* [gentoo-user] encrypted email (gentoo-windows)
From: James @ 2011-03-25 18:51 UTC
To: gentoo-user

Hello,

Background: I use Thunderbird as my email client, but the mail servers of another (my isp). What I want is an email setup that interoperates with encrypted emails from various unix and windows based servers. (maybe dreaming here?) So I'm researching interoperability of enigmail, pgp, and such, but everything I find is dated; citations appreciated.

Q1. Is there a method that will allow me to set up my email client(s) using various mail servers as their smtp_host that start out with really good encryption/dig-signatures and then auto fall back down to lesser secure option with the last one being ordinary email services?

Q2. Windows.... I'm not too versed in Windows. I try to avoid all things windows. Unfortunately most of my activity (emails etc) is with folks that like BG and the Redmonds..... So what I'm thinking is there are few (MS) sites that actually have some sort of auto-negotiations scheme to try for the very best security between email servers (nix-doz) and then fall back down the scale to a circa RFC822 type of negotiated arrangement. But most MS sites are brain-dead on their mail server and try hard to not be interoperable with *nix as with all things Redmond?

At the very least, maybe there is a tool (script) to run that will ferret out the offered secure email exchange options with a given mail server, categorize them, and at least use secure email correspondences with those mail servers that have been flushed out? Dunno. I'd settle for secure email with the majority of sites I regularly exchange emails with.

It's been a while since I set up a mail server, but, if that (postfix) is what I need to do, then just tell how (overview) the packages you'd use, or is this part of postfix?

Q3. Any documents, comments, or guidance is most welcome.

James
* Re: [gentoo-user] encrypted email (gentoo-windows)
From: Sebastian Beßler @ 2011-03-25 21:09 UTC
To: gentoo-user

On 25.03.2011 19:51, James wrote:

> It's been a while since I set up a mail server, but,
> if that (postfix) is what I need to do, then just tell
> how (overview) the packages you'd use, or is this part of postfix?

Mail encryption is, as far as I know, something that works on the client-side only. The mail server doesn't see the encryption, encrypted mails contain only text, just like every other mail.

The only encryption that comes in mind on the server side is transport encryption, aka SSL or TLS. But for that you don't need enigmail or gpg.

If my answer has nothing to do with your problem, please give me more information what you have in mind.

Greetings

Sebastian Beßler
* Re: [gentoo-user] encrypted email (gentoo-windows)
From: Matt Harrison @ 2011-03-25 21:13 UTC
To: Sebastian Beßler; Cc: gentoo-user

On Fri, Mar 25, 2011 at 10:09:23PM +0100, Sebastian Beßler wrote:
> On 25.03.2011 19:51, James wrote:
>
> > It's been a while since I set up a mail server, but,
> > if that (postfix) is what I need to do, then just tell
> > how (overview) the packages you'd use, or is this part of postfix?
>
> Mail encryption is, as far as I know, something that works on the
> client-side only. The mail server doesn't see the encryption, encrypted
> mails contain only text, just like every other mail.
>
> The only encryption that comes in mind on the server side is transport
> encryption, aka SSL or TLS. But for that you don't need enigmail or gpg.
>
> If my answer has nothing to do with your problem, please give me more
> information what you have in mind.
>
> Greetings
>
> Sebastian Beßler
>

amavis-new supports signing all outgoing mails with a gpg signature, not that I think it's very relevant to the OP's question. I just wanted to chime in as I haven't posted here in a while :)

Matt
* Re: [gentoo-user] encrypted email (gentoo-windows)
From: Sebastian Beßler @ 2011-03-25 21:26 UTC
To: gentoo-user

On 25.03.2011 22:13, Matt Harrison wrote:
> On Fri, Mar 25, 2011 at 10:09:23PM +0100, Sebastian Beßler wrote:

>> Mail encryption is, as far as I know, something that works on the
>> client-side only. The mail server doesn't see the encryption,
>> encrypted mails contain only text, just like every other mail.

> amavis-new supports signing all outgoing mails with a gpg signature,
> not that I think it's very relevant to the OP's question. I just
> wanted to chime in as I haven't posted here in a while :)

As I said, as far as I know. I haven't used amavis in years so that I was not aware of this. But mail signing and mail encrypting are two absolutely different pairs of shoes.

Greetings

Sebastian Beßler

PS: The key you use for signing is expired.
* Re: [gentoo-user] encrypted email (gentoo-windows)
From: Matt Harrison @ 2011-03-25 21:48 UTC
To: Sebastian Beßler; Cc: gentoo-user

On Fri, Mar 25, 2011 at 10:26:24PM +0100, Sebastian Beßler wrote:
> On 25.03.2011 22:13, Matt Harrison wrote:
> > On Fri, Mar 25, 2011 at 10:09:23PM +0100, Sebastian Beßler wrote:
>
> >> Mail encryption is, as far as I know, something that works on the
> >> client-side only. The mail server doesn't see the encryption,
> >> encrypted mails contain only text, just like every other mail.
>
> > amavis-new supports signing all outgoing mails with a gpg signature,
> > not that I think it's very relevant to the OP's question. I just
> > wanted to chime in as I haven't posted here in a while :)
>
> As I said, as far as I know.
> I haven't used amavis in years so that I was not aware of this.
> But mail signing and mail encrypting are two absolutely different pairs of
> shoes.
>
> Greetings
>
> Sebastian Beßler
>
> PS: The key you use for signing is expired.
>

I believe it can encrypt as well, as long as the keys are supplied previously for the recipients.

And thanks for pointing out my expired key, strangely neither mutt nor gpg complained about using it for quite a while now.

Even stranger, you're the first person who has noticed or told me :o

Matt
* Re: [gentoo-user] encrypted email (gentoo-windows)
From: Sebastian Beßler @ 2011-03-25 22:19 UTC
To: Matt Harrison; Cc: gentoo-user

On 25.03.2011 22:48, Matt Harrison wrote:

> I believe it can encrypt as well, as long as the keys are supplied previously for the
> recipients.

That sounds interesting. I have to look into that. Maybe that is something for the thread starter too.

> Even stranger, you're the first person who has noticed or told me :o

It was a pleasure to help. You are one of a handful of people in my inbox that use signing, so your expired key was eye-catching.

Greetings

Sebastian Beßler
* [gentoo-user] Re: encrypted email (gentoo-windows)
From: James @ 2011-03-27 2:03 UTC
To: gentoo-user

Sebastian Beßler <sebastian <at> darkmetatron.de> writes:

> Mail encryption is, as far as I know, something that works on the
> client-side only. The mail server doesn't see the encryption, encrypted
> mails contain only text, just like every other mail.
>

OK let's ignore the mail server portion. You're basically implying that encrypted mail handling from the server, does not matter if it's an exchange server, or *nix, like postfix....

As an example. Look at the situation where a person is using only MS technology and has no access to support (input) on their client software nor the MS exchange server (big corp for example that assumes the world only uses MS software). Maybe they can make a few setting changes only in Outlook to get encryption working between a MS (Outlook) system and my Gentoo system using pgp and thunderbird?

> If my answer has nothing to do with your problem, please give me more
> information what you have in mind.

I do not have a problem. I have assumed that encrypted mail between a given client software on a gentoo system, will not work with windows. Is this assumption incorrect?

Or it's just install whatever I want (mail client on gentoo) and it will auto-magically exchange encrypted mail with outlook on a windows machine, behind a MS Exchange server, regardless of what the MS admins do on their side?

I assumed that is not that easy (my default experience with MS), and things have to be coordinated, like most MS issues, to be able to exchange encrypted mail between a gentoo and MS workstation....

Nothing to it, or massive issues on the MS side? Obviously, making changes on the gentoo workstation client, is easy....

What I would really like is to be able to exchange encrypted mail with any MS user. That, I'm sure, will entail pointing them to documents on how to set up the software on the MS (outlook) side. Links for MS help?

???

A general discussion at this point, not a specific solution. My googling only reveals dated discussions along these lines or information that is not useful.

James
* Re: [gentoo-user] Re: encrypted email (gentoo-windows)
From: Mick @ 2011-03-27 11:11 UTC
To: gentoo-user

On Sunday 27 March 2011 03:03:30 James wrote:
> Sebastian Beßler <sebastian <at> darkmetatron.de> writes:
> > Mail encryption is, as far as I know, something that works on the
> > client-side only. The mail server doesn't see the encryption, encrypted
> > mails contain only text, just like every other mail.
>
> OK let's ignore the mail server portion. You're basically implying
> that encrypted mail handling from the server, does not matter if
> it's an exchange server, or *nix, like postfix....
>
> As an example.
> Look at the situation where a person is using only MS technology
> and has no access to support(input) on their client software nor the
> MS exchange server (big corp for example that assumes the world
> only uses MS software). Maybe they can make a few setting changes
> only in Outlook to get encryption working between a MS (Outlook)
> system and my Gentoo system using pgp and thunderbird?

Depending on the MSWindows OS and email client versions your MS counterpart can try installing and running:

http://www.gpg4win.org/about.html

Alternatively, instead of OpenPGP you can use S/MIME certificates - either self-signed or from a <ahem!> reputable Certification Authority. I prefer the former where possible, although the average MSWindows user would struggle on their own to even click a (single) button, let alone generate public/private keys, configure a password and then negotiate with the MSWindows certificate manager to accept them. gpg4win will also act as the front for managing the MSWindows S/MIME certs, although Outlook can manage these for SSL signing/encryption natively.

The SSL certificates offered by different CAs are mostly an expensive racket for big corporate clients. Individual users are limited to a few available CAs (like CACert, Comodo, etc) who issue free certificates for personal (email) use, but only some of the browsers include them in their store of trusted CAs - hence the need for manual import of Root CA keys, etc in the user's browser/certificate store and of course the same with the recipients of their email messages. Before you commit to a CA check which browsers and OS already included these in their trusted Root CA store.

> > If my answer has nothing to do with your problem, please give me more
> > information what you have in mind.
>
> I do not have a problem. I have assumed that encrypted mail between
> a given client software on a gentoo system, will not work with windows.
> Is this assumption incorrect?

Yes, this is an incorrect assumption. OpenPGP will not work with MSWindows natively without a 3rd party application (e.g. gpg4win), because OpenPGP does not satisfy the requirements of Microsoft's monopolistic business model. However, SSL certificates will work natively with MSWindows and its Outlook email client. As I said above you have a choice of obtaining such certificates: self-signed or signed by trusted Root CAs (some of which are free for personal use).

Also, in the era of Cloud computing you have the choice of webmail applications (like Horde) which can use both PGP and S/MIME to sign/encrypt/decrypt messages, thus bypassing limitations of given OS or desktop based mail clients.

Finally, you have SaaS solutions for secure email, like http://www.hushmail.com/ but if one does not trust Root CAs why would he trust some hushmail company and its employees is beyond me.

> Or it's just install whatever I want (mail client on gentoo) and it will
> auto-magically exchange encrypted mail with outlook on a windows machine,
> behind a MS Exchange server, regardless of what the MS admins
> do on their side?

Yes, as long as you manage encryption/decryption at the desktop. You need to note though that some corporate IM policies may prohibit the use of encrypted messages. These can be filtered out by the corporate mail server and stopped.

> I assumed that is not that easy (my default experience with MS),
> and things have to be coordinated, like most MS issues, to be
> able to exchange encrypted mail between a gentoo and MS workstation....
>
> Nothing to it, or massive issues on the MS side? Obviously,
> making changes on the gentoo workstation client, is easy....
> What I would really like is to be able to exchange encrypted mail
> with any MS user. That, I'm sure, will entail pointing them to
> documents on how to set up the software on the MS (outlook) side.
> Links for MS help?

They do not need to look at Internet links - just ask them to look up digital signing or encryption in their Outlook help pages. Configuring Outlook is the easy part. The more confusing part might be obtaining an S/MIME certificate and importing the Root CA certificate if it is not already included in whatever Microsoft ships with. I think that Comodo Root CA is already included (and the recently hacked Root CA certificate has not been recalled through last week's MSWindows update).

> ???
> A general discussion at this point, not a specific solution.
> My googling only reveals dated discussions along these lines
> or information that is not useful.

Google has many examples and step-by-step instructions for configuring Outlook to use SSL Certs (S/MIME), usually by the purveyors of all these expensive certificate services:

http://www.globalsign.com/support/personal-certificate/per_outlook07.html

--
Regards,
Mick
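Added example, not part of the thread and not written by any of its participants: the OpenPGP and S/MIME formats discussed above both declare themselves in a message's MIME headers even though the body is opaque to the server, which is what a corporate mail gateway can key on when policy says to stop encrypted mail. The sample messages are constructed, and the names `classify` and `body_readable_by_server` are hypothetical.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

SMIME_SIG = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
SMIME_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
SMIME_KINDS = {"enveloped-data": "smime-encrypted", "signed-data": "smime-signed"}


def _param(msg, name):
    """Return a Content-Type parameter lower-cased, or '' when absent."""
    value = msg.get_param(name)
    return collapse_rfc2231_value(value).lower() if value else ""


def classify(raw):
    """Label a raw message by the protection its MIME structure declares."""
    msg = message_from_string(raw)
    ctype, protocol = msg.get_content_type(), _param(msg, "protocol")
    # PGP/MIME (RFC 3156): the top-level type and protocol parameter say it all.
    if ctype == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return "pgp-mime-encrypted"
    if ctype == "multipart/signed" and protocol == "application/pgp-signature":
        return "pgp-mime-signed"
    # S/MIME: detached signature, or a single CMS blob typed by smime-type.
    if ctype == "multipart/signed" and protocol in SMIME_SIG:
        return "smime-signed"
    if ctype in SMIME_MIME:
        return SMIME_KINDS.get(_param(msg, "smime-type"), "smime-other")
    # Inline PGP: ordinary text parts that carry ASCII armor.
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        if "-----BEGIN PGP MESSAGE-----" in body:
            return "pgp-inline-encrypted"
        if "-----BEGIN PGP SIGNED MESSAGE-----" in body:
            return "pgp-inline-signed"
    return "plain"


def body_readable_by_server(kind):
    """Signed mail is still inspectable in transit; encrypted mail is not."""
    return not kind.endswith("-encrypted")


# Constructed sample messages (placeholders, no real keys or ciphertext).
HEAD = ("From: alice@example.org\nTo: bob@example.com\n"
        "Subject: constructed sample\nMIME-Version: 1.0\n")
SAMPLES = {
    "pgp-mime-encrypted": HEAD +
        'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b"\n\n'
        "--b\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n\n"
        "--b\nContent-Type: application/octet-stream\n\n"
        "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n--b--\n",
    "pgp-mime-signed": HEAD +
        'Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nhello\n\n"
        "--b\nContent-Type: application/pgp-signature\n\n(placeholder)\n--b--\n",
    "smime-encrypted": HEAD +
        'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
        "Content-Transfer-Encoding: base64\n\nAAAA\n",
    "smime-signed": HEAD +
        'Content-Type: multipart/signed; micalg=sha1; protocol="application/pkcs7-signature"; boundary="b"\n\n'
        "--b\nContent-Type: text/plain\n\nhello\n\n"
        "--b\nContent-Type: application/pkcs7-signature\n\nAAAA\n--b--\n",
    "pgp-inline-encrypted": HEAD +
        "Content-Type: text/plain; charset=utf-8\n\n"
        "-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n",
    "plain": HEAD + "\nJust ordinary mail.\n",
}

if __name__ == "__main__":
    for expected, raw in SAMPLES.items():
        kind = classify(raw)
        print(f"{expected:22} -> {kind:22} server can read body: {body_readable_by_server(kind)}")
```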
* [gentoo-user] Re: encrypted email (gentoo-windows)
From: James @ 2011-03-27 14:48 UTC
To: gentoo-user

Mick <michaelkintzios <at> gmail.com> writes:

> Google has many examples and step-by-step instructions for configuring Outlook
> to use SSL Certs (S/MIME), usually by the purveyors of all these expensive
> certificate services:

> http://www.globalsign.com/support/personal-certificate/per_outlook07.html

Hello Mick,

Exactly what I was looking for. Not just the part I included, but your entire answer. Gmane gets fussy about including too much previous text in responses. Sure, I've set up numerous email clients, like Thunderbird and such on doze systems before (encryption or not); that's a no-brainer. Outlook in a rigid corporate environment without the admin's help on that side..... interesting. If their spam filters are too aggressive, it will most likely quarantine the incoming encrypted files. A program of encryption, but makes files look like text to spam filters, would be keen, but most likely crackable, due to the limited char_set? Never tried this but hey, there is ALWAYS a way to "skin the cat".......

But I have never tried to help an ordinary Outlook user get encryption working, so as to exchange encrypted email, with their linux brethren without their Admin's involvement. Most admins at corps do not care, but they are understaffed and only support what they support. So you have articulated some options where I can help a generic corporate user setup and use encryption, without their admin's involvement, which I guess is what I did not clearly explain in previous posts, as the goal all along, using Outlook or other MS based applications.

THANKS; for sharing your knowledge and view of the landscape. I've got it from here.

James
* Re: [gentoo-user] Re: encrypted email (gentoo-windows)
From: Mick @ 2011-03-27 19:49 UTC
To: gentoo-user

On Sunday 27 March 2011 15:48:53 James wrote:
> Mick <michaelkintzios <at> gmail.com> writes:
> > Google has many examples and step-by-step instructions for configuring
> > Outlook to use SSL Certs (S/MIME), usually by the purveyors of all these
> > expensive certificate services:
> >
> > http://www.globalsign.com/support/personal-certificate/per_outlook07.html
>
> Hello Mick,
>
> Exactly what I was looking for. Not just the part I included, but
> your entire answer. Gmane gets fussy about including too much
> previous text in responses. Sure, I've set up numerous email clients,
> like Thunderbird and such on doze systems before (encryption or not);
> that's a no-brainer. Outlook in a rigid corporate environment without the
> admin's help on that side..... interesting. If their spam filters
> are too aggressive, it will most likely quarantine the incoming encrypted
> files. A program of encryption, but makes files look like text to
> spam filters, would be keen, but most likely crackable, due to the
> limited char_set? Never tried this but hey, there is ALWAYS a way
> to "skin the cat".......
>
> But I have never tried to help an ordinary Outlook user get encryption
> working, so as to exchange encrypted email, with their linux brethren
> without their Admin's involvement. Most admins at corps do not care, but
> they are understaffed and only support what they support. So you have
> articulated some options where I can help a generic corporate user setup
> and use encryption, without their admin's involvement, which I guess is
> what I did not clearly explain in previous posts, as the goal all along,
> using Outlook or other
> MS based applications.
>
> THANKS; for sharing your knowledge and view of the landscape.
> I've got it from here.

Glad I could help James. :-)

Before you start helping remotely MSWindows users I recommend you install MSWindows in a virtual machine (e.g. virtualbox-bin will take only a few minutes) and configure the OS and mail client to send and receive signed/encrypted messages as preferred. Otherwise, you may quickly run aground when the corporate users' technical knowledge stops them configuring their machines as necessary.

PS. Some corporate set ups will have the MS Windows SSL certificate store settings access blocked for normal users. In that case only MSWindows recognised S/MIME Root CAs will be usable without warnings. As far as I recall Comodo is recognised.

--
Regards,
Mick
* Re: [gentoo-user] Re: encrypted email (gentoo-windows)
From: JM @ 2011-03-27 20:11 UTC
To: gentoo-user

Hi - if you want to be able to send encrypted email from a linux machine that a person using a windows machine can de-crypt and read securely, the simplest way is to use the Gpg4win (for the windows machine) which incorporates Claws Mail (a port of a linux email client which is also available on Gentoo). Claws mail is in Portage.

So at the simplest level, if you install the Claws email on your linux box, along with a pgp encryption tool (I think it's called Gpg, not 100% sure what the Portage package is, but any pgp encryption tool will probably work, it may already be built in to Claws), then advise your windows recipients to install Gpg4win (google it) which is a windows package which includes Claws mail, you will be able to exchange encrypted emails securely between linux and windows recipients.

On the windows machine, the Gpg4win package will encrypt & decrypt email, you will only need to find a gpg related tool for the linux machine in order to encrypt your emails on it before sending them. I'm not really sure what gpg uses, it may well use pgp encryption which is standard and there will be a tool in Portage which can encrypt and decrypt email using pgp (or at least one to encrypt and decrypt any file which can then be forwarded by email).

TBH - the encryption side of it is really OS independent, but using Gpg4win on windows and any linux email client which supports pgp encryption / signing should give you what you are looking for (Gpg=Gnu Privacy Guard). You will just need to double check that whatever you use on the linux side, is compatible with Gpg.

On 27 March 2011 03:03, James <wireless@tampabay.rr.com> wrote:

> Sebastian Beßler <sebastian <at> darkmetatron.de> writes:
>
> > Mail encryption is, as far as I know, something that works on the
> > client-side only. The mail server doesn't see the encryption, encrypted
> > mails contain only text, just like every other mail.
> >
>
> OK let's ignore the mail server portion. Your basically implying
> that encrypted mail handling from the server, does not matter if
> it's an exchange server, or *nix, like postfix....
>
> As an example.
> Look at the situation where a person is using only MS technology
> and has no access to support(input) on their client software nor the
> MS exchange server (big corp for example that assumes the world
> only uses MS software). Maybe they can make a few setting changes
> only in Outlook to get encryption working between a MS (Outlook)
> system and my Gentoo system using pgp and thunderbird?
>
> > If may answer has nothing to do with your problem, please give me more
> > information what you have in mind.
>
> I do not have a problem. I have assumed that encrypted mail between
> a given client software on a gentoo system, will not work with windows.
> Is this assumption incorrect?
>
> Or it's just install whatever I want (mail client on gentoo) and it will
> auto-magically exchange encrypted mail with outlook on a windows machine,
> behind a MS Exchange server, regardless of what the MS admins
> do on their side?
>
> I assumed that is not that easy (my default experience with MS),
> and things have to be coordinated, like most MS issues, to be
> able to exchange encrypted mail between a gentoo and MS workstation....
>
> Nothing to it, or massive issues on the MS side? Obviously,
> making changes on the gentoo workstation client, is easy....
> What I would really like is to be able to exchange encrypted mail
> with any MS user. That, I'm sure with entail pointing them to
> documents on how to set up the software on the MS (outlook) side.
> Links for MS help?
>
> ???
> A general discussion at this point, not a specific solution.
> My googling only reveals dated discussions along these lines
> or information that is not useful.
>
> James