Re: Re: Avoiding S/MIME
On 2023-09-01 16:15, Todd Zullinger wrote:
> Hi,
>
> Jan Eden wrote:
> > my configuration sets a PGP default key:
> >
> > set pgp_default_key = ...
> >
> > and outgoing messages are signed accordingly. But every time I reply
> > to a message signed using S/MIME, mutt tries to add an S/MIME signature,
> > too (which fails, as there is no S/MIME key available via GPGME).
> >
> > How can I prevent this behavior?
>
> You may want to check the crypt_auto* and crypt_reply*
> variables to see how they are set. My first thought would
> be disabling crypt_autosmime, e.g.:
>
> set crypt_autosmime=no

Thanks, Todd, that worked.

- Jan
Re: Avoiding S/MIME
Hi,

Jan Eden wrote:
> my configuration sets a PGP default key:
>
> set pgp_default_key = ...
>
> and outgoing messages are signed accordingly. But every time I reply
> to a message signed using S/MIME, mutt tries to add an S/MIME signature,
> too (which fails, as there is no S/MIME key available via GPGME).
>
> How can I prevent this behavior?

You may want to check the crypt_auto* and crypt_reply*
variables to see how they are set. My first thought would
be disabling crypt_autosmime, e.g.:

set crypt_autosmime=no

--
Todd
Avoiding S/MIME
Hi,

my configuration sets a PGP default key:

set pgp_default_key = ...

and outgoing messages are signed accordingly. But every time I reply to a message signed using S/MIME, mutt tries to add an S/MIME signature, too (which fails, as there is no S/MIME key available via GPGME).

How can I prevent this behavior?

Thanks,
Jan
Re: Option to disable S/MIME signature check?
I asked on gnupg-users. Adding "disable-dirmngr" to gpgsm.conf disables the use of the Dirmngr and thus expensive online checks that can take a long time to timeout. This is a viable workaround.

I still believe it would be great to have an option in Mutt not to use GPGME for S/MIME in the first place. But it's not urgent any more.

Kevin J. McCarthy:
> > Also, is there a way to shorten the time that SMIME signature verification needs before timing out? 25 seconds sounds much too long to me.
>
> I don't know what it's doing that takes so long to time out, and have no idea how to adjust that. Maybe others who use s/mime with GPGME have ideas.

--
ilf

If you upload your address book to "the cloud", I don't want to be in it.
Re: Option to disable S/MIME signature check?
Done, thanks: https://gitlab.com/muttmua/mutt/-/issues/450

Kevin J. McCarthy:
> Yes, please go ahead. I don't have a current timeline for starting master development again, but when I do, it will be good to have the request there.

--
ilf

If you upload your address book to "the cloud", I don't want to be in it.
Re: Option to disable S/MIME signature check?
On Mon, Jul 31, 2023 at 08:43:22PM +0200, ilf wrote:
> Do you think I should file a feature request for this in the tracker?

Yes, please go ahead. I don't have a current timeline for starting master development again, but when I do, it will be good to have the request there.

Thank you.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
Re: Option to disable S/MIME signature check?
Do you think I should file a feature request for this in the tracker?

Kevin J. McCarthy:
> > There seem to be quite a few users with this issue. Do you think a boolean option like "crypt_verify_smime" that explicitly works even with GPGME would be feasible? From a user POV, it sure sounds logical and useful.
>
> Yes, that may be possible although it might be better to then deprecate $crypt_verify_sig and just have the separate pgp and smime config vars (which should be quadoptions). It certainly wouldn't go in a stable release.

--
ilf

If you upload your address book to "the cloud", I don't want to be in it.
Re: Option to disable S/MIME signature check?
On Sat, Jul 29, 2023 at 02:48:56PM +0200, ilf wrote:
> I have also never used "spam" before. I wonder if this feature is really correct for my use-case, which has nothing to do with spam. It might do the job, but it doesn't feel clean.

It _is_ a "creative" use of the spam command. I think if you read about the command you may agree there isn't anything particularly wrong with using it for this purpose. It just allows labeling messages in a way that is efficient to search against.

> There seem to be quite a few users with this issue. Do you think a boolean option like "crypt_verify_smime" that explicitly works even with GPGME would be feasible? From a user POV, it sure sounds logical and useful.

Yes, that may be possible although it might be better to then deprecate $crypt_verify_sig and just have the separate pgp and smime config vars (which should be quadoptions). It certainly wouldn't go in a stable release.

> Also, is there a way to shorten the time that SMIME signature verification needs before timing out? 25 seconds sounds much too long to me.

I don't know what it's doing that takes so long to time out, and have no idea how to adjust that. Maybe others who use s/mime with GPGME have ideas.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
Re: Option to disable S/MIME signature check?
I have never used "message-hook" before. That looks like a workable workaround.

I have also never used "spam" before. I wonder if this feature is really correct for my use-case, which has nothing to do with spam. It might do the job, but it doesn't feel clean.

There seem to be quite a few users with this issue. Do you think a boolean option like "crypt_verify_smime" that explicitly works even with GPGME would be feasible? From a user POV, it sure sounds logical and useful.

Also, is there a way to shorten the time that SMIME signature verification needs before timing out? 25 seconds sounds much too long to me.

Thanks a lot!

Kevin J. McCarthy:
> > So: How can I disable the S/MIME signature check while still using GPGME for OpenPGP?
>
> The option $crypt_verify_sig is shared between PGP and S/MIME, so you'll have to be creative if you are using GPGME. Maybe something like:
>
> spam content-type:.*pkcs7 smime
> message-hook ~A 'set crypt_verify_sig=yes'
> message-hook '~H smime' 'set crypt_verify_sig=no' # or '=ask-no'

--
ilf

If you upload your address book to "the cloud", I don't want to be in it.
Re: Option to disable S/MIME signature check?
On Wed, Jul 26, 2023 at 09:37:34AM +0800, Kevin J. McCarthy wrote:
> spam content-type:.*pkcs7 smime

Sorry, it's a good idea to root the regexp above:

spam ^content-type:.*pkcs7 smime

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
Re: Option to disable S/MIME signature check?
On Tue, Jul 25, 2023 at 12:32:40PM +0200, ilf wrote:
> I do use OpenPGP. So disabling "crypt_use_gpgme" is not an option for me, same for changing "crypt_verify_sig".
>
> In the old thread from 2018, Kevin J. McCarthy proposed this:
> > However, you could try set smime_verify_command="" (along with smime_verify_opaque_command and smime_decrypt_command).
>
> But this does not work. According to muttrc(5) the default value for these three options is already "", and I am not setting them anywhere.

That option only works when $crypt_use_gpgme is unset.

> So: How can I disable the S/MIME signature check while still using GPGME for OpenPGP?

The option $crypt_verify_sig is shared between PGP and S/MIME, so you'll have to be creative if you are using GPGME. Maybe something like:

spam content-type:.*pkcs7 smime
message-hook ~A 'set crypt_verify_sig=yes'
message-hook '~H smime' 'set crypt_verify_sig=no' # or '=ask-no'

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
Re: Option to disable S/MIME signature check?
Hi

I would also like to disable the S/MIME signature check. I have no use for it. And "Invoking S/MIME..." takes 25 seconds before failing with "S/MIME signature could NOT be verified."

I do use OpenPGP. So disabling "crypt_use_gpgme" is not an option for me, same for changing "crypt_verify_sig".

In the old thread from 2018, Kevin J. McCarthy proposed this:
> However, you could try set smime_verify_command="" (along with smime_verify_opaque_command and smime_decrypt_command).

But this does not work. According to muttrc(5) the default value for these three options is already "", and I am not setting them anywhere.

So: How can I disable the S/MIME signature check while still using GPGME for OpenPGP?

Thanks

W. Martin Borgert wrote 2018-05-15:
> once in a while I get emails with S/MIME signatures. This is on public mailing lists, where I seldom care about signatures, and I open the email only to read one or two lines to be sure I can actually press 'd' :~)
>
> Mutt says "Invoking S/MIME..." which takes too long for my taste (some seconds just to open one email which I will delete anyway) and then usually: "S/MIME signature could NOT be verified."
>
> I would like to disable this signature check altogether, because all my real contacts use either PGP or no signature at all.
>
> Is there an option in mutt to do this? Hopefully a run time option, not a compile time option...

--
ilf

If you upload your address book to "the cloud", I don't want to be in it.
Re: [ext] Re: Display info about S/MIME signature
IIUC, you would like to see which certificates have been used while reading the mail. Sometimes I also need such extra info, and I was struggling to get the info. So I dove again a bit into it.

On 13Oct22 08:26+0200, Ralf Hildebrandt via Mutt-users wrote:
> > gpgsm --list-keys ralf.hildebra...@charite.de
> >
> > would give you all information about the key, including ID (which is the
> > last part of the fingerprint), serial etc.
>
> Yeah, that's awesome. Exactly what I need!

gpgsm actually lists the content of your gnupg pubring. So you need to have the certificate already added to this database. Otherwise it is not finding the cert. And also this seems to be unrelated to the mail which is currently open in mutt's pager.

Another solution might be: In mutt (pager or index view), you can use the pipe_message function (default keybind is |) and pipe the mail to:

--- paste: ---
openssl smime -pk7out | openssl pkcs7 -print_certs -text|less
--- eop ---

This command should work on smime multipart emails. It extracts the attached certificates and prints them. So you can see, which certificate (and which CA) were used to sign this particular email. I think it is straightforward to bind this function to a key.

It might also be possible to modify the config option 'smime_verify_command'. But that did not work in my tests, mutt claimed verification is not successful even though openssl returned successfully.

Cheers,
--
Bastian
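The pipe_message pipeline Bastian gives, wrapped as a script so it can be bound to a key, together with a builder for a constructed S/MIME signed message (throwaway self-signed certificate) so the pipeline can be exercised offline; this is an added example, not code from the thread, and it also covers the opaque application/(x-)pkcs7-mime form, not only multipart/signed. The script name, the macro binding and the test identity "Constructed Signer" are assumptions; the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread): the openssl pipeline from the
# post, as a script mutt's pipe_message can feed a message to, plus a
# builder for a constructed S/MIME message so it can be tested offline.

# List the certificates embedded in an S/MIME signed message.
# `openssl smime -pk7out` accepts both multipart/signed (detached) and
# application/(x-)pkcs7-mime (opaque) messages and emits the PKCS#7
# structure as PEM; `openssl pkcs7 -print_certs -text` then prints every
# certificate it carries (the signer and any intermediates the sender
# attached). -noout suppresses the PEM blobs so only the readable
# Subject/Issuer/Validity lines remain.
# Note: this only extracts what the sender attached; it does NOT verify
# the signature or the chain, so the subject shown is a claim, not proof.
smime_signer_info() {
    if [ -n "$1" ]; then
        openssl smime -pk7out -in "$1"
    else
        openssl smime -pk7out          # message arrives on stdin (pipe_message)
    fi | openssl pkcs7 -print_certs -noout -text
}

# Number of certificates carried by the message (each X.509 text dump
# starts with a line reading "Certificate:").
smime_cert_count() {
    smime_signer_info "$1" | grep -c '^Certificate:'
}

# Build a constructed signed message in a scratch directory and print its
# path. Pass "opaque" to get application/x-pkcs7-mime (-nodetach) instead
# of multipart/signed. Key and certificate are throwaway test material.
make_constructed_signed_message() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Signer" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    printf 'This body is signed.\n' > "$dir/body.txt"
    if [ "$1" = opaque ]; then detach=-nodetach; else detach=; fi
    openssl smime -sign -in "$dir/body.txt" -text $detach \
        -signer "$dir/cert.pem" -inkey "$dir/key.pem" \
        -from signer@example.invalid -to reader@example.invalid \
        -subject "constructed test" -out "$dir/signed.eml"
    echo "$dir/signed.eml"
}

# Stand-alone use: `sh smime-signer-info message.eml`.
# From mutt, save this on PATH as smime-signer-info and bind it, e.g.
#   macro index,pager \cs "<pipe-message>smime-signer-info | less<enter>"
# (script name and key binding are assumptions, adjust to taste).
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    smime_signer_info "$1"
fi
```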
Re: [ext] Re: Display info about S/MIME signature
* ckeader via Mutt-users :
> gpgsm --list-keys ralf.hildebra...@charite.de
>
> would give you all information about the key, including ID (which is the
> last part of the fingerprint), serial etc.

Yeah, that's awesome. Exactly what I need!

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | https://www.charite.de
Re: [ext] Re: Display info about S/MIME signature
> certificate b43f1e2c.0 (foo) for firstname.lastn...@charite.de added.
>
> But what *IS* "b43f1e2c"? Is it a serial number, a part of the fingerprint?

It looks like an openssl hash, the type c_rehash generates. Like, what you may find under /etc/ssl/certs.

> > Also check the config options `crypt_verify_sig`, and
> > `smime_verify_command`, `smime_verify_opaque_command`
>
> I'll have a look at those.
>
> > When receiving a smime signed mail, mutt tells me if the signature is
> > valid or not.
>
> Well yes, but in some cases (please don't ask) my moron users have
> more than one valid certificate in use and I'd like to know which one
> that is (because they don't know).

I do not seem to have this problem. Maybe using S/MIME support via gpgme makes this all a bit easier to handle?

gpgsm --list-keys ralf.hildebra...@charite.de

would give you all information about the key, including ID (which is the last part of the fingerprint), serial etc.
Re: [ext] Re: Display info about S/MIME signature
* Bastian :
> Try ^K, which is the default keybind for `extract-keys`.
> This command extracts the public key and adds it to your keyring
> (smime_keys).

Yes, but this only displays precious little info.

Enter label:
Found 1 certificate chains
Processing chain:
subject=C = DE, ST = Berlin, L = Berlin, O = Charite- Universitaetsmedizin Berlin, SN = Lastname, GN = Firstname, CN = Firstname Lastname
Certificate: /home/hildeb-adm/.smime/certificates/6ab64010.0 already installed.
==> about to verify certificate of b43f1e2c.0
/home/hildeb-adm/.smime/certificates/b43f1e2c.0: OK
==> checking purpose flags for b43f1e2c.0
S/MIME signing : Yes
S/MIME encryption : Yes
certificate b43f1e2c.0 (foo) for firstname.lastn...@charite.de added.

But what *IS* "b43f1e2c"? Is it a serial number, a part of the fingerprint?

> Also check the config options `crypt_verify_sig`, and
> `smime_verify_command`, `smime_verify_opaque_command`

I'll have a look at those.

> When receiving a smime signed mail, mutt tells me if the signature is
> valid or not.

Well yes, but in some cases (please don't ask) my moron users have more than one valid certificate in use and I'd like to know which one that is (because they don't know).

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | https://www.charite.de
Re: Display info about S/MIME signature
On 12Oct22 16:12+0200, Ralf Hildebrandt via Mutt-users wrote:
> when receiving an S/MIME signed mail, how can I extract information
> about the certificate / public key that was sent along with the
> signature?

Try ^K, which is the default keybind for `extract-keys`.
This command extracts the public key and adds it to your keyring (smime_keys).

Also check the config options `crypt_verify_sig`, and `smime_verify_command`, `smime_verify_opaque_command`

When receiving a smime signed mail, mutt tells me if the signature is valid or not.

HTH,
--
Bastian
Display info about S/MIME signature
Hi!

when receiving an S/MIME signed mail, how can I extract information about the certificate / public key that was sent along with the signature?

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | https://www.charite.de
Re: S/MIME stopped working
> > TBH this looks more like a gpg than a mutt problem, and I haven't
> > figured out how to debug this. Same error for encrypting.
>
> Yes, it sounds like something changed with either the GPGME version, or
> perhaps a configuration file. I can't offer much advice except to check
> those things. :(

PEBKAC. Files under ~/.gnupg deleted that shouldn't have been. Luckily I had a backup somewhere. Will know better next time.
Re: S/MIME stopped working
On Wed, Apr 07, 2021 at 12:36:53PM +0100, isdtor wrote:
> My S/MIME setup has died from one day to the next and I cannot find out why. Symptom: trying to send e.g. signed email, the result is
>
> error signing data: No CRL known?

This is an error coming back from GPGME when trying to perform the sign operation.

> TBH this looks more like a gpg than a mutt problem, and I haven't figured out how to debug this. Same error for encrypting.

Yes, it sounds like something changed with either the GPGME version, or perhaps a configuration file. I can't offer much advice except to check those things. :(

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
S/MIME stopped working
All,

My S/MIME setup has died from one day to the next and I cannot find out why. Symptom: trying to send e.g. signed email, the result is

error signing data: No CRL known?

TBH this looks more like a gpg than a mutt problem, and I haven't figured out how to debug this. Same error for encrypting.

Everything in the tool chain is at the latest version - mutt, gpg and components, openssl. I have verified that my certificate is not expired (years in the future) and that the crl is accessible by wget/curl. mutt in debug mode does not give any additional information, and I can't make much sense of an strace -f log either.

The same certificate and process works just fine in thunderbird on the same machine.

Any ideas?
Re: S/MIME Mail Display
On Thu, Mar 25, 2021 at 10:52:46PM +0100, Andy Spiegl wrote:
> No mess at all. :-)
>
> see attached pic
>
> Andy

Cheers Andy!

Pete.
Re: S/MIME Mail Display
No mess at all. :-)

see attached pic

Andy
--
Now I know what a statesman is; he's a dead politician. We need more statesmen. (Bob Edwards)
S/MIME Mail Display
Hi all,

I'm wondering how this mail appears to you all. Is it a mess or do you see the 'signed message' boundaries?

Thanks.

Pete.
S/MIME security
Hi,

my draft emails have a line in the header called Security: S/MIME. I then can't send anything because I don't have a pass phrase. Can I set Mutt to not use SMIME?

Thank you!
Rob
S/MIME no longer works
Hi all,

I upgraded my email tool chain recently to the latest versions of mutt/gpg/gpgme etc. and now S/MIME signing and encrypting no longer works. The bad part is, going back to the previous executables also no longer works, so I'm wondering whether gpg has updated some files in an incompatible way? There were no changes to my mutt or gpg config files (other than trivial ones like adding a hook).

An attempt to sign or encrypt is met by an error message from mutt:

error encrypting data: Connection timed out?

I've tried with debugging and -d5, but it is no help. All I know is that this is somehow related to the gpgme interface as the message is from crypt-gpgme.c. Encrypting and signing with pgp/mime continues to work fine.

Old tool versions: mutt-1.14.6 gnupg-2.2.20 gpgme-1.13.1 libgcrypt-1.8.5.
New: gnupg-2.2.21 gpgme-1.14.0 libgcrypt-1.8.6

Any ideas?
Re: Option to disable S/MIME signature check?
On Tue, May 15, 2018 at 03:27:15PM -0400, Todd Zullinger wrote:
> Kevin J. McCarthy wrote:
> > On Tue, May 15, 2018 at 09:40:38AM +0200, W. Martin Borgert wrote:
> > > Is there an option in mutt to do this? Hopefully a run time
> > > option, not a compile time option...
> >
> > The compile-time configuration is the cleanest way to turn it off.
> > However, you could try set smime_verify_command="" (along with
> > smime_verify_opaque_command and smime_decrypt_command).
>
> Out of curiosity, is it correct that --disable-smime only
> applies when building without gpgme? It looks like with
> --enable-gpgme, smime will be available via gpgme?

Yes, if you turn on gpgme it will be available through that.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
Re: Option to disable S/MIME signature check?
On 2018-05-15 09:06, Kevin J. McCarthy wrote:
> However, you could try set smime_verify_command="" (along with
> smime_verify_opaque_command and smime_decrypt_command).

Thanks, but unfortunately, this did not help. I found that

set crypt_use_gpgme=no

helps however (source: https://bugs.debian.org/838361).
Re: Option to disable S/MIME signature check?
Kevin J. McCarthy wrote:
> On Tue, May 15, 2018 at 09:40:38AM +0200, W. Martin Borgert wrote:
> > Is there an option in mutt to do this? Hopefully a run time
> > option, not a compile time option...
>
> The compile-time configuration is the cleanest way to turn it off.
> However, you could try set smime_verify_command="" (along with
> smime_verify_opaque_command and smime_decrypt_command).

Out of curiosity, is it correct that --disable-smime only applies when building without gpgme? It looks like with --enable-gpgme, smime will be available via gpgme?

Thanks,

--
Todd
~~
A common mistake people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
-- Douglas Adams
Re: Option to disable S/MIME signature check?
On Tue, May 15, 2018 at 09:40:38AM +0200, W. Martin Borgert wrote:
> Is there an option in mutt to do this? Hopefully a run time
> option, not a compile time option...

The compile-time configuration is the cleanest way to turn it off. However, you could try set smime_verify_command="" (along with smime_verify_opaque_command and smime_decrypt_command).

Alternatively, you could set crypt_verify_sig=ask-yes, but that affects both PGP and S/MIME.

--
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
Option to disable S/MIME signature check?
Hi,

once in a while I get emails with S/MIME signatures. This is on public mailing lists, where I seldom care about signatures, and I open the email only to read one or two lines to be sure I can actually press 'd' :~)

Mutt says "Invoking S/MIME..." which takes too long for my taste (some seconds just to open one email which I will delete anyway) and then usually: "S/MIME signature could NOT be verified."

I would like to disable this signature check altogether, because all my real contacts use either PGP or no signature at all.

Is there an option in mutt to do this? Hopefully a run time option, not a compile time option...

Many TIA & Cheers
Re: Configuring S/MIME when crypt_use_gpgme = yes?
*sigh* Never mind, something is not communicating well.

After flailing around for a while with gpgsm and associated tools, I found that the problem is either that an intermediate certificate is revoked or dirmngr is confused. I temporarily disabled CRL checking and now mutt is happy to sign with my X.509 key.

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Configuring S/MIME when crypt_use_gpgme = yes?
I need to use PGP/MIME and S/MIME with different correspondents and I have crypt_use_gpgme set. This works fine for PGP/MIME but has broken S/MIME.

I've set local-user in gpgsm but it seems to be ignored in Mutt: "error signing data: End of file?". If I set smime_default_key it always says "secret key SOMETHING not found". (I've tried the key ID with and without leading 0x, the key fingerprint, and my email address. 'gpgsm -K' understands all of these.)

Yes, +CRYPT_BACKEND_GPGME is set.

What am I missing?

--
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
S/MIME from the command line?
I found: http://comments.gmane.org/gmane.mail.mutt.user/40965

And right now I'm trying to send S/MIME signed mails from the command line.

Invoking mutt interactively using my custom config:

% mutt -F ~/muttrc

works as expected (mail is being signed, sender is set correctly and so on)

Invoking mutt from within a script like:

mutt -F ~/muttrc \
  -s "some subject" \
  -a $somefile -- "${addr}" < mailbody.txt

just sends an UNSIGNED mail (but at least it sends an email!)

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: mutt with GPG and S/Mime
On 01Jul2015 20:12, Ian Zimmerman wrote:
> On 2015-07-02 12:20 +1000, Cameron Simpson wrote:
> > I keep a little maildb which assigns group names to addresses, and
> > autogenerate mutt aliases formed like the above from it. Why the
> > maildb? Because my mail filing also uses these groups in its rules.
>
> Excuse my ignorance, but what is a maildb? Just a Berkeley DB file or
> similar with emails and groups? Or?

Ah, sorry, it is a thing of my own. But any external-to-mutt db might do if it lets you tag or group addresses. Mine is a particular flavour of CSV, with an associated tool and some handy edit tools. My mailfiler knows how to consult it, so I get to use these groups in mail filing and also in mutt config.

Cheers,
Cameron Simpson

It looked good-natured, she thought; Still it had very long claws and a great many teeth, so she felt it ought to be treated with respect.
Re: mutt with GPG and S/Mime
On 2015-07-02 12:20 +1000, Cameron Simpson wrote:
> I keep a little maildb which assigns group names to addresses, and
> autogenerate mutt aliases formed like the above from it. Why the
> maildb? Because my mail filing also uses these groups in its rules.

Excuse my ignorance, but what is a maildb? Just a Berkeley DB file or similar with emails and groups? Or?

--
Please *no* private copies of mailing list or newsgroup messages.
Rule 420: All persons more than eight miles high to leave the court.
Re: mutt with GPG and S/Mime
On 30Jun2015 16:47, Jon LaBadie wrote:
> On Tue, Jun 30, 2015 at 10:11:53PM +0200, jonas hedman wrote:
> > On 15-06-30 22:00:27, Niels Kobschaetzki wrote:
> > > is it possible to use with one account PGP and S/Mime? I found a how-to
> > > for using S/Mime or using mutt with one account with PGP and one account
> > > S/Mime. But I want to use my main account with both and would like to
> > > choose on a per user basis whether I encrypt via PGP or S/Mime. I know
> > > people who use only PGP and others only S/Mime.
> > > So: is this possible in mutt? If yes, how - any how-tos you can
> > > recommend?
> >
> > I use send-hooks for this for examples
> > send-hook someonewhoperfersinlinecry...@mail.com "set pgp_autoinline; set pgp_autoencrypt"
> >
> > While I have S/Mime as standard in my default crypto settings.
>
> For configuration ease, so as not to have lots of send-hooks, could you do something like:
>
> set my_PersonsWhoUsePGP = "\
> pers...@email1.com,\
> pers...@email2.com,\
> ...
> pers...@emailn.com"
>
> send-hook $my_PersonsWhoUsePGP "set pgp_autoinline; set pgp_autoencrypt"

A cleaner solution might be to reframe the above like this:

alias -group pgpers pgpers pers...@email1.com, pers...@email2.com, ...

send-hook '%C pgpers' 'set pgp_autoinline; set pgp_autoencrypt'

I suggest this for two reasons. First, address groups seem a much cleaner system for talking about groups of addresses and second, I use them aggressively! I keep a little maildb which assigns group names to addresses, and autogenerate mutt aliases formed like the above from it. Why the maildb? Because my mail filing also uses these groups in its rules.

As a real world example, I use this in my muttrc for HTML:

message-hook . 'unalternative_order *; alternative_order text/plain text/html'
# Apple Mail embeds attachments in the HTML part instead of outside the multipart/mixed
message-hook '~h "X-Mailer: Apple Mail" ~X 1-' 'unalternative_order *; alternative_order text/html multipart/mixed text/plain'
message-hook '%f htmlers | ~f @no-re...@cc.yahoo-inc.com | ~f @outlook.com | ~f live.com | ~f @facebookmail.com' 'unalternative_order *; alternative_order text/html text/plain'

That final message-hook selects HTML in preference for messages from people in my "htmlers" mutt group.

Cheers,
Cameron Simpson

When Microsoft Office is your only hammer, pretty much everything begins to look like a nail. Or a thumb. - Rob Pegoraro
Re: mutt with GPG and S/Mime
On 30/06 16:47, Jon LaBadie wrote:
> On Tue, Jun 30, 2015 at 10:11:53PM +0200, jonas hedman wrote:
> > On 15-06-30 22:00:27, Niels Kobschaetzki wrote:
> > > Hi,
> > >
> > > is it possible to use with one account PGP and S/Mime? I found a how-to
> > > for using S/Mime or using mutt with one account with PGP and one account
> > > S/Mime. But I want to use my main account with both and would like to
> > > choose on a per user basis whether I encrypt via PGP or S/Mime. I know
> > > people who use only PGP and others only S/Mime.
> > > So: is this possible in mutt? If yes, how - any how-tos you can
> > > recommend?
> > >
> > > Thanks,
> > > Niels
> >
> > Hi!
> >
> > I use send-hooks for this for examples
> > send-hook someonewhoperfersinlinecry...@mail.com "set pgp_autoinline; set pgp_autoencrypt"
> >
> > While I have S/Mime as standard in my default crypto settings.
>
> For configuration ease, so as not to have lots of send-hooks, could you do something like:
>
> set my_PersonsWhoUsePGP = "\
> pers...@email1.com,\
> pers...@email2.com,\
> ...
> pers...@emailn.com"
>
> send-hook $my_PersonsWhoUsePGP "set pgp_autoinline; set pgp_autoencrypt"

Thanks a lot. Your suggestions look really good :)

Niels
Re: mutt with GPG and S/Mime
* Jon LaBadie [2015-06-30 16:53]:
> On Tue, Jun 30, 2015 at 10:11:53PM +0200, jonas hedman wrote:
> > On 15-06-30 22:00:27, Niels Kobschaetzki wrote:
> > > Hi,
> > >
> > > is it possible to use with one account PGP and S/Mime? I found a how-to
> > > for using S/Mime or using mutt with one account with PGP and one account
> > > S/Mime. But I want to use my main account with both and would like to
> > > choose on a per user basis whether I encrypt via PGP or S/Mime. I know
> > > people who use only PGP and others only S/Mime.
> > > So: is this possible in mutt? If yes, how - any how-tos you can
> > > recommend?
> > >
> > > Thanks,
> > > Niels
> >
> > Hi!
> >
> > I use send-hooks for this for examples
> > send-hook someonewhoperfersinlinecry...@mail.com "set pgp_autoinline; set
> > pgp_autoencrypt"
> >
> > While I have S/Mime as standard in my default crypto settings.
>
> For configuration ease, so as not to have lots of send-hooks,
> could you do something like:
>
> set my_PersonsWhoUsePGP = "\
> pers...@email1.com,\
> pers...@email2.com,\
> ...
> pers...@emailn.com"
>
> send-hook $my_PersonsWhoUsePGP "set pgp_autoinline; set pgp_autoencrypt"
>
> I don't have that need, but I'm curious for other similar purposes.

Thank you, this is a great contribution! I am also curious if the above solution would be able to distinguish between mails that are sent to the pers...@email1.com (who uses PGP) only and exclusively, and between mails that get sent to others in CC: as well.

best,
P
Re: mutt with GPG and S/Mime
On Tue, Jun 30, 2015 at 10:11:53PM +0200, jonas hedman wrote:
> On 15-06-30 22:00:27, Niels Kobschaetzki wrote:
> > Hi,
> >
> > is it possible to use with one account PGP and S/Mime? I found a how-to
> > for using S/Mime or using mutt with one account with PGP and one account
> > S/Mime. But I want to use my main account with both and would like to
> > choose on a per user basis whether I encrypt via PGP or S/Mime. I know
> > people who use only PGP and others only S/Mime.
> > So: is this possible in mutt? If yes, how - any how-tos you can
> > recommend?
> >
> > Thanks,
> > Niels
>
> Hi!
>
> I use send-hooks for this for examples
> send-hook someonewhoperfersinlinecry...@mail.com "set pgp_autoinline; set
> pgp_autoencrypt"
>
> While I have S/Mime as standard in my default crypto settings.

For configuration ease, so as not to have lots of send-hooks, could you do something like:

set my_PersonsWhoUsePGP = "\
pers...@email1.com,\
pers...@email2.com,\
...
pers...@emailn.com"

send-hook $my_PersonsWhoUsePGP "set pgp_autoinline; set pgp_autoencrypt"

I don't have that need, but I'm curious for other similar purposes.

Jon
--
Jon H. LaBadie                 j...@jgcomp.com
11226 South Shore Rd.          (703) 787-0688 (H)
Reston, VA 20190               (703) 935-6720 (C)
Re: mutt with GPG and S/Mime
On 15-06-30 22:00:27, Niels Kobschaetzki wrote:
> Hi,
>
> is it possible to use with one account PGP and S/Mime? I found a how-to
> for using S/Mime or using mutt with one account with PGP and one account
> S/Mime. But I want to use my main account with both and would like to
> choose on a per user basis whether I encrypt via PGP or S/Mime. I know
> people who use only PGP and others only S/Mime.
> So: is this possible in mutt? If yes, how - any how-tos you can
> recommend?
>
> Thanks,
> Niels

Hi!

I use send-hooks for this for examples
send-hook someonewhoperfersinlinecry...@mail.com "set pgp_autoinline; set pgp_autoencrypt"

While I have S/Mime as standard in my default crypto settings.

/jonas
mutt with GPG and S/Mime
Hi,

is it possible to use with one account PGP and S/Mime? I found a how-to
for using S/Mime or using mutt with one account with PGP and one account
S/Mime. But I want to use my main account with both and would like to
choose on a per user basis whether I encrypt via PGP or S/Mime. I know
people who use only PGP and others only S/Mime.

So: is this possible in mutt? If yes, how - any how-tos you can
recommend?

Thanks,
Niels
S/MIME key renewal
Hi all,

My smime certificate recently expired and I've had to renew it. Now I'm
not entirely sure how I should use it.

My first attempt was to import it using smime_keys and then updating my
smime_default_key entry:

    set smime_default_key = '73bb549d.0'

to

    set smime_default_key = '73bb549d.1'

This has the annoying consequence that I cannot open any emails that were
encrypted using the old key.

Reading man muttrc, I thought that setting

    set smime_decrypt_use_default_key = no

would be the solution. This makes decrypting past emails a very tedious
task since it asks me what key to use on every message.

Finally, I tried setting

    set smime_default_key = '73bb549d.0 73bb549d.1'

This solution works, but is similarly tedious as the one above.

Unfortunately I haven't been able to find any documentation that gives me
a solution that results in a convenient solution. Could someone please
point out my errors? Any tips are very welcome.

Thank you in advance,
Max
Re: mutt & S/MIME
On Wed, Apr 29, 2015 at 07:33:01PM +0200, Thomas Klausner wrote:
> Is there a way to configure mutt in such a way that I can read mails
> encrypted using my old key and ones encrypted using my current key in
> the same session?

Expired x.509 keys are one of the true pains in the ass of email
security. Most email clients don't handle this at all, or very badly. I
have no idea of the answer to your question but I'm interested in the
answer too. This happened to me once on Microsloth Outhouse and it was
game over.

/jl

--
ASCII ribbon campaign against HTML e-mail and proprietary attachments
Powered by Lemote Fuloong, Loongson MIPS and OpenBSD - http://www.mutt.org
Code Blue or Go Home!
Encrypted email preferred - PGP Key 2048R/DA65BC04
mutt & S/MIME
Hi!

I want to use mutt to send S/MIME encrypted/signed mails. I managed to
set up keys for myself and a friend once already, but they expired, so I
replaced my key. (I haven't managed to replace his key yet. I find
handling keys very hard, because there are too many formats and most
guides assume too much knowledge, and smime_keys errors out quite
easily.)

Is there a way to configure mutt in such a way that I can read mails
encrypted using my old key and ones encrypted using my current key in
the same session?

Using the piece of code most pages cite:

    set crypt_autosign = no
    set smime_default_key=".1"
    set smime_timeout=3600
    # always encrypt to myself as well
    set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c /home/wiz/.smime/certificates/.1"

I have to change "smime_default" before every start to the appropriate
key, otherwise it doesn't work.

Thomas
S/MIME and multiple keys & selection
Hi,

I'm using Mutt for some time and it is great!

I have a number of cert/priv.keys already. All are imported into my store
under the label "zito". All certs are one year validity.

    zito@bobek:~/.keystore$ smime_keys list|fgrep zito
    243f80ec.0: Issued for: vaclav.ov...@i.cz "zito" (Expired)
        Subject: Ovs\xEDk V\xE1clav (zito)
    243f80ec.1: Issued for: vaclav.ov...@i.cz "zito" (Expired)
        Subject: Ovs\xEDk V\xE1clav (zito)
    243f80ec.2: Issued for: vaclav.ov...@i.cz "zito" (Expired)
        Subject: Ovs\xEDk V\xE1clav (zito)
    243f80ec.3: Issued for: vaclav.ov...@i.cz "zito" (Expired)
        Subject: Ovs\xEDk V\xE1clav (zito)
    243f80ec.4: Issued for: vaclav.ov...@i.cz "zito" (Trusted)
        Subject: Ovs\xEDk V\xE1clav (zito)
    243f80ec.5: Issued for: vaclav.ov...@i.cz "zito" (Trusted)
        Subject: Ovs\xEDk V\xE1clav (zito)
    243f80ec.6: Issued for: vaclav.ov...@i.cz "zito" (Trusted)
        Subject: Ovs\xC3\xADk V\xC3\xA1clav (zito)

    zito@bobek:~/.keystore/cert$ for x in 243f80ec.*; do echo -n "$x: "; openssl x509 -enddate -noout -in $x; done
    243f80ec.0: notAfter=Feb 17 09:42:25 2009 GMT
    243f80ec.1: notAfter=Jan 29 13:43:16 2011 GMT
    243f80ec.2: notAfter=Jan 24 13:19:51 2012 GMT
    243f80ec.3: notAfter=Feb  9 07:42:37 2010 GMT
    243f80ec.4: notAfter=Jan 16 07:16:55 2013 GMT
    243f80ec.5: notAfter=Jan 17 12:05:54 2014 GMT
    243f80ec.6: notAfter=Nov 12 14:08:37 2014 GMT

There are problems:

1) The only valid cert is the last (243f80ec.6), all previous are
   Expired. Some certs were valid in the time of their import
   (243f80ec.{4,5}).
   - What should I do to refresh the validity in the .index file?
   ...of course I can change `t' to `e' by hand :), but I hope this is
   not the intention.

2) When I receive an encrypted message, Mutt asks me what key to use to
   decrypt a message and the keys it offers are in strange order. For
   example I hit the enc. message and Mutt asks:

    Use ID 243f80ec.1 for vaclav.ov...@i.cz ? ([no]/yes):
    Use ID 243f80ec.2 for vaclav.ov...@i.cz ? ([no]/yes):
    Use ID 243f80ec.3 for vaclav.ov...@i.cz ? ([no]/yes):
    Use ID 243f80ec.4 for vaclav.ov...@i.cz ? ([no]/yes):
    Use ID 243f80ec.5 for vaclav.ov...@i.cz ? ([no]/yes):
    Use ID 243f80ec.6 for vaclav.ov...@i.cz ? ([no]/yes):
    Use ID 243f80ec.0 for vaclav.ov...@i.cz ? ([no]/yes):
    Enter keyID for vaclav.ov...@i.cz:

   ...and finally the list of all. So this is a bit of torture,
   especially in the case some colleague sends me a message encrypted
   with the already expired keys.

3) The above problem applies to the archive of old messages. I'm not
   able to guess what key to use for a several year old message and I
   simply try every one. Is it possible to configure Mutt to try every
   key from the store to decrypt a message without asking, in the case
   the pass-phrase is the same for all keys?

Best Regards
--
Zito
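The "try every key without asking" setup that Max, Thomas and Zito ask for above can be done outside mutt by pointing $smime_decrypt_command at a small wrapper. The script below is an added example, not part of mutt or smime_keys; it assumes the smime_keys store layout (a key and its certificate share an id such as 243f80ec.3 under ~/.smime/keys and ~/.smime/certificates), one passphrase for all keys as in the thread, and the muttrc lines given in its header comment.

```shell
#!/bin/sh
# smime-decrypt-any: an $smime_decrypt_command replacement that tries every
# key pair in the mutt S/MIME store instead of only the default key, so
# mail encrypted to an older, now expired certificate still opens without
# a per-message key prompt.
# Added example, not part of mutt or smime_keys. Assumed muttrc lines:
#   set smime_decrypt_use_default_key
#   set smime_decrypt_command="smime-decrypt-any %f %k"
# Mutt writes the passphrase to stdin exactly as for the stock
# "-passin stdin" command; %k (the default key) is simply tried first.

SMIME_KEYS_DIR="${SMIME_KEYS_DIR:-$HOME/.smime/keys}"
SMIME_CERTS_DIR="${SMIME_CERTS_DIR:-$HOME/.smime/certificates}"

# candidate_keys [preferred_id]: print each key id once, the preferred id
# first, the rest with the highest numeric suffix first (.6 before .0),
# since the newest certificate is the most likely match.
candidate_keys() {
    preferred=$1
    [ -n "$preferred" ] && printf '%s\n' "$preferred"
    ls "$SMIME_KEYS_DIR" 2>/dev/null | sort -t. -k2,2nr |
    while read -r id; do
        [ "$id" = "$preferred" ] || printf '%s\n' "$id"
    done
}

# try_decrypt message_file key_id: one openssl attempt, decrypted MIME
# entity on stdout. The passphrase travels through the environment
# (-passin env:) rather than argv, so it is not visible in the process list.
try_decrypt() {
    openssl smime -decrypt -inform DER -in "$1" \
        -inkey "$SMIME_KEYS_DIR/$2" -recip "$SMIME_CERTS_DIR/$2" \
        -passin env:SMIME_PASS 2>/dev/null
}

# decrypt_any message_file [preferred_key]: reads the passphrase from stdin
# once, prints the first successful decryption and returns 0, or returns 1
# when no key worked. preferred_key may be a bare id or the key path mutt
# expands %k to; only the basename is used.
decrypt_any() {
    msg=$1
    pref=${2##*/}
    IFS= read -r SMIME_PASS || SMIME_PASS=""
    export SMIME_PASS
    tmp=$(mktemp) || return 1
    rc=1
    for id in $(candidate_keys "$pref"); do
        # write to a temp file so binary MIME bodies survive intact
        if try_decrypt "$msg" "$id" >"$tmp"; then
            cat "$tmp"
            rc=0
            break
        fi
    done
    rm -f "$tmp"
    unset SMIME_PASS
    [ "$rc" -eq 0 ] || echo "smime-decrypt-any: no key in $SMIME_KEYS_DIR decrypts $msg" >&2
    return "$rc"
}

# Run as a script when mutt hands over arguments; without arguments the
# file only defines the functions (handy for sourcing and testing).
if [ $# -gt 0 ]; then
    decrypt_any "$@"
    exit $?
fi
```

Keys are tried one after another, so a wrong passphrase costs one failed openssl call per key rather than a prompt per message.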
Combining S/MIME Certificates
Hello-

When I imported my S/MIME certificates using smime_keys, I noticed that
it separated my signing certificate from my encryption certificate. Is
there a way that I can keep them together such that when I sign an email
the recipient can use the certificate attached to the signed email to
send encrypted email back to me?

Right now, when I sign an email the certificate included is only for
signing. As such, I must separately attach my encryption certificate, and
the recipient must manually import that certificate, prior to them being
able to encrypt email to me.

When I get a signed email from someone else and I inspect the included
certificate, it includes certificates for both signing and encrypting.

I've tried a couple of different ways of importing the certificates
together into smime_keys, but it continues to separate them out.

Any ideas? Please advise.

Thanks!
S/MIME With Mutt
Hello-

I'm enjoying Mutt as my email client for work, and would really like to
get S/MIME working as well. I've posted a question at superuser.com that
I wanted to repost here to see if anyone has some ideas. Thanks in
advance for the help!

http://superuser.com/questions/766676/is-it-possible-to-use-self-signed-smime-certs-with-mutt

I'm trying to use a self-signed SMIME key that my company has issued me
with Mutt. However, when I try to import it with `smime_keys` I get the
following.

    Couldn't identify root certificate!
    No root and no intermediate certificates. Can't continue. at /usr/bin/smime_keys line 708.

I'm using Mutt on OSX recently installed using Homebrew.

Does anyone know a way to force `smime_keys` to accept my self-signed
certificate? Can I add the signing certificate my company uses to some
authoritative Root CA file somewhere?

UPDATE:

OK, so I was able to get `smime_keys` to accept my self-signed
certificate by first adding my company's root CA via `smime_keys add_root
root-ca.cer`.

Now, however, when I try to decrypt an encrypted email to me Mutt asks me
for my encryption certificate's password and once I enter it I get a
message saying `Could not copy message`.

When I try to send a signed or encrypted email from Mutt, after entering
in my certificate's password I get a message saying `Can't open OpenSSL
subprocess!: No such file or directory (errno = 2)`.

Some additional info - when I run Mutt in debug mode `mutt -d 3` and try
to decrypt an encrypted email to me, I see the following in
`.muttdebug0`.

    Failed on attachment of type application/pkcs7-mime.
    Bailing on attachment of type application/pkcs7-mime.
    Could not copy message

Any ideas?
Can't sign messages using s/mime
When I try to sign messages using s/mime, I get:

    Varning: Temporärt certifikat hittas inte.Error opening signing key file /home/per/.smime/keys/658483e2.0
    3074218136:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/home/per/.smime/keys/658483e2.0','r')
    3074218136:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
    unable to load signing key file
    Tryck på valfri tangent för att fortsätta...
    Ingen utdata från OpenSSL...

Regards,
Per Gunnarsson
Re: S/MIME configuration: .index-file
On Monday 06 Jan 2014 12:22:49 Heiko Heil wrote:
> Hello Mick,
>
> On Sun, Jan 05, 2014 at 08:34:52PM +, Mick wrote:
> >> I found the description of those fields in smime.c:
> >> /* 0=email 1=name 2=nick 3=intermediate 4=trust */ (line 397)
> >> Just wondering why "smime_keys add_p12" didn't insert the
> >> intermediate certificate ("?").
> >
> >Could it be that the intermediate cert was not part of the p12 file
> >bundle?
>
> I just double-checked this: The Firefox-export didn't contain the
> intermediate cert.
>
> But also extracting certificates from a smime-signed-e-mail (Ctrl-k)
> doesn't work (? as intermediate). I use the S/MIME-configuration from my
> homebrew setup
> (homebrew/Cellar/mutt/1.5.22/share/doc/mutt/samples/smime.rc).
>
> Maybe I will check the workaround described on
> http://wiki.cacert.org/EmailCertificates the next time.
>
> Best regards,
> Heiko

You can use this to look into the p12 file:

    openssl pkcs12 -in your_cert.p12 -info

If it contains the whole chain you will see more than one certificate in
there.

To build your own bundle export your cert from Firefox in pkcs12 format
(e.g. backup.p12) and then try this:

    openssl pkcs12 -export -out full_bundle.p12 -certfile intermediate.pem -in backup.p12 -name "My 2014 S/MIME certificate"

An alternative way to do the same would be to include the whole chain of
root CA and intermediate certificates by using the option '-chain':

    openssl pkcs12 -export -out full_bundle.p12 -chain -in backup.p12 -name "My 2014 S/MIME certificate"

This assumes that your CA and any intermediate certificates have already
been imported in your OS default CA store. If any of them is not there
the command will fail.

For more details look into 'man openssl-pkcs12' in case I have any errors
in the syntax above.

--
Regards,
Mick
Re: S/MIME configuration: .index-file
Hello Mick,

On Sun, Jan 05, 2014 at 08:34:52PM +, Mick wrote:
> > I found the description of those fields in smime.c:
> > /* 0=email 1=name 2=nick 3=intermediate 4=trust */ (line 397)
> > Just wondering why "smime_keys add_p12" didn't insert the
> > intermediate certificate ("?").
>
> Could it be that the intermediate cert was not part of the p12 file
> bundle?

I just double-checked this: The Firefox-export didn't contain the
intermediate cert.

But also extracting certificates from a smime-signed-e-mail (Ctrl-k)
doesn't work (? as intermediate). I use the S/MIME-configuration from my
homebrew setup
(homebrew/Cellar/mutt/1.5.22/share/doc/mutt/samples/smime.rc).

Maybe I will check the workaround described on
http://wiki.cacert.org/EmailCertificates the next time.

Best regards,
Heiko

--
Heiko Heil • heiko.h...@me.com
Re: S/MIME configuration: .index-file
On Sunday 05 Jan 2014 19:10:42 Heiko Heil wrote:
> On Sun, Jan 05, 2014 at 04:25:39PM +0100, Heiko Heil wrote:
> > [...]
> > first.l...@domain.com 1a2b3c4d.0 me ? t
> > ^ email               ^ key      ^ label
> >
> >...but what about the last 2? I didn't find any information in the
> >manuals.
>
> I found the description of those fields in smime.c:
> /* 0=email 1=name 2=nick 3=intermediate 4=trust */ (line 397)
>
> Just wondering why "smime_keys add_p12" didn't insert the intermediate
> certificate ("?").

Could it be that the intermediate cert was not part of the p12 file
bundle?

--
Regards,
Mick
Re: S/MIME configuration: .index-file
On Sun, Jan 05, 2014 at 04:25:39PM +0100, Heiko Heil wrote:
> [...]
> first.l...@domain.com 1a2b3c4d.0 me ? t
> ^ email               ^ key      ^ label
>
> ...but what about the last 2? I didn't find any information in the
> manuals.

I found the description of those fields in smime.c:

    /* 0=email 1=name 2=nick 3=intermediate 4=trust */ (line 397)

Just wondering why "smime_keys add_p12" didn't insert the intermediate
certificate ("?").

Best regards,
Heiko

--
Heiko Heil • heiko.h...@me.com • twitter @hhe • mobile +49 170 4713229
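With the .index layout settled (email, key, label, intermediate, trust), the "refresh the validity in the .index file" chore from the multiple-keys thread earlier on this page can be scripted. The script below is an added example, not part of mutt or smime_keys; it takes the five-field layout from the smime.c comment quoted above, the t (trusted) and e (expired) flag values from the smime_keys list output in that thread, and assumes the usual ~/.smime/certificates store with its .index file.

```shell
#!/bin/sh
# smime-index-refresh: re-check every trusted entry in a smime_keys .index
# file against its certificate's notAfter date and demote it from t
# (trusted) to e (expired), instead of editing the flag by hand.
# Added example, not part of mutt or smime_keys. Field layout (assumed from
# the smime.c comment quoted in this thread): email key label intermediate trust.

SMIME_CERTS_DIR="${SMIME_CERTS_DIR:-$HOME/.smime/certificates}"

# cert_status cert_file: prints valid, expired or unreadable. Kept as its
# own function so the openssl dependency sits in one place. "-checkend 0"
# asks whether the certificate expires within 0 seconds, i.e. already has.
cert_status() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1 || { echo unreadable; return; }
    if openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# refresh_index index_file: writes the updated index to stdout. Only entries
# flagged t are reconsidered; an expired certificate becomes e. Other flags,
# unreadable certificates and lines that do not have five fields pass
# through unchanged, so a typo in the index is never silently rewritten.
refresh_index() {
    idx=$1
    while IFS= read -r line || [ -n "$line" ]; do
        set -f                      # "?" in the intermediate field must not glob
        set -- $line
        set +f
        if [ $# -ne 5 ]; then
            printf '%s\n' "$line"
            continue
        fi
        trust=$5
        if [ "$trust" = t ] && [ "$(cert_status "$SMIME_CERTS_DIR/$2")" = expired ]; then
            trust=e
        fi
        printf '%s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$trust"
    done <"$idx"
}

# refresh_index_inplace index_file: rewrite via a temp file next to the
# index and rename, so a half-written index never replaces the real one.
refresh_index_inplace() {
    tmp=$(mktemp "$1.XXXXXX") || return 1
    if refresh_index "$1" >"$tmp"; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Run as a script with the index path; without arguments the file only
# defines the functions (handy for sourcing and testing).
if [ $# -gt 0 ]; then
    refresh_index_inplace "$1"
    exit $?
fi
```

Run it as `smime-index-refresh ~/.smime/certificates/.index` after importing or whenever the list output starts showing stale flags.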
Re: S/MIME from command-line
2013/3/6 Andre Klärner:
> Hi Kunszt,
>
> On Tue, Mar 05, 2013 at 09:05:06AM +0100, Kunszt Árpád wrote:
>> When I'm using the interactive user-interface everything works fine,
>> but from the command line it doesn't work. I tried a lot of things,
>> googled half of the day, but I didn't find any working solution.
>>
>> Is it possible anyhow? Why Mutt acts differently when invoked from
>> command-line parameters? It's very frustrating...
>
> Maybe it's another environment from cron? That's quite usual, so maybe
> something is not set that you require to work.

I'm still testing from the command-line, I'm going to use cron after
this.

>
> Also you might want to write a special muttrc for the automated sending
> that mentions only the really required stuff. You might also want to use
> "--passin" option to openssl so that your smime-key can be decrypted
> properly.

I'm only encrypting the message (no signing) so I only use the public
certificate which isn't encrypted, of course.

I checked the .muttdebugX files and there isn't any reference to
S/MIME/encryption in the non-interactive case. It looks like it doesn't
even try to do this.

Thanks for any advice!

Arpad Kunszt
Re: S/MIME from command-line
Hi Kunszt,

On Tue, Mar 05, 2013 at 09:05:06AM +0100, Kunszt Árpád wrote:
> When I'm using the interactive user-interface everything works fine,
> but from the command line it doesn't work. I tried a lot of things,
> googled half of the day, but I didn't find any working solution.
>
> Is it possible anyhow? Why Mutt acts differently when invoked from
> command-line parameters? It's very frustrating...

Maybe it's another environment from cron? That's quite usual, so maybe
something is not set that you require to work.

Also you might want to write a special muttrc for the automated sending
that mentions only the really required stuff. You might also want to use
"--passin" option to openssl so that your smime-key can be decrypted
properly.

Regards,
Andre

--
Andre Klärner
S/MIME from command-line
Hi!

I want to use Mutt to send S/MIME encrypted (no signing is planned at the
moment, so just encrypting) e-mails from command line. The e-mails
consist of a short body and a variable number of attached files. The
content is generated by a cron job.

When I'm using the interactive user-interface everything works fine, but
from the command line it doesn't work. I tried a lot of things, googled
half of the day, but I didn't find any working solution.

Is it possible anyhow? Why Mutt acts differently when invoked from
command-line parameters? It's very frustrating...

The "encrypt the files with OpenSSL then attach" isn't a solution for me,
I have to encrypt the full message in one piece.

Thanks for any help.

Best regards,
Árpád Kunszt
Can't send S/MIME mails? (Can't open OpenSSL subprocess)
Hi,

I have a S/MIME key I'd like to use to sign some mails with. However,
when I select to sign a mail with my S/MIME key, after entering the
passphrase, mutt gives the following error:

    Can't open OpenSSL subprocess!: No such file or directory (errno = 2)

Any idea what piece is missing?

I installed the key as follows:

    [remmy@silvertown ~ (master)]$ smime_keys add_p12 rrnieuw.p12

    NOTE: This will ask you for two passphrases:
           1. The passphrase you used for exporting
           2. The passphrase you wish to secure your private key with.

    Enter Import Password:
    MAC verified OK
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:

    You may assign a label to this key, so you don't have to remember
    the key ID. This has to be _one_ word (no whitespaces).

    Enter label: nieuw
    added certificate: /home/remmy/.smime/certificates/1259690b.0.
    certificate 3b56685f.0 (nieuw) for re...@webconquest.com added.
    ==> about to verify certificate of re...@webconquest.com
    /home/remmy/.smime/certificates/3b56685f.0: OK
    added private key: /home/remmy/.smime/keys/3b56685f.0 for re...@webconquest.com

In my .muttrc I have the following:

    set smime_ca_location= "~/.smime/ca-bundle.crt"
    set smime_certificates="~/.smime/certificates"
    set smime_keys="~/.smime/keys"
    set smime_sign_as = 3b56685f.0
    set crypt_autosign = yes
    set crypt_replyencrypt = yes
    set crypt_replysign = yes
    set crypt_replysignencrypted = yes

Any pointers are much appreciated! Mutt version is 1.5.21.

Thanks,
Remco
Re: S/Mime signatures and Outlook 2010
On Thu, Nov 17, 2011 at 05:37:50PM -0500, Dave Dodge wrote:
> On Thu, Nov 17, 2011 at 11:21:49PM +0100, P. Mazart wrote:
> > Stas Verberkt schrieb am 17.11.2011 14:43:46:
> > > Nevertheless, disabling the "clear text" mode is not really an option,
> > > as this would render all my e-mails unreadable by those using older
> > > e-mailclients or e-mailclients on smartphones.
> >
> > Actually we might not have an idea, what “clear text” mode is…
>

I understand this is a bit low on information; the problem is that
Outlook does not give much more information in itself. However, I seem to
have found some pointers on their technet website:

http://technet.microsoft.com/en-us/library/aa995740%28EXCHG.65%29.aspx
http://technet.microsoft.com/en-us/library/aa995749%28EXCHG.65%29.aspx

> I believe in this case Outlook uses S/MIME multipart/signed, so the
> signature is in a separate body part and clients without S/MIME
> support can still read the text/plain part of the message.
>
> The other way Outlook can send signed messages (with "clear text"
> disabled) involves wrapping the signature *and* text into some sort of
> PKCS binary blob, which obviously causes a lot of trouble with other
> clients.
>

This is probably true. Deactivating it leads to an attachment called
"smime.p7m", in which the e-mail and signature reside. According to those
two Microsoft Technet pages, this is opaque signed. The other option is
then clear text. However, this seems not to be inline, when I examine the
message (as opposed to those sent by Mutt). It seems these messages have
a text/plain and a text/html bodypart, as well as an "smime.p7s"
attachment with the signature.

If I could clarify more, I would be glad to do so.

Kind regards
Re: S/Mime signatures and Outlook 2010
On Thu, Nov 17, 2011 at 11:21:49PM +0100, P. Mazart wrote:
> Stas Verberkt schrieb am 17.11.2011 14:43:46:
> > Nevertheless, disabling the "clear text" mode is not really an option,
> > as this would render all my e-mails unreadable by those using older
> > e-mailclients or e-mailclients on smartphones.
>
> Actually we might not have an idea, what “clear text” mode is…

I believe in this case Outlook uses S/MIME multipart/signed, so the
signature is in a separate body part and clients without S/MIME support
can still read the text/plain part of the message.

The other way Outlook can send signed messages (with "clear text"
disabled) involves wrapping the signature *and* text into some sort of
PKCS binary blob, which obviously causes a lot of trouble with other
clients.

-Dave Dodge
Re: S/Mime signatures and Outlook 2010
Hi,

Stas Verberkt schrieb am 17.11.2011 14:43:46:
> Nevertheless, disabling the "clear text" mode is not really an option,
> as this would render all my e-mails unreadable by those using older
> e-mailclients or e-mailclients on smartphones.

Actually we might not have an idea, what “clear text” mode is…

Do you mean inline PGP‽ If so there’s a hook for inline pgp at
http://wiki.mutt.org/?MuttFaq/Encryption

Bye
P.M.
S/Mime signatures and Outlook 2010
L.S.,

Besides my installation with Mutt and GPG, I also have an Outlook 2010
installation with S/Mime enabled. This system is set up such that it
signs all my e-mail in the "clear text" mode. The problem is that this
results in Mutt not being able to verify the signature and mentioning an
incorrect multipart/signed structure.

Nevertheless, disabling the "clear text" mode is not really an option, as
this would render all my e-mails unreadable by those using older
e-mailclients or e-mailclients on smartphones.

Does anyone have an idea on how to get Mutt to accept the signatures
Outlook 2010 sets?

Kind regards,
Stas Verberkt
Re: Difficulties adding startssl S/MIME certificate
On Sat, Sep 11, 2010 at 04:01:27PM +0200, Remco Rijnders wrote:
> I'm hoping to use an S/MIME certificate issued by StartSSL to sign and
> encrypt my mail. When trying to add the certificate I get the following
> error:
>
> re...@silvertown:~$ smime_keys add_p12 startssl.cert.p12
>
> NOTE: This will ask you for two passphrases:
>        1. The passphrase you used for exporting
>        2. The passphrase you wish to secure your private key with.
>
> Enter Import Password:
> MAC verified OK
> Enter PEM pass phrase:
> Verifying - Enter PEM pass phrase:
> Couldn't identify root certificate!
> No root and no intermediate certificates. Can't continue. at
> /usr/bin/smime_keys line 708.

Having investigated and experimented further, I've been able to solve
this problem. I've requested a new certificate for an alternate email
address from StartSSL and saved it to and exported it from firefox
(iceweasel). Trying to add this new certificate with smime_keys worked
out of the box!

It seems that the .p12 files I had generated from Apple's keychain
application were missing the root and/or intermediate certificates from
the bundle. This also explains why I had this problem with all
certificates I tried to load. With this new knowledge, I was also able to
create and validly add my old keys for signing and decrypting to mutt.

That said, given that I was able to manually get my keys working, I think
perhaps smime_keys is being too harsh on refusing to load files without a
root certificate chain? Both thunderbird and firefox accept these
certificates without complaint.

Sincerely,

Remco Rijnders
Difficulties adding startssl S/MIME certificate
Hi all,

I'm hoping to use an S/MIME certificate issued by StartSSL to sign and
encrypt my mail. When trying to add the certificate I get the following
error:

    re...@silvertown:~$ smime_keys add_p12 startssl.cert.p12

    NOTE: This will ask you for two passphrases:
           1. The passphrase you used for exporting
           2. The passphrase you wish to secure your private key with.

    Enter Import Password:
    MAC verified OK
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    Couldn't identify root certificate!
    No root and no intermediate certificates. Can't continue. at /usr/bin/smime_keys line 708.

Relevant .muttrc snippet:

    source /etc/Muttrc.d/smime.rc
    set smime_ca_location="~/.smime/roots.crt"

Where /etc/Muttrc.d/smime.rc is the default that ships with Debian. This
is using mutt 1.5.20. .smime/roots.crt is downloaded from
http://www.startssl.com/certs/ca-bundle.crt .

Does anyone have any pointers for me?

Thanks,

Remco
S/MIME verification problem
Greetings,

I do have a valid S/MIME cert, which I am able to use in Thunderbird to
sign and crypt/decrypt. However in mutt I fail to configure everything
properly. I can sign, crypt and decrypt, but verification fails with this
error:

    Verification failure
    25294:error:21075075:PKCS7 routines:PKCS7_verify:certificate verify error:pk7_smime.c:245:Verify error:unable to get local issuer certificate

I guess this has its roots in an error that already occurred during the
smime_keys import, which gave me this error:

    certificate d02a42ec.0 (-) for p...@state-of-mind.de added.
    ==> about to verify certificate of p...@state-of-mind.de
    /home/p/.smime/certificates/d02a42ec.0: /C=DE/O=TC TrustCenter GmbH/OU=TC TrustCenter Class 3 L1 CA/CN=TC TrustCenter Class 3 L1 CA IX
    error 20 at 1 depth lookup:unable to get local issuer certificate
    added private key: /home/p/.smime/keys/d02a42ec.0 for p...@state-of-mind.de

I have verified the certs (TC TrustCenter Class 3 L1 CA IX) are installed
in ~/.smime/certificates and in /etc/ssl/certs/ca-certificates.crt and
this is where I get lost. Is it verify depth? I couldn't find an argument
to control the verification depth for a chained cert in openssl (I only
found '--nochain'). Chances are, I have overlooked something, but fail to
see it. Any ideas?

Here's my S/MIME config, which I guess is also read by smime_keys:

    # -*-muttrc-*-
    ## The following options are only available if you have
    ## compiled in S/MIME support

    # If you compiled mutt with support for both PGP and S/MIME, PGP
    # will be the default method unless the following option is set
    #set smime_is_default

    # Uncomment this if you don't want to set labels for certificates you add.
    # unset smime_ask_cert_label

    # Passphrase expiration
    #set smime_timeout=300

    # Global crypto options -- these affect PGP operations as well.
    #set crypt_autosign = yes
    #set crypt_replyencrypt = yes
    #set crypt_replysign = yes
    #set crypt_replysignencrypted = yes
    set crypt_verify_sig = yes

    # Section A: Key Management.

    # The (default) keyfile for signing/decrypting. Uncomment the following
    # line and replace the keyid with your own.
    set smime_default_key="d02a42ec.0"

    # Uncomment to make mutt ask what key to use when trying to decrypt a message.
    # It will use the default key above (if that was set) else.
    # unset smime_decrypt_use_default_key

    # Path to a file or directory with trusted certificates
    # set smime_ca_location="/etc/ssl/certs"
    set smime_ca_location=`for f in $HOME/.smime/ca-certificates.crt $HOME/.smime/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt ; do if [ -e $f ] ; then echo $f ; exit ; fi ; done`

    # Path to where all known certificates go. (must exist!)
    set smime_certificates="~/.smime/certificates"

    # Path to where all private keys go. (must exist!)
    set smime_keys="~/.smime/keys"

    # These are used to extract a certificate from a message.
    # First generate a PKCS#7 structure from the message.
    set smime_pk7out_command="openssl smime -verify -in %f -noverify -pk7out"

    # Extract the included certificate(s) from a PKCS#7 structure.
    set smime_get_cert_command="openssl pkcs7 -print_certs -in %f"

    # Extract the signer's certificate only from a S/MIME signature (sender verification)
    set smime_get_signer_cert_command="openssl smime -verify -in %f -noverify -signer %c -out /dev/null"

    # This is used to get the email address the certificate was issued to.
    set smime_get_cert_email_command="openssl x509 -in %f -noout -email"

    # Add a certificate to the database using smime_keys.
    set smime_import_cert_command="smime_keys add_cert %f"

    # Section B: Outgoing messages

    # Algorithm to use for encryption.
    # valid choices are rc2-40, rc2-64, rc2-128, des, des3
    set smime_encrypt_with="des3"

    # Encrypt a message. Input file is a MIME entity.
    set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c"

    # Sign.
    set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin -in %f -certfile %i -outform DER"

    # Section C: Incoming messages

    # Decrypt a message. Output is a MIME entity.
    set smime_decrypt_command="openssl smime -decrypt -passin stdin -inform DER -in %f -inkey %k -recip %c"

    # Verify a signature of type multipart/signed
    set smime_verify_command="openssl smime -verify -inform DER -in %s %C -content %f"

    # Verify a signature of type application/x-pkcs7-mime
    set smime_verify_opaque_command="\
    openssl smime -verify -inform DER -in %s %C || \
    openssl smime -verify -inform DER -in %s -noverify 2>/dev/null"

Thanks,

p...@rick

--
Postfix - Einrichtung, Betrieb und Wartung <http://www.postfix-buch.com>
saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>
S/MIME recipient address/key selection
I've been wrestling with this for a while, and I'm finally at the point
where I think I need help.

I've got a working S/MIME setup with mutt, and everything's great except
when it comes to selecting the right key to use when S/MIME kicks in.

For example, I have two keys: one for patrick.mor...@hp.com and another
for anotheraddr...@somewhereelse.com. When encrypted mail comes in to
anotheraddr...@somewhereelse.com, what I'd really like (and what I could
swear I've had before) is for mutt to use the key that matches that
email, but it doesn't even seem to look at the "To:" address. Instead, I
get something more like the following:

    Enter keyID for pmor...@myhostname.mydomain.com:

The above is an example... what I get is the FQDN of my local machine,
which does not appear anywhere in the email message itself.

Below are my S/MIME config settings, which I'm using on Mutt 1.5.20
(2009-06-14, Gentoo 1.5.20-r4):

    set smime_is_default
    set smime_timeout=7200
    set smime_ask_cert_label
    set smime_default_key="cf8014d7.0" # my KeyID
    unset smime_decrypt_use_default_key
    set smime_ca_location="/etc/ssl/certs"
    set smime_certificates="~/.smime/certificates"
    set smime_keys="~/.smime/keys"
    set smime_encrypt_with="des3"
    set smime_pk7out_command="openssl smime -verify -in %f -noverify -pk7out"
    set smime_get_cert_command="openssl pkcs7 -print_certs -in %f"
    set smime_get_signer_cert_command="openssl smime -verify -in %f -noverify -signer %c -out /dev/null"
    set smime_get_cert_email_command="openssl x509 -in %f -noout -email"
    set smime_import_cert_command="smime_keys add_cert %f"
    set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c"
    set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin -in %f -certfile %i -outform DER"
    set smime_decrypt_command="openssl smime -decrypt -passin stdin -inform DER -in %f -inkey %k -recip %c"
    set smime_verify_command="openssl smime -verify -inform DER -in %s %C -content %f"
    set smime_verify_opaque_command="openssl smime -verify -inform DER -in %s %C || openssl smime -verify -inform DER -in %s -noverify 2>/dev/null"
Re: can sign from PGP menu but not from S/MIME menu
Hi,

* rj wrote:
> When I try to "(s)ign" an outgoing message from the S/MIME menu ("S"
> from within the Compose Menu), I'm getting this warning: "Can't sign:
> No key specified. Use Sign As."
>
> And when I try to "sign (a)s" from the S/MIME menu, I get this warning:
> "/.index: No such file or directory (errno = 2)".
>
> By contrast, when I sign or sign-as from the PGP menu ("p" from the
> Compose Menu), things work as they should.
>
> I have a .gpg.rc file, and in my .muttrc I have:
>
>     source ~/.gpg.rc
>
> In both my .muttrc and my .gpg.rc I have:
>
>     set pgp_sign_as=fc5c7370
>
> In my .gnupg/options file I have:
>
>     default-key FC5C7370

Your mutt -v output says you don't use gpgme for crypto, i.e. you use
the gpg/pgp interface for PGP-compatible crypto and OpenSSL for S/MIME
crypto. You only configured the PGP part with these settings, not the
OpenSSL part. You need to tell mutt where your certificates are and what
your S/MIME key is and probably how to call OpenSSL (analogous to
gpg.rc). Please check the S/MIME docs, $smime_certificates and
$smime_default_key.

> Also, the fact that we "source .gpg.rc" in the .muttrc makes me wonder
> if it might also be necessary to somehow source the ".gnupg/options"
> file from the .muttrc as well. Or is the ".gnupg/options" file read by
> mutt automatically because it is in the .gnupg directory?
>
> Thanks for any tips.

.gnupg/options contains the configuration for gnupg but not for mutt
(please try sourcing that file next time before asking because it would
have given you tons of syntax errors and answered that question easily).
The file gpg.rc for mutt in contrib just gives you a bridge between
gnupg's command line interface and mutt's expectations from a crypto
tool.

Rocco
Re: can sign from PGP menu but not from S/MIME menu
rj:
> When I try to "(s)ign" an outgoing message from the S/MIME menu ("S" from
> within the Compose Menu), I'm getting this warning: "Can't sign: No key
> specified. Use Sign As."

I'm seeing the same behavior here with mutt 1.5.18 on FreeBSD.

JL
--
JL <[EMAIL PROTECTED]>
This message optimized for teletypes.
can sign from PGP menu but not from S/MIME menu
When I try to "(s)ign" an outgoing message from the S/MIME menu ("S" from within the Compose Menu), I'm getting this warning: "Can't sign: No key specified. Use Sign As."

And when I try to "sign (a)s" from the S/MIME menu, I get this warning: "/.index: No such file or directory (errno = 2)".

By contrast, when I sign or sign-as from the PGP menu ("p" from the Compose Menu), things work as they should.

I have a .gpg.rc file, and in my .muttrc I have:

source ~/.gpg.rc

In both my .muttrc and my .gpg.rc I have:

set pgp_sign_as=fc5c7370

In my .gnupg/options file I have:

default-key FC5C7370

So why the warning from the S/MIME menu?

Also, the fact that we "source .gpg.rc" in the .muttrc makes me wonder if it might also be necessary to somehow source the ".gnupg/options" file from the .muttrc as well. Or is the ".gnupg/options" file read by mutt automatically because it is in the .gnupg directory?

Thanks for any tips.

Mutt 1.5.18 (2008-05-17)
Copyright (C) 1996-2008 Michael R. Elkins and others.
Mutt comes with ABSOLUTELY NO WARRANTY; for details type `mutt -vv'.
Mutt is free software, and you are welcome to redistribute it
under certain conditions; type `mutt -vv' for details.

System: NetBSD 5.0_BETA (i386)
slang: 20103
libiconv: 1.9
hcache backend: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Compile options:
DOMAIN="panix.com"
-DEBUG
-HOMESPOOL -USE_SETGID +USE_DOTLOCK -DL_STANDALONE -USE_FCNTL -USE_FLOCK
+USE_POP +USE_IMAP -USE_SMTP -USE_GSS +USE_SSL_OPENSSL -USE_SSL_GNUTLS -USE_SASL
+HAVE_GETADDRINFO +HAVE_REGCOMP -USE_GNU_REGEX
+HAVE_COLOR -HAVE_START_COLOR -HAVE_TYPEAHEAD -HAVE_BKGDSET -HAVE_CURS_SET -HAVE_META -HAVE_RESIZETERM
+CRYPT_BACKEND_CLASSIC_PGP +CRYPT_BACKEND_CLASSIC_SMIME -CRYPT_BACKEND_GPGME
-EXACT_ADDRESS -SUN_ATTACHMENT
+ENABLE_NLS -LOCALES_HACK +HAVE_WC_FUNCS +HAVE_LANGINFO_CODESET +HAVE_LANGINFO_YESEXPR
+HAVE_ICONV -ICONV_NONTRANS -HAVE_LIBIDN +HAVE_GETSID +USE_HCACHE
ISPELL="/usr/local/bin/ispell"
SENDMAIL="/usr/sbin/sendmail"
MAILPATH="/var/mail"
PKGDATADIR="/pkg/mutt-1.5.18/share/mutt"
SYSCONFDIR="/pkg/mutt-1.5.18/etc/conf/mutt/mutt-1.5.18"
EXECSHELL="/bin/sh"
-MIXMASTER
To contact the developers, please mail to <[EMAIL PROTECTED]>.
To report a bug, please visit http://bugs.mutt.org/.
S/Mime in non interactive mode
Hi,

I want to send a mail with S/MIME encryption without user activity. S/Mime config works well in interactive mode, but I can't send an encrypted mail via command line. The mail was always sent in clear text.

Is it possible? Perhaps with macros, builtin commands that specified at commandline -e, or via unix command expect?

Anybody an idea or *experience with this issue*?
Re: S/MIME "encrypt-to" functionality as in GnuPG
Quoting Omen Wild <[EMAIL PROTECTED]> on Wed, Sep 25 10:37: > > I'll look into this. If that's the cause, then the problem is between > my keyboard and chair, not yours. ;-) For anyone following this, the problem was indeed on my end. I have an updated patch, available from http://descolada.dartmouth.edu/mutt/patch-1.5.1-ow.smime-encrypt-self.2 for anyone interested. Omen -- Too much of a good thing is WONDERFUL. smime.p7s Description: application/pkcs7-signature
Re: S/MIME "encrypt-to" functionality as in GnuPG
Quoting René Clerc <[EMAIL PROTECTED]> on Wed, Sep 25 15:01:
>
> Typically PEBCAK. The segfault was a result of not setting this
> variable. Strange side-effect, of course, but it works now!

I'll look into this. If that's the cause, then the problem is between my keyboard and chair, not yours. ;-)

Omen
--
Hlade's Law: If you have a difficult task, give it to a lazy person -- they will find an easier way to do it.

smime.p7s Description: application/pkcs7-signature
Re: S/MIME "encrypt-to" functionality as in GnuPG
* René Clerc <[EMAIL PROTECTED]> [25-09-2002 14:47]:
> * René Clerc <[EMAIL PROTECTED]> [25-09-2002 14:25]:
> > * René Clerc <[EMAIL PROTECTED]> [25-09-2002 10:30]:
> > > This patch makes mutt segfault right after sending the e-mail. Despite
> > > of this, it works: both recipient and I are able to decrypt and read
> > > the message.
> > >
> > > A clue, anyone?
> >
> > Let me be more specific: like I've already mailed Omen, I applied the
> > patch to the 1.5.1 tarball. I will try the cvs version too, and post
> > my results here.
>
> Results are the same. Note that the patch had 1.5.1 in its name, so
> it should have worked, I guess...
>
> Does anybody have any options? It was a small patch, so it must tickle
> someone...???

Typically PEBCAK. The segfault was a result of not setting this variable. Strange side-effect, of course, but it works now!

Thanks very much!

--
René Clerc - ([EMAIL PROTECTED])
Birthdays are good for you. Statistics show that the people who have the most live the longest. -Rev. Larry Lorenzoni

msg31192/pgp0.pgp Description: PGP signature
Re: S/MIME "encrypt-to" functionality as in GnuPG
* René Clerc <[EMAIL PROTECTED]> [25-09-2002 14:25]:
> * René Clerc <[EMAIL PROTECTED]> [25-09-2002 10:30]:
> > This patch makes mutt segfault right after sending the e-mail. Despite
> > of this, it works: both recipient and I are able to decrypt and read
> > the message.
> >
> > A clue, anyone?
>
> Let me be more specific: like I've already mailed Omen, I applied the
> patch to the 1.5.1 tarball. I will try the cvs version too, and post
> my results here.

Results are the same. Note that the patch had 1.5.1 in its name, so it should have worked, I guess...

Does anybody have any options? It was a small patch, so it must tickle someone...???

--
René Clerc - ([EMAIL PROTECTED])
Birthdays are good for you. Statistics show that the people who have the most live the longest. -Rev. Larry Lorenzoni

msg31190/pgp0.pgp Description: PGP signature
Re: S/MIME "encrypt-to" functionality as in GnuPG
* René Clerc <[EMAIL PROTECTED]> [25-09-2002 10:30]: > This patch makes mutt segfault right after sending the e-mail. Despite > of this, it works: both recipient and I are able to decrypt and read > the message. > > A clue, anyone? Let me be more specific: like I've already mailed Omen, I applied the patch to the 1.5.1 tarball. I will try the cvs version too, and post my results here. -- René Clerc - ([EMAIL PROTECTED]) We are not retreating - we are advancing in another direction. -General Douglas MacArthur msg31187/pgp0.pgp Description: PGP signature
Re: S/MIME "encrypt-to" functionality as in GnuPG
* Omen Wild <[EMAIL PROTECTED]> [24-09-2002 21:24]:
> Quoting René Clerc <[EMAIL PROTECTED]> on Tue, Sep 24 19:08:
> >
> > I'm looking for the S/MIME equivalent of the GnuPG option:
> >
> > encrypt-to
>
> As far as I could tell, it doesn't exist. This patch adds that
> functionality. Set $smime_encrypt_self to true and S/MIME encrypted
> messages you send will also be encrypted to $smime_default_key.

This patch makes mutt segfault right after sending the e-mail. Despite of this, it works: both recipient and I are able to decrypt and read the message.

A clue, anyone?

--
René Clerc - ([EMAIL PROTECTED])
A Smith and Wesson beats four aces. -Canada Bill Jones

msg31183/pgp0.pgp Description: PGP signature
Re: S/MIME "encrypt-to" functionality as in GnuPG
Quoting Ren? Clerc <[EMAIL PROTECTED]> on Tue, Sep 24 19:08: > > I'm looking for the S/MIME equivalent of the GnuPG option: > > encrypt-to As far as I could tell, it doesn't exist. This patch add that functionality. Set $smime_encrypt_self to true and S/MIME encrypted messages you send will also be encrypted to $smime_default_key. Omen -- Disclaimer: "These opinions are my own, though for a small fee they be yours too." ? .command.sh ? .config ? ^ ? patch-1.5.1-ow.smime-encrypt-self.1 ? patchlist.c ? pgpewrap ? smime_keys Index: crypt.c === RCS file: /home/roessler/cvs/mutt/crypt.c,v retrieving revision 3.8 diff -u -d -b -B -r3.8 crypt.c --- crypt.c 26 Mar 2002 22:23:57 - 3.8 +++ crypt.c 28 Aug 2002 21:57:19 - @@ -243,6 +243,13 @@ #ifdef HAVE_SMIME if (msg->security & APPLICATION_SMIME) { + if (OPTSMIMEENCRYPTSELF && SmimeDefaultKey) { + int keylist_size; + + keylist_size = mutt_strlen(keylist) + mutt_strlen (SmimeDefaultKey) ++ 1; + safe_realloc ((void **)&keylist, keylist_size); + sprintf (keylist + mutt_strlen(keylist), "%s\n", SmimeDefaultKey); + /* __SPRINTF_CHECKED__ */ + } if (!(tmp_pbody = smime_build_smime_entity (tmp_smime_pbody, keylist))) { /* signed ? free it! */ Index: init.h === RCS file: /home/roessler/cvs/mutt/init.h,v retrieving revision 3.20 diff -u -d -b -B -r3.20 init.h --- init.h 9 Aug 2002 06:58:35 - 3.20 +++ init.h 28 Aug 2002 21:57:20 - @@ -1508,6 +1508,11 @@ #endif /* HAVE_PGP */ #ifdef HAVE_SMIME + { "smime_encrypt_self", DT_BOOL, R_NONE, OPTSMIMEENCRYPTSELF, +1 }, + /* + ** .pp + ** Encrypt the message to smime_default_key too. + */ { "smime_timeout", DT_NUM, R_NONE, UL &SmimeTimeout, 300 }, /* ** .pp Index: mutt.h === RCS file: /home/roessler/cvs/mutt/mutt.h,v retrieving revision 3.10 diff -u -d -b -B -r3.10 mutt.h --- mutt.h 24 Jul 2002 09:46:50 - 3.10 +++ mutt.h 28 Aug 2002 21:57:20 - 
@@ -437,6 +437,7 @@ OPTCRYPTREPLYSIGNENCRYPTED, OPTCRYPTTIMESTAMP, #ifdef HAVE_SMIME + OPTSMIMEENCRYPTSELF, OPTSMIMEISDEFAULT, OPTASKCERTLABEL, OPTSDEFAULTDECRYPTKEY, Index: PATCHES === --- PATCHES~Tue Nov 6 19:59:33 2001 +++ PATCHES Tue Nov 6 19:59:42 2001 @@ -1,0 +1 @@ +patch-1.5.1-ow.smime-encrypt-self.1 smime.p7s Description: application/pkcs7-signature
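Review bot: the keylist growth in the crypt.c hunk is one byte short. keylist_size is mutt_strlen(keylist) + mutt_strlen (SmimeDefaultKey) + 1, but the sprintf that follows writes "%s\n", that is the key, a newline and the terminating NUL, which needs strlen(keylist) + strlen(SmimeDefaultKey) + 2 bytes; the final NUL lands one byte past the safe_realloc'd block, a heap overflow that is worth fixing regardless of whether it explains the crash-after-send reported later in this thread. Allocate with + 2 (or use snprintf bounded by keylist_size), and only keep the /* __SPRINTF_CHECKED__ */ marker once the arithmetic is right.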
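Review bot: in the init.h hunk the new entry { "smime_encrypt_self", DT_BOOL, R_NONE, OPTSMIMEENCRYPTSELF, 1 } uses the same position for its initial value as the smime_timeout entry beneath it, so as written the option is on by default, which does not match the message's "Set $smime_encrypt_self to true" and changes behaviour for every existing S/MIME user. Either make the default 0, or state in the .pp documentation text that the option is enabled by default and that outgoing messages are then always encrypted to $smime_default_key as well.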
S/MIME "encrypt-to" functionality as in GnuPG
Hi all, I'm looking for the S/MIME equivalent of the GnuPG option: encrypt-to Because now I'm unable to read the encrypted e-mails I have sent to some recipients... I was not able to find it in TFM... Thanks, -- René Clerc - ([EMAIL PROTECTED]) If you want to be worshipped, go to India and moo. -The Quiz Show msg31164/pgp0.pgp Description: PGP signature
Re: S/MIME interoperability
You are right. If you look at smime.c you will see that Mutt desperately needs either smime-type or (to satisfy Netscape 4.x mailers) a Content-Description. As s/mime is in development, we all have to wait or find some workarounds for it. See my mail from 18-09-02 for my current solution. I'm sure we have to discuss this further in private or join the mutt-dev list.

BTW: the right way of figuring out if we have an "enveloped-data" or "signed-data" would be to look into the data itself (I was told). You can do this by:

openssl smime -pk7out -in mail.msg | openssl asn1parse -dump

Timo T. Rajala [2002-09-20 14:18]:
> * Timo T. Rajala <[EMAIL PROTECTED]> writes:
> > One difference is that the "smime-type=enveloped-data;" row is missing
> > from the MS mail. I inserted this row in the MS mail and opened the
> > mail in mutt: now both signature check and decrypt works.
> >
> > My question is: Is the MS MUA not following the S/MIME standard by
> > omitting this row or is mutt wrong by not being able to handle it
> > without this row?
>
> So this MS MUA SHOULD include "smime-type", but is not and mutt should
> be able to determine the MIME type from the file extension but is not.

--
Alex Pleiner                      zeitform Internet Dienste
Fraunhoferstrasse 5               64283 Darmstadt, Germany
http://www.zeitform.de            Tel.: +49 (0)6151 155-635
mailto:[EMAIL PROTECTED]          Fax: +49 (0)6151 155-634
GnuPG/PGP Key-ID: 0x613C21EA
Re: S/MIME interoperability
* Timo T. Rajala <[EMAIL PROTECTED]> writes:
> One difference is that the "smime-type=enveloped-data;" row is missing
> from the MS mail. I inserted this row in the MS mail and opened the
> mail in mutt: now both signature check and decrypt works.
>
> My question is: Is the MS MUA not following the S/MIME standard by
> omitting this row or is mutt wrong by not being able to handle it
> without this row?

I'm quoting from RFC2633:

3.2: ... Because there are several types of application/pkcs7-mime objects, a sending agent SHOULD do as much as possible to help a receiving agent know about the contents of the object without forcing the receiving agent to decode the ASN.1 for the object. The MIME headers of all application/pkcs7-mime objects SHOULD include the optional "smime-type" parameter, as described in the following sections.

3.2.1: For the application/pkcs7-mime, sending agents SHOULD emit the optional "name" parameter to the Content-Type field for compatibility with older systems. Sending agents SHOULD also emit the optional Content-Disposition field [CONTDISP] with the "filename" parameter. If a sending agent emits the above parameters, the value of the parameters SHOULD be a file name with the appropriate extension:

MIME Type                                                          File Extension
Application/pkcs7-mime (signedData, envelopedData)                 .p7m
Application/pkcs7-mime (degenerate signedData "certs-only" message) .p7c
Application/pkcs7-signature                                        .p7s

So this MS MUA SHOULD include "smime-type", but is not and mutt should be able to determine the MIME type from the file extension but is not.

--
Timo T. Rajala
S/MIME interoperability
I am currently using mutt 1.5.1 and the S/MIME functions have proved to work without problems. But today I received an encrypted and signed S/MIME message which could neither be verified nor decrypted by mutt (openssl). Here are the significant headers from two different mails, the first mail is created by Lotus Notes R5 and the second is created by some Microsoft MUA (don't know which, no MUA header). Both are signed and encrypted. The Notes mail works, the MS mail doesn't:

Lotus Notes:

Content-Transfer-Encoding: base64
Content-Type: application/x-pkcs7-mime; smime-type=enveloped-data; name=smime.p7m
Content-Disposition: attachment; filename="smime.p7m"
Content-Description: S/MIME Enveloped Data

Microsoft unknown MUA:

Content-Type: application/x-pkcs7-mime; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

One difference is that the "smime-type=enveloped-data;" row is missing from the MS mail. I inserted this row in the MS mail and opened the mail in mutt: now both signature check and decrypt works.

My question is: Is the MS MUA not following the S/MIME standard by omitting this row or is mutt wrong by not being able to handle it without this row?

Any comments?

--
Timo T. Rajala
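An added example (my code, not mutt's and not anything posted in this thread) that does what the thread argues for: classify an application/pkcs7-mime part from the smime-type parameter when the sender set it, and otherwise from the contentType OID of the outer ContentInfo, which is the information Alex's `openssl smime -pk7out | openssl asn1parse` pipeline exposes. The two header sets are the ones Timo quoted; the DER payloads are constructed stand-ins that carry only the OID, and the .p7m extension is no help because signedData and envelopedData share it.

```python
import base64
import re

# Outer ContentInfo contentType OIDs (PKCS#7 / CMS, RFC 2315 and RFC 2630).
CMS_CONTENT_TYPES = {
    "1.2.840.113549.1.7.1": "data",
    "1.2.840.113549.1.7.2": "signed-data",
    "1.2.840.113549.1.7.3": "enveloped-data",
    "1.2.840.113549.1.7.5": "digested-data",
    "1.2.840.113549.1.7.6": "encrypted-data",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def cms_content_type(der):
    """Name the content type of the outermost ContentInfo, e.g. 'enveloped-data'.

    This is the look-into-the-data check the thread recommends when the
    smime-type parameter is missing (mutt 1.5.1 gives up instead).
    """
    tag, content_info, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ContentInfo must be a SEQUENCE")
    tag, oid_bytes, _ = _read_tlv(content_info, 0)
    if tag != 0x06:
        raise ValueError("contentType must be an OBJECT IDENTIFIER")
    oid = _decode_oid(oid_bytes)
    return CMS_CONTENT_TYPES.get(oid, oid)


def classify_smime_part(headers, body):
    """Return (content type, where it came from): the smime-type parameter if
    the sender set it, otherwise the type read from the decoded payload."""
    ctype = headers.get("Content-Type", "")
    if not re.match(r"application/(x-)?pkcs7-mime\b", ctype, re.I):
        raise ValueError("not an application/pkcs7-mime part")
    m = re.search(r'smime-type\s*=\s*"?([\w-]+)', ctype, re.I)
    if m:
        return m.group(1).lower(), "smime-type parameter"
    raw = body
    if headers.get("Content-Transfer-Encoding", "").strip().lower() == "base64":
        raw = base64.b64decode(body)
    return cms_content_type(raw), "ASN.1 contentType OID"


# --- constructed sample input (not a real S/MIME message) -------------------

def _content_info(oid_bytes, payload):
    """Build a minimal ContentInfo: SEQUENCE { OID, [0] EXPLICIT OCTET STRING }.
    A real message carries SignedData/EnvelopedData in the [0] slot."""
    inner = bytes([0x04, len(payload)]) + payload
    explicit = bytes([0xA0, len(inner)]) + inner
    body = bytes([0x06, len(oid_bytes)]) + oid_bytes + explicit
    return bytes([0x30, len(body)]) + body


SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")     # 1.2.840.113549.1.7.2
ENVELOPED_DATA_OID = bytes.fromhex("2a864886f70d010703")  # 1.2.840.113549.1.7.3

# The Lotus Notes headers from the thread: smime-type is present.
NOTES_HEADERS = {
    "Content-Transfer-Encoding": "base64",
    "Content-Type": "application/x-pkcs7-mime; smime-type=enveloped-data; name=smime.p7m",
    "Content-Disposition": 'attachment; filename="smime.p7m"',
    "Content-Description": "S/MIME Enveloped Data",
}
# The Microsoft MUA headers from the thread: no smime-type, so the payload decides.
MS_HEADERS = {
    "Content-Type": 'application/x-pkcs7-mime; name="smime.p7m"',
    "Content-Transfer-Encoding": "base64",
    "Content-Disposition": 'attachment; filename="smime.p7m"',
}
MS_BODY = base64.b64encode(_content_info(ENVELOPED_DATA_OID, b"stand-in")).decode()


if __name__ == "__main__":
    print(classify_smime_part(NOTES_HEADERS, ""))       # decided by the parameter
    print(classify_smime_part(MS_HEADERS, MS_BODY))     # decided by the DER payload
```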
[patch 1.5.1] have S/MIME check the from for a keyid
I have been looking into the mailing list software sympa and one of its features is that when you send an S/MIME mail encrypted to the list, it will re-encrypt for each recipient. The problem is that the mail shows as being from me and to the list, so S/MIME was unable to find a key to use to decrypt it. I have patched smime.c:smime_getkeys so it checks if there is a key that matches the From: and tries to use that. I can now read encrypted emails that are sent to me by sympa. Omen -- Acid absorbs 47 times it's weight in excess Reality. --- PATCHES~Tue Nov 6 19:59:33 2001 +++ PATCHES Tue Nov 6 19:59:42 2001 @@ -1,0 +1 @@ +patch-1.5.1.ow.smime_from.1 Index: smime.c === RCS file: /home/roessler/cvs/mutt/smime.c,v retrieving revision 3.23 diff -u -d -b -B -U8 -r3.23 smime.c --- smime.c 1 May 2002 23:21:10 - 3.23 +++ smime.c 24 Jun 2002 21:21:08 - @@ -781,16 +781,22 @@ for (t = env->to; !found && t; t = t->next) if (mutt_addr_is_user (t)) { found = 1; _smime_getkeys (t->mailbox); } for (t = env->cc; !found && t; t = t->next) +if (mutt_addr_is_user (t)) +{ + found = 1; + _smime_getkeys (t->mailbox); +} + for (t = env->from; !found && t; t = t->next) if (mutt_addr_is_user (t)) { found = 1; _smime_getkeys (t->mailbox); } if (!found && (t = mutt_default_from())) { _smime_getkeys (t->mailbox);
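Review bot: the new From: loop in the smime.c hunk needs a comment explaining why a sender-supplied header is consulted for decryption-key selection at all, since nothing in the code says so; the rationale from the message (a list manager such as sympa re-encrypts to each member while keeping the original From:) belongs next to the loop. The mutt_addr_is_user() guard is kept, so only a message claiming to come from one of the user's own addresses picks a key this way and a wrong pick merely makes decryption fail, but a reader should not have to reconstruct that from the mailing list archive. Also note that the From: loop only runs when neither To: nor Cc: matched, because found stays set after the earlier loops; if that ordering is intended, say so in the same comment.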
Re: S/MIME
Hi, * Mike Schiraldi <[EMAIL PROTECTED]> [02-04-15 15:55]: >> That doesn't sound as if you were a friend of these. Since I saw a few >> using S/MIME in this list, what might have been their reason? Is >> S/MIME better established with non-free software? >We had a discussion in February about this. Check out Jeremy's excellent >posts: > >http://marc.theaimsgroup.com/?l=mutt-users&m=101258931506891&w=2 >http://marc.theaimsgroup.com/?l=mutt-users&m=101260020607114&w=2 > >and, in the interest of equal time, Will's counterpoint: > >http://marc.theaimsgroup.com/?l=mutt-users&m=101260114609607&w=2 Thanks, that was interesting! Thorsten -- The history of Liberty is a history of the limitation of government power. - Woodrow Wilson msg27199/pgp0.pgp Description: PGP signature
Re: S/MIME
Hi,

* Mike Schiraldi [04/15/02 15:55:22 CEST] wrote:
[ interesting points ]

Good points, thanks for mentioning. But in my opinion current problems/difficulties with PGP only affect people currently using it. So the concept of a web of trust and the resulting problems only motivate people currently using it to switch to S/MIME.

Another point why PGP and encryption/signing is not very widely used is that there are lots of people using the internet who are not technically interested in it. If they knew more details they maybe were interested in PGP or S/MIME. S/MIME won't become the no. 1 standard unless people see a need to use digital signatures. There're good reasons, I know, but someone has to tell them besides all the colorful tv commercials promising ultimate security out-of-the-box.

There are lots of servers still running telnet daemons and allowing users to log into a ftp machine by sending the password as plaintext. And not only that, some users/administrators don't see any reason why to switch to ssh. And on the other hand there're people complaining about PGP's web of trust and try to motivate others to use S/MIME instead. IMO there's a long way to go.

Furthermore I personally prefer the pgp concept of trust than just to generally trust an authority. I don't know in detail how they work and thus don't want to trust them blindly that they're doing their job the way I would. I want to have the power to decide which key I trust and which not on my own.

Cheers, Rocco.

msg27192/pgp0.pgp Description: PGP signature
Re: S/MIME
> That doesn't sound as if you were a friend of these. Since I saw a few
> using S/MIME in this list, what might have been their reason? Is
> S/MIME better established with non-free software?

We had a discussion in February about this. Check out Jeremy's excellent posts:

http://marc.theaimsgroup.com/?l=mutt-users&m=101258931506891&w=2
http://marc.theaimsgroup.com/?l=mutt-users&m=101260020607114&w=2

and, in the interest of equal time, Will's counterpoint:

http://marc.theaimsgroup.com/?l=mutt-users&m=101260114609607&w=2

Some excerpts from Jeremy's messages:

S/MIME does not use keyservers like OpenPGP does. It also does not have a web of trust concept, instead relying on central CAs. They consider this an advantage, since it means you can always verify a message regardless of your current network connection status, etc... all that you need to verify the message is contained in the message itself and your local list of trusted CA certs.

[...]

The difficulty of PGP is what's kept it from being publicly accepted as a normal thing to do

[...]

People need to accept encryption the way they accept envelopes on snail mail. They never would have globally accepted these if you couldn't use one unless you knew how to make your own adhesive, ink, and stamps. I saw Phil Zimmerman speak a few months ago at ALS in Oakland, and he understands this more than anyone. He expressed a good bit of dismay at how clique-ish PGP usage is, and how much it has missed the mark of being a way to give encryption to the masses and make it normal. He endured all manner of government harassment to defend people's right to use this stuff, and yet years later, hardly anyone is taking advantage of it. It was really interesting hearing him speak. It's too bad he had to stop due to people in the audience arguing that there was no value at all in people using PGP unless they all used it completely securely (the main antagonist noted that he keeps his private keys on a CD and never has that near his computer unless it's completely disconnected from the network), which prompted a bunch more people to complain that there was too much talking and not enough key signing going on.

So my summary point is that the mailers designed "for the masses" are choosing S/MIME instead of PGP because PGP's trust model is too complicated for, say, my mother to understand. Look in the PGP manual under, for example, "--edit-key". All kinds of complicated trust issues, with phrases like, "the signature is marked as non-exportable", "this updates the trust-db", "add a subkey to this key", "marginally trusted" "fully trusted", "ultimately trusted" ... I have no idea what most of that means, and no amount of UI design is going to help that. Will Outlook pop up a message which asks Joe AOL User, "Do you marginally trust this, or ultimately trust it?" Joe doesn't understand the security issues. With S/MIME, the only question is, "Do you trust [company] to certify that people are who they say they are?" Assuming Joe does, everything else is completely automatic.

--
Mike Schiraldi
VeriSign Applied Research

msg27189/pgp0.pgp Description: PGP signature
Re: S/MIME
begin Thorsten Haude quotation: > > using S/MIME in this list, what might have been their reason? Is > S/MIME better established with non-free software? Exactly. -- Shawn McMahon| McMahon's Laws of Linux support: http://www.eiv.com | 1) There's more than one way to do it AIM: spmcmahonfedex, smcmahoneiv | 2) Somebody thinks your way is wrong msg27176/pgp0.pgp Description: PGP signature
Re: S/MIME
Hi,

* Will Yardley <[EMAIL PROTECTED]> [02-04-14 23:44]:
>s/mime sigs usually include the key itself along with the signature
>(which is why s/mime signed mails are so ridiculously large).

That doesn't sound as if you were a friend of these. Since I saw a few using S/MIME in this list, what might have been their reason? Is S/MIME better established with non-free software?

>there is a sort of PKI system for it, which you can read about on the
>thawte site, but in any event, the whole thing is more analogous to an
>SSL website certificate than to PGP / GnuPG.

Yes, this Thawte site seems to have some useful information (and some really funny German), so that may be all I need. Thanks!

Thorsten
--
You're not supposed to be so blind with patriotism that you can't face reality. Wrong is wrong, no matter who does it or who says it. - Malcolm X
Re: S/MIME
Thorsten Haude wrote:
> Yes, that gives a nice introduction and good pointers to technical
> documents (which I may need if I ever get around to get my filter
> really aware of the different formats).
> I would still like to read something about the key infrastructure.
> Example: If I get a mail signed with PGP/GPG, I know that I need a
> key, where to get that key, how to authenticate the key, etc. Most
> important, I know how to make and distribute my own key.
>
> I don't know these things for S/MIME.

S/MIME doesn't work the same way as PGP. you can get a free cert from thawte. s/mime sigs usually include the key itself along with the signature (which is why s/mime signed mails are so ridiculously large). you can import the certificate using ^K i believe.

there is a sort of PKI system for it, which you can read about on the thawte site, but in any event, the whole thing is more analogous to an SSL website certificate than to PGP / GnuPG.

as with SSL certs for web / email servers, you can probably generate your own using openssl, but it won't be signed by a trusted CA.

--
Will Yardley
input: william < @ hq . newdream . net . >
Re: S/MIME
Hi, * Rocco Rutte <[EMAIL PROTECTED]> [02-04-14 22:56]: >* Thorsten Haude [04/13/02 10:41:21 CEST] wrote: >> I want to get a better picture about S/MIME, but can't find an >> introduction in the net. Could one of you point me to a S/MIME >> introduction or tutorial that is written for the user? >The "Linux Security HowTo" just points to one of Netscapes >pages: > ><http://home.netscape.com/assist/security/smime/overview.html> 404 >...but maybe better have a look at: > ><http://www.imc.org/smime-pgpmime.html> Yes, that gives a nice introduction and good pointers to technical documents (which I may need if I ever get around to get my filter really aware of the different formats). I would still like to read something about the key infrastructure. Example: If I get a mail signed with PGP/GPG, I know that I need a key, where to get that key, how to authenticate the key, etc. Most important, I know how to make and distribute my own key. I don't know these things for S/MIME. Thorsten -- You're not supposed to be so blind with patriotism that you can't face reality. Wrong is wrong, no matter who does it or who says it. - Malcolm X msg27160/pgp0.pgp Description: PGP signature
Re: S/MIME
Hi, * Thorsten Haude [04/13/02 10:41:21 CEST] wrote: > I want to get a better picture about S/MIME, but can't find an > introduction in the net. Could one of you point me to a S/MIME > introduction or tutorial that is written for the user? The "Linux Security HowTo" just points to one of Netscapes pages: <http://home.netscape.com/assist/security/smime/overview.html> ...but maybe better have a look at: <http://www.imc.org/smime-pgpmime.html> Cheers, Rocco. msg27157/pgp0.pgp Description: PGP signature
S/MIME
Hi, I want to get a better picture about S/MIME, but can't find an introduction in the net. Could one of you point me to a S/MIME introduction or tutorial that is written for the user? Thorsten -- They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. - Benjamin Franklin
Re: S/MIME display bug
On Tue, Feb 26, 2002 at 11:52:49AM +, Luke Ross wrote:
> How about a red line in the status bar? Would be most elegant surely?

that's what mutt_error does.

> I'm still on old S/MIME mutt, and I saw:
[ ... something ... ]
> What was the reason behind changing it? No screen corruption here.

because now certificates issued for multiple addresses are supported as well, so the check has changed. if the printf-solution will be the preferred one, it should not be too hard to dump all of them, though. still, it would be a good idea to review the cert in that case anyways ...

oliver
Re: S/MIME display bug
On Tue, Feb 26, 2002 at 11:24:56AM -0500, David Collantes wrote:
> What about only the sleep? The continue garbles my screen here, for some
> reason. I just patched with your diff, which got some rejection, btw. I
> would make it sleep for, lets say, 3 seconds and then to the mutt_error().

i think the reject comes from that stupid long line (wherever it came from; cut-n-paste) where it reads 'unable to create OpenSSL subprocess!' you have to cut everything beyond the ';' sorry. :-}

once there are no rejects, its actually supposed to work... i dislike that sleep very much and i guess i'd rather drop one of the messages. hmm...

oliver
Re: S/MIME display bug
On Tue, Feb 26, 2002 at 12:20:33PM +0100, Oliver Ehli wrote: > alternatively, we could just printf() the first (ie _not_ use > mutt_error), wait for any_key, and then mutt_error() the second/final > warning. What about only the sleep? The continue garbles my screen here, for some reason. I just patched with your diff, which got some rejection, btw. I would make it sleep for, lets say, 3 seconds and then to the mutt_error(). Cheers, -- David Collantes - http://www.bus.ucf.edu/david/ College of Business Administration, University of Central Florida "Great spirits have often encountered violent opposition from weak minds." smime.p7s Description: application/pkcs7-signature
Re: S/MIME display bug
On Tue, Feb 26, 2002 at 12:20:33PM +0100, Oliver Ehli wrote: > > A warning should absolutely be displayed, but should > > mutt_any_key_to_continue() be called? A previous bugfix in another part of > > smime.c mentioned that this is bad, and it added a sleep(5) call whose > > purpose i didn't understand -- surely there must be a more elegant way? > > the following fixes the error. it again introduces some sleep (who > included the first one ?) that is needed here to display both error > messages. we could drop one of them, and thus get rid of it. the > (obviously not so) elegant solution was calling any_key [... SNIP ..] Was the diff checked out on CVS? I just got the latest CVS and it seems not to be there? Cheers, -- David Collantes - http://www.bus.ucf.edu/david/ College of Business Administration, University of Central Florida "Sometimes one pays most for the things one gets for nothing." smime.p7s Description: application/pkcs7-signature
Re: S/MIME display bug
Hi,

On Mon, Feb 25, 2002 at 02:24:27PM -0500, Mike Schiraldi wrote:
> Looks like we've got a display-corruption bug in current CVS -- when a
> message arrives whose "From" address doesn't match any in the S/MIME cert
> (like this message), the screen gets garbled.
>
> A warning should absolutely be displayed, but should
> mutt_any_key_to_continue() be called? A previous bugfix in another part of
> smime.c mentioned that this is bad, and it added a sleep(5) call whose
> purpose i didn't understand -- surely there must be a more elegant way?

How about a red line in the status bar? Would be most elegant surely?

I'm still on old S/MIME mutt, and I saw:

Alert: Certificate belongs to "[EMAIL PROTECTED]". But sender was "[EMAIL PROTECTED]".
Press any key to continue...

What was the reason behind changing it? No screen corruption here.

Luke

smime.p7s Description: application/pkcs7-signature
Re: S/MIME display bug
On Mon, Feb 25, 2002 at 02:24:27PM -0500, Mike Schiraldi wrote: > Looks like we've got a display-corruption bug in current CVS -- when a > message arrives whose "From" address doesn't match any in the S/MIME cert > (like this message), the screen gets garbled. > > A warning should absolutely be displayed, but should > mutt_any_key_to_continue() be called? A previous bugfix in another part of > smime.c mentioned that this is bad, and it added a sleep(5) call whose > purpose i didn't understand -- surely there must be a more elegant way? the following fixes the error. it again introduces some sleep (who included the first one ?) that is needed here to display both error messages. we could drop one of them, and thus get rid of it. the (obviously not so) elegant solution was calling any_key alternatively, we could just printf() the first (ie _not_ use mutt_error), wait for any_key, and then mutt_error() the second/final warning. diff -u smime.c~ smime.c --- smime.c~Wed Feb 13 15:05:49 2002 +++ smime.c Tue Feb 26 12:11:33 2002 @@ -915,15 +915,16 @@ if (ret == -1) { -mutt_copy_stream (fperr, stdout); mutt_endwin(NULL); -mutt_error (_("Alert: No mailbox specified in certificate.\n")); +mutt_copy_stream (fperr, stdout); +mutt_any_key_to_continue (_("Error: unable to create OpenSSL subprocess!")); +mutt_error (_("Alert: No mailbox specified in certificate.\n")); ret = 1; } else if (!ret) { -mutt_endwin(NULL); +/* mutt_endwin(NULL); */ mutt_error (_("Alert: Certificate does *NOT* belong to \"%s\".\n"), mailbox); +mutt_sleep(5); ret = 1; } else ret = 0; @@ -1455,7 +1456,10 @@ { mutt_unlink(tempfname); if (smime_handle_cert_email (certfile, mbox, 0, NULL, NULL)) - mutt_any_key_to_continue(NULL); + { + if(isendwin()) + mutt_any_key_to_continue(NULL); + } else retval = 0; mutt_unlink(certfile); msg24793/pgp0.pgp Description: PGP signature
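Review bot: in the first smime.c hunk the ret == -1 branch now calls mutt_any_key_to_continue (_("Error: unable to create OpenSSL subprocess!")) immediately before the "Alert: No mailbox specified in certificate." error, but that branch is the no-mailbox case, not a failure to spawn OpenSSL, so the prompt contradicts the alert that follows it (the author confirms later in this thread that the line is a cut-and-paste leftover and is also what makes the patch fail to apply). Drop it, or pass NULL as the second hunk does so the prompt is the plain "Press any key to continue". The mutt_sleep(5) added to the else-if branch also deserves a comment saying it exists only so the second mutt_error stays visible, since the message itself calls it the not-so-elegant part.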
S/MIME display bug
Looks like we've got a display-corruption bug in current CVS -- when a message arrives whose "From" address doesn't match any in the S/MIME cert (like this message), the screen gets garbled. A warning should absolutely be displayed, but should mutt_any_key_to_continue() be called? A previous bugfix in another part of smime.c mentioned that this is bad, and it added a sleep(5) call whose purpose i didn't understand -- surely there must be a more elegant way? Looking for a primer on reporting errors in mutt and the rationale for the sleep(). Thanks. smime.p7s Description: application/pkcs7-signature
Re: S/MIME Howto
Something else you can try -- rename your ~/.smime and reinitialize it, so that it is completely empty. Then, send your mutt account a signed message from your Outlook account. Extract the S/MIME sig from it, and then reply to it, with encryption turned on. See if Outlook can decrypt -that-.

-- 
Mike Schiraldi
VeriSign Applied Research
Re: S/MIME Howto
Sorry if this seems like a "did you check the power cord" answer, but you mention that you have two certificates. Are you positive that the one you are encrypting to is the one which is installed in Outlook?

-- 
Mike Schiraldi
VeriSign Applied Research
Re: S/MIME Howto
On Fri, Feb 22, 2002 at 10:45:51AM -0500, Mike Schiraldi wrote:
> > Does anyone know where I could find an S/MIME howto? I just got 1.5.0i and
> > I want to try the S/MIME support, but nothing comes with it to set it up.
> > How to create my certificate/key? How can I make it (them) 'legal' for the
> > top CA? Any help highly appreciated.
>
> See doc/smime-notes.txt and contrib/smime.rc. If you have any difficulty at
> all or suggestions for improving either of those files, please let me know.

Mike,

I have successfully set up S/MIME using Thawte (free) and VeriSign ($14.95) certificates. The problem is different now. I can sign and encrypt messages fine, but only Mutt is able to decrypt. If I open the messages with Outlook, I can see and verify the signed ones fine, but the encrypted ones show:

,---
| Error Decrypting Message
| You cannot read the message.
|
| This might be because:
|
| You may have lost or deleted the Digital ID that the message is encrypted to.
|
| You may have installed the Digital ID that the message is encrypted to on another computer.
|
| The sender may have meant the message for somebody else.
|
| You do not have the necessary security package installed on this computer.
`--

But I have the certificate installed on the Outlook client. Any suggestions?

Cheers,
-- 
David Collantes - http://www.bus.ucf.edu/david/
College of Business Administration, University of Central Florida
"Two things are omnipresent in the Universe: Hydrogen and my Stupidity."
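Mike's question in this thread (is the certificate you encrypt to the one installed in Outlook?) can be answered from the message itself, because the CMS EnvelopedData names its recipient by issuer and serial number. The script below is an added example, not code from the thread or from mutt: it uses OpenSSL to build two constructed test certificates, encrypts to the wrong one, and compares the recipient serial in the message with the certificate the mail client holds. It assumes a reasonably recent `openssl` binary on PATH and relies on the `req -set_serial`, `cms -cmsout -print` and `x509 -serial` options.

```shell
#!/bin/sh
# Added example (not code from the thread): show which recipient certificate an
# S/MIME enveloped message was encrypted to, and compare it with the certificate
# the reader actually holds. Assumes a reasonably recent `openssl` on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed test certificate with a fixed small serial number
# (serials below 128 bits are printed in decimal by `openssl cms -print`).
mkcert() {  # mkcert <name> <serial>
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -set_serial "$2" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Decimal serial of the recipient named in the message's KeyTransRecipientInfo.
recipient_serial() {  # recipient_serial <smime-message>
    openssl cms -cmsout -print -in "$1" | sed -n 's/^ *serialNumber: *//p' | head -n 1
}

# A certificate's serial, converted from the hex that `x509 -serial` prints to decimal.
cert_serial() {  # cert_serial <cert.pem>
    hex=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
    printf '%d\n' "0x$hex"
}

# Succeeds only when the message names this certificate as its recipient.
encrypted_to() {  # encrypted_to <smime-message> <cert.pem>
    [ "$(recipient_serial "$1")" = "$(cert_serial "$2")" ]
}

demo() {
    mkcert installed 1001    # the Digital ID installed in the recipient's mail client
    mkcert stale 1002        # a second certificate for the same person, as in the thread
    printf 'constructed test message\n' > "$WORK/plain.txt"
    # Encrypt to the wrong certificate, which is what produces Outlook's complaint.
    openssl cms -encrypt -aes256 -in "$WORK/plain.txt" -out "$WORK/enc.eml" "$WORK/stale.crt"
    if encrypted_to "$WORK/enc.eml" "$WORK/installed.crt"; then
        echo "message is encrypted to the installed certificate"
    else
        echo "mismatch: message names serial $(recipient_serial "$WORK/enc.eml")," \
             "installed certificate is serial $(cert_serial "$WORK/installed.crt")"
    fi
}

demo
```

The same check applies to a real message: save the encrypted mail to a file and run `recipient_serial` on it, then compare against `cert_serial` of the certificate exported from the client that fails to decrypt.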
