Corresponding proposal at TWiki:Codev/SmimeUpgrade
When I initially implemented S/MIME signatures for TWiki notification support, there were some limitations.
They can now be lifted.
- Net::SMTP can now be used as a mailer for S/MIME
- The Configure GUI checks certificates and private keys to reduce the opportunity for configuration errors.
- DES3-encrypted private key files can be used to store keys used to send mail.
This checkin also includes in tools/ scripts used to run web statistics and mail notify on my sites. This is related to S/MIME in that they use the S/MIME certificate/keys for mail notify, and for authentication (X509Plugin) on client certificate controlled websites. (They don't require this, however.) They were posted on twiki.org some years ago, but have been updated to support encrypted passwords when running mailnotify. I'm including them in the MANIFEST for the core and recommend their use on all sites. However, for now I'm not updating the install docs.
For compatibility with behavior of another wiki, certificate problems will now cause notifications to be sent unsigned. These events are logged as warnings. I think this is bad behavior, but we can adjust it (or add yet another config knob to die in such cases) later.
Checked-in, remaining action is up to others.
The checkin included some apparently "unused" files; this was intentional, as they are related to the checker and will be used momentarily.
This release upgrades support for TWiki-initiated signed (secure) email.
Signed notifications (still) require the CPAN:Crypt::SMIME module. If it is not installed, Configure will now complain, but each email sent will still generate an entry in the warning log. In this case, the email will be sent unsigned. Don't do that.
Configure will verify the certificate and key file contents if CPAN:Crypt::X509 are installed. This is highly recommended, as they can detect configuration errors that even experts have been known to make. If these modules are not present, Configure will recommend them, but for compatibility with any existing installations, their absence will not prevent signed email from being sent (if the files are OK).
If signed e-mail is not in use (both the certificate and key file configuration items are empty), none of these CPAN modules need to be installed.
DES3-encrypted private key files can now be used to store keys used to send mail. We recommend encrypting private key files, even though the password is stored in plaintext in the TWiki configuration file.
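Because certificate problems cause notifications to go out unsigned with only a warning logged, the certificate and key can also be checked from the shell before the notification job runs. The following is an added example, not TWiki's Configure code: the function name `check_smime_pair`, the particular checks, and the use of a password file (standing in for the password held in the TWiki configuration) are assumptions.

```shell
#!/bin/sh
# Added example (not part of TWiki): preflight check for an S/MIME signing
# certificate and its private key, using the openssl command line tool.
# Usage: check_smime_pair CERT.pem KEY.pem PASSWORD_FILE
# Prints one line per problem found; returns 0 only when there are none.
check_smime_pair() {
    cert=$1; key=$2; passfile=$3; rc=0

    # 1. The certificate must parse and still be valid 24 hours from now.
    if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "certificate is unreadable or expires within 24 hours"; rc=1
    fi

    # 2. The key must load with the configured password. -passin keeps
    #    openssl from prompting when this runs unattended (e.g. from cron).
    if ! openssl pkey -in "$key" -passin "file:$passfile" -noout >/dev/null 2>&1; then
        echo "private key is unreadable or the password is wrong"
        return 1    # the remaining checks need the decrypted key
    fi

    # 3. The public key in the certificate must belong to the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -passin "file:$passfile" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate does not match private key"; rc=1
    fi

    # 4. The key file should be encrypted at rest. Both the traditional PEM
    #    header (Proc-Type: 4,ENCRYPTED) and the PKCS#8 header
    #    (BEGIN ENCRYPTED PRIVATE KEY) contain this word.
    if ! grep -q 'ENCRYPTED' "$key"; then
        echo "private key file is not encrypted"; rc=1
    fi

    return $rc
}

# When called with three arguments, run the check and exit with its status,
# so a wrapper can refuse to start the notification job on failure.
if [ "$#" -eq 3 ]; then
    check_smime_pair "$@"
    exit $?
fi
```

A non-zero exit status lets the calling job stop instead of sending unsigned mail.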
Thank you Timothe!