Re: [MlMt] S/MIME Encryption

2017-02-17 Thread Benny Kjær Nielsen

On 17 Feb 2017, at 10:16, Robert M. Münch wrote:

>> No, but when you sign a message then the recipient gains the ability
>> to encrypt messages to you if they add your certificate to the
>> keychain.
>
> I think in S/MIME exist different types of certificates as I own one
> for signing but that can't be used for encryption. Not sure how this
> is handled.

This is not a problem when signing, but when encrypting then the message 
also needs to be encrypted for you (since otherwise you cannot view the 
message later on). MailMate cannot do this without a certificate 
available for doing encryption.

> What is strange is this: I received an email where MM stated that it
> was successfully S/MIME decrypted. But I don't have any S/MIME
> encrypting certificate.

Your signing certificate must have been used to encrypt the message by 
the sender (I don't think this is technically a problem, but I don't 
think it is strictly correct behavior).

MailMate has also not been very good at checking whether or not 
certificates were marked for use for signing/encryption, but *I think* 
the latest releases do respect this.

> So I'm wondering why MM displays this message. Further I don't have a
> clue how the one who sent me the email would have gained access to my
> S/MIME certificates.

They get your certificate if you have sent a signed message to him/her.

>> I think this happens automatically in Apple Mail. In MailMate you
>> have to explicitly add it to the keychain.
>
> How do I add this to the keychain? Can I access the certificate
> anyhow?

Click on “Show Details” and then “Add to Keychain”.

>>> 2. Answering the email with encryption & signing doesn't work. I
>>> get: "Failed to find valid certificate to encrypt for
>>> xyz@abc.com. The specified item could not be found in the
>>> keychain. Error code: -25300" (Note: This text is shown twice). But
>>> I can see the certificate for the recipient in one of my keychains.
>>
>> The error code means that it couldn't find a valid certificate.
>
> For whom? For me or the guy I'm going to send an email to?

For the one with the email address `xyz@abc.com`.

>> S/MIME and OpenPGP users should update to the latest test release
>> (r5346). I've made several changes which I would like to have tested
>> including an important bug fix for S/MIME (which I would like to
>> release soon).
>
> Ok, will do.


Thanks!

--
Benny
___
mailmate mailing list
mailmate@lists.freron.com
https://lists.freron.com/listinfo/mailmate
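
The signing-versus-encryption marking discussed in the message above is carried in a certificate's X.509 KeyUsage extension. The following is an added example, not MailMate's code and not part of the original posts: it decodes constructed KeyUsage values and reports whether a certificate may be used to sign and whether a sender may encrypt to it. The function names are hypothetical, and a missing extension is assumed to leave both uses unrestricted.

```python
# Added example. Bit positions follow the KeyUsage definition in RFC 5280;
# the sample extension values are constructed, not taken from the thread.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

def parse_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING that forms the KeyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length < 2 or len(der) != 2 + length:
        raise ValueError("unsupported or inconsistent length")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    total_bits = len(payload) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        # Bit 0 is the most significant bit of the first payload byte.
        if i < total_bits and payload[i // 8] & (0x80 >> (i % 8)):
            usages.add(name)
    return usages

def smime_roles(key_usage_der):
    """Return (can_sign, can_encrypt_to) for an end-entity certificate.

    None models a certificate without a KeyUsage extension (assumption:
    treated as unrestricted for both purposes).
    """
    if key_usage_der is None:
        return True, True
    usages = parse_key_usage(key_usage_der)
    can_sign = bool(usages & {"digitalSignature", "nonRepudiation"})
    can_encrypt = bool(usages & {"keyEncipherment", "keyAgreement"})
    return can_sign, can_encrypt

SAMPLES = {  # constructed KeyUsage values
    "signing-only": bytes.fromhex("030206c0"),
    "encryption-only": bytes.fromhex("03020520"),
    "dual-use": bytes.fromhex("030205a0"),
    "no-extension": None,
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(label, smime_roles(value))
```

A client that skips this check will accept a signing-only certificate as an encryption target, which matches the behaviour described above where a message was encrypted to a signing certificate.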


Re: [MlMt] S/MIME Encryption

2017-02-17 Thread Robert M. Münch
On 16 Feb 2017, at 11:29, Benny Kjær Nielsen wrote:

>> 1. I'm wondering how this works as I can't remember to send my S/MIME 
>> certificate. Is there something like a key-server for S/MIME as well?
>
> No, but when you sign a message then the recipient gains the ability to 
> encrypt messages to you if they add your certificate to the keychain.

I think in S/MIME exist different types of certificates as I own one for 
signing but that can't be used for encryption. Not sure how this is handled.

What is strange is this: I received an email where MM stated that it was 
successfully S/MIME decrypted. But I don't have any S/MIME encrypting 
certificate. So I'm wondering why MM displays this message. Further I don't 
have a clue how the one who sent me the email would have gained access to my 
S/MIME certificates.


> I think this happens automatically in Apple Mail. In MailMate you have to 
> explicitly add it to the keychain.

How do I add this to the keychain? Can I access the certificate anyhow?


>> 2. Answering the email with encryption & signing doesn't work. I get: 
>> "Failed to find valid certificate to encrypt for xyz@abc.com. The 
>> specified item could not be found in the keychain. Error code: -25300" 
>> (Note: This text is shown twice). But I can see the certificate for the 
>> recipient in one of my keychains.
>
> The error code means that it couldn't find a valid certificate.

For whom? For me or the guy I'm going to send an email to?

> Have you checked that it's not expired or otherwise not trusted (view it in 
> Keychain Access)?

Yes, and I think it's correct.

> For debugging, you can send me the certificate off list and I can try 
> creating a message myself.

Done.

>> 3. When trying to send the email I need to enter the password for a signing 
>> certificate I own. This is the first keychain in the keychain app. But this 
>> certificate is not for encryption. Could it be that MM just accesses the first 
>> keychain and doesn't search through all of them?
>
> MailMate doesn't specify a specific keychain when doing certificate searches, 
> but I think the system library looks in the login keychain first.

I see the "Signing" and "Email Encryption" certificate there.

> When signing then MailMate only looks for certificates which can be used for 
> signing.

Which seems to work as I'm asked to enter the password for the USB token.

> S/MIME and OpenPGP users should update to the latest test release (r5346). 
> I've made several changes which I would like to have tested including an 
> important bug fix for S/MIME (which I would like to release soon).

Ok, will do.

-- 

Robert M. Münch, CEO
M: +41 79 65 11 49 6

Saphirion AG
smarter | better | faster

http://www.saphirion.com
http://www.nlpp.ch




Re: [MlMt] S/MIME Encryption

2017-02-16 Thread Benny Kjær Nielsen

On 13 Feb 2017, at 11:27, Robert M. Münch wrote:

> Hi, I received an encrypted S/MIME message which was successfully
> decrypted. At least that's what MM shows.
>
> 1. I'm wondering how this works as I can't remember to send my S/MIME
> certificate. Is there something like a key-server for S/MIME as well?

No, but when you sign a message then the recipient gains the ability to 
encrypt messages to you if they add your certificate to the keychain. I 
think this happens automatically in Apple Mail. In MailMate you have to 
explicitly add it to the keychain.

> 2. Answering the email with encryption & signing doesn't work. I get:
> "Failed to find valid certificate to encrypt for xyz@abc.com. The
> specified item could not be found in the keychain. Error code: -25300"
> (Note: This text is shown twice). But I can see the certificate for
> the recipient in one of my keychains.

The error code means that it couldn't find a valid certificate. Have you 
checked that it's not expired or otherwise not trusted (view it in 
Keychain Access)?

For debugging, you can send me the certificate off list and I can try 
creating a message myself.

> 3. When trying to send the email I need to enter the password for a
> signing certificate I own. This is the first keychain in the keychain
> app. But this certificate is not for encryption. Could it be that MM
> just accesses the first keychain and doesn't search through all of them?


MailMate doesn't specify a specific keychain when doing certificate 
searches, but I think the system library looks in the login keychain 
first. When signing then MailMate only looks for certificates which can 
be used for signing. If you need to then you can force an explicit 
binding between an email address and a certificate using a [hidden 
preference](https://manual.mailmate-app.com/hidden_preferences#security).


S/MIME and OpenPGP users should update to the latest test release 
(r5346). I've made several changes which I would like to have tested 
including an important bug fix for S/MIME (which I would like to release 
soon).


--
Benny