Using Secure Email with PGP and SMIME

Author: Meenal Pant

This page describes the setup and usage of secure email with popular secure messaging schemes PGP and SMIME.  The software package implementing PGP used here is available from the GnuPG website. Some products implementing SMime such as Microsoft Outlook and Mozilla Thunderbird are used. An implementation of SMIME software is also available from GnuPG.

 

 Testbed       Using GnuPG       Using SMime      Email Clients  

Testbed

The first step is to create a test bed for analyzing PGP and SMIME. The testbed consists of  two machines, one running Windows XP and the other Linux Fedora core 3. 

Windows XP: Setting up the Windows machine is pretty simple. I installed the proprietary email clients Microsoft Outlook and Eudora 6.2. The mail server was my local mail server at NCSA.

Linux FC3This involves setting up an SMTP server ex: sendmail 8.13  and POP/IMAP to retrieve email collected on the server using a client ex: Mozilla Thunderbird.

Setting up the SMTP server:

I set up an SMTP server using sendmail. Sendmail usually comes with the Linux distribution. The sendmail.cf  file is Sendmail's main configuration file. This file controls how sendmail handles smtp connections. It is a good idea to create a back up of this file before making any changes to it.

# cp /etc/mail/sendmail.cf  /etc/mail/sendmail.cf.original

To create a new sendmail.cf we use the macro config file : /etc/mail/sendmail.mc.  I edit two lines in sendmail.mc

Comment out the following line using dnl

dnl DAEMON_OPTIONS('Port=smtp,Addr=127.0.0.1,Name='MTA')

Next I add my hostname to sendmail. By default this is set to "localhost.localdomain". I change this as follows.

mymachiename.ncsa.uiuc.edu

To create sendmail.cf with these changes we now need to run the following commands:

# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

# /etc/init.d/sendmail restart

The next step is to edit the following files:
/etc/mail/local-host-names
/etc/mail/access

Insert the hostname into both of these files. As an example,

Now run make to update the access.db file.

Now to test the new setup run:

# /bin/netstat -na |grep ":25 "

The output should be something like:

tcp     0   0 0.0.0.0:25      0.0.0.0:*     LISTEN 

I am now able to telnet to mymachine.ncsa.uiuc.edu on port 25.

The Linux machine is now ready to send and receive email.

Note : The authentication mechanism I am using currently is plain login with saslauthd as the password check method. This requires editing the  /usr/lib/sasl2/Sendmail.conf and adding these two lines:

pwcheck_method: saslauthd

mech_list: login plain

Setting up POP / IMAP services on your SMTP server

To retrieve any emails that are waiting on the server, we need to configure some service like POP or IMAP. One of the packages that does this is dovecot, which handles POP and IMAP mailboxes in clear text or with link encryption (POPS and IMAPS). This too usually comes with the Linux installation.

Dovecot is relatively easy to configure, but backing up the config file is still important.

# cp /etc/dovecot.conf /etc/dovecot.conf.original

I use IMAP, so my configuration looks like:

login = imap
login_executable = /usr/libexec/dovecot/imap-login

Adding another user for email access only

The user of the machine is now configured to send and receive mails. However if one wants to add a user such that he/she only has email access and not system access in that machine, it is possible to do so with the following command:

#  useradd -c "Alice Jones" -s /sbin/nologin alice

Starting Up the services

After setup the following commands will enable a user to receive and send emails using an email client (MUA) such as  Mozilla Thunderbird.

#  /etc/init.d/sendmail restart
#  /etc/init.d/dovecot restart
#  tail -f  /var/log/messages
#  tail -f  /var/log/maillog

There is an excellent Linux HOWTO page which explains this setup in greater detail.

Using GnuPG

GnuPG  or Gnu Privacy Guard is based on the Open PGP standard as described in RFC 2440. It can be used to encrypt data and digital signatures. With the above test bed set up, it is quite easy to use GnuPG as a secure communications tool. From a user point of view using GPG whether on command line or integrated with an email client is fairly easy to use. The command line allows a user to issue simple commands to  generate public and private keys. The interface asks the user for  information such as name, email address, key length, validity of key etc.  The public key can be imported and published in a public domain. For the private key, GPG has a convenient method of setting up a secret quote or "pass phrase " to access the key from the database.

Using Command line GPG and data files as attachments in email clients:

Any email client should work for this method as Alice is sending encrypted data as a file attachment to Bob and vice versa.

gpg --help  lists a number of useful gpg commands which can be used for generating keys, encrypting /decrypting data , deleting keys , etc.  A typical usage scenario is depicted in the following figure.

As shown in the figure Alice and Bob the users at the two machines can communicate securely using GPG and the email clients with each other. They both first generate public and private keys using GPG on their respective machines using  gpg gen-key . They publish their public keys in a public domain such as a webpage.

When Alice wants to communicate with Bob she sends him a digital signature, m1, signed with her private key KA encapsulated with the secret message, m2, signed with Bob's public key, PKB. An attacker can receive this message by sniffing the network, however only Bob can decrypt this message assuming he is the only one who has access to his private key, KB. Thus a secure communication channel is established between Alice and Bob using GPG.

Using Enigmail with Mozilla Thunderbird :

Enigmail is a plugin for Mozilla Thunderbird, which enables a user to encrypt and decrypt email right away from the GUI client. It is fairly easy to setup Enigmail. Here is a screenshot:

 

Using EudoraGPG with Qualcomm Eudora:

PGP is easily integrated into Eudora with the help of this plugin. It is easy to create the tool bar and Buttons for encrypt , decrypt , sign etc. Here is a screenshot.

One pitfall which I have experienced with this plugin so far is that in some cases after decryption the receiver does not see the decrypted secret message, which the sender has sent him. Instead all I see is a blank screen.

Using SMime

S/MIME or Secure MIME is a version of the MIME protocol that supports encryption of email messages and their contents using  RSA's public-key encryption technology. S/MIME is supported  on a number of email clients such as Microsoft Outlook, Mozilla Thunderbird, Mutt etc. A detailed description of the SMIME protocol is available here.

One difference between SMIME and GPG encryption methods is the use of digital certificates in SMIME. A digital certificate is issued by a Certificate Authority or CA. There are several CA's which issue digital certificates such as Verisign, Thawte etc. A personal email certificate is freely available from Thawte and can be used for signing and encrypting emails.

Typically the first signed email send across from one SMIME mail client to another results in exchange of public certificates. Alternatively one can obtain these certificates from some other trusted domain. In the following sections some screenshots of certificates are shown. The type and look depends on the kind of browser used,  atleast when using  personal email certificate service from Thawte.

Using Microsoft Outlook with SMIME:

The following figure shows an example of a public digital certificate issued by Thawte.

Here is an example of an encrypted email received using SMIME.

Using Mozilla Thunderbird with SMIME:

Here is a screenshot of a message signed using SMIME received by Thunderbird.

This figure shows an example of a public certificate issued by Thawte.

 

Email Clients

Here is a brief description of some popular secure email clients.

Proprietary Clients :

Open Source Clients:

Internet Email /Web based email :

Several web based secure email programs are also available. Example:  Hushmail  , Mutemail etc. These allow a user to to communicate and access his/her email account from anywhere in the world using the Internet. For ex: When using these secure email applications, the user on creating an account creates public and private keys on his local machine. These keys are then encrypted with a secret pass phrase, known only to the user,  and stored on the secure mail provider's mail server. Now the user can access his emails and communicate with other users by logging into his secret email account from any location. 

 

Send your comments and feedback here.