Klaus Knopper answers your Linux questions

Adding Encryption to Thunderbird

How can I add encryption and signature capabilities to the Thunderbird mail program?

Because they are part of the Mozilla suite, the procedure of importing certificates and keys is the same for the Firefox browser (Iceweasel in Debian) and the Thunderbird mail client (Icedove in Debian).

In theory, you could just import the keys.p12 private/public keypair combo file that was created in the answer to the previous question, into Firefox and Thunderbird using the Import function in the Preferences | Advanced | View Certificates section. But not yet! Before you start the actual import, you have to tell Firefox that the self-signed public key contained in the file is trustworthy and acceptable for encryption and signature verification. The "trust" principle is very important in SSL; attackers could easily trick you into accepting wrong keys by just creating a certificate with a given name, if you were not required to verify and accept a new contact certificate manually.

To do this, import the public.pem file (created previously) as Certificate Authority. Firefox will display a dialog asking about trust options; you should at least select Trust this CA to identify email users (Figure 3). Next, you can import the file keys.p12 into Your Certificates to install the private key in Firefox (Figures 4 and**5) as well.

Figure 3: The imported, now trusted, public key as signer certificate.
Figure 4: Importing the pkcs12 file with private and public keys.
Figure 5: The imported personal key.

The Details dialog shows the key's fingerprint and gives you access to the content of the certificate, in case someone asks for verification of your public key data (Figure 6). The fingerprint (or checksum) is a reliable criterion for the authenticity of a certificate, other than the name or mail address, which can just be entered by the user during certificate creation. The fingerprint cannot easily be faked, because it must match the cryptographic key as well as the human-readable, personal data associated with it.

Figure 6: Public key short description and fingerprint (note that this is just an example).

The import procedure is the same for Thunderbird, Firefox, and Chrome/Chromium, as well as proprietary mail clients like MS Outlook/Exchange on other operating systems (Figure 7).

Figure 7: Thunderbird/Icedove security settings after importing the key.

Back to Thunderbird; you can now digitally sign messages using your personal SSL key and read encrypted messages sent by friends who have your SSL public key (remember, the file was public.pem in the example), which is automatically attached when you send a signed email (Figure 8).

Figure 8: Writing email to myself, so I can use my own public key for encryption, and my secret key for signing.

Safety Check

How can I be sure that my mail program does not send email or mail access passwords over an insecure network with no encryption?

Go into your mail program's Account settings and check both the incoming message and outgoing message servers and protocols. For encrypted transfer of access passwords, as well as encrypted mail transport, the protocol for receiving messages should be "IMAPS" (usually port 993 on the server) or "POP3S" (usually port 995 on the server).

For sending email, TLS and/or SSL should be required. Some mailers use the standard mail port 25 for switching to transport layer security only if the mail client explicitly asks for it, but the standard port for SMPTS running in SSL-enabled mode is 465, which you should use if your mail provider offers this service.

Once TLS or SSL are enabled, your mail program should ask you a question to verify validity of the presented SSL certificate's fingerprint and content. You should check whether the certificate verifies against a trusted certificate authority (most mailers have a built-in list).

If in doubt, contact the technical administrator of the mail server and verify the certificate's fingerprint. After this one-time verification, your mail traffic will be point-to-point encrypted between you and the mail server.

Apart from the secured transport layer, confidential email should always be encrypted by itself so that only the holder(s) of the secret key(s), namely the designated recipients, can read it.

Adding Encryption to Mutt

How can I add encryption and signature capabilities to the text-based Mutt mailer program?

Make sure you have the OpenSSL package installed and add the lines shown in Listing 1 to your .muttrc configuration file.

Listing 1

Settings for Handling S/MIME Attachments


To create the public key infrastructure for Mutt – in directory $HOME/.smime in this example – you need the smime_keys command, which is part of the SSL-enabled Mutt package. The command

smime_keys add_cert public.pem

imports your self-signed public key from the previous examples and

smime add_p12 keys.p12

adds your secret key for signing and decrypting messages.

From Mutt's Send dialog, you can type S to get into the S/MIME options to encrypt or sign a message before sending.

Decryption and signature verification of received mail containing S/MIME attachments work automatically once you have the corresponding public and secret keys installed.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More