Klaus Knopper answers your Linux questions
Adding Encryption to Thunderbird
How can I add encryption and signature capabilities to the Thunderbird mail program?
Because they are part of the Mozilla suite, the procedure of importing certificates and keys is the same for the Firefox browser (Iceweasel in Debian) and the Thunderbird mail client (Icedove in Debian).
In theory, you could just import the keys.p12 private/public keypair combo file that was created in the answer to the previous question, into Firefox and Thunderbird using the Import function in the Preferences | Advanced | View Certificates section. But not yet! Before you start the actual import, you have to tell Firefox that the self-signed public key contained in the file is trustworthy and acceptable for encryption and signature verification. The "trust" principle is very important in SSL; attackers could easily trick you into accepting wrong keys by just creating a certificate with a given name, if you were not required to verify and accept a new contact certificate manually.
To do this, import the public.pem file (created previously) as Certificate Authority. Firefox will display a dialog asking about trust options; you should at least select Trust this CA to identify email users (Figure 3). Next, you can import the file keys.p12 into Your Certificates to install the private key in Firefox (Figures 4 and 5) as well.
The Details dialog shows the key's fingerprint and gives you access to the content of the certificate, in case someone asks for verification of your public key data (Figure 6). Unlike the name or mail address, which the user can simply enter during certificate creation, the fingerprint (or checksum) is a reliable criterion for the authenticity of a certificate. The fingerprint cannot easily be faked, because it must match the cryptographic key as well as the human-readable, personal data associated with it.
The import procedure is the same for Thunderbird, Firefox, and Chrome/Chromium, as well as proprietary mail clients like MS Outlook/Exchange on other operating systems (Figure 7).
Back to Thunderbird; you can now digitally sign messages using your personal SSL key and read encrypted messages sent by friends who have your SSL public key (remember, the file was public.pem in the example), which is automatically attached when you send a signed email (Figure 8).
How can I be sure that my mail program does not send email or mail access passwords over an insecure network with no encryption?
Go into your mail program's Account settings and check both the incoming message and outgoing message servers and protocols. For encrypted transfer of access passwords, as well as encrypted mail transport, the protocol for receiving messages should be "IMAPS" (usually port 993 on the server) or "POP3S" (usually port 995 on the server).
For sending email, TLS and/or SSL should be required. Some mailers switch to transport layer security on the standard mail port 25 only if the mail client explicitly asks for it, but the standard port for SMTPS running in SSL-enabled mode is 465, which you should use if your mail provider offers this service.
Once TLS or SSL is enabled, your mail program should ask you to verify the validity of the presented SSL certificate's fingerprint and content. You should check whether the certificate verifies against a trusted certificate authority (most mailers have a built-in list).
If in doubt, contact the technical administrator of the mail server and verify the certificate's fingerprint. After this one-time verification, your mail traffic will be point-to-point encrypted between you and the mail server.
Apart from the secured transport layer, confidential email should always be encrypted by itself so that only the holder(s) of the secret key(s), namely the designated recipients, can read it.
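The fingerprint comparison recommended in both answers above can be scripted with the openssl command-line tool. The following is an added example, not part of the original column; the function names are made up for illustration, and mail.example.org and server.pem are placeholders.

```sh
#!/bin/sh
# Added example: check a certificate against a fingerprint received out-of-band.

# Reduce any common fingerprint notation ("SHA256 Fingerprint=AB:CD...",
# "ab cd ...", bare hex) to bare uppercase hex.
normalize_fp() {
    sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint of the PEM certificate file $1.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | normalize_fp
}

# Succeed only if certificate file $1 has exactly the fingerprint $2.
fingerprint_matches() {
    actual=$(cert_fingerprint "$1")
    expected=$(printf '%s' "$2" | normalize_fp)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Save the certificate a mail server presents on an SSL port such as
# 993 (IMAPS), 995 (POP3S) or 465 (SMTPS). Needs network access.
fetch_server_cert() {   # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Typical use (host name and file name are placeholders):
#   fetch_server_cert mail.example.org 993 > server.pem
#   fingerprint_matches server.pem "AB:CD:..." && echo "fingerprint OK"
```

The same fingerprint_matches call works for a contact's public.pem before you import it as trusted.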
Adding Encryption to Mutt
How can I add encryption and signature capabilities to the text-based Mutt mailer program?
Make sure you have the OpenSSL package installed and add the lines shown in Listing 1 to your .muttrc configuration file.
Listing 1: Settings for Handling S/MIME Attachments
# Key and certificate locations
set smime_default_key="<your smime key file ID>"
set smime_ca_location="~/.smime/ca-bundle.crt"
set smime_certificates="~/.smime/certificates"
set smime_keys="~/.smime/keys"
# Extracting and importing certificates from received messages
set smime_pk7out_command="openssl smime -verify -in %f -noverify -pk7out"
set smime_get_cert_command="openssl pkcs7 -print_certs -in %f"
set smime_get_signer_cert_command="openssl smime -verify -in %f -noverify -signer %c -out /dev/null"
set smime_get_cert_email_command="openssl x509 -in %f -noout -email"
set smime_import_cert_command="smime_keys add_cert %f"
# Encrypting, signing, and decrypting
set smime_encrypt_with="des3"
set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c"
set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin -in %f -outform DER"
set smime_decrypt_command="openssl smime -decrypt -noverify -passin stdin -inform DER -in %f -inkey %k -recip %c"
# Signature verification (-noverify skips validation of the signer's certificate chain)
set smime_verify_command="openssl smime -verify -inform DER -in %s -content %f -noverify"
set smime_verify_opaque_command="openssl smime -verify -inform DER -in %s -noverify"
To create the public key infrastructure for Mutt – in directory $HOME/.smime in this example – you need the smime_keys command, which is part of the SSL-enabled Mutt package. The command
smime_keys add_cert public.pem
imports your self-signed public key from the previous examples and
smime_keys add_p12 keys.p12
adds your secret key for signing and decrypting messages.
From Mutt's Send dialog, you can type S to get into the S/MIME options to encrypt or sign a message before sending.
Decryption and signature verification of received mail containing S/MIME attachments work automatically once you have the corresponding public and secret keys installed.
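The verify commands in Listing 1 pass -noverify, which makes OpenSSL check the signature over the message content but skip validation of the signer's certificate chain. The following added example (not part of the original column; function names, identities, and file names are constructed) shows the difference with throwaway self-signed certificates.

```sh
#!/bin/sh
# Added example: what the -noverify option in Listing 1's verify command skips.

# Throwaway self-signed identity (constructed test data): $1 = file prefix, $2 = name.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Detached DER signature with the options of smime_sign_command
# (no -passin because the test key has no passphrase).
sign_detached() {       # $1 = identity prefix, $2 = message, $3 = signature out
    openssl smime -sign -signer "$1.pem" -inkey "$1.key" -in "$2" \
        -outform DER -out "$3" 2>/dev/null
}

# Options of smime_verify_command: checks the signature over the content only.
verify_noverify() {     # $1 = signature, $2 = message
    openssl smime -verify -inform DER -in "$1" -content "$2" -noverify \
        >/dev/null 2>&1
}

# Same check, but the signer's certificate must also chain to the CA file $3.
verify_with_ca() {      # $1 = signature, $2 = message, $3 = CA file
    openssl smime -verify -inform DER -in "$1" -content "$2" -CAfile "$3" \
        >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'constructed test message\r\n' > "$d/msg.txt"   # CRLF: canonical S/MIME text
    make_identity "$d/stranger" "Unknown Sender"
    make_identity "$d/trusted" "Trusted Contact"
    sign_detached "$d/stranger" "$d/msg.txt" "$d/msg.p7s"
    verify_noverify "$d/msg.p7s" "$d/msg.txt" \
        && echo "-noverify: signature from unknown signer accepted"
    verify_with_ca "$d/msg.p7s" "$d/msg.txt" "$d/trusted.pem" \
        || echo "-CAfile:   same signature rejected, signer not trusted"
    rm -rf "$d"
}
demo
```

With -noverify in place, a valid signature tells you the message was not altered after signing, so the signer's identity still has to be confirmed through the certificate fingerprint.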