Robert P. Goldman wrote:
> >>>>> "EE" == Eric Estabrooks <estabroo at talkware.net> writes:
> 
>     EE> Robert P. Goldman wrote:
>     >> Does anyone know if it's possible (and if so, how) to exchange
>     >> encrypted emails from Linux with folks who are using the 3DES
>     >> encryption that's built into outlook?  I'm corresponding with some
>     >> folks who are unlikely to learn and start using GPG just to please me,
>     >> but we'd like to exchange secure emails.  Any suggestions?  (Does
>     >> evolution do this by any chance?  Never used it.)
> 
>     EE> I believe outlook supports pkcs certs for email encrypting and signing.
>     EE> In which case you can just go to www.thawte.com and get free personal
>     EE> email certs and import them.  It's very painless under netscape and they
>     EE> have several microsoft options when you request cert types.
> 
> To clarify my earlier questions:
> 
> 0.  My contacts do use Thawte to get certs for outlook.  But....
> 
> 1.  What if one doesn't use Netscape or Outlook?  I'm perfectly happy
> with my MUA.  I'd just like to be able to exchange encrypted mail with
> outlook users.  I don't want to start to learn a whole new MUA.
> Especially not a sucky, bloated, GUI-laden one....

All you need to do is pipe the message through openssl using smime.
It'll decode the message and return the body back to your MUA.

The openssl decrypt command line would look something like this:
openssl smime -decrypt -recip cert.pk7 -in input_file

To verify the signature:
openssl smime -verify -signer theircert.pk7 -in input_file

To pull out a new public cert from a message someone sent you:
# -pk7out writes a PKCS#7 blob, not a certificate; "openssl pkcs7
# -print_certs" turns it into a plain PEM cert that -encrypt and
# -signer can read
openssl smime -pk7out -in input_file -outform PEM \
    | openssl pkcs7 -print_certs -out theircert.pk7

Now all of the thawte certs I have gotten have been pkcs12 and openssl 
smime uses pkcs (netscape and outlook use the pkcs12, but sign in pkcs7 
format).  So you need to convert the pkcs12 to pkcs7 to do digital signing.

# -nodes leaves the key unencrypted; keep the key in the output (no -nokeys),
# because smime -sign/-decrypt read the private key from the -signer/-recip
# file when no -inkey is given
openssl pkcs12 -in original.p12 -out cert.pk7 -nodes -clcerts

When you create a message with openssl and you want to sign and encrypt,
you have to do it as a two-stage process (sign first, encrypt second).

openssl smime -sign -in message.txt -signer yourcert.pk7 -text \
    | openssl smime -encrypt -out mail.txt -to blah@blah -from blah@blah \
        -subject "subject" -des3 theircert.pk7

or if you just want to encrypt without signing

openssl smime -encrypt -in message.txt -text -out mail.txt -to blah@blah \
    -from blah@blah -subject "subject" -des3 theircert.pk7

The -text option is important.  It puts a mime header inside the 
encrypted body and netscape/mozilla won't display the message if you 
don't use this option.

If you leave out the -in or -out parameters then openssl smime uses 
stdin and stdout as appropriate.

Most of this is documented at http://www.openssl.org/docs/apps/

With regards to which MUAs support pkcs certs directly, I don't know.
I have used netscape and mozilla on linux with the certs just fine.  I
had a modified version of elm, but that was a few years ago and I
couldn't tell you where to look for it.  Any MUA that allows you to
specify mime handlers should work (just specify openssl smime as the
handler with the above options) though the cert specification for
verifying might be a little ugly.

Hope this helps,

Eric
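The exchange Eric describes, run end to end as an added example (this script is not part of the mail or the list thread). It generates throwaway self-signed identities, round-trips them through PKCS#12 the way a Thawte/Outlook cert would arrive, performs the two-stage sign-then-encrypt with 3DES, then decrypts, verifies, and recovers the sender's certificate both via -verify -signer and via the -pk7out route. The names alice and bob, the example.invalid addresses, the PKCS#12 password "demo" and the message text are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original mail: exercise the S/MIME commands
# from the thread end to end with openssl.  Everything here is constructed
# for the demo: the identities alice/bob, the example.invalid addresses,
# the PKCS#12 password and the message text.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a throwaway self-signed key+cert for "$1", round-trip it through
# PKCS#12 (the format Thawte/Outlook hand out), and convert it back to a
# single PEM file that holds BOTH the key and the certificate.  That is
# what smime -sign/-decrypt read from -signer/-recip when no -inkey is
# given, so -nokeys must not be used here.
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1/emailAddress=$1@example.invalid" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    openssl pkcs12 -export -passout pass:demo \
        -inkey "$WORK/$1.key" -in "$WORK/$1.crt" -out "$WORK/$1.p12"
    openssl pkcs12 -in "$WORK/$1.p12" -passin pass:demo -nodes -clcerts \
        -out "$WORK/$1.pem"
}

# Two-stage send: sign first (-text adds the text/plain MIME header the
# thread says Netscape/Mozilla insist on), then encrypt the signed message
# to the recipient's public certificate with 3DES, as in the thread.
# $1 sender, $2 recipient, $3 plaintext file, $4 output mail file.
sign_and_encrypt() {
    openssl smime -sign -in "$3" -text -signer "$WORK/$1.pem" |
        openssl smime -encrypt -des3 -out "$4" \
            -to "$2@example.invalid" -from "$1@example.invalid" \
            -subject "smime demo" "$WORK/$2.crt"
}

# Receive: decrypt with the recipient's key+cert file, then verify the inner
# signature against a trust anchor.  On -verify, -signer WRITES the signer's
# certificate out, which is the simplest way to capture a correspondent's
# public cert from a signed message.
# $1 recipient, $2 expected signer, $3 mail file, $4 recovered content file.
decrypt_and_verify() {
    openssl smime -decrypt -recip "$WORK/$1.pem" -in "$3" -out "$WORK/inner.eml"
    openssl smime -verify -in "$WORK/inner.eml" -CAfile "$WORK/$2.crt" \
        -signer "$WORK/$2.fromsig.crt" -out "$4" 2>/dev/null
}

# The thread's -pk7out route: it yields a PKCS#7 blob, not a certificate,
# so pipe it through "openssl pkcs7 -print_certs" to get a PEM cert that
# -encrypt and -signer can read.  $1 signed mail file, $2 output PEM file.
extract_cert_pk7out() {
    openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs -out "$2"
}

# SHA-256 fingerprint of a PEM cert, used to compare the extracted copies
# with the original.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Run the whole exchange alice -> bob and print the recovered content.
# Returns non-zero if either extracted certificate differs from alice's.
run_demo() {
    make_identity alice
    make_identity bob
    printf 'Meet at noon, bring the PKCS#12 file.\n' > "$WORK/message.txt"

    sign_and_encrypt alice bob "$WORK/message.txt" "$WORK/mail.eml"
    decrypt_and_verify bob alice "$WORK/mail.eml" "$WORK/content.txt"
    extract_cert_pk7out "$WORK/inner.eml" "$WORK/alice.pk7out.crt"

    want=$(fingerprint "$WORK/alice.crt")
    [ "$(fingerprint "$WORK/alice.fromsig.crt")" = "$want" ] || return 1
    [ "$(fingerprint "$WORK/alice.pk7out.crt")" = "$want" ] || return 1

    # Because -text was given at signing time, the recovered content still
    # carries its "Content-Type: text/plain" header ahead of the body.
    cat "$WORK/content.txt"
}

run_demo
```

The -text header is the detail to watch: it is added by the signing step and survives decryption, so a verifier that is not told -text hands the MUA a small MIME entity rather than a bare body, which is exactly what lets Netscape/Mozilla render it. The two fingerprint checks show that -verify -signer and the -pk7out/pkcs7 -print_certs pair both recover the same certificate the sender actually used.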