96 lines
4.2 KiB
Text
96 lines
4.2 KiB
Text
How to add use mutt's S/MIME capabilities
|
|
|
|
- Add the contents of contrib/smime.rc to your .muttrc. Don't worry about
|
|
changing the smime_sign_as line at this point -- you'll change it later.
|
|
|
|
- Run 'smime_keys init'.
|
|
|
|
- Download and install OpenSSL.
|
|
|
|
- Get yourself a certificate. (You can get one for free from www.thawte.com,
|
|
or pay for one from VeriSign or one of its competitors) The way the
|
|
process generally works, the certificate will be installed "into" your web
|
|
browser. If you are asked what application you wish to use the
|
|
certificate with, select Netscape. Strangely enough, "mutt" is usually not
|
|
an option.
|
|
|
|
- Assuming you are using Mozilla, follow the instructions at
|
|
www.verisignlabs.com/Projects/smime_docs/linux.html to export the
|
|
certificate into a file called cert.p12. If you don't use Mozilla, you're
|
|
on your own.
|
|
|
|
- Run "smime_keys add_p12 cert.p12"
|
|
|
|
* When the script asks for the "Import password", enter the one you
|
|
provided when you exported the certificate.
|
|
|
|
* When it asks for a "PEM pass phrase", make up a new password. Every
|
|
time you sign or decrypt a message, mutt will ask for the PEM pass
|
|
phrase.
|
|
|
|
* Finally, when the script asks for a label, enter an easy-to-remember
|
|
name for the certificate, such as "me". The script output will include
|
|
a line like:
|
|
|
|
added private key: /home/raldi/.smime/keys/12345678.0 for raldi@verisignlabs.com
|
|
|
|
The number (including the ".0" at the end) is your keyid. You will
|
|
need this number in the next step.
|
|
|
|
- There is no more ca-bundle.crt file with the trusted roots to import shipped
|
|
in mutt. The user is encouraged to use ca-bundle.crt from ca-certificate
|
|
package. This makes you trust anything that was ultimately
|
|
signed by one of them. You can use "smime_keys add_root" to do so, or
|
|
just copy ca-bundle.crt into the place you point mutt's smime_ca_location
|
|
variable to.
|
|
|
|
|
|
|
|
Other notes
|
|
|
|
Key management is done in a way similar to OpenSSL's CA directory. Private
|
|
keys and certificates are stored in different directories, as OpenSSL
|
|
expects either to be supplied in a (distinct) file. Each directory contains
|
|
an unsorted file named '.index' wherein each line has several fields:
|
|
mailbox, keyid, label, id of the intermediate certificate and keyflags.
|
|
|
|
* Keyid is a hashvalue derived from the subject field of a certificate
|
|
and supplied by OpenSSL.
|
|
|
|
* The mailbox address is derived from either From or Sender field of the
|
|
message, and matched with the email field of the certificate. Non
|
|
matching address pairs get rejected, as get certificates not
|
|
containing a mailbox address at all. (These are security issues, that
|
|
perhaps should be configurable.)
|
|
|
|
* Label is set by the perl script (it will ask you to supply one), when
|
|
you add your keypair to the database. So are the remaining two fields.
|
|
|
|
* keyflags are set with certificate verification option of the perl
|
|
script. It may take as value one of the following: i: invalid
|
|
(verification failed), r: revoked, e: expired, u: unverified, v:
|
|
successfully verified and finally t: trusted, in case it was
|
|
successfully verified and you chose to trust the certificate (the
|
|
script will ask you). Mutt will not use invalid, revoked or expired
|
|
certificates for signing or encryption. It will ask for confirmation
|
|
before using unverified certificates, and finally it will issue a
|
|
warning before using successfully verified but untrusted certificates.
|
|
|
|
The purpose fields of a certificate do not get verified yet, also there is
|
|
no real check if the given file is a certificate at all.
|
|
|
|
Key retrieval is done obviously by searching the index file for a given
|
|
mailbox. If none is found, the user is presented a list of available keys
|
|
and asked to select one of those.
|
|
|
|
The certificate and key directories specified in muttrc have to exist. Mutt
|
|
will not create them. If you wish to sign messages yourself, note that this
|
|
mutt does not address any PKCS10 or PKCS12 issues (yet?); that is, you have
|
|
to get a valid certificate outside of mutt. (See above)
|
|
|
|
|
|
|
|
A certificate can be viewed by adding the following to your ~/.mailcap:
|
|
|
|
application/x-pkcs7-signature;openssl pkcs7 -in %s -inform der -noout \
|
|
-print_certs -text | less; needsterminal
|