HowTo: e-Mail Client Software

See also ImportRootCert | FAQ/BrowserClients

This HowTo tells you how to manually import the CAcert root certificate, and the *.p12 / *.pfx files containing your client certificates together with their private keys, into your e-mail client software.

Expected Result: You can sign and encrypt e-mail with S/MIME using CAcert-issued certificates (or with PGP/GPG where the client supports it).

Android

DJIGZO

DJIGZO has two separate key stores: "Certificates & Keys" for your personal keys (and intermediate certificates), and "Root certificates" for CA root certificates. So when your CA certificate is a (self-signed) root certificate, add it to "Root certificates" by choosing "Store to import to: root". Your own (intermediate or end-user) certificates, which are signed by a CA, go into "Certificates & Keys" by choosing "Store to import to: certificates".

see also here: https://lists.cacert.org/wws/arc/cacert/2012-12/msg00009.html

R2Mail2

For S/MIME encryption and/or signing there is the Android app R2Mail2, a fully functional e-mail client. Unfortunately it costs 4,80 Euros for the license; without it you only see 5 messages per folder (demo mode). R2Mail2 is still being developed and improved. I already find it much better than the default Android mail client. It does not have as many features as K-9 Mail, but it fully supports S/MIME (and, to a more limited degree, PGP).

see also here: https://lists.cacert.org/wws/arc/cacert/2012-12/msg00009.html

FairEmail

This client is available on Google Play and can sign and encrypt messages. It supports both S/MIME and PGP; PGP support is free, S/MIME requires the paid pro features.

The client needs you to install your certificate together with its private key, preferably from the backup file *.p12 / *.pfx (file icon: fingerprint), and of course the CAcert root certificates (these may be contained in the same file).

Installing these files into Android 5 and later is described elsewhere; links are given at the beginning of this article. If you receive mail for the same address on multiple devices, make sure that your *.p12 / *.pfx file contains the same private key and the corresponding certificate you use in your e-mail clients elsewhere; a message encrypted to one certificate cannot be read on a device that only holds a different key. Certificate and private key are installed automatically when you download or open the file. If more than one (private key & certificate) pair is installed in Android, you will need to select which one the client should use when sending a signed or encrypted message.
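Before importing a *.p12 / *.pfx backup into any of the clients on this page it is worth checking, on a desktop, that the file really holds the private key matching the certificate and that the CA chain is bundled, since a client only reports a vague failure otherwise. The following shell script is an added example (not CAcert's code): it builds constructed, throwaway test material (an "Example Test Root" and a leaf certificate for a placeholder alice@example.org, not CAcert's real root), packs it into a .p12 the way a client backup would look, and then runs the same checks you would run on a real file. It also prints the SHA-256 certificate fingerprint that the Outlook and Thunderbird procedures later on this page ask you to compare over the phone.

```shell
#!/bin/sh
# Added example: inspect a .p12/.pfx before importing it into a mail client.
set -eu
WORK="$(mktemp -d)"

# Minimal openssl.cnf so the example does not depend on a system config file.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:alice@example.org
EOF

# Constructed test material: a throwaway root and an S/MIME leaf signed by it
# (placeholders, not CAcert's root), bundled into a .p12 with key + chain.
make_test_material() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Example Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=alice@example.org" \
    -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/alice.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/openssl.cnf" -extensions v3_leaf \
    -out "$WORK/alice.crt" 2>/dev/null
  openssl pkcs12 -export -passout pass:test -name "alice@example.org" \
    -inkey "$WORK/alice.key" -in "$WORK/alice.crt" -certfile "$WORK/root.crt" \
    -out "$WORK/alice.p12"
}

# Prints OK, MISMATCH (key does not belong to the certificate) or NOCHAIN
# (the issuing chain up to a self-signed root is not in the bundle).
check_p12() {   # $1 = .p12/.pfx file, $2 = its password
  d="$(mktemp -d)"
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$d/key.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts -out "$d/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -cacerts -out "$d/chain.pem" 2>/dev/null
  # Compare the public keys rather than RSA moduli, so EC keys work too.
  k_from_key="$(openssl pkey -in "$d/key.pem" -pubout 2>/dev/null | openssl sha256)"
  k_from_crt="$(openssl x509 -in "$d/leaf.pem" -pubkey -noout | openssl sha256)"
  if [ "$k_from_key" != "$k_from_crt" ]; then echo MISMATCH; return 0; fi
  # Verify the leaf against only the CA certificates carried in the bundle.
  if ! openssl verify -CAfile "$d/chain.pem" "$d/leaf.pem" >/dev/null 2>&1; then
    echo NOCHAIN; return 0
  fi
  echo OK
}

# SHA-256 fingerprint of a certificate: the value to read out over the phone.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

make_test_material
echo "alice.p12: $(check_p12 "$WORK/alice.p12" test)"
echo "fingerprint: $(cert_fingerprint "$WORK/alice.crt")"
```

On a real backup, run `check_p12 yourfile.p12 'password'`: a MISMATCH means the file was assembled from a key and certificate that do not belong together and no client will be able to decrypt with it; NOCHAIN means the CAcert root (and any intermediate) has to be imported separately, as the DJIGZO and Thunderbird sections describe.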

To decrypt a received message, you may need to tap the lock icon in the header.

As with other e-mail clients, you first need to receive one unencrypted but signed message from the person with whom you want to exchange encrypted messages. The signature is marked by an icon in the message header, and the client saves the sender's certificate automatically. After tapping the icon, FairEmail shows you who signed the message and other details.

iOS (iPhone, iPad)

The advantage of S/MIME is that it is built into Mail on iOS. To enable it, go to Settings > (the account) > Account > Advanced for each e-mail account and enable S/MIME.

PGP/GPG in (Apple) Mail


Linux

PGP/GPG in Thunderbird

S/MIME in Thunderbird

see: http://luxsci.com/blog/installing-smime-and-pgp-encryption-certificates-into-major-email-clients.html

MacOS (Macintosh)

Mac OS X includes Keychain, a built-in key and password manager, which stores user passwords, user and server certificates, and keys. Some applications (Mail among them) use this central Keychain for storing and retrieving certificates instead of maintaining their own certificate stores.

The advantage of S/MIME is that it's built into Mail on the Mac.

To import your certificate-key pair: double-click the *.p12 / *.pfx file (or use File > Import Items... in Keychain Access), enter the file's password and choose the login keychain when asked.

Once imported, your certificate-key pair will appear under both the Certificates and Keys categories in the Keychain Access utility.

Apple Mail

German instructions

S/MIME in (Apple) Mail

see: http://luxsci.com/blog/installing-smime-and-pgp-encryption-certificates-into-major-email-clients.html

S/MIME in Entourage

see: http://luxsci.com/blog/installing-smime-and-pgp-encryption-certificates-into-major-email-clients.html

Thunderbird

see Linux

Outlook for OS X

Windows

S/MIME in Outlook 2003

see: http://luxsci.com/blog/installing-smime-and-pgp-encryption-certificates-into-major-email-clients.html

S/MIME in Outlook 2007

see: http://luxsci.com/blog/installing-smime-and-pgp-encryption-certificates-into-major-email-clients.html

S/MIME in Outlook 2010

see: HowToDocuments/Outlook 2010

S/MIME in Outlook 2016 & 2019

Prerequisites:

  1. Both participants are using Outlook 2016 or 2019.
  2. Each participant has their e-mail certificate and the corresponding private key installed in Outlook, ideally imported from a backup P12 (.p12, .pfx) file. (I recommend naming the file after the e-mail address the certificate was issued for, plus the certificate serial number.)
  3. In the Trust Center: File - Options - (dialog) Trust Center - Trust Center Settings - (dialog) Email Security, under "Encrypted email" open Default Settings with the Settings... button. In the next dialog select the signing certificate and hash algorithm (e.g. SHA256), then the encryption certificate and encryption algorithm (e.g. AES 128-bit), the maximum the certificate allows. The same certificate can serve both functions. Note that the certificate shown is not necessarily the one you selected but the first one the system has "in line"; you can pick another (or the first one) via the "More choices" link. Finally close all the dialogs one by one with about three OKs.
  4. /!\ This complexity discourages the use of encryption; it is probably intentional on Microsoft's part. /!\

Procedure:

One of the participants (let's call her Alice) initiates the encrypted conversation by sending her partner (Bob) a message signed with her private key; Alice's certificate, containing her public key, is attached to the signed message. Besides explanatory or other text, the message should include the cryptographic fingerprint of Alice's certificate.

The other participant (Bob) receives this message; his Outlook verifies the signature and saves Alice's certificate. Now it is Bob's turn to send Alice a similar signed message carrying his certificate.

For complete (paranoid) security, both should verify the fingerprints of each other's certificates over a different channel (e.g. telephone). A fingerprint quoted inside the signed message itself only proves that the message and the attached certificate belong together, not who sent them.

Now Alice can continue the conversation by replying to Bob's signed message. The reply must be opened in a separate window (Pop Out, not the inline reply in the reading pane); there, under the "Options" tab, she selects both Encrypt and Sign.

Bob receives the message and his Outlook decrypts it; again it is better to open it in a separate window. The conversation then continues in the same way.

New Start

If a participant starts another encrypted conversation after a long pause, the recipient should be selected from the address book, or the autocomplete suggestion confirmed. If you type the address directly into the To: field, or paste it from the mailbox, encryption fails with an error (the recipient's certificate is not found; this may also be an Outlook bug).

When this happens, find the recipient's unencrypted signed message again (or request a new one and check its fingerprint) and reply to it encrypted.

Thunderbird

see also Linux

Thunderbird v.78.12.0

Prerequisites:

  1. Certificates with their private keys are installed in the program: hamburger icon - Options - Privacy and Security - last section in the panel - Certificates - Manage Certificates - (dialog) - Your Certificates - Import. Since Thunderbird has its own certificate store, you also need to make sure the CAcert root certificates are installed under "Authorities". Importing under Authorities takes PEM (.crt) and similar files; importing client certificates under Your Certificates requires P12 (.p12, .pfx) files.
  2. The encryption settings are made for each account (e-mail address) separately. Click on the account name to get a series of links in the top right panel and use "End-to-end Encryption". A settings dialog opens: the top part is for OpenPGP, the bottom for S/MIME, and at the very bottom is the preferred encryption technology.
  3. Under S/MIME you first select the certificates for digital signature and for encryption (the same certificate can serve both). You can also choose to encrypt messages by default. The Certificate Manager can be opened directly from here. Neither the hash nor the encryption algorithm can be set here.
  4. For OpenPGP a suitable pre-generated key must be selected (Add Key button). The OpenPGP Key Manager can also be opened directly.

Procedure:

For S/MIME it is similar to Outlook, just without the complications of selecting the recipient or the separate window.

One of the participants (let's call her Alice) initiates the encrypted conversation by sending her partner (Bob) a message signed with her private key; Alice's certificate, containing her public key, is attached to the signed message. Besides explanatory or other text, the message should include the cryptographic fingerprint of Alice's certificate.

The other participant (Bob) receives this message; his Thunderbird verifies the signature and saves Alice's certificate. Now it is Bob's turn to send Alice a similar signed message carrying his certificate. For complete (paranoid) security, both should verify the fingerprints of each other's certificates over a different channel (e.g. telephone).

Now Alice can continue the conversation by replying to Bob's signed message. In the message header under "Options" she selects encryption, the encryption technology (OpenPGP or S/MIME) and the digital signature.

Bob receives the message and his Thunderbird decrypts it. The conversation then continues in the same way.
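The exchange described in the Outlook and Thunderbird procedures above (signed message first, certificate picked up from it, fingerprint checked, then signed and encrypted replies) can be reproduced step by step with openssl's cms tool, which makes visible what the clients do behind the Options buttons. The following shell script is an added example, not code from this page or from any of the clients: it uses constructed self-signed certificates for placeholder identities "Alice" and "Bob" so it runs offline; with real CAcert-issued certificates the recipient would verify the signer's chain against the CAcert root (pass -CAfile with the root instead of -noverify in verify_message).

```shell
#!/bin/sh
# Added example: the "signed first, then encrypted" S/MIME exchange with openssl cms.
set -eu
W="$(mktemp -d)"

# Minimal openssl.cnf so `req` does not depend on a system config file.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$W/openssl.cnf"

# Constructed identities: self-signed certificates for placeholders Alice and Bob
# (a real user would hold a CAcert-issued certificate and its private key).
mk_identity() {   # $1 = name, $2 = e-mail address
  openssl req -x509 -config "$W/openssl.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 30 -subj "/CN=$1/emailAddress=$2" \
    -keyout "$W/$1.key" -out "$W/$1.crt" 2>/dev/null
}

# SHA-256 fingerprint of a certificate: the value compared over the phone.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Sender: sign the body with the private key; the signer's certificate is
# embedded in the multipart/signed message so the recipient can save it.
sign_message() {   # $1 = name, $2 = plaintext file, $3 = output .eml
  openssl cms -sign -text -in "$2" -signer "$W/$1.crt" -inkey "$W/$1.key" -out "$3"
}

# Recipient: check the signature, save the signer's certificate to $2 and the
# verified body to $3. Exit status is non-zero if the signature does not verify.
# -noverify skips chain building only because the demo certs are self-signed.
verify_message() {   # $1 = signed .eml, $2 = saved signer cert, $3 = body out
  openssl cms -verify -text -in "$1" -noverify -signer "$2" -out "$3" 2>/dev/null
}

# Sign-then-encrypt: the already signed message is the payload, encrypted to
# the recipient's certificate (AES-256-CBC content encryption).
encrypt_to() {   # $1 = signed .eml, $2 = recipient cert, $3 = output .eml
  openssl cms -encrypt -aes256 -in "$1" -out "$3" "$2"
}

decrypt_as() {   # $1 = name, $2 = encrypted .eml, $3 = output (the inner signed .eml)
  openssl cms -decrypt -in "$2" -recip "$W/$1.crt" -inkey "$W/$1.key" -out "$3"
}

# Runs the whole exchange; prints Bob's encrypted reply as Alice reads it.
run_exchange() {
  mk_identity Alice alice@example.org
  mk_identity Bob   bob@example.org

  # 1. Alice -> Bob: signed, unencrypted; her fingerprint quoted in the body.
  printf 'Hello Bob, my certificate fingerprint is %s\n' \
    "$(fingerprint "$W/Alice.crt")" > "$W/m1.txt"
  sign_message Alice "$W/m1.txt" "$W/m1.eml"

  # 2. Bob verifies, saves Alice's certificate and compares its fingerprint with
  #    the value obtained out of band (here: Alice's original file stands in for
  #    the phone call). The fingerprint in the body alone proves nothing.
  verify_message "$W/m1.eml" "$W/alice_at_bob.crt" "$W/m1_body.txt"
  [ "$(fingerprint "$W/alice_at_bob.crt")" = "$(fingerprint "$W/Alice.crt")" ] || return 1

  # 3. Bob -> Alice: his own signed message, so Alice obtains his certificate.
  printf 'Hi Alice, here is mine.\n' > "$W/m2.txt"
  sign_message Bob "$W/m2.txt" "$W/m2.eml"
  verify_message "$W/m2.eml" "$W/bob_at_alice.crt" "$W/m2_body.txt"

  # 4. Both sides now hold the other's certificate: Bob replies signed + encrypted.
  printf 'Hi Alice, got your cert.\n' > "$W/m3.txt"
  sign_message Bob "$W/m3.txt" "$W/m3_signed.eml"
  encrypt_to "$W/m3_signed.eml" "$W/alice_at_bob.crt" "$W/m3.eml"

  # 5. Alice decrypts with her private key, then verifies Bob's signature.
  decrypt_as Alice "$W/m3.eml" "$W/m3_inner.eml"
  verify_message "$W/m3_inner.eml" "$W/bob_check.crt" "$W/m3_body.txt"
  tr -d '\r' < "$W/m3_body.txt"
}

run_exchange
```

Step 4 is the point at which a client that "has not seen a signed message yet" fails: without alice_at_bob.crt there is nothing to encrypt to, which is exactly the Outlook "New Start" error above. Step 5 also shows why signing goes inside the encryption: the recipient verifies the signature on the plaintext she alone could decrypt.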

Of course, the two participants in an encrypted conversation may use different e-mail clients, provided they agree on the encryption type (S/MIME or OpenPGP) and both clients support it.

New Start

Thunderbird has no problems starting a new encrypted conversation with a correspondent whose certificate it has already saved.


CategoryCommunity CategoryConfiguration CategoryGuide CategorySoftware CategorySupport

FAQ/eMailClients (last edited 2021-08-18 15:47:38 by AlesKastner)