Greetings,

I do have a valid S/MIME cert, which I am able to use in Thunderbird to sign
and encrypt/decrypt.

However, in mutt I fail to configure everything properly.

I can sign, encrypt and decrypt, but verification fails with this error:

Verification failure
25294:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:245:Verify error:unable to get local issuer certificate

I guess this has its roots in an error that already occurred during the
smime_keys import, which gave me this error:

certificate d02a42ec.0 (-) for p...@state-of-mind.de added.

==> about to verify certificate of p...@state-of-mind.de

/home/p/.smime/certificates/d02a42ec.0: /C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 3 L1 CA/CN=TC TrustCenter Class 3 L1 CA IX
error 20 at 1 depth lookup:unable to get local issuer certificate

added private key: /home/p/.smime/keys/d02a42ec.0 for p...@state-of-mind.de


I have verified the certs (TC TrustCenter Class 3 L1 CA IX) are installed in
~/.smime/certificates and in /etc/ssl/certs/ca-certificates.crt, and this is
where I get lost.

Is it verify depth? I couldn't find an argument to control the verification
depth for a chained cert in openssl (I only found '--nochain').

Chances are, I have overlooked something, but fail to see it.

Any ideas?


Here's my S/MIME config, which I guess is also read by smime_keys:


# -*-muttrc-*-
## The following options are only available if you have
## compiled in S/MIME support

# If you compiled mutt with support for both PGP and S/MIME, PGP
# will be the default method unless the following option is set
#set smime_is_default

# Uncomment this if you don't want to set labels for certificates you add.
# unset smime_ask_cert_label

# Passphrase expiration
#set smime_timeout=300

# Global crypto options -- these affect PGP operations as well.
#set crypt_autosign = yes
#set crypt_replyencrypt = yes
#set crypt_replysign = yes
#set crypt_replysignencrypted = yes
set crypt_verify_sig = yes

# Section A: Key Management.

# The (default) keyfile for signing/decrypting.  Uncomment the following
# line and replace the keyid with your own.
set smime_default_key="d02a42ec.0"

# Uncomment to make mutt ask what key to use when trying to decrypt a message.
# Otherwise it will use the default key above (if that was set).
# unset smime_decrypt_use_default_key

# Path to a file or directory with trusted certificates
# set smime_ca_location="/etc/ssl/certs"
set smime_ca_location=`for f in $HOME/.smime/ca-certificates.crt $HOME/.smime/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt ; do if [ -e $f ] ; then echo $f ; exit ; fi ; done`

# Path to where all known certificates go. (must exist!)
set smime_certificates="~/.smime/certificates"

# Path to where all private keys go. (must exist!)
set smime_keys="~/.smime/keys"

# These are used to extract a certificate from a message.
# First generate a PKCS#7 structure from the message.
set smime_pk7out_command="openssl smime -verify -in %f -noverify -pk7out"

# Extract the included certificate(s) from a PKCS#7 structure.
set smime_get_cert_command="openssl pkcs7 -print_certs -in %f"

# Extract the signer's certificate only from a S/MIME signature (sender verification)
set smime_get_signer_cert_command="openssl smime -verify -in %f -noverify -signer %c -out /dev/null"

# This is used to get the email address the certificate was issued to.
set smime_get_cert_email_command="openssl x509 -in  %f -noout -email"

# Add a certificate to the database using smime_keys.
set smime_import_cert_command="smime_keys add_cert %f"



# Section B: Outgoing messages

# Algorithm to use for encryption.
# valid choices are rc2-40, rc2-64, rc2-128, des, des3
set smime_encrypt_with="des3"

# Encrypt a message. Input file is a MIME entity.
set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c"

# Sign.
set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin -in %f -certfile %i -outform DER"



#Section C: Incoming messages

# Decrypt a message. Output is a MIME entity.
set smime_decrypt_command="openssl smime -decrypt -passin stdin -inform DER -in %f -inkey %k -recip %c"

# Verify a signature of type multipart/signed
set smime_verify_command="openssl smime -verify -inform DER -in %s %C -content %f"

# Verify a signature of type application/x-pkcs7-mime
set smime_verify_opaque_command="\
openssl smime -verify -inform DER -in %s %C || \
openssl smime -verify -inform DER -in %s -noverify 2>/dev/null"



Thanks,

p...@rick

-- 
Postfix - Einrichtung, Betrieb und Wartung
<http://www.postfix-buch.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
