127 lines
4.3 KiB
Text
127 lines
4.3 KiB
Text
# -*-muttrc-*-
|
|
## The following options are only available if you have
|
|
## compiled in S/MIME support
|
|
|
|
# If you compiled mutt with support for both PGP and S/MIME, PGP
|
|
# will be the default method unless the following option is set
|
|
# set smime_is_default
|
|
|
|
# Uncomment this if you don't want to set labels for certificates you add.
|
|
# unset smime_ask_cert_label
|
|
|
|
# Passphrase expiration
|
|
# set smime_timeout=300
|
|
|
|
# Global crypto options -- these affect PGP operations as well.
|
|
# set crypt_autosign = yes
|
|
# set crypt_replyencrypt = yes
|
|
# set crypt_replysign = yes
|
|
# set crypt_replysignencrypted = yes
|
|
# set crypt_verify_sig = yes
|
|
|
|
|
|
# Section A: Key Management
|
|
|
|
# The default keyfile for encryption (used by $smime_self_encrypt and
|
|
# $postpone_encrypt).
|
|
#
|
|
# It will also be used for decryption unless
|
|
# $smime_decrypt_use_default_key is unset.
|
|
#
|
|
# It will additionally be used for signing unless $smime_sign_as is
|
|
# set to a key.
|
|
#
|
|
# Unless your key does not have encryption capability, uncomment this
|
|
# line and replace the keyid with your own.
|
|
#
|
|
# set smime_default_key="12345678.0"
|
|
|
|
# If you have a separate signing key, or your key _only_ has signing
|
|
# capability, uncomment this line and replace the keyid with your
|
|
# signing keyid.
|
|
#
|
|
# set smime_sign_as="87654321.0"
|
|
|
|
# Uncomment to make mutt ask what key to use when trying to decrypt a message.
|
|
# It will use the default key above (if that was set) else.
|
|
# unset smime_decrypt_use_default_key
|
|
|
|
# Path to a file or directory with trusted certificates
|
|
set smime_ca_location="~/.smime/ca-bundle.crt"
|
|
|
|
# Path to where all known certificates go. (must exist!)
|
|
set smime_certificates="~/.smime/certificates"
|
|
|
|
# Path to where all private keys go. (must exist!)
|
|
set smime_keys="~/.smime/keys"
|
|
|
|
# These are used to extract a certificate from a message.
|
|
# First generate a PKCS#7 structure from the message.
|
|
set smime_pk7out_command="openssl smime -verify -in %f -noverify -pk7out"
|
|
|
|
# Extract the included certificate(s) from a PKCS#7 structure.
|
|
set smime_get_cert_command="openssl pkcs7 -print_certs -in %f"
|
|
|
|
# Extract the signer's certificate only from a S/MIME signature (sender verification)
|
|
set smime_get_signer_cert_command="openssl smime -verify -in %f -noverify -signer %c -out /dev/null"
|
|
|
|
# This is used to get the email address the certificate was issued to.
|
|
set smime_get_cert_email_command="openssl x509 -in %f -noout -email"
|
|
|
|
# Add a certificate to the database using smime_keys.
|
|
set smime_import_cert_command="smime_keys add_cert %f"
|
|
|
|
|
|
|
|
# Section B: Outgoing messages
|
|
|
|
# Algorithm to use for encryption.
|
|
# valid choices are aes128, aes192, aes256, rc2-40, rc2-64, rc2-128, des, des3
|
|
set smime_encrypt_with="aes256"
|
|
|
|
# Encrypt a message. Input file is a MIME entity.
|
|
set smime_encrypt_command="openssl cms -encrypt -%a -outform DER -in %f %c"
|
|
|
|
# Algorithm for the signature message digest.
|
|
# Valid choices are md5, sha1, sha224, sha256, sha384, sha512.
|
|
set smime_sign_digest_alg="sha256"
|
|
|
|
# Sign.
|
|
set smime_sign_command="openssl smime -sign -md %d -signer %c -inkey %k -passin stdin -in %f -certfile %i -outform DER"
|
|
|
|
|
|
|
|
# Section C: Incoming messages
|
|
|
|
# Decrypt a message. Output is a MIME entity.
|
|
set smime_decrypt_command="openssl cms -decrypt -passin stdin -inform DER -in %f -inkey %k -recip %c"
|
|
|
|
# Verify a signature of type multipart/signed
|
|
set smime_verify_command="openssl smime -verify -inform DER -in %s %C -content %f"
|
|
|
|
# Verify a signature of type application/x-pkcs7-mime
|
|
set smime_verify_opaque_command="\
|
|
openssl smime -verify -inform DER -in %s %C || \
|
|
openssl smime -verify -inform DER -in %s -noverify 2>/dev/null"
|
|
|
|
# application/pkcs7-mime ".p7m" messages should have a smime-type
|
|
# parameter to tell Mutt whether it's signed or encrypted data.
|
|
#
|
|
# If the parameter is missing, Mutt by default assumes it's SignedData.
|
|
# This can be used to change Mutt's assumption to EnvelopedData (encrypted).
|
|
#
|
|
# set smime_pkcs7_default_smime_type="enveloped"
|
|
|
|
|
|
|
|
# Section D: Alternatives
|
|
|
|
# Sign. If you wish to NOT include the certificate your CA used in signing
|
|
# your public key, use this command instead.
|
|
# set smime_sign_command="openssl smime -sign -md %d -signer %c -inkey %k -passin stdin -in %f -outform DER"
|
|
#
|
|
# In order to verify the signature only and skip checking the certificate chain:
|
|
#
|
|
# set smime_verify_command="openssl smime -verify -inform DER -in %s -content %f -noverify"
|
|
# set smime_verify_opaque_command="openssl smime -verify -inform DER -in %s -noverify"
|
|
#
|