+Set C<RejectOnUnencrypted> to 1 if all incoming email must be
+properly encrypted. All unencrypted emails will be rejected by RT.
+
+Set C<RejectOnMissingPrivateKey> to 0 if you don't want to reject
+emails encrypted for key RT doesn't have and can not decrypt.
+
+Set C<RejectOnBadData> to 0 if you don't want to reject letters
+with incorrect data.
+
+If you want to allow people to encrypt attachments inside the DB then
+set C<AllowEncryptDataInDB> to 1.
+
+Set C<Dashboards> to a hash with Encrypt and Sign keys to control
+whether dashboards should be encrypted and/or signed correspondingly.
+By default they are not encrypted or signed.
+
+=back
+
+=cut
+
+Set( %Crypt,
+ Incoming => undef, # ['GnuPG', 'SMIME']
+ Outgoing => undef, # 'SMIME'
+
+ RejectOnUnencrypted => 0,
+ RejectOnMissingPrivateKey => 1,
+ RejectOnBadData => 1,
+
+ AllowEncryptDataInDB => 0,
+
+ Dashboards => {
+ Encrypt => 0,
+ Sign => 0,
+ },
+);
+
+=head2 SMIME configuration
+
+A full description of the SMIME integration can be found in
+L<RT::Crypt::SMIME>.
+
+=over 4
+
+=item C<%SMIME>
+
+Set C<Enable> to 0 or 1 to disable or enable SMIME for
+encrypting and signing messages.
+
+Set C<OpenSSL> to path to F<openssl> executable.
+
+Set C<Keyring> to directory with key files. Key and certificates should
+be stored in a PEM file in this directory named named, e.g.,
+F<email.address@example.com.pem>.
+
+Set C<CAPath> to either a PEM-formatted certificate of a single signing
+certificate authority, or a directory of such (including hash symlinks
+as created by the openssl tool C<c_rehash>). Only SMIME certificates
+signed by these certificate authorities will be treated as valid
+signatures. If left unset (and C<AcceptUntrustedCAs> is unset, as it is
+by default), no signatures will be marked as valid!
+
+Set C<AcceptUntrustedCAs> to allow arbitrary SMIME certificates, no
+matter their signing entities. Such mails will be marked as untrusted,
+but signed; C<CAPath> will be used to mark which mails are signed by
+trusted certificate authorities. This configuration is generally
+insecure, as it allows the possibility of accepting forged mail signed
+by an untrusted certificate authority.
+
+Setting C<AcceptUntrustedCAs> also allows encryption to users with
+certificates created by untrusted CAs.
+
+Set C<Passphrase> to a scalar (to use for all keys), an anonymous
+function, or a hash (to look up by address). If the hash is used, the
+'' key is used as a default.
+
+See L<RT::Crypt::SMIME> for details.
+
+=back
+
+=cut
+
+Set( %SMIME,
+ Enable => @RT_SMIME@,
+ OpenSSL => 'openssl',
+ Keyring => q{@RT_VAR_PATH@/data/smime},
+ CAPath => undef,
+ AcceptUntrustedCAs => undef,
+ Passphrase => undef,
+);
+
+=head2 GnuPG configuration
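Review bot: In the C<Keyring> paragraph of the new %SMIME POD, "named named" is a duplicated word, and the paragraph should also say what ownership and permissions the directory needs, since it says keys are stored in these PEM files alongside certificates. In the same block, C<Passphrase> accepts a scalar or a hash written directly in the config file; the text could point out that the anonymous-function form lets a site avoid keeping the passphrase in the config. In the %Crypt POD, "reject letters with incorrect data" for C<RejectOnBadData> does not say what counts as incorrect data (a failed decryption, a malformed message, a bad signature), which matters because the option defaults to 1. Finally, C<CAPath> and C<AcceptUntrustedCAs> both default to undef, which the POD itself says results in no signatures being marked as valid; a short comment next to "CAPath => undef," in the Set( %SMIME, ... ) call would make it harder to enable SMIME and miss that.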