Mutt - Signing and Encrypting Email Messages
How to sign and encrypt email messages (S/MIME) with Mutt
WARNING: as implied from the above note, this document is supported when I have time, of which I have little at the moment. Unfortunately, this document has not been updated for the new Entrust CA. I will update it when I have time, which unfortunately probably won't be very soon. Patches welcome.
Assumptions
- You have Mutt v1.5 or greater. Mutt 1.4 does not support S/MIME.
- If you are building Mutt, please patch your source with my patch so that you can add certificate chains.
- You have a PKCS#12 Certificate and Key package from somewhere.
- You can find a
ca-bundle.crtthat came with OpenSSL or Mutt, or you are content to add CA Certificates. - You have chosen a location for your certificates and keys, herein
~/.smime.
Set up Mutt
Add the contents of smime.rc
to your .muttrc. smime.rc can also be found
in /usr/local/doc/mutt/samples if you installed in default
locations.
If you want to keep your certificates in a location other than
~/.smime, you will have to change the applicable
references.
Set up your key and certificate repositories
- Initialize the database:
smime_keys init
This should create~/.smime,~/.smime/certificatesand~/.smime/keys - Copy
ca-bundle.crtto~/.smime/or create an empty file named~/.smime/ca-bundle.crt - Add the PKCS#12 package to your database:
smime_keys add_p12 file.p12
- You will be asked for the passphrase for the private key in the PKCS#12 file, as well as a new passphrase for encrypting the key in your database. It doesn't matter if you use the same passphrase both times. This passphrase is not recoverable, so make sure you remember it
- You will be askes what you want to call the certificate; it makes to difference to anyone what you call it, but you can't have two certificates with the same nickname.
- Make note of the hash for your key (the line that says:
added private keyfollowed by a path and a hex number ending in.0
. - Find the line in your
.muttrcthat saysset smime_default_key="12345678.0"
and change12345678.0
to the hash for your key. - Download the Equifax CA
Certificate and the UW
Certificate and add them to your certificate file (in that order) by
running:
$ smime_keys add_root equifax1.pem $ smime_keys add_root uwmsn.pem
Test
You should be set to sign email.
Send a signed email to yourself
- Compose an email to yourself.
- After the email is composed, you should see:
S/MIME: Sign sign as: 12345678.0
(where12345678.0
is yourdefault key
from above) on theComposemenu. - When you hit
y
to send the message, you will be prompted for the passphrase for your private key. - When the message makes it through your email system (which should be
shortly), you will see
sin the index before you read the message andSafter your have read the message (assuming that the message signature is valid.) - When you open the message in the Pager, you should see:
[-- OpenSSL output follows (current time: Tue 25 Oct 2005 01:33:41 PM CDT) --] Verification successful [-- End of OpenSSL output --] [-- The following data is signed --] ... [-- End of signed data --]
Where thecurrent time
is actually the current time, and...
is your message.S/MIME signature successfully verified.
Should appear in the status bar at the bottom of the screen.
Send an encrypted email to yourself
- Compose an email to yourself.
- After the email is composed, you should see:
S/MIME: Sign sign as: 12345678.0
(where12345678.0
is yourdefault key
from above) on theComposemenu, under the regular header information. - Hit
S
to access the S/MIME Options, selectb
tob
oth encrypt and sign. The menu should now show:S/MIME: Sign, Encrypt sign as: 12345678.0 Encrypt with: des3
- When you hit
y
to send the message, you will be prompted for the passphrase for your private key. It may ask you what key you want to use when encrypting, choose wisely, otherwise you can't read your top secret message. - When the message makes it through your email system (which should be
shortly), you will see
P(encyp
ted) in the index before you read the message andSafter your have read the message (assuming that the message signature is valid.) You may be prompted for the passphrase to your private key. - When you open the message in the Pager, you should see:
[-- The following data is S/MIME encrypted --] [-- OpenSSL output follows (current time: Tue 25 Oct 2005 03:00:59 PM CDT) --] Verification successful [-- End of OpenSSL output --] [-- The following data is signed --] ... [-- End of signed data --] [-- End of S/MIME encrypted data. --]Where thecurrent time
is actually the current time, and...
is your message.S/MIME signature successfully verified.
Should appear in the status bar at the bottom of the screen.
Importing certificates
In general, Ctl-K should be bound to
extract-keys
, so you can simply extract keys.
Due to problems with the way that some email clients send signatures,
you may not be able to add some certificates automatically, with the default
installation. We have a patch, or you can follow a simple
procedure:
If you can patch your Mutt source
- Download smime_keys.diff
- Go to the extracted source directory (something like
mutt-1.5.10/) - Patch smime_keys.pl:
$ patch -p1 < smime_keys.diff patching file smime_keys.pl
- Build Mutt as usual. (Don't forget
--with-ssl!)
If you cannot patch your Mutt source
- Extract the PKCS#7 object:
$ openssl smime -verify -in file.msg -noverify -pk7out > file.pk7
- Dump the certificates in that file
openssl pkcs7 -print_certs -in file.pk7 > file.pem
- Open the file in your favorite text editor and seperate out each
certificate individually in to it's own file and import:
- For each
CA
certificate that you want to trust:smime_keys add_root file.pem
Note: You do not need to trust all intermediate CAs. You can simply trust the end-user certificate. - For the subject certificate that you want to add:
smime_keys add_cert file.pem
- For each