Klaus Knopper answers your Linux questions
Adding Encryption to Thunderbird
How can I add encryption and signature capabilities to the Thunderbird mail program?
Because they are part of the Mozilla suite, the procedure of importing certificates and keys is the same for the Firefox browser (Iceweasel in Debian) and the Thunderbird mail client (Icedove in Debian).
In theory, you could just import the keys.p12
private/public keypair combo file that was created in the answer to the previous question, into Firefox and Thunderbird using the Import function in the Preferences | Advanced | View Certificates section. But not yet! Before you start the actual import, you have to tell Firefox that the self-signed public key contained in the file is trustworthy and acceptable for encryption and signature verification. The "trust" principle is very important in SSL; attackers could easily trick you into accepting wrong keys by just creating a certificate with a given name, if you were not required to verify and accept a new contact certificate manually.
To do this, import the public.pem
file (created previously) as Certificate Authority. Firefox will display a dialog asking about trust options; you should at least select Trust this CA to identify email users (Figure 3). Next, you can import the file keys.p12
into Your Certificates to install the private key in Firefox (Figures 4 and**5) as well.
The Details dialog shows the key's fingerprint and gives you access to the content of the certificate, in case someone asks for verification of your public key data (Figure 6). The fingerprint (or checksum) is a reliable criterion for the authenticity of a certificate, other than the name or mail address, which can just be entered by the user during certificate creation. The fingerprint cannot easily be faked, because it must match the cryptographic key as well as the human-readable, personal data associated with it.
The import procedure is the same for Thunderbird, Firefox, and Chrome/Chromium, as well as proprietary mail clients like MS Outlook/Exchange on other operating systems (Figure 7).
Back to Thunderbird; you can now digitally sign messages using your personal SSL key and read encrypted messages sent by friends who have your SSL public key (remember, the file was public.pem
in the example), which is automatically attached when you send a signed email (Figure 8).
Safety Check
How can I be sure that my mail program does not send email or mail access passwords over an insecure network with no encryption?
Go into your mail program's Account settings and check both the incoming message and outgoing message servers and protocols. For encrypted transfer of access passwords, as well as encrypted mail transport, the protocol for receiving messages should be "IMAPS" (usually port 993 on the server) or "POP3S" (usually port 995 on the server).
For sending email, TLS and/or SSL should be required. Some mailers use the standard mail port 25 for switching to transport layer security only if the mail client explicitly asks for it, but the standard port for SMPTS running in SSL-enabled mode is 465, which you should use if your mail provider offers this service.
Once TLS or SSL are enabled, your mail program should ask you a question to verify validity of the presented SSL certificate's fingerprint and content. You should check whether the certificate verifies against a trusted certificate authority (most mailers have a built-in list).
If in doubt, contact the technical administrator of the mail server and verify the certificate's fingerprint. After this one-time verification, your mail traffic will be point-to-point encrypted between you and the mail server.
Apart from the secured transport layer, confidential email should always be encrypted by itself so that only the holder(s) of the secret key(s), namely the designated recipients, can read it.
Adding Encryption to Mutt
How can I add encryption and signature capabilities to the text-based Mutt mailer program?
Make sure you have the OpenSSL package installed and add the lines shown in Listing 1 to your .muttrc
configuration file.
Listing 1
Settings for Handling S/MIME Attachments
To create the public key infrastructure for Mutt – in directory $HOME/.smime
in this example – you need the smime_keys
command, which is part of the SSL-enabled Mutt package. The command
smime_keys add_cert public.pem
imports your self-signed public key from the previous examples and
smime add_p12 keys.p12
adds your secret key for signing and decrypting messages.
From Mutt's Send dialog, you can type S to get into the S/MIME options to encrypt or sign a message before sending.
Decryption and signature verification of received mail containing S/MIME attachments work automatically once you have the corresponding public and secret keys installed.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy Linux Magazine
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters
Support Our Work
Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.
News
-
TUXEDO Computers Unveils Linux Laptop Featuring AMD Ryzen CPU
This latest release is the first laptop to include the new CPU from Ryzen and Linux preinstalled.
-
XZ Gets the All-Clear
The back door xz vulnerability has been officially reverted for Fedora 40 and versions 38 and 39 were never affected.
-
Canonical Collaborates with Qualcomm on New Venture
This new joint effort is geared toward bringing Ubuntu and Ubuntu Core to Qualcomm-powered devices.
-
Kodi 21.0 Open-Source Entertainment Hub Released
After a year of development, the award-winning Kodi cross-platform, media center software is now available with many new additions and improvements.
-
Linux Usage Increases in Two Key Areas
If market share is your thing, you'll be happy to know that Linux is on the rise in two areas that, if they keep climbing, could have serious meaning for Linux's future.
-
Vulnerability Discovered in xz Libraries
An urgent alert for Fedora 40 has been posted and users should pay attention.
-
Canonical Bumps LTS Support to 12 years
If you're worried that your Ubuntu LTS release won't be supported long enough to last, Canonical has a surprise for you in the form of 12 years of security coverage.
-
Fedora 40 Beta Released Soon
With the official release of Fedora 40 coming in April, it's almost time to download the beta and see what's new.
-
New Pentesting Distribution to Compete with Kali Linux
SnoopGod is now available for your testing needs
-
Juno Computers Launches Another Linux Laptop
If you're looking for a powerhouse laptop that runs Ubuntu, the Juno Computers Neptune 17 v6 should be on your radar.