Topics Map >

Mutt - Signing and Encrypting Email Messages

How to sign and encrypt email messages (S/MIME) with Mutt

Note: It should be noted that this is not a UW-Madison Help Desk or DoIT Middleware supported procedure, and, naturally, we can't take responsibility for any damage you do while following or attempting to follow these procedures. Be sure you understand what you are doing.

WARNING: as implied from the above note, this document is supported when I have time, of which I have little at the moment. Unfortunately, this document has not been updated for the new Entrust CA. I will update it when I have time, which unfortunately probably won't be very soon. Patches welcome.

Assumptions

  • You have Mutt v1.5 or greater. Mutt 1.4 does not support S/MIME.
  • If you are building Mutt, please patch your source with my patch so that you can add certificate chains.
  • You have a PKCS#12 Certificate and Key package from somewhere.
  • You can find a ca-bundle.crt that came with OpenSSL or Mutt, or you are content to add CA Certificates.
  • You have chosen a location for your certificates and keys, herein ~/.smime.

Set up Mutt

Add the contents of smime.rc to your .muttrc. smime.rc can also be found in /usr/local/doc/mutt/samples if you installed in default locations.

If you want to keep your certificates in a location other than ~/.smime, you will have to change the applicable references.

Set up your key and certificate repositories

  1. Initialize the database:
    smime_keys init
    This should create ~/.smime, ~/.smime/certificates and ~/.smime/keys
  2. Copy ca-bundle.crt to ~/.smime/ or create an empty file named ~/.smime/ca-bundle.crt
  3. Add the PKCS#12 package to your database:
    smime_keys add_p12 file.p12
    • You will be asked for the passphrase for the private key in the PKCS#12 file, as well as a new passphrase for encrypting the key in your database. It doesn't matter if you use the same passphrase both times. This passphrase is not recoverable, so make sure you remember it
    • You will be askes what you want to call the certificate; it makes to difference to anyone what you call it, but you can't have two certificates with the same nickname.
  4. Make note of the hash for your key (the line that says: added private key followed by a path and a hex number ending in .0.
  5. Find the line in your .muttrc that says
    set smime_default_key="12345678.0"
    and change 12345678.0 to the hash for your key.
  6. Download the Equifax CA Certificate and the UW Certificate and add them to your certificate file (in that order) by running:
    $ smime_keys add_root equifax1.pem
    $ smime_keys add_root uwmsn.pem
    

Test

You should be set to sign email.

Send a signed email to yourself

  1. Compose an email to yourself.
  2. After the email is composed, you should see:
     S/MIME: Sign                                                                                                
     sign as: 12345678.0
    
    (where 12345678.0 is your default key from above) on the Compose menu.
  3. When you hit y to send the message, you will be prompted for the passphrase for your private key.
  4. When the message makes it through your email system (which should be shortly), you will see s in the index before you read the message and S after your have read the message (assuming that the message signature is valid.)
  5. When you open the message in the Pager, you should see:
    [-- OpenSSL output follows (current time: Tue 25 Oct 2005 01:33:41 PM CDT) --]
    Verification successful
    [-- End of OpenSSL output --]
    
    [-- The following data is signed --]
     ...
    [-- End of signed data --]
    
    Where the current time is actually the current time, and ... is your message.
    S/MIME signature successfully verified.
    
    Should appear in the status bar at the bottom of the screen.

Send an encrypted email to yourself

  1. Compose an email to yourself.
  2. After the email is composed, you should see:
      S/MIME: Sign                                                                                                
     sign as: 12345678.0
    
    (where 12345678.0 is your default key from above) on the Compose menu, under the regular header information.
  3. Hit S to access the S/MIME Options, select b to both encrypt and sign. The menu should now show:
      S/MIME: Sign, Encrypt                                                                                       
     sign as: 12345678.0                    Encrypt with: des3                                                    
    
  4. When you hit y to send the message, you will be prompted for the passphrase for your private key. It may ask you what key you want to use when encrypting, choose wisely, otherwise you can't read your top secret message.
  5. When the message makes it through your email system (which should be shortly), you will see P (encypted) in the index before you read the message and S after your have read the message (assuming that the message signature is valid.) You may be prompted for the passphrase to your private key.
  6. When you open the message in the Pager, you should see:
    [-- The following data is S/MIME encrypted --]                                                                
    [-- OpenSSL output follows (current time: Tue 25 Oct 2005 03:00:59 PM CDT) --]                                
    Verification successful                                                                                       
    [-- End of OpenSSL output --]                                                                                 
                                                                                                                  
    [-- The following data is signed --]
     ...
    [-- End of signed data --]                                                                                    
                                                                                                                  
    [-- End of S/MIME encrypted data. --]                                                                         
    
    Where the current time is actually the current time, and ... is your message.
    S/MIME signature successfully verified.
    
    Should appear in the status bar at the bottom of the screen.

Importing certificates

In general, Ctl-K should be bound to extract-keys, so you can simply extract keys.

Due to problems with the way that some email clients send signatures, you may not be able to add some certificates automatically, with the default installation. We have a patch, or you can follow a simple procedure:

If you can patch your Mutt source

  1. Download smime_keys.diff
  2. Go to the extracted source directory (something like mutt-1.5.10/)
  3. Patch smime_keys.pl:
    $ patch -p1 < smime_keys.diff
    patching file smime_keys.pl
    
  4. Build Mutt as usual. (Don't forget --with-ssl!)

If you cannot patch your Mutt source

  1. Extract the PKCS#7 object:
    $ openssl smime -verify -in file.msg -noverify -pk7out > file.pk7
    
  2. Dump the certificates in that file
    openssl pkcs7 -print_certs -in file.pk7 > file.pem
    
  3. Open the file in your favorite text editor and seperate out each certificate individually in to it's own file and import:
    • For each CA certificate that you want to trust:
      smime_keys add_root file.pem
      Note: You do not need to trust all intermediate CAs. You can simply trust the end-user certificate.
    • For the subject certificate that you want to add:
      smime_keys add_cert file.pem




Keywords: s/mime smime mutt pki digital certificate public key infrastructure mail signed encrypted   Doc ID: 4091
Owner: Jon M.Group: Middleware
Created: 2005-10-23 19:00 CDTUpdated: 2011-01-17 19:00 CDT
Sites: Middleware