almost always the filter you want. Copy the example and delete the # character at the beginning of the line.
This parameter specifies a filter definition for the primary, alternate, and equivalent email addresses of a Communications Express Mail user to ensure that all of a user’s private-public key pairs are found when the key pairs are assigned to different mail addresses.
sslrootcacertsurl (see Table 24–3) -- if you are using SSL for the communications link between the S/MIME applet and Messaging Server, set sslrootcacertsurl with the LDAP directory information to locate the certificates of CAs that are used to verify the Messaging Server’s SSL certificates. See 24.7 Securing Internet Links With SSL for more information.
checkoverssl (see Table 24–3) -- set to 0 if you are not using SSL for the communications link between the S/MIME applet and Messaging Server.
crlenable (see Table 24–3) -- set to 0 to disable CRL checking for now, because doing CRL checking might require adding other parameters to the smime.conf file.
logindn and loginpw (see Table 24–3) -- if the LDAP directory that contains the public keys and CA certificates requires authentication to access it, set these parameters to the distinguished name and password of the LDAP entry that has read permission.
Note: The values of logindn and loginpw are used whenever the LDAP directory is accessed with the LDAP information specified by the crlmappingurl, sslrootcacertsurl, or trustedurl parameters. See 24.5 Parameters of the smime.conf File and 24.4.3 Accessing LDAP for Public Keys, CA certificates and CRLs Using Credentials for more information.
Do not set logindn and loginpw if authentication is not required to access the LDAP directory.
Set the Messaging Server options with configutil:
local.webmail.smime.enable -- set to 1.
local.webmail.cert.enable -- set to 1 if you want to verify certificates against a CRL.
See 24.6 Messaging Server Options for more information.
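Before restarting the server, the smime.conf settings from the steps above can be sanity-checked offline. The following is an added example, not Messaging Server code; it assumes active parameters are one name=value line each (the exact separator is not stated here, so one or more = signs are accepted), that trustedurl and certurl are RFC 4516 style ldap:// URLs, and uses a constructed sample file with placeholder host and DNs:

```python
import re
from urllib.parse import urlsplit

REQUIRED = ("certurl", "trustedurl", "usercertfilter")  # no default value (starred below)
LDAP_ATTR = {"certurl": "usercertificate;binary", "trustedurl": "cacertificate;binary"}
_PARAM = re.compile(r"^\s*([A-Za-z]+)\s*=+\s*(.*?)\s*$")  # assumed name=value lines

def parse_smime_conf(text):
    """Return {name: value} for active parameter lines; '#' lines are skipped."""
    params = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _PARAM.match(line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params

def check_ldap_url(name, url, attr):
    """Check host, base DN and attribute list of ldap://host/dn?attrs?scope?filter."""
    u = urlsplit(url)
    if u.scheme not in ("ldap", "ldaps") or not u.hostname:
        return f"{name}: not an ldap:// URL with a host"
    if not u.path.strip("/"):
        return f"{name}: missing base DN"
    if attr not in u.query.split("?")[0].lower().split(","):
        return f"{name}: should request the {attr} attribute"
    return None

def check_smime_conf(params, ssl_link):
    """List problems against the configuration steps described above."""
    problems = [f"{n}: required, no default value" for n in REQUIRED if not params.get(n)]
    for name, attr in LDAP_ATTR.items():
        if params.get(name):
            problem = check_ldap_url(name, params[name], attr)
            if problem:
                problems.append(problem)
    if bool(params.get("logindn")) != bool(params.get("loginpw")):
        problems.append("logindn and loginpw must be set together or not at all")
    if not ssl_link and params.get("checkoverssl") not in (None, "0"):
        problems.append("checkoverssl must be 0 when the applet link is not over SSL")
    if ssl_link and not params.get("sslrootcacertsurl"):
        problems.append("sslrootcacertsurl is needed to verify the server's SSL certificate")
    return problems

# Constructed sample: host, DNs and the '=' syntax are placeholders, not a real site.
SAMPLE = """trustedurl=ldap://ldap.example.invalid:389/ou=cas,o=example?cacertificate;binary?sub?
certurl=ldap://ldap.example.invalid:389/ou=people,o=example?mail?sub?
logindn=cn=smime reader,ou=people,o=example
checkoverssl=1
"""
```

Run `check_smime_conf(parse_smime_conf(SAMPLE), ssl_link=False)` on the sample to see four findings: the missing usercertfilter, a certurl that fetches the wrong attribute, a logindn without loginpw, and checkoverssl=1 without an SSL link.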
Communications Express Mail is now configured for the S/MIME features. Verify that the S/MIME features are working with the following steps:
Restart the Messaging Server.
Check the Messaging Server log file, msg-svr-base/log/http, for diagnostic messages relating to S/MIME.
If any problems were detected for S/MIME, the diagnostic messages help you determine how to correct the problem with the configuration parameters.
Correct the necessary configuration parameters.
Repeat Steps a. through d. until there are no more diagnostic messages for S/MIME in the Messaging Server’s log file.
Check that the S/MIME features are working with the following steps:
Log in to Messaging Server from a client machine. Answer the special prompts for the S/MIME applet with Yes or Always. See 24.11 Managing Certificates.
Compose a short message, addressed to yourself.
Encrypt your message by checking the Encrypt checkbox at the bottom of the Compose window if it is not already checked.
Click Send to send the encrypted message to yourself. This should exercise most of the mechanisms for keys and certificates.
If you find problems with the encrypted message, the most likely causes are the values you used for LDAP directory information in the smime.conf file or the way keys and certificates are stored in the LDAP directory. Check the Messaging Server log for more diagnostic messages.
The remaining S/MIME parameters, summarized in the table below, provide many options you might want to use to further configure your S/MIME environment. See 24.5 Parameters of the smime.conf File for more information about the parameters.
| Required Parameters for S/MIME | Parameters for Smart Cards and Local Key Stores | Parameters for CRL Checking | Parameters for Initial Settings and Secured Links |
|---|---|---|---|
| certurl* | platformwin | checkoverssl | alwaysencrypt |
| logindn | | crlaccessfail | alwayssign |
| loginpw | | crldir | sslrootcacertsurl |
| trustedurl* | | crlenable | |
| usercertfilter* | | crlmappingurl | |
| | | crlurllogindn | |
| | | crlurlloginpw | |
| | | crlusepastnextupdate | |
| | | readsigncert | |
| | | revocationunknown | |
| | | sendencryptcert | |
| | | sendencryptcertrevoked | |
| | | sendsigncert | |
| | | sendsigncertrevoked | |
| | | timestampdelta | |

* You must specify a value for these parameters because they have no default value.