
Setting Up Mutt With S/MIME And PGP/MIME

If you have two accounts that you use with Mutt, and with one of them you would like to sign mail with your OpenPGP key (PGP/MIME) while with the other you would like to sign with an X.509 certificate (S/MIME), then this post is for you. Before beginning, however, you need the development version of Mutt (1.5.x), and it needs to have S/MIME support compiled in (which is the default for Debian/Ubuntu).

In my "~/.muttrc", I have my accounts separated into two files, so I can set specific options for each account that don't affect the other. Here are the relevant parts of my ~/.muttrc:

# ~/.muttrc
folder-hook "personal.mail.tld" "source ~/.mutt/personal.rc"
folder-hook "work.mail.tld" "source ~/.mutt/work.rc"
source ~/.mutt/personal.rc # use this as the default account when Mutt executes

So, I have two accounts: "personal.mail.tld" and "work.mail.tld". The first argument to folder-hook is a regular expression matched against the path of the mailbox you are opening, so the host name of the IMAP server (GMail, Yahoo!, or whatever you use) is enough to tell the accounts apart; change the patterns to match your own. Let's take a look at the relevant parts of "~/.mutt/personal.rc" and "~/.mutt/work.rc":

# ~/.mutt/personal.rc
source ~/.mutt/gpg.rc
# ~/.mutt/work.rc
source ~/.mutt/smime.rc

Obviously, I'm sourcing external files. The personal account sources the gpg.rc config, while the work account sources the smime.rc config. Both of these configs can be found as example files in "/etc/Muttrc.d/" on Debian. From there, I made my edits.

For both configs, I will need to have set up cryptographic keys. For GnuPG, I need to generate a key pair and back it up. There is a wealth of documentation on the internet that discusses this, so I won't cover it here. I'll just assume you have it created already.

For S/MIME, you will need an X.509 certificate carrying your e-mail address, signed by a certificate authority that your correspondents' mail clients already trust. For myself, I chose Comodo. It was easy and quick. I had my certificate in less than 5 minutes, it's good for a full year, and it was free.

Once you get the email about the certificate, clicking the link to open it in your browser installs the certificate in the browser's certificate store. No big deal. Just navigate to the certificate using your browser's menu and back it up (both the private key and the certificate) to a local directory on your machine. It should have ".p12" as its extension: a PKCS#12 file, password-protected, containing your private key. Treat it accordingly: keep it readable only by you (chmod 600), copy it to the machine that will run Mutt over a secure channel such as scp, and delete the copies you no longer need once it has been imported.

On the machine that you will be running Mutt from, you will need to issue a few commands to get your environment set up before you can start using the certificate. The commands use smime_keys, a helper script shipped with Mutt that drives the openssl command-line tool, so OpenSSL must be installed before you begin:

$ smime_keys init

This should create "~/.smime/", "~/.smime/certificates/" and "~/.smime/keys/". After that, you will need to copy a CA bundle to "~/.smime/ca-bundle.crt". On Debian the ca-certificates package installs one at "/etc/ssl/certs/ca-certificates.crt"; use that rather than a bundle downloaded from some random web site, since whatever it contains becomes a trust anchor for verifying signatures on your mail. After it is copied, type the following:

$ smime_keys add_p12 /path/to/your-backed-up-cert.p12

You will be asked for the passphrase for the private key in the .p12 file, as well as a new passphrase for encrypting the key in your database. It doesn't matter if you use the same passphrase both times. This passphrase is not recoverable, so make sure you remember it. You will also be asked what you want to call the certificate; it makes no difference to anyone what you call it, but you can't have two certificates with the same nickname.

Make note of the hash of your key. It is the OpenSSL subject hash of your certificate (the same value "openssl x509 -noout -hash" prints), and smime_keys reports it on the line beginning "added private key", as a path ending in an eight-digit hexadecimal number followed by ".0". Find the line in your smime.rc that says:

# ~/.mutt/smime.rc
set smime_default_key="12345678.0"

and change "12345678.0" to the hash for your key that you took note of. The only thing left to do is to register the Comodo root that issued your certificate as trusted. On Debian the Comodo roots are already installed as "/etc/ssl/certs/Comodo*" and "/etc/ssl/certs/COMODO*". Which one you need depends on the issuer named in your certificate ("openssl x509 -noout -issuer" on the certificate extracted from your .p12 tells you). Add only that one: add_root marks a root as trusted for verifying signatures on incoming mail, so every extra root you add widens what Mutt will accept as a valid signature. The command is:

$ smime_keys add_root /etc/ssl/certs/Comodo_Secure_Services_root.pem
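Before importing a .p12 it helps to look inside it: the issuer tells you which root to hand to add_root, and the subject hash is the value smime_default_key needs. The following script is an added example, not part of the original post and not part of Mutt or smime_keys; it assumes a POSIX shell and the openssl command-line tool, reads the .p12 passphrase from an environment variable (a made-up name, P12_PASS) so it does not show up in the process list, and writes nothing into ~/.smime.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a PKCS#12 file the way
# you would before handing it to smime_keys add_p12. Assumes a POSIX shell and
# the openssl CLI. P12_PASS is an assumed name for the variable that carries
# the .p12 passphrase; nothing here touches ~/.smime.
set -eu

# Subject hash that OpenSSL (and therefore smime_keys) derives from the
# certificate's subject. Mutt's smime_default_key is this hash plus ".0".
cert_hash() {  # $1 = PEM certificate
    openssl x509 -noout -hash -in "$1"
}

# Issuer distinguished name: the CA whose root must be given to add_root.
cert_issuer() {  # $1 = PEM certificate
    openssl x509 -noout -issuer -in "$1"
}

# Extract the end-entity certificate (and only that, no private key) from a
# .p12 into $2. The passphrase comes from the P12_PASS environment variable
# rather than a "-passin pass:..." argument visible to every user via ps.
p12_leaf_cert() {  # $1 = path to .p12, $2 = output PEM path
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS -out "$2"
}

# Does the given CA bundle chain this certificate to a trusted root?
# Returns 0 when openssl verify succeeds, 1 otherwise.
cert_chains_to() {  # $1 = PEM certificate, $2 = CA bundle PEM
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Print subject, issuer, the smime_default_key value, and whether the
# certificate verifies against a CA bundle such as ~/.smime/ca-bundle.crt.
inspect_p12() {  # $1 = path to .p12 (passphrase in $P12_PASS), $2 = CA bundle
    tmp=$(mktemp)
    p12_leaf_cert "$1" "$tmp"
    echo "subject: $(openssl x509 -noout -subject -in "$tmp")"
    echo "issuer:  $(cert_issuer "$tmp")"
    echo "smime_default_key: $(cert_hash "$tmp").0"
    if cert_chains_to "$tmp" "$2"; then
        echo "chain: verifies against $2"
    else
        echo "chain: does NOT verify against $2; add the issuing root with smime_keys add_root"
    fi
    rm -f "$tmp"
}

# Usage: P12_PASS='the export passphrase' inspect_p12 ~/your-backed-up-cert.p12 ~/.smime/ca-bundle.crt
```

If the chain check fails even though the issuer is a Comodo CA, the bundle you copied to ~/.smime lacks that root or the intermediate that sits between it and your certificate; verifying against the single root you intend to pass to add_root is the quickest way to confirm you picked the right file. One caveat for newer systems: OpenSSL 3 refuses PKCS#12 files written with the old RC2/3DES algorithms that some browsers still use, and needs the additional "-legacy" option on the openssl pkcs12 command (with the legacy provider installed) to read them.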

You have now successfully setup your environment to use S/MIME with Mutt. Now let's look at the configs. For the gpg.rc config, I kept everything default except for the following:

# ~/.mutt/gpg.rc
# Pattern Mutt searches for in gpg's output to decide that a signature is
# good. This matches gpg's human-readable message, which is localized, so it
# only works in an English locale; the Debian sample gpg.rc instead matches
# the machine-readable status line, set pgp_good_sign="^\\[GNUPG:\\] GOODSIG",
# which is locale-independent.
set pgp_good_sign="^gpg: Good signature from"
set crypt_autosign="yes"            # sign every outgoing message
set crypt_replysign="yes"           # sign replies to signed messages
set crypt_replysignencrypted="yes"  # sign replies to encrypted messages
set pgp_auto_decode="yes"           # decode inline (traditional) PGP messages automatically
unset smime_is_default              # PGP/MIME, not S/MIME, is the default for this account

For the smime.rc config, again I kept everything default except for the following:

# ~/.mutt/smime.rc
set smime_is_default="yes"          # S/MIME, not PGP, is the default for this account
set crypt_autosmime="yes"           # let Mutt use S/MIME to verify and decrypt incoming mail
set smime_timeout="300"             # seconds to cache the private-key passphrase
# pgp_autosign is an old synonym for crypt_autosign in Mutt 1.5.x, so setting
# pgp_autosign="no" and crypt_autosign="yes" together is contradictory and
# the later line wins; set only crypt_autosign.
set crypt_autosign="yes"            # sign every outgoing message
set crypt_replyencrypt="yes"        # encrypt replies to encrypted messages
set crypt_replysign="yes"           # sign replies to signed messages
set crypt_replysignencrypted="yes"  # sign replies to encrypted messages
set crypt_verify_sig="yes"          # always verify signatures on incoming mail
set smime_default_key="12345678.0"  # the hash from smime_keys add_p12 (you should have already changed this)

You are now ready to roll. When you change to your personal account, it should use PGP/MIME by default, and when you change to your work account, it should use S/MIME by default.
