mutt -- Trying to setup S/MIME PKI encrypted emails -- problem with smime_keys

christr · 07-11-2019, 09:57 AM

I'm need to setup the ability to send PKI encrypted emails from the command line. From everything I've read Mutt seems to be the only solution for this, but correct me if I'm wrong.

So far the most promising article I've found on how to do this is here.

The first thing this and other articles I've found discuss is to run the "smime_keys init" command to build the required directories it will need under ~/.smime. I've tried this on multiple distributions including Debian, Red Hat, and CentOS. I even compiled a version of mutt directly from the source. No matter what I try it always comes back with an error as shown below.

Code:

-bash-4.2$ smime_keys init
smime_keys is not set in mutt's configuration file at /usr/bin/smime_keys line 62.
-bash-4.2$

I'm not a perl guru by any means, but I'm strong with other scripting languages. I've read through the smime_keys script that's included with mutt several times, but I'm not finding what's wrong. Any suggestions would be appreciated.

scasey · 07-12-2019, 07:39 PM

From the link you posted:

Quote:

Make sure you have installed mutt with ssl-enabled.

I suspect that is not the case.

christr · 07-13-2019, 09:56 AM

How do you do this? I haven’t been able to find instructions on how.

scasey · 07-13-2019, 04:26 PM

Again, from the link you posted

Quote:

Preparation

Make sure you have installed mutt with ssl-enabled. If you don't have installed, read my previous post about compiling mutt.

I found the previous post here.

I presume the relevant section on that page is the one headed
Compiling mutt with support for tls, sasl, imap, and gpgme -- but I haven't read it.

christr · 07-13-2019, 06:09 PM

Thank you for the response, but I’ve exhausted all of my know research options. Hopefully someone will know the answer to this, or has done it before.

scasey · 07-13-2019, 07:42 PM

Research done. The link in #4 is by the same person whose instructions you were following.
Are those compile instructions not clear? What don't you get?

christr · 07-13-2019, 09:39 PM

That’s for GPG. All I’ve been finding is articles on GPG/PGP. I need x.509 / PKI certificate based encryption in mutt.

scasey · 07-13-2019, 09:45 PM

Have you done the compile following those instructions?

And did you then still get the error?

christr · 07-24-2019, 12:30 PM

I tried, but unfortunately no luck. Same "keys is not set in mutt's configuration file."

DearRoboto · 09-16-2020, 01:45 AM

A solution for me was to indeed add `smime` options to `~/.muttrc`, so it has the following options

~/.muttrc

Code:

set smime_keys = "~/.smime/keys"
set smime_certificates = "~/.smime/certificates"
set smime_ca_location = "~/.smime/ca"

After this, `smime_keys init` should create that directory for you so you can store the keys.

Also, from `man muttrc`

Quote:

smime_keys
Type: path
Default: “”

Since for S/MIME there is no pubring/secring as with PGP, mutt has to handle storage and re‐
trieval of keys/certs by itself. This is very basic right now, and stores keys and certifi‐
cates in two different directories, both named as the hash-value retrieved from OpenSSL. There
is an index file which contains mailbox-address keyid pair, and which can be manually edited.
This option points to the location of the private keys. (S/MIME only)

christr · 09-16-2020, 01:07 PM

I actually figured this out a long while back. I thought I had actually posted what I ultimately did to accomplish this. I didn't need to do this through mutt after all. I wrote a script that automates the work by pulling the certificates down automatically when someone puts an email address in. I added a lot of features to it as well, including the ability to add attachments. The script I wrote is specific to my company, so I can't include all of it here. However, I've included a few excerpts below that might help others.

First off I needed to set the header depending on if the person wants to do an HTML or ASCII email. I wrote this small function below to handle that, which is determined by a command option when calling the script.

Code:

function f_header {
content=plain
if [ "$html" -eq "0" ];then
        content=html
fi
cat << EOF
To: ${to}
From: ${from}
Subject: ${subject}
MIME-Version: 1.0
Content-Type: text/${content}; charset=utf-8

EOF
}

The rest is then accomplished via openssl and using the public certificates I temporarily pull down off our LDAP server for each recipient. They're handled via the ${cert_list} variable.

Code:

f_header > ${tmpEncPrep}
cat "${body}" >> ${tmpEncPrep}
f_attachment ### Function call for if file attachments were included. It appends the uuencoding of the file to the bottom of the ${tmpEncPrep}
openssl cms -encrypt -in "${tmpEncPrep}" -out "${tmpEncBody}" -from ${from} -to ${to} -subject "${subject}" -aes256 ${cert_list}
cat "${tmpEncBody}" | sendmail -f ${from} ${to}

Hopefully this helps others looking for a solution here later on.