Sun Java System Messaging Server 6.3 Administration Guide

24.5 Parameters of the smime.conf File

The smime.conf file is included with the Messaging Server, located in the directory msg-svr-base/config/, where msg-svr-base is the directory where Messaging Server is installed. All text and parameter examples in the file are preceded with a comment character (#).

You can add parameters with your values to the smime.conf file or you can edit the parameter examples. Each parameter is written on its own line as name==value (note the double equals sign), as in the examples in Table 24–3. If using an example, copy the example to another part of the file, edit the parameter’s value, and remove the # character at the beginning of the line.

Edit smime.conf with any available text editor after you install Messaging Server. The parameter names, described in Table 24–3, are not case sensitive, and unless otherwise stated the parameters are not required to be set.
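As an added example (not part of this guide and not code shipped with Messaging Server), the following Python script reads an smime.conf fragment the way the description above implies and lists what a reviewer of the file would want to know: required parameters that are missing, bind passwords kept in clear text, and crlenable set while local.webmail.cert.enable is off. The parameter names, defaults and siroe.com URLs are taken from Table 24–3; the sample file, the function names and the ssl_enabled and webmail_cert_enable arguments (standing in for settings that live outside smime.conf) are the example's own assumptions.

```python
"""Parse and audit an smime.conf fragment.

Added example for this guide, not code shipped with Messaging Server. It
implements only what the guide states about the file: '#' comment lines,
one 'name==value' parameter per line, case-insensitive names, and the
optional '|bind-DN|password' suffix on the LDAP-URL parameters. The
required-parameter list, the SSL rule for sslrootcacertsurl and the
crlenable / local.webmail.cert.enable dependency come from Table 24-3;
everything else here is the example's own choice.
"""

# Parameters the guide marks as required, and the one required only with SSL.
REQUIRED = ("certurl", "trustedurl", "usercertfilter")
REQUIRED_WITH_SSL = ("sslrootcacertsurl",)
# Parameters whose value may carry '|bind DN|password' after the URL.
URL_WITH_CREDS = ("crlmappingurl", "sslrootcacertsurl", "trustedurl")
# Parameters that hold a bind password in clear text.
PASSWORD_PARAMS = ("loginpw", "crlurlloginpw")


def parse_smime_conf(text):
    """Return {name: value} for the active (non-comment) lines."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # comment or blank line
        name, sep, value = line.partition("==")
        if not sep:
            raise ValueError(f"line {lineno}: expected name==value, got {line!r}")
        conf[name.strip().lower()] = value.strip()    # names are case-insensitive
    return conf


def split_url_and_creds(value):
    """'URL|DN|password' -> (url, dn, password); dn and password may be None."""
    parts = [p.strip() for p in value.split("|")]
    url = parts[0]
    dn = parts[1] if len(parts) > 1 else None
    password = parts[2] if len(parts) > 2 else None
    return url, dn, password


def parse_ldap_url(url):
    """Split ldap://host[:port]/baseDN[?attrs[?scope[?filter]]] into fields."""
    if not url.lower().startswith("ldap://"):
        raise ValueError(f"not an ldap:// URL: {url!r}")
    hostport, _, tail = url[len("ldap://"):].partition("/")
    host, _, port = hostport.partition(":")
    fields = tail.split("?")
    attrs = fields[1].split(",") if len(fields) > 1 and fields[1] else []
    return {
        "host": host,
        "port": int(port) if port else 389,           # LDAP default port
        "base_dn": fields[0],
        "attributes": attrs,
        "scope": fields[2] if len(fields) > 2 and fields[2] else "base",
        "filter": fields[3] if len(fields) > 3 else "",
    }


def audit(conf, ssl_enabled=False, webmail_cert_enable=True):
    """Return the findings a reviewer of this configuration would want listed.

    ssl_enabled mirrors whether SSL is enabled in Messaging Server;
    webmail_cert_enable mirrors the local.webmail.cert.enable option, which
    lives outside smime.conf and is therefore passed in.
    """
    findings = []
    for name in REQUIRED:
        if name not in conf:
            findings.append(f"{name}: required parameter is missing")
    if ssl_enabled:
        for name in REQUIRED_WITH_SSL:
            if name not in conf:
                findings.append(f"{name}: required when SSL is enabled, but missing")
    for name in URL_WITH_CREDS:
        if name in conf:
            url, dn, password = split_url_and_creds(conf[name])
            parse_ldap_url(url)                       # raises if the URL is malformed
            if password:
                findings.append(f"{name}: clear-text bind password for {dn} in the URL")
    for name in PASSWORD_PARAMS:
        if name in conf:
            findings.append(f"{name}: clear-text bind password in smime.conf")
    if conf.get("crlenable", "1") == "1" and not webmail_cert_enable:
        findings.append("crlenable==1 but local.webmail.cert.enable is 0: CRL checking is not done")
    return findings


# Constructed sample file; values follow the guide's siroe.com examples.
SAMPLE = """\
# alwayssign==1   (commented-out example, ignored by the parser)
alwaysencrypt==0
AlwaysSign==1
certurl==ldap://mail.siroe.com:389/ou=people,o=siroe.com,o=ugroot
trustedurl==ldap://mail.siroe.com:389/cn=Directory Manager,ou=people,o=siroe.com,o=ugroot?cacertificate?sub?(objectclass=certificationauthority)|cn=Directory Manager|pAsSwOrD
crlenable==1
loginpw==SkyKing
"""

if __name__ == "__main__":
    for finding in audit(parse_smime_conf(SAMPLE), ssl_enabled=True):
        print(finding)
```

Run against the constructed sample with SSL enabled, the audit reports four items: usercertfilter missing, sslrootcacertsurl missing, the clear-text password embedded in trustedurl, and the clear-text loginpw. The parser deliberately rejects lines without "==" rather than guessing, so a wrapped example copied from the printed guide across two lines is caught as an error instead of being silently ignored.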

Table 24–3 S/MIME Configuration Parameters in smime.conf File

Parameter 

Purpose 

alwaysencrypt

Controls the initial setting for whether all outgoing messages are automatically encrypted for all Communications Express Mail users with permission to use S/MIME. Each Communications Express Mail user can override this parameter’s value for their messages by using the checkboxes described in Table 24–5.

Choose one of these values: 

0 - do not encrypt messages. The encryption checkboxes within Communications Express Mail are displayed as unchecked. This is the default.

1 - always encrypt messages. The encryption checkboxes within Communications Express Mail are displayed as checked.

Example: 

alwaysencrypt==1

alwayssign

Controls the initial setting for whether all outgoing messages are automatically signed for all Communications Express Mail users with permission to use S/MIME. Each Communications Express Mail user can override this parameter’s value for their messages by using the checkboxes described in Table 24–5.

Choose one of these values: 

0 - do not sign messages. The signature checkboxes within Communications Express Mail are displayed as unchecked. This is the default.

1 - always sign messages. The signature checkboxes within Communications Express Mail are displayed as checked.

Example: 

alwayssign==1

certurl

Specifies the LDAP directory information to locate the public keys and certificates of Communications Express Mail users (the LDAP attribute for public keys is usercertificate;binary). See 24.11 Managing Certificates for more information about certificates.

This parameter must point to the highest node in the user/group of the LDAP directory information tree (DIT) that includes all users that are being served by the Messaging Server. This is particularly important for sites with more than one domain; the distinguished name must be the root distinguished name of the user/group tree instead of the subtree that contains users for a single domain. 

This is a required parameter that you must set. 

Example: 

certurl==ldap://mail.siroe.com:389/ou=people,o=siroe.com,o=ugroot

checkoverssl

Controls whether an SSL communications link is used when checking a key’s certificate against a CRL. See 24.7 Securing Internet Links With SSL for more information.

Choose one of these values: 

0 - do not use an SSL communications link.

1 - use an SSL communications link. This is the default.

A problem can occur when a proxy server is used with CRL checking in effect. See 24.9.4 Proxy Server and CRL Checking for more information.

crlaccessfail 

Specifies how long to wait before the Messaging Server attempts to access a CRL again after it has repeatedly failed to do so. This parameter has no default value.

Syntax:

crlaccessfail==number_of_failures:time_period_for_failures:wait_time_before_retry

where: 

number_of_failures is the number of times that the Messaging Server can fail to access a CRL during the time interval specified by time_period_for_failures. The value must be greater than zero.

time_period_for_failures is the number of seconds over which the Messaging Server counts the failed attempts to access a CRL. The value must be greater than zero.

wait_time_before_retry is the number of seconds that the Messaging Server waits, once it detects the limit on failed attempts over the specified time interval, before trying to access the CRL again. The value must be greater than zero.

Example: 

crlaccessfail==10:60:300

In this example, if Messaging Server fails to access the CRL 10 times within 60 seconds (one minute), it waits 300 seconds (five minutes) before attempting to access the CRL again. See 24.9.7 Trouble Accessing a CRL for more information.
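The three-field rule is easier to reason about as a small state machine. The following Python model is an added example for this guide, not Messaging Server code, and fetches nothing; it encodes the rule as stated above (N failures inside a P-second window stop all fetch attempts for W seconds, and a successful fetch clears the count) and replays a constructed timeline against it. The guide does not say whether the limit trips on the Nth failure or the one after it; the model trips on the Nth, which matches the 10:60:300 description. The class and function names and the 3:60:300 timeline are the example's own.

```python
"""Model the crlaccessfail back-off rule.

Added example for this guide; it is not Messaging Server code and does not
fetch anything. Rule as the guide states it: once the CRL fetch has failed
number_of_failures times within time_period_for_failures seconds, no fetch
is attempted for wait_time_before_retry seconds. Whether the limit trips on
the Nth failure or the one after it is not spelled out in the guide; this
model trips on the Nth failure (assumption), matching the 10:60:300 example.
"""
from collections import deque


def parse_crlaccessfail(spec):
    """'failures:period:wait' -> (failures, period, wait); all must be > 0."""
    fields = spec.split(":")
    if len(fields) != 3:
        raise ValueError(f"crlaccessfail needs three ':'-separated integers, got {spec!r}")
    failures, period, wait = (int(f) for f in fields)
    if min(failures, period, wait) <= 0:
        raise ValueError("crlaccessfail: all three values must be greater than zero")
    return failures, period, wait


class CrlAccessGate:
    """Sliding-window failure counter with a fixed cool-down, per the rule above."""

    def __init__(self, spec):
        self.max_failures, self.period, self.wait = parse_crlaccessfail(spec)
        self.failures = deque()          # timestamps of recent failed fetches
        self.blocked_until = None        # time at which fetching may resume

    def may_attempt(self, now):
        """True unless a tripped limit is still holding fetches back."""
        return self.blocked_until is None or now >= self.blocked_until

    def record_failure(self, now):
        """Register a failed fetch; return True if this one tripped the limit."""
        self.failures.append(now)
        while self.failures and now - self.failures[0] > self.period:
            self.failures.popleft()      # older than the window: forget it
        if len(self.failures) >= self.max_failures:
            self.blocked_until = now + self.wait
            self.failures.clear()
            return True
        return False

    def record_success(self, now):
        """A successful fetch resets both the counter and any cool-down."""
        self.failures.clear()
        self.blocked_until = None


def simulate(spec, attempts):
    """Replay a constructed timeline against the gate.

    attempts: [(seconds, 'ok' | 'fail')], the result a fetch would get at
    that instant if it were tried. Returns [(seconds, action)] with action
    one of 'fetched', 'failed', 'tripped' or 'skipped'.
    """
    gate = CrlAccessGate(spec)
    log = []
    for now, result in attempts:
        if not gate.may_attempt(now):
            log.append((now, "skipped"))          # inside the wait period
        elif result == "ok":
            gate.record_success(now)
            log.append((now, "fetched"))
        elif gate.record_failure(now):
            log.append((now, "tripped"))          # limit reached: start waiting
        else:
            log.append((now, "failed"))
    return log


# Constructed timeline; a short 3:60:300 spec keeps the output readable.
TIMELINE = [(0, "fail"), (10, "fail"), (20, "fail"), (100, "ok"), (319, "ok"), (320, "ok")]

if __name__ == "__main__":
    for when, action in simulate("3:60:300", TIMELINE):
        print(f"t={when:4d}s  {action}")
```

Note what the timeline shows at t=100: the CRL server has recovered, but the fetch is still skipped until the full wait_time_before_retry has elapsed, which is exactly the window during which a stale CRL (see crlusepastnextupdate) or revocationunknown decides what happens to the keys being checked.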

crldir

Specifies the directory information where the Messaging Server downloads a CRL to disk. The default is msg-svr-base/data/store/mboxlist, where msg-svr-base is the directory where Messaging Server is installed. See 24.9.5 Using a Stale CRL for more information.

crlenable

Controls whether a certificate is checked against a CRL. If there is a match, the certificate is considered revoked. The values of the send*revoked parameters in the smime.conf file determine whether a key with a revoked certificate is rejected or used by Communications Express Mail. See 24.9 Verifying Private and Public Keys for more information.

Choose one of these values: 

0 - each certificate is not checked against a CRL.

1 - each certificate is checked against a CRL. This is the default. Ensure that the local.webmail.cert.enable option of the Messaging Server is also set to 1; otherwise CRL checking is not done even if crlenable is set to 1.

crlmappingurl

Specifies the LDAP directory information to locate the CRL mapping definitions. This parameter is only required when you have mapping definitions. See 24.9.3 Accessing a CRL for more information. You can also optionally add the DN and password that has access to the URL.

Syntax: 

crlmappingurl==URL[|URL_DN|URL_password]

Example: 

crlmappingurl==ldap://mail.siroe.com:389/cn=XYZ Messaging,ou=people,o=mail.siroe.com,o=isp?msgCRLMappingRecord?sub?(objectclass=msgCRLMappingTable)|cn=Directory Manager|pAsSwOrD

crlurllogindn

Specifies the distinguished name of the LDAP entry that has read permission for the CRL mapping definitions. It is not used when the CRL location is taken directly from the certificate; see 24.9.3 Accessing a CRL for more information.

If values for crlurllogindn and crlurlloginpw are not specified, the Messaging Server uses the login values for the HTTP server to gain entry to the LDAP directory. If that fails, Messaging Server attempts to access the LDAP directory anonymously.

Example: 

crlurllogindn==cn=Directory Manager

crlurlloginpw

Specifies the password, in ASCII text, for the distinguished name of the crlurllogindn parameter.

If values for crlurllogindn and crlurlloginpw are not specified, Messaging Server uses the login values for the HTTP server to gain entry to the LDAP directory. If that fails, Messaging Server attempts to access the LDAP directory anonymously.

Example: 

crlurlloginpw==zippy

crlusepastnextupdate

Controls whether a CRL is used when the current date is past the date specified in the CRL’s next-update field. See 24.9.5 Using a Stale CRL for more information.

Choose one of these values: 

0 - do not use the stale CRL.

1 - use the stale CRL. This is the default.

logindn

Specifies the distinguished name of the LDAP entry that has read permission for the public keys and their certificates, and the CA certificates located in the LDAP directory specified by the certurl and trustedurl parameters.

If values for logindn and loginpw are not specified, the Messaging Server uses the login values for the HTTP server to gain entry to the LDAP directory. If that fails, Messaging Server attempts to access the LDAP directory anonymously.

Example: 

logindn==cn=Directory Manager

loginpw

Specifies the password, in ASCII text, for the distinguished name of the logindn parameter.

If values for logindn and loginpw are not specified, Messaging Server uses the login values for the HTTP server to gain entry to the LDAP directory. If that fails, Messaging Server attempts to access the LDAP directory anonymously.

Example: 

loginpw==SkyKing

platformwin

Specifies one or more library names that are necessary when using smart cards or a local key store on a Windows platform. Change this parameter only if the default value does not work for your client machines. The default is: 

platformwin==CAPI:library=capibridge.dll;

See 24.8 Key Access Libraries for the Client Machines for more information.

readsigncert

Controls whether a public key’s certificate is checked against a CRL to verify an S/MIME digital signature when the message is read. (A private key is used to create a digital signature for a message but it cannot be checked against a CRL, so the certificate of the public key associated with the private key is checked against the CRL.) See 24.9 Verifying Private and Public Keys for more information.

Choose one of these values: 

0 - do not check the certificate against a CRL.

1 - check the certificate against a CRL. This is the default.

revocationunknown

Determines the action to take when an ambiguous status is returned when checking a certificate against a CRL. In this case, it is not certain whether the certificate is valid or has a revoked status. See 24.9 Verifying Private and Public Keys for more information.

Choose one of these values: 

ok - treat the certificate as valid.

revoked - treat the certificate as revoked. This is the default.

sendencryptcert

Controls whether the certificate of a public key that is used to encrypt an outgoing message is checked against a CRL before using it. See 24.9 Verifying Private and Public Keys for more information.

Choose one of these values: 

0 - do not check the certificate against a CRL.

1 - check the certificate against a CRL. This is the default.

sendencryptcertrevoked

Determines the action to take if the certificate of a public key that is used to encrypt an outgoing message is revoked. See 24.9 Verifying Private and Public Keys for more information.

Choose one of these values: 

allow - use the public key.

disallow - do not use the public key. This is the default.

sendsigncert 

Controls whether a public key’s certificate is checked against a CRL to determine if a private key can be used to create a digital signature for an outgoing message. (A private key is used for a digital signature but it cannot be checked against a CRL, so the certificate of the public key associated with the private key is checked against the CRL.) See 24.9 Verifying Private and Public Keys for more information.

Choose one of these values: 

0 - do not check the certificate against a CRL.

1 - check the certificate against a CRL. This is the default.

sendsigncertrevoked

Determines the action to take when it is determined that a private key has a revoked status. (A private key is used to create a digital signature for a message but it cannot be checked against a CRL, so the certificate of the public key associated with the private key is checked against the CRL. If the public key certificate is revoked, then its corresponding private key is also considered revoked.) See 24.9 Verifying Private and Public Keys for more information.

Choose one of these values: 

allow - use the private key with a revoked status.

disallow - do not use the private key with a revoked status. This is the default.
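The CRL-related parameters above interact: crlenable and local.webmail.cert.enable must both be on before any of the per-operation switches matter, revocationunknown turns an ambiguous CRL answer into a definite one, and only then do sendsigncertrevoked and sendencryptcertrevoked decide whether a revoked key is still used. The following Python function is an added example for this guide, not Messaging Server code; it models exactly those rules and their defaults from Table 24–3 so the effective outcome of a given smime.conf can be checked before deployment. The operation names, the crl_answer vocabulary and the webmail_cert_enable argument (standing in for the local.webmail.cert.enable option, which lives outside smime.conf) are the example's own assumptions; how the product reports a revoked signer on a message being read is not described in this table, so for that case the function returns the status only.

```python
"""Evaluate the CRL-related policy in smime.conf for one key use.

Added example for this guide, not Messaging Server code. It models only the
rules Table 24-3 states: crlenable and local.webmail.cert.enable must both
be on, readsigncert / sendsigncert / sendencryptcert gate the check per
operation, revocationunknown resolves an ambiguous CRL answer, and
sendsigncertrevoked / sendencryptcertrevoked decide whether a revoked key may
still be used for an outgoing message. Operation names, the crl_answer
vocabulary and the webmail_cert_enable argument are this example's own.
"""

DEFAULTS = {                          # defaults as listed in the table
    "crlenable": "1",
    "readsigncert": "1",
    "sendsigncert": "1",
    "sendencryptcert": "1",
    "revocationunknown": "revoked",
    "sendsigncertrevoked": "disallow",
    "sendencryptcertrevoked": "disallow",
}

# operation -> (parameter that enables the CRL check,
#               parameter that decides what to do with a revoked key, or
#               None where the table defines no such switch)
OPERATIONS = {
    "read_signature": ("readsigncert", None),
    "sign": ("sendsigncert", "sendsigncertrevoked"),
    "encrypt": ("sendencryptcert", "sendencryptcertrevoked"),
}


def evaluate(conf, operation, crl_answer, webmail_cert_enable=True):
    """Return (status, key_usable, reason).

    conf:        {name: value} from smime.conf; missing names take DEFAULTS
    operation:   'read_signature', 'sign' or 'encrypt'
    crl_answer:  'valid', 'revoked' or 'unknown' (what the CRL lookup said)
    status:      'not_checked', 'valid' or 'revoked' after applying the policy
    key_usable:  False only when a send-side *revoked switch says disallow;
                 the table defines no blocking switch for reading, so it is
                 always True for 'read_signature' (the status is what matters)
    """
    if crl_answer not in ("valid", "revoked", "unknown"):
        raise ValueError(f"unexpected CRL answer {crl_answer!r}")

    def param(name):
        return conf.get(name, DEFAULTS[name]).strip().lower()

    check_switch, revoked_switch = OPERATIONS[operation]

    # Gates: everything below is skipped unless all three are on.
    if param("crlenable") != "1":
        return "not_checked", True, "crlenable==0"
    if not webmail_cert_enable:
        return "not_checked", True, "local.webmail.cert.enable is 0, so crlenable==1 has no effect"
    if param(check_switch) != "1":
        return "not_checked", True, f"{check_switch}==0"

    # An ambiguous CRL result is decided by revocationunknown.
    if crl_answer == "unknown":
        status = "valid" if param("revocationunknown") == "ok" else "revoked"
        reason = f"ambiguous CRL result resolved by revocationunknown=={param('revocationunknown')}"
    else:
        status = crl_answer
        reason = f"CRL lookup returned {crl_answer}"

    # For outgoing messages the *revoked switch decides whether a revoked key is used.
    if status == "revoked" and revoked_switch is not None:
        usable = param(revoked_switch) == "allow"
        return status, usable, f"{reason}; {revoked_switch}=={param(revoked_switch)}"
    return status, True, reason


if __name__ == "__main__":
    # Constructed scenarios; the first is the silent-disable case.
    print(evaluate({}, "sign", "revoked", webmail_cert_enable=False))
    print(evaluate({}, "encrypt", "unknown"))
    print(evaluate({"sendsigncertrevoked": "allow"}, "sign", "revoked"))
```

The first scenario is the one worth checking on a real deployment: with every smime.conf parameter at its default, a revoked signing key is still used if local.webmail.cert.enable is 0, because no CRL check ever runs.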

sslrootcacertsurl

Specifies the distinguished name and the LDAP directory information to locate the certificates of valid CAs which are used to verify the Messaging Server’s SSL certificates. This is a required parameter when SSL is enabled in the Messaging Server. See 24.7 Securing Internet Links With SSL for more information.

If you have SSL certificates for a proxy server that receives all requests from client applications, the CA certificates for those SSL certificates must also be located in the LDAP directory pointed to by this parameter. 

You can also optionally add the DN and password that has access to the URL. 

Syntax: 

sslrootcacertsurl==URL[|URL_DN|URL_password]

Example: 

sslrootcacertsurl==ldap://mail.siroe.com:389/cn=SSL Root CA Certs,ou=people,o=siroe.com,o=isp?cacertificate;binary?base?(objectclass=certificationauthority)|cn=Directory Manager|pAsSwOrD

timestampdelta

Specifies a time interval, in seconds, that is used to determine whether a message’s sent time or received time is used when checking a public key’s certificate against a CRL. 

The parameter’s default value of zero directs Communications Express Mail to always use the received time. See 24.9.6 Determining Which Message Time to Use for more information.

Example: 

timestampdelta==360

trustedurl

Specifies the distinguished name and LDAP directory information to locate the certificates of valid CAs. This is a required parameter. 

You can also optionally add the DN and password that has access to the URL. 

Syntax: 

trustedurl==URL[|URL_DN|URL_password]

Example: 

trustedurl==ldap://mail.siroe.com:389/cn=Directory Manager,ou=people,o=siroe.com,o=ugroot?cacertificate?sub?(objectclass=certificationauthority)|cn=Directory Manager|pAsSwOrD

usercertfilter

Specifies a filter definition for the primary, alternate, and equivalent email addresses of a Communications Express Mail user to ensure that all of a user’s private-public key pairs are found when they are assigned to different mail addresses. 

This parameter is required and has no default value.