Setting up encrypted mails using s/mime with mutt


Encrypted communications are necessary to protect our privacy. There are many ways to achieve the desired privacy. One of those ways are securing our email communications.

There are two methods for securing email communications. The first is using "Pretty Good Privacy" software, such as gnupg or openpgp. The second is using S/MIME, which is based on Public Key Infrastructure, by using certificate issued by trusted certificate authority instead of self-generated gpg key.

No matter which method to use, as long as the desired privacy level is achieved, it is no problem. PGP is good to build trust between community. S/MIME, which is based on public key infrastructure, has its advantage of a trusted certificate authority. An encryption choice is a matter of preference and compatibility between clients. On Unix/Linux based systems, PGP is easy to set up, whereas on Windows based system, S/MIME has its advantage of easy to use. It's possible to use both encryption method on every platform, so that PGP and S/MIME should be compatible for most platform.

Another advantage of using S/MIME to sign and encrypt messages is no need to worry about signature exchange. As long as your S/MIME certificate is issued by a trusted certificate authority, you are trusted. No need to worry about gpg signing exchange party. Your level of trust is the same as the certificate authority that issued your certificate.

Here, I'll focus on setting up a curses-based mail user agent (MUA). It's Mutt, a simple text-based interface mail client. It's resource friendly and available for most platform, including Linux and Windows (via Cygwin), although I focus on Linux - which is the main OS on the Blinkenshell.

Setting Up Client Certificate

It's possible to generate self-signed certificate for use with encrypting mails, although there will be some problems such as untrusted certificates. I don't talk much about self generated certificates. Instead, I'll use a Comodo-generated personal certificate, which is free for personal usage and trusted by many mail clients.

Go to Comodo free email certificate sign up. Fill in the available forms. Check your inbox and follow the given instruction. I recommend using Firefox browser to retrieve the generated certificate.

When the certificate has been retrieved, export it. Go to Firefox menu, hit preferences button. Navigate to advanced tab, and click on certificates. Navigate to personal certificates and click export. Choose a strong password and save the pkcs12 key on a safe location, which is readable only by yourself.

Transferring PKCS12 to server

Now, transfer the pkcs12 key to your remote server. You may skip this step if you have mutt installed locally. Launch a terminal emulator and type the following command to transfer the key to your server, in this case is Blinkenshell server.

rsync -e 'ssh -p443' -chavP ~/mycert.p12

Enter your ssh login credentials if prompted

S/MIME Configuration

Congratulations. You have a pkcs12 available on your home directory. Now, prepare SMIME setup to store the certificate so that Mutt can make use of the certificate.


Make sure you have installed mutt with ssl-enabled. If you don't have installed, read my previous post about compiling mutt. Launch the following command to initiate SMIME working directory.

smime_keys init

This command will create two files.


Configuring Mutt for S/MIME encryption

Create ~/.mutt directory if it does'n exist

if [ -d ~/.mutt ]; then
echo '.mutt is available';
mkdir ~/.mutt

Copy S/MIME configuration example from your shared documents. If you followed my previous guide and installed mutt on your home directory, you should be able to find S/MIME configuration on ~/share/doc/mutt/samples/smime.rc.

cp ~/share/doc/mutt/samples/smime.rc ~/.mutt

If you use mutt installed from your distribution package/port manager, you should find smime.rc file on /usr/share/doc/mutt/samples or /usr/share/doc/mutt/examples directory. Make necessary changes according to the example file location.

Edit ~/.muttrc file with your favorite text editor, for example with vim or nano. Add the following lines to refer to S/MIME database path.

set smime_certificates=~/.smime/certificates
set smime_keys=~/.smime/keys
set smime_ca_file_path=/etc/ssl/certs/ca-certificates.crt
source ~/.mutt/smime.rc

Save the file and quit the editor. Then you are ready to import your private key and certificate to S/MIME database.

Importing the certificate to SMIME database

Now, it's time to import the pkcs12 certificate to SMIME database. Mutt uses this database for SMIME function, such as signing, encrypting, and decrypting messages. Launch the following command to achieve the goal.

smime_keys add_p12 ~/mycert.p12

Insert your backup password when asked and create a new password for storing pem certificate on the database. You may use your backup passphrase if you wish. Give it a label indicating that it's a mail certificate, for example whirlpool_at_blinkenshell to show that the certificate is used for s/mime cryptography with my email address at Blinkenshell.

Configuring default signature for use with S/MIME

This step is not really necessary. You'll be asked for which signature to use if you skip this step.

Check your secret key id for use with S/MIME

smime_keys list

You should be able to find your key id in format 123456789.0. Make a note for this key id as it will be added to smime.rc configuration later.

Edit your ~/.mutt/smime.rc file. Replace the default_key with correct key id

set smime_default_key=123456789.0

Add sign as your default key to smime.rc configuration

set sign_as=123456789.0

Save the file and quit the editor. Now, you are ready to test mutt to send and receive S/MIME messages

Testing mutt for working S/MIME configuration

Launch mutt. Compose mail to yourself, by pressing 'm'. Specify the recipient address as yourself. When you've finished editing the mail, press 'S' to show the S/MIME preferences. Choose 'b' to sign and encrypt the mail. Type your S/MIME passphrase when you're asked to do. Type your smtp password when asked.

Wait a few minutes and check your inbox for new message. You should be able to decrypt and verify your own mail. Openssl output should say 'verification finished'. Now you are ready to send a S/MIME signed message

Sending your first s/mime signed message

If you have sent your mail successfully, why don't you send me an S/MIME encrypted mail? Some setup is necessary, but it's okay.

You need to import my public key. First, download my smime public key. Save it as ~/whirlpool.crt or whatever name you choose. Remember to do this on your server.

wget -O ~/whirlpool.crt ''

Now, import my public key to S/MIME database.

smime_keys add_cert ~/whirlpool.crt

Give it a label, for example whirlpool_blinkenshell_pubkey to make it easier to remember my email address.

Now, launch mutt. Compose a new mail, by pressing 'm'. Specify my email address whirlpool at as the recipient. Feel free to choose your own subject.

When you are finished editing, save and quit the editor. Press 'S' to show S/MIME preferences. Select 'b' to both sign and encrypting the mail. Select 'w' to choose an encryption algorithm. I recommend using aes256, although other encryption method will be fine.

Send your message by pressing 'y' button. Enter your secret key passphrase when asked. If you entered wrong passphrase, just press 'ctrl + f' to make mutt forget the passphrase. Enter your smtp credential if asked.

Congratulations. Your S/MIME encrypted message has been sent. Wait for my reply then.

Importing public key from S/MIME signed messages

If you receive an S/MIME encrypted message and you want to encrypt your reply, you need to extract S/MIME signature from the message part. The signature usually found as smime.p7s. Press 'v' to view the attached files. Select the digital signature part. Press 's' to save the attachment to your home directory.

Now, try to identify the smime.p7s file.

file ~/smime.p7s

If the output says "data", it's a DER-encoded PKCS7 public key. If the output says "ASCII text", it's a PEM-encoded PKCS7 public key. You need to convert DER-encoded key to PEM encoded key before you can import it.

openssl smime -inform DES -in ~/smime.p7s -pk7out > smime.crt

If it's a PEM encoded key, just import it using smime_keys script.

smime_keys add_cert ~/smime.p7s

Now, open ~/smime.crt with your text editor. Remove unnecessary part of signature. The important part of signature contains subject=/emailAddress. You can use my S/MIME public key as an example for it.

When you are done removing unnecessary part of the key, now it's time to import the key. Launch the following command to do the task.

smime_keys add_cert ~/smime.crt

Give it a good label indicating the person who own the key. Now, you can send an S/MIME encrypted mail to the person by choosing the right S/MIME public key.

Congratulations. You are ready for S/MIME encrypted communications.