S/MIME is decrypted but contents in smime.p7m instead of body

Infos:

  • Used Zammad version: git stable branch
  • Used Zammad installation type: git source
  • Operating system: mac 13.5
  • Browser + version: safari and chrome

Expected behavior:

  • All encrypted emails are decoded and their contents shown as the body of a ticket

Actual behavior:

  • Some encrypted emails are decoded and attached to a ticket as smime.p7m

Steps to reproduce the behavior:

  • I have not figured out yet what causes some encrypted emails to show up this way.
  • When a ticket showss “no visible content” and has an smime.p7m attachment you can download the p7m and cat the file. The first line before Content-Type is binary but the part after is plain text encoding and readable. I only did the screen shot to the first part of the message that I could share.

The logs don’t show anything funny that I could see, even turning them up to debug.

Hi @mnestor. Do you know if this is related to the last update of your Zammad instance?

If so: Do you know the version/commit sha it was working fine?

This has been happening a while. I’ve done a few updates and it hasn’t resolved the issue.

I’m at 9516335315fe5be7ae0aed0f9f9992c0bbfb2cd9 now.

I’ve gone back to the few people I have this happening from and asked them to try sending different types of encrypted emails. rft vs html, attachment vs none.

1 user this happens most of the time but if he replies to the auto-response email then it shows up correctly while that doesn’t happen to anyone else. The account he’s sending to has only had 1 cert created for it so far so it’s not a bad cert in his cache as far as I can tell. I’m due to renew that cert in 2 months though.

1 Like

Thanks for the information, let’s see what we can figure out with it.

One user is sending from Windows10, Outlook M365 Enterprise with HTML enabled.

I’ve gotten HTML enabled emails and they came through just fine before so nothing surprising in those settings.

1 Like

Hi @mnestor,

are all the wrong-displayed emails signed as well?

Well, it appears signed+encrypted is reproducible. Though I thought I saw that fix in the stable branch.

The signature is not detached and not added as a MIME part in the decrypted message. Zammad is not able to handle that. We’ll check if this is a valid (RFC conform) build SMIME message.

Looking at the article.preferences for one that is signed and encrypted I get this. That seems like signature verification failed but nothing was logged.

{
    "send-auto-response"=>true,
    "is-auto-response"=>false,
    "security"=>{
        "type"=>"S/MIME",
        "sign"=>{
            "success"=>false,
            "comment"=>nil
        },
        "encryption"=>{
            "success"=>true,
            "comment"=>"/C=US/O=....."
        }
    }
}

I’ll cross my fingers Outlook conforms to RFC… Don’t die laughing :slight_smile:

2 Likes
1 Like

This topic was automatically closed 360 days after the last reply. New replies are no longer allowed.