Claws Mail & S/MIME plugin howto
Recently there were many requests on the mailing list on how to configure the S/MIME plugin to work properly. It is not a trivial task as the GUI doesn't provide any configuration options and everything needs to be done in the console.
I've had a "half-working" setup but always failed on some point when importing S/MIME certificates. I now managed to have a working config and hopefully this howto will give an insight on how to achieve it.
This howto is based on Gentoo but should be working fine on every other distribution if adjusting it accordingly :)
- recent Claws Mail version
- recent S/MIME plugin (I'm using 0.5.7cvs2 which fixes some decryption bugs)
- S/MIME certificate (this howto is based on Thawte Freemail certs)
- pinentry, gnupg, gpgme, ca-certificates (and openssl) in recent versions
Those are the versions I'm using:
# emerge -p pinentry gnupg gpgme ca-certificates [ebuild R ] app-crypt/pinentry-0.7.2-r3 USE="gtk ncurses qt3 -caps" 390 kB [ebuild R ] app-crypt/gnupg-2.0.1-r1 USE="X bzip2 ldap nls -caps -doc -openct -pcsc-lite (-selinux) -smartcard" 0 kB [ebuild R ] app-crypt/gpgme-1.1.2-r1 0 kB [ebuild R ] app-misc/ca-certificates-20050804 92 kB
- running gpg-agent for caching the passphrase
I'm using keychain to start gpg-agent. Choose what you like, here are somes howtos:
Importing S/MIME certificates into gpgsm
First one has to obtain the Thawte Freemail certificate and install it into Firefox/Thunderbird. Export the certificate from Firefox/Thunderbird e.g. to "certbundle.p12" file and remember the passphrase.
Convert the file into PEM format:
$ openssl pkcs12 -in certbundle.p12 -out certbundle.pem -nodes
(use the export passphrase)
Extract the key:
$ openssl pkcs12 -in certbundle.pem -export -out certkey.p12 -nocerts -nodes
Import the key into gpgsm:
$ gpgsm --call-protect-tool --p12-import --store certkey.p12
Now one has to add the issuers certificate (Thawte) into gpgsm, you can use the certs included in the Freemail cert, but I did the following:
$ gpgsm --import /usr/share/ca-certificates/mozilla/Thawte*
(Thawte_Personal_Basic_CA.crt, Thawte_Personal_Premium_CA.crt, Thawte_Server_CA.crt, Thawte_Personal_Freemail_CA.crt, Thawte_Premium_Server_CA.crt, Thawte_Time_Stamping_CA.crt)
Check if your key has been added:
$ gpgsm --list-secret-keys
If this doesn't show a secret key, you may have to import the three certificates from certbundle.pem: separate them to three files (starting with "--- BEGIN CERTIFICATE ---" and ending with "--- END CERTIFICATE ---"), then run
$ gpgsm --import cert1.pem cert2.pem cert3.pem
You need to create the file (if it doesn't exist) "$HOME/.gnupg/trustlist.txt" to add Thawte to the trusted key list. This makes it possible to verify/sign/.../ with your Thawte certificate. Add the following lines which contain the fingerprint (not serial number!) of the key and the letter S at the end:
# 1.2.840.113522.214.171.124=#706572736F6E616C2D667265656D61696C407468617774652E636F6D,CN=Thawte # Personal Freemail CA,OU=Certification Services Division,O=Thawte # Consulting,L=Cape Town,ST=Western Cape,C=ZA 209900B63D955728140CD13622D8C687A4EB0085 S
This is my "$HOME/.gnupg/gpgsm.conf":
disable-crl-checks disable-policy-checks auto-issuer-key-retrieve debug-level basic
gpg-agent is only necessary for caching the passphrase: "$HOME/.gnupg/gpg-agent.conf"
pinentry-program /usr/bin/pinentry-qt default-cache-ttl 86400 # be aware that the passphrases will be cached for 86400 seconds! set accordingly to your need max-cache-ttl 86400 disable-scdaemon allow-mark-trusted
Working with S/MIME plugin and problems/bugs
I think because few people managed to get it to work properly there weren't many bug reports yet :) There are some things I encountered which don't work fine, e.g. keep in mind:
from the README: WARNING: This plugin doesn't handle sign+encrypt and encryption of multipart messages very well (yet).
- That means if you encrypt and sign a message you get some header stuff in the body of the message and it will be a lot more garbage if you have attached files. Encrypting alone (without attachments) or signing alone (with or without attachments) works fine.
- I always have to choose my key twice in the "Select Keys" dialog when encrypting? It seems the "Trust key" dialog doesn't show the name of the key, e.g. "The key of ' ' is not fully trusted".
CM first asks for the key of the recipient and then asks for the sender's key because CM can't extract it properly: "No exact match for 'email@address'; please select the key." (guess that is because I have two certs..).
If I send an email to a friend and include myself (To:), CM will ask me three times for the correct keys.
- Although I added my own fingerprint to trustlist.txt CM always says that the recipient is not fully trusted when I send encrypted/signed emails.
- As of now the "Select Keys" dialog when encrypting emails is a bit awkward to use if you have more than one key (e.g. one additional key that is expired and you still want to keep it to be able to decrypt older emails). It only shows the Key ID and no info about the date which makes it more difficult to choose the correct one.