Claws-Mail and S/MIME encrypted Emails

Forum Forums General Software Claws-Mail and S/MIME encrypted Emails

  • This topic has 3 replies, 2 voices, and was last updated Apr 8-3:39 pm by skidoo.
Viewing 4 posts - 1 through 4 (of 4 total)
  • Author
    Posts
  • #49557
    Member
    AvatarRobin

    I have just experienced, that it is really time consuming and difficult to get Email encryption to work, when using pre-installed programs in antix. In order to comunicate with people and corporations which use S/MIME type of encryption instead of PGP first I installed Thunderbird as E-Mail client. Therein it took not longer than 10 minutes to import the needed certificates and klick two or three checkboxes to be able to comunicate fully end-to-end encrypted.

    Now I wanted to give the pre-installed Claws-Mail client a try, and what I experienced with was really annoying.
    Even qute familiar with the concepts I had to research some hours, and encountered several error messages. Moreover there where some tricky steps and commands to be executed a normal user never would get through.

    I will report the pitfalls I noticed:

    1.) The necessery plugin “claws-mail-smime-plugin” is not pre-installed in antiX (ver 17.x, maybe it is in 19 already present, I can’t check.)
    an unexperienced user wouldn’t even be able to figure he would want to install it, or even be aware of it.
    2.) When trying to find a checkbox to activate email-encryption user is sent to “S/MIME howto” in order to get instructions. So he will check for the prerequisites listed there first:

    	apt-cache policy pinentry
    	pinentry:
    	  Installiert:           (keine)
    	  Installationskandidat: (keine)
    	  Versionstabelle:
    

    maybe he will check anyway:

    	pinentry --help
    		No $DBUS_SESSION_BUS_ADDRESS found, falling back to curses
    		pinentry-gnome3 (pinentry) 1.0.0
    		Copyright (C) 2016 g10 Code GmbH
    		License GPLv2+: GNU GPL version 2 or later <https://www.gnu.org/licenses/>
    		This is free software: you are free to change and redistribute it.
    		There is NO WARRANTY, to the extent permitted by law
    

    which will clearly show pinentry is installed allready.

    
    	apt-cache policy ca-certificates
    	ca-certificates:
    	  Installiert:           20200601~deb9u1
    	  Installationskandidat: 20200601~deb9u1
    	  Versionstabelle:
    	  *** 20200601~deb9u1 500
    		500 http://ftp.de.debian.org/debian stretch-updates/main i386 Packages
            	500 http://ftp.de.debian.org/debian stretch/main i386 Packages
    	       	100 /var/lib/dpkg/status
    
    	apt-cache policy dirmngr
    	dirmngr:
    	  Installiert:           2.1.18-8~deb9u4
    	  Installationskandidat: 2.1.18-8~deb9u4
    	  Versionstabelle:
    	     2.2.12-1+deb10u1~bpo9+1 100
    	        100 http://ftp.de.debian.org/debian stretch-backports/main i386 Packages
    	 *** 2.1.18-8~deb9u4 500
    	        500 http://ftp.de.debian.org/debian stretch/main i386 Packages
    	        100 /var/lib/dpkg/status
    	     2.1.18-8~deb9u2 500
    	        500 http://security.debian.org stretch/updates/main i386 Packages
    
    	apt-cache policy gnupg
    	gnupg:
    	  Installiert:           2.1.18-8~deb9u4
    	  Installationskandidat: 2.1.18-8~deb9u4
    	  Versionstabelle:
    	     2.2.12-1+deb10u1~bpo9+1 100
    	        100 http://ftp.de.debian.org/debian stretch-backports/main i386 Packages
    	 *** 2.1.18-8~deb9u4 500
    	        500 http://ftp.de.debian.org/debian stretch/main i386 Packages
    	        100 /var/lib/dpkg/status
    	     2.1.18-8~deb9u2 500
    	        500 http://security.debian.org stretch/updates/main i386 Packages
    
    	apt-cache policy gpgme
    	  N: Paket gpgme kann nicht gefunden werden.
    	gpgme --help
    	  bash: gpgme: Kommando nicht gefunden.
    

    Do we really need this last one (pgpme) since it doesn’t seem to exist in antiX repos? Further investigation unsheathed there is installed a packet called

    	apt-cache policy libgpgme11
    	libgpgme11:
    	  Installiert:           1.8.0-3+b2
    	  Installationskandidat: 1.8.0-3+b2
    	  Versionstabelle:
    	     1.12.0-6~bpo9+1 100
    	        100 http://ftp.de.debian.org/debian stretch-backports/main i386 Packages
    	 *** 1.8.0-3+b2 500
    	        500 http://ftp.de.debian.org/debian stretch/main i386 Packages
    	        100 /var/lib/dpkg/status
    

    Does this replace or represent the program pgpme in antiX? Where in documentation can this peace of information be found?
    Well, I assumed it would fit the needs and proceded to next step: “Configuring & running the GPG agent”

    
    	ls $HOME/.gnupg/gpg-agent.conf
    	cat: /home/demo/.gnupg/gpg-agent.conf: Datei oder Verzeichnis nicht gefunden
    

    turns out file doesn’t exist. so user will create this file and copy following lines into it:

    
    	pinentry-program /usr/bin/pinentry
    	default-cache-ttl 86400   # be aware that the passphrases will be cached for 86400 seconds! set accordingly to your needs
    	max-cache-ttl 86400
    	disable-scdaemon
    	write-env-file ~/.gnupg/.gpg-agent-info
    	allow-mark-trusted
    	keep-display
    	display :0.0
    	debug-level basic
    

    and save it to disk.

    Next the guide tells to start gpg-agent using the command which produces confusingly the message it is running allready.

    
    	eval 'gpg-agent --daemon'
    		gpg-agent[8197]: /home/demo/.gnupg/gpg-agent.conf:5: obsolete option "write-env-file" - it has no effect
    		gpg-agent[8197]: enabled debug flags: ipc
    		gpg-agent[8197]: DBG: chan_4 <- OK Pleased to meet you, process 8197
    		gpg-agent[8197]: DBG: chan_4 -> BYE
    		gpg-agent: a gpg-agent is already running - not starting a new one
    		gpg-agent: secmem usage: 0/65536 bytes in 0 blocks
    

    so probably user will remember the way services and daemons are started in antiX and try
    service --status-all
    which will show him there is no deamon named “gpg-agent” existing. How is it to be accessed (restarted) in antiX? He might try

    	service gpg-agent start
    		gpg-agent: unrecognized service

    in analogy to all the other services and daemons in use. But this will produce an error message only. At this point normal user is lost.

    Let’s step over to next chapter: “Importing S/MIME certificates into gpgsm”
    gpgsm --import my-cert-bundle.p12
    (which is the same as one would have installed in thunderbird.) It contains your private certificate, the root-certificate (Class1) of your Certificate Authority (CA) as well as the intermediate Certificate (Class3) along with your private Key.

    Next the guide asks user to import certificates:
    gpgsm --import /usr/share/ca-certificates/mozilla/*
    which will import 108 keys, but 12 keys are refused. User will not be able to decide from the output whether this is a problem or can be neglected. Now he is asked to test them:

    	gpgsm --list-secret-keys
    gpgsm: enabled debug flags: ipc
    gpgsm: DBG: chan_4 <- OK Pleased to meet you, process 7861
    gpgsm: DBG: connection to agent established
    gpgsm: DBG: chan_4 -> RESET
    gpgsm: DBG: chan_4 <- OK
    gpgsm: DBG: chan_4 -> OPTION ttyname=/dev/pts/1
    gpgsm: DBG: chan_4 <- OK
    gpgsm: DBG: chan_4 -> OPTION ttytype=xterm
    gpgsm: DBG: chan_4 <- OK
    gpgsm: DBG: chan_4 -> OPTION display=:0.0
    gpgsm: DBG: chan_4 <- OK
    gpgsm: DBG: chan_4 -> OPTION xauthority=/home/demo/.Xauthority
    gpgsm: DBG: chan_4 <- OK
    gpgsm: DBG: chan_4 -> OPTION lc-ctype=de_DE.UTF-8
    gpgsm: DBG: chan_4 <- OK
    gpgsm: DBG: chan_4 -> OPTION lc-messages=de_DE.UTF-8
    gpgsm: DBG: chan_4 <- OK
    gpgsm: DBG: chan_4 -> GETINFO version
    gpgsm: DBG: chan_4 <- D 2.1.18
    gpgsm: DBG: chan_4 <- OK
    gpgsm: DBG: chan_4 -> OPTION allow-pinentry-notify
    gpgsm: DBG: chan_4 <- OK
    gpgsm: DBG: chan_4 -> HAVEKEY ****************************************
    gpgsm: DBG: chan_4 <- OK
    gpgsm: DBG: chan_4 -> KEYINFO ****************************************
    gpgsm: DBG: chan_4 <- S KEYINFO **************************************** D - - 1 P - - -
    gpgsm: DBG: chan_4 <- OK
    gpgsm: DBG: chan_4 -> HAVEKEY ****************************************
    gpgsm: DBG: chan_4 <- ERR 67108881 Kein geheimer Schlüssel <GPG Agent>
    gpgsm: DBG: chan_4 -> HAVEKEY ****************************************
    gpgsm: DBG: chan_4 <- ERR 67108881 Kein geheimer Schlüssel <GPG Agent>
    gpgsm: DBG: chan_4 -> HAVEKEY ****************************************
    gpgsm: DBG: chan_4 <- ERR 67108881 Kein geheimer Schlüssel <GPG Agent>
    gpgsm: DBG: chan_4 -> HAVEKEY ****************************************
    gpgsm: DBG: chan_4 <- ERR 67108881 Kein geheimer Schlüssel <GPG Agent>
    gpgsm: DBG: chan_4 -> HAVEKEY ****************************************
    gpgsm: DBG: chan_4 <- ERR 67108881 Kein geheimer Schlüssel <GPG Agent>
    [....] a hundred times [...]
    /home/demo/.gnupg/pubring.kbx
    -----------------------------
               ID: ***********
              S/N: ******
           Issuer: /CN=CA Cert Signing Authority/OU=http:\x2f\x2fwww.cacert.org/O=Root CA/EMail=support@cacert.org
          Subject: /CN=CAcert WoT User/EMail=my.email.address@somewhere.org
              aka: my.email.address@somewhere.org
         validity: 2021-01-09 21:43:16 through 2021-07-08 21:43:16
         key type: 4096 bit RSA
        key usage: digitalSignature keyEncipherment keyAgreement
    ext key usage: emailProtection (suggested), clientAuth (suggested), 1.3.6.1.4.1.311.10.3.4 (suggested), serverGatedCrypto.ms (suggested), serverGatedCrypto.ns (suggested)
      fingerprint: **:**:**:**:**:**:**:**:*:*:*:*:*:*:*:*:*:*:*:*
    
    secmem usage: 0/16384 bytes in 0 blocks
    

    OK, user may be confused a little, and concerned about all these ERR 67108881 messages what lies at the root of these?
    At least, his Email certificate is propperly displayed in the end, so he hopefully goes on without sorting out all the other errors.

    Configuring GnuPG S/MIME

    	ls $HOME/.gnupg/gpgsm.conf
    	ls: Zugriff auf '/home/demo/.gnupg/gpgsm.conf' nicht möglich: Datei oder Verzeichnis nicht gefunden

    well, let’s create this file and put the follwing contents into it:

    	disable-policy-checks
    	auto-issuer-key-retrieve
    	include-certs -1  # this will include all certificates in the chain up to the root
    	debug-level basic

    save and exit.
    gpgsm --list-secret-keys 2>/dev/null |grep fingerprint | awk '{print "default-key " $2}' | sed s/://g >> ~/.gnupg/gpgsm.conf
    will add the default key to the file. (What will happen if I will have to handle more than one e-mail certificate later, since this one belongs to the email-certificate issued for a specific email address?)

    Setting up the trust:
    gpgsm --list-keys 2>/dev/null | grep fingerprint | awk '{print $2 " S"}' >> ~/.gnupg/trustlist.txt

    Setting up Claws Mail itself:

    Configuration-->Plugins, activate: PGP/Core, S/MIME.
    Configuration-->Email-Account GPG:  Chose Key from e-mail-address.

    Now everything should be fine, since the .p12 file contains root certificates allready. But trying to sign a mail now produces an error message:
    "claws-mail S/MIME : Cannot sign, Fehlendes Herausgeberzertifikat in der Kette (185)" What the heck!?
    I decided to install these certificates which build the chain again manually (they should have been present, since they were merged into the pkcs12 file):

    	gpgsm --import class3_X0E.crt
    	gpgsm --import root_X0F.crt

    which led to next error message while trying to send signed mail in claws-Mail:
    "Unable to sign any key - gpg: signing failed: Inappropriate ioctl for device Code = 32870"
    Well, after researching this error message I found this was due to pinentry wasnt’t able to display on any screen. About twenty different solutions were to be found in internet, including strange loopback constructions. But I decided just to check what applications are present in ls /usr/bin/pinentry* so I tried to enter each of them one after another into gpg-agent.conf file.
    Finally, after restarting claws-mail the entry “pinentry-program /usr/bin/pinentry-gtk-2” did the job.

    I was sometimes asked to set up additional passwords during the whole proccess I don’t have a clue what these are good for.
    And finally, since this is a persistent antiX running from USB-Stick still, how can all these encryption settings get backuped in case of messing up system on next upgrade, what has to be transfered to another USB-Stick, where are alle the corresponding files located? This is a question rather designed for a developer as for standard user. In thunderbird I simply copy one single profile directory and everything is fine.

    And finally: will all this still work after next reboot? Or do I have to create some startup entries?

    Conclusions of my self-experiment:
    The instructions found in the guide claws-mail sends user to during encryption setup (“Informationen darüber, wie S/MIME Zertifikate in Verbindung mit GPGSM funktionieren, finden Sie unter:
    http://www.claws-mail.org/faq/index.php/S/MIME_howto&#8221;)
    will disorient antiX users, since the tools listed there seem not to be present. Indeed, they are present, but in other places and they have partly different names nobody could guess. Moreover they require partly different commands.

    You might imagine, I have needed about 3 to 4 hours to get end-to-end encryption working in claws-mail, having the pkcs12 file at hand allready. And now compare this with the setup way employed in thunderbird, which was done in 5 to 10 minutes maximum, selecting the pkcs12 file from a directory and import it, then checking two or three well documented checkboxes in general setings and email-account settings. That was all. No joke.
    I really dislike the way mozilla behaves in the last period of time, but in this case they have done something the right path. It is not a really good idea to leave user on his own on this difficult task, foraging in the engine room. Is anybody around who is able to make the process in Claws mail version delivered with antiX more convenient? Maybe a wrapper script might help? At least please point out what is the correct way here? I’m not sure whether I was making some detours after all, or creating some security issues by messing around unknowingly, but finally I got it work at least. This is not what I’d like other antiX users to experience while they enyoy this distro…

    I am not that familiar with this encryption tools behind the screen, but I think that normal user would resign at some point in this process.
    I managed to get through, but it was a pain. May somebody could tell me whether I have done anything wrong, what would have been the straight way and where it is documented.

    Robin.

    • This topic was modified 4 months ago by caprea.
    • This topic was modified 4 months ago by Robin. Reason: structuring for better screen display
    #50582
    Member
    Avatarskidoo

    “claws-mail-smime-plugin” is not pre-installed in antiX (ver 17.x, maybe it is in 19 already present, I can’t check.)

    I have not used the plugin, just posting to report that it is not preinstalled in antiX19 full
    but v3.17.3-2 of the plugin is avialiable via apt install

    #57238
    Member
    AvatarRobin

    Addendum:

    Last time I missed out the question, how to deal with more than one email certificate once it would be needed. I’ll catch up right now with the answer.

    Given you have set up the encryption using the components described above for claws mail, you’ll have to edit a config file manually now. Let me start again at the point, having your additional pkcs12 certificate bundle present already (just as you would import it to any other email client also).

    1.) Then you need first to perform the command
    gpgsm --import <your-pkcs12-cert-bundle.p12>
    in a terminal window, using your new certificate this time. In case you obtained it from the same Signing Authority (Root-CA) you had got your first certificate from, you don’t need to re-import their root certificates again, otherwise repeat the correspondent steps from above.

    2.) Now enter in terminal window the command
    gpgsm --list-secret-keys 2>/dev/null | grep fingerprint | awk '{print "default-key " $2}' | sed s/://g
    and open the file
    ~/.gnupg/trustlist.txt
    using a text editor like “geany” or “leafpad” (again, don’t use a word processing software like e.g. “libreoffice” for this!). Compare the keys displayed from the terminal output carefully with the findings in the trustlist file. Simply add the key which is not present in the file already in a new line of this file, save and close it.
    There is no need to restart the deamons.

    3.) Start claws mail and look into the account settings of each mail account using encrypted transfer, menu entry “plugins–>s/mime–>signing keys” and set it to “chose key appropriate to email address”. Make also sure you have set in menu “account–>privacy the standard privacy system to “s/mime” and checked all the checkboxes, probably except for the very last, (which says to store all mails unencrypted on your hard drive) according to your needs.

    Now claws mail will chose the correct certificate for every email sender address when sending a mail automatically.

    happy mail encrypting 🙂
    Robin

    P.S.: Thanks skidoo for checking in antiX 19.x. So somebody could please add some lines explaining how to apt install the needed plugin in step 1 of the original guide above. Some day I’ll have the time and transfer the complete text to our antiX wiki, along with some impressive screenshots… 😉

    #57242
    Member
    Avatarskidoo

    Some day I’ll have the time

    wiki Table of Contents page
    ^-v
    (newly created page) Category:Tips -n- Tutorials for individual software applications
    ^–v
    (newly created page) Claws Mail email program
    https://antixlinuxfan.miraheze.org/wiki/Claws_Mail_(email_program)

    .
    _____________________

    howto (aka “how i dunnit today”):

    Open another browser tab, to: foliovision.com/seo-tools/pandoc-online
    then click browser “view-source” for this antixforum page
    then clipboard posts 1 and 3, pasting content into the converter form
    .
    Login to wiki site, create new page by editing ToC page
    :[[Tips -n- Tutorials for individual software applications]]
    save changes to ToC page, then visit the newly-created “Tips -n- Turorials” page.
    Click “edit”
    [[Claws Mail (email program)]]
    save, then visit the newly-created “Claws Mail” wiki page
    and paste the content from the pandoc-online converter page
    ( should proofread and tweak the content, but today I did not do so )

Viewing 4 posts - 1 through 4 (of 4 total)
  • You must be logged in to reply to this topic.