Using Secure Email with PGP and SMIME
Author: Meenal Pant
This page describes how to set up and use secure email with two popular secure messaging schemes, PGP and SMIME. The PGP implementation used here is GnuPG, available from the GnuPG website. For SMIME, products that implement it, such as Microsoft Outlook and Mozilla Thunderbird, are used. An SMIME implementation is also available from GnuPG.
Testbed | Using GnuPG | Using SMIME | Email Clients
The first step is to create a testbed for analyzing PGP and SMIME. The testbed consists of two machines, one running Windows XP and the other running Linux (Fedora Core 3).
Windows XP: Setting up the Windows machine is pretty simple. I installed the proprietary email clients Microsoft Outlook and Eudora 6.2. The mail server was my local mail server at NCSA.
Linux FC3: This involves setting up an SMTP server (e.g. sendmail 8.13) and a POP/IMAP service so that a client (e.g. Mozilla Thunderbird) can retrieve email collected on the server.
Setting up the SMTP server:
I set up an SMTP server using sendmail. Sendmail usually comes with the Linux distribution. The sendmail.cf file is Sendmail's main configuration file. This file controls how sendmail handles SMTP connections. It is a good idea to create a backup of this file before making any changes to it.
# cp /etc/mail/sendmail.cf /etc/mail/sendmail.cf.original
To create a new sendmail.cf we use the macro config file, /etc/mail/sendmail.mc. I edit two lines in sendmail.mc.
Comment out the following line using dnl
Next I add my hostname to sendmail. By default this is set to "localhost.localdomain". I change this as follows.
To create sendmail.cf with these changes we now need to run the following commands:
# m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf
# /etc/init.d/sendmail restart
The next step is to edit the following files:
Insert the hostname into both of these files. As an example,
Now run make to update the access.db file.
Now to test the new setup run:
# /bin/netstat -na |grep ":25 "
The output should be something like:
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
I am now able to telnet to mymachine.ncsa.uiuc.edu on port 25.
The Linux machine is now ready to send and receive email.
Note: The authentication mechanism I am using currently is plain login with saslauthd as the password check method. This requires editing the /usr/lib/sasl2/Sendmail.conf and adding these two lines:
mech_list: login plain
Setting up POP / IMAP services on your SMTP server
To retrieve any emails that are waiting on the server, we need to configure some service like POP or IMAP. One of the packages that does this is dovecot, which handles POP and IMAP mailboxes in clear text or with link encryption (POPS and IMAPS). This too usually comes with the Linux installation.
Dovecot is relatively easy to configure, but backing up the config file is still important.
# cp /etc/dovecot.conf /etc/dovecot.conf.original
I use IMAP, so my configuration looks like:
login = imap
login_executable = /usr/libexec/dovecot/imap-login
Adding another user for email access only
The user of the machine is now configured to send and receive mail. However, to add a user who has only email access and no system access on that machine, use the following command:
# useradd -c "Alice Jones" -s /sbin/nologin alice
Starting Up the services
After setup, the following commands restart the services and follow the logs, so that a user can send and receive email using an email client (MUA) such as Mozilla Thunderbird.
# /etc/init.d/sendmail restart
# /etc/init.d/dovecot restart
# tail -f /var/log/messages
# tail -f /var/log/maillog
There is an excellent Linux HOWTO page which explains this setup in greater detail.
GnuPG or GNU Privacy Guard is based on the OpenPGP standard as described in RFC 2440. It can be used to encrypt data and create digital signatures. With the above testbed set up, it is quite easy to use GnuPG as a secure communications tool. From a user's point of view, GPG is fairly easy to use, whether on the command line or integrated with an email client. The command line allows a user to issue simple commands to generate public and private keys. The interface asks the user for information such as name, email address, key length, validity of key etc. The public key can be imported and published in a public domain. For the private key, GPG has a convenient method of setting up a secret quote or "pass phrase" to access the key from the database.
Using Command line GPG and data files as attachments in email clients:
Any email client should work for this method as Alice is sending encrypted data as a file attachment to Bob and vice versa.
gpg --help lists a number of useful gpg commands which can be used for generating keys, encrypting/decrypting data, deleting keys, etc. A typical usage scenario is depicted in the following figure.
As shown in the figure, Alice and Bob, the users at the two machines, can communicate securely with each other using GPG and their email clients. They both first generate public and private keys on their respective machines using gpg --gen-key. They publish their public keys in a public location such as a webpage.
When Alice wants to communicate with Bob, she sends him a digital signature, m1, signed with her private key KA, encapsulated with the secret message, m2, encrypted with Bob's public key, PKB. An attacker can capture this message by sniffing the network; however, only Bob can decrypt it, assuming he is the only one who has access to his private key, KB. Thus a secure communication channel is established between Alice and Bob using GPG.
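The exchange described above, run end to end with command-line GnuPG, as an added example that is not part of the original page. Alice, Bob and Eve are throwaway identities with constructed addresses and message text, each in a temporary keyring directory; GnuPG 2.2 or later is assumed, and --quick-generate-key is used as the non-interactive form of gpg --gen-key.

```shell
#!/bin/sh
# Added example (not from the original page). All identities and the message
# are constructed; each user gets a private keyring directory so that real
# keys are untouched. Assumes GnuPG 2.2 or later.

# g HOMEDIR ARGS...: run gpg non-interactively against one user's keyring.
g() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"
}

# Prints the plaintext Bob recovers; returns non-zero if any step fails.
gpg_roundtrip() {
    work=$(mktemp -d) || return 1
    rc=1
    for u in alice bob eve; do mkdir -m 700 "$work/$u"; done
    printf 'meet at noon\n' > "$work/msg.txt"          # constructed message

    # 1. Each user generates a key pair. The empty passphrase is acceptable
    #    only because these keys are disposable.
    g "$work/alice" --quick-generate-key 'Alice <alice@example.test>' default default never >/dev/null &&
    g "$work/bob" --quick-generate-key 'Bob <bob@example.test>' default default never >/dev/null &&
    # 2. Public keys are exported (published) and imported by the peer.
    g "$work/alice" --armor --export alice@example.test > "$work/alice.asc" &&
    g "$work/bob" --armor --export bob@example.test > "$work/bob.asc" &&
    g "$work/alice" --import "$work/bob.asc" &&
    g "$work/bob" --import "$work/alice.asc" &&
    # 3. Alice signs with her private key and encrypts to Bob's public key.
    #    --trust-model always skips key validation for the demo; in real use,
    #    compare key fingerprints out of band before trusting a published key.
    g "$work/alice" --trust-model always --armor --sign --encrypt \
        -r bob@example.test -o "$work/msg.asc" "$work/msg.txt" &&
    # 4. A party without Bob's private key cannot decrypt the attachment.
    ! g "$work/eve" --decrypt "$work/msg.asc" >/dev/null 2>&1 &&
    # 5. Bob decrypts; the machine-readable status must report a good signature.
    g "$work/bob" --status-fd 1 -o "$work/out.txt" --decrypt "$work/msg.asc" \
        > "$work/status" 2>/dev/null &&
    grep -q '^\[GNUPG:\] GOODSIG' "$work/status" &&
    cat "$work/out.txt" && rc=0

    for u in alice bob eve; do gpgconf --homedir "$work/$u" --kill gpg-agent 2>/dev/null; done
    rm -rf "$work"
    return $rc
}

gpg_roundtrip
```

The file msg.asc is what would travel as the email attachment; everything else stays on the sender's or receiver's machine.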
Using Enigmail with Mozilla Thunderbird:
Enigmail is a plugin for Mozilla Thunderbird which enables a user to encrypt and decrypt email directly from the GUI client. It is fairly easy to set up Enigmail. Here is a screenshot:
Using EudoraGPG with Qualcomm Eudora:
PGP is easily integrated into Eudora with the help of this plugin. It is easy to create the toolbar and buttons for encrypt, decrypt, sign etc. Here is a screenshot.
One pitfall which I have experienced with this plugin so far is that in some cases after decryption the receiver does not see the decrypted secret message, which the sender has sent him. Instead all I see is a blank screen.
S/MIME or Secure MIME is a version of the MIME protocol that supports encryption of email messages and their contents using RSA's public-key encryption technology. S/MIME is supported on a number of email clients such as Microsoft Outlook, Mozilla Thunderbird, Mutt etc. A detailed description of the SMIME protocol is available here.
One difference between SMIME and GPG encryption methods is the use of digital certificates in SMIME. A digital certificate is issued by a Certificate Authority or CA. There are several CAs which issue digital certificates, such as Verisign, Thawte etc. A personal email certificate is freely available from Thawte and can be used for signing and encrypting emails.
Typically the first signed email sent from one SMIME mail client to another results in an exchange of public certificates. Alternatively one can obtain these certificates from some other trusted domain. In the following sections some screenshots of certificates are shown. The type and look depend on the kind of browser used, at least when using the personal email certificate service from Thawte.
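The certificate flow described above, as an added example using the OpenSSL command line (not code from the original page). A throwaway "Demo CA" stands in for a commercial CA, and all names, addresses and message text are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). "Demo CA" stands in for a
# commercial CA; all names, addresses and message text are constructed.

# mkca PREFIX NAME: create a self-signed root certificate PREFIX.crt/.key.
mkca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Prints the reply Alice decrypts; returns non-zero if any step fails.
smime_roundtrip() {
    d=$(mktemp -d) || return 1
    rc=1
    printf 'report is attached\n' > "$d/msg.txt"
    printf 'got it, thanks\n' > "$d/reply.txt"

    # 1. The CA Bob trusts, plus an unrelated CA for the negative check.
    mkca "$d/ca" 'Demo CA' && mkca "$d/other" 'Unrelated CA' &&
    # 2. Alice creates a key and a request; the CA issues her certificate.
    openssl req -newkey rsa:2048 -nodes -keyout "$d/alice.key" -out "$d/alice.csr" \
        -subj '/CN=Alice/emailAddress=alice@example.test' 2>/dev/null &&
    openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -out "$d/alice.crt" 2>/dev/null &&
    # 3. Alice signs a message; her certificate travels inside the signed mail.
    openssl smime -sign -in "$d/msg.txt" -signer "$d/alice.crt" \
        -inkey "$d/alice.key" -out "$d/signed.eml" &&
    # 4. Bob verifies against the CA he trusts and saves the signer certificate.
    openssl smime -verify -in "$d/signed.eml" -CAfile "$d/ca.crt" \
        -signer "$d/from_mail.crt" -out /dev/null 2>/dev/null &&
    # 5. The same mail is rejected when the issuer is not a trusted CA.
    ! openssl smime -verify -in "$d/signed.eml" -CAfile "$d/other.crt" \
        -out /dev/null 2>/dev/null &&
    # 6. Bob encrypts a reply to the certificate he received; Alice decrypts.
    #    -binary keeps the demo text byte-identical (no CRLF conversion).
    openssl smime -encrypt -aes256 -binary -in "$d/reply.txt" \
        -out "$d/enc.eml" "$d/from_mail.crt" &&
    openssl smime -decrypt -in "$d/enc.eml" -recip "$d/alice.crt" \
        -inkey "$d/alice.key" && rc=0

    rm -rf "$d"
    return $rc
}

smime_roundtrip
```

Step 4 is the certificate exchange the paragraph describes: Bob needs no prior copy of Alice's certificate, only trust in the CA that issued it.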
Using Microsoft Outlook with SMIME:
The following figure shows an example of a public digital certificate issued by Thawte.
Here is an example of an encrypted email received using SMIME.
Using Mozilla Thunderbird with SMIME:
Here is a screenshot of a message signed using SMIME received by Thunderbird.
This figure shows an example of a public certificate issued by Thawte.
Here is a brief description of some popular secure email clients.
Proprietary Clients :
Eudora: Eudora is a popular email client for Windows and Mac OS. Eudora 7.0 comes with an SMIME security plugin for signing and encrypting emails. Many plugins are available for using GPG with earlier versions of Eudora, e.g. Eudora PGP.
Microsoft Outlook: Microsoft Outlook comes with built-in SMIME support for secure messaging.
Open Source Clients:
Internet Email / Web-based email:
Several web-based secure email programs are also available, for example Hushmail, Mutemail etc. These allow a user to communicate and access his/her email account from anywhere in the world using the Internet. For example, when using these secure email applications, the user, on creating an account, creates public and private keys on his local machine. These keys are then encrypted with a secret pass phrase, known only to the user, and stored on the secure mail provider's mail server. The user can then access his emails and communicate with other users by logging into his secret email account from any location.