
Setting Up Mutt With S/MIME And PGP/MIME

If you use two accounts with Mutt, and for one of them you would like to sign mail with your OpenPGP key (PGP/MIME) while for the other you would like to sign with an X.509 certificate through OpenSSL (S/MIME), then this post is for you. Before beginning, however, you need the development version of Mutt (1.5.x), and it needs to have S/MIME support compiled in (which is the default for Debian/Ubuntu).

In my "~/.muttrc", I have my accounts separated into two files, so I can set specific options for each account that don't affect the other. As a result, here are the relevant parts of my ~/.muttrc:

# ~/.muttrc
folder-hook "personal.mail.tld" "source ~/.mutt/personal.rc"
folder-hook "work.mail.tld" "source ~/.mutt/work.rc"
source ~/.mutt/personal.rc # use this as the default account when Mutt executes

So, I have two accounts: "personal.mail.tld" and "work.mail.tld" (substitute the actual hostnames of your accounts, whether they are GMail, Yahoo!, or whatever). So, let's take a look at the relevant parts of "~/.mutt/personal.rc" and "~/.mutt/work.rc":

# ~/.mutt/personal.rc
source ~/.mutt/gpg.rc
# ~/.mutt/work.rc
source ~/.mutt/smime.rc

Obviously, I'm sourcing external files. The personal account sources the gpg.rc config, while the work account sources the smime.rc config. Both of these configs can be found as example files in "/etc/Muttrc.d/" on Debian. From there, I made my edits.

Obviously, for both configs, I need to have set up cryptographic keys first. For GnuPG, that means generating an OpenPGP key pair and keeping a backup of it. There is a wealth of documentation on the internet that discusses this, so I won't cover that here. I'll just assume you have it created already.

For S/MIME, you will need an X.509 certificate signed by a certificate authority. For myself, I chose Comodo. It was easy and quick. I had my SSL cert in less than 5 minutes, and it's good for a full year, and it was free.

Once you get the email about the certificate, clicking the link to open it in your browser will install the certificate in the browser. No big deal. Just navigate to the certificate using your browser's menu, and back up the certificate (the public certificate together with its private key) to some local directory on your machine. It should have ".p12" as its extension. Then, copy that file to the machine that will be running Mutt.

On the machine that you will be running Mutt from, you will need to issue a few commands to get your environment set up correctly before you can start using the certificate. You will need OpenSSL installed before you can begin:

$ smime_keys init

This should create "~/.smime/", "~/.smime/certificates/" and "~/.smime/keys/". After that, you will need to copy "ca-bundle.crt" to "~/.smime/". "ca-bundle.crt" is provided by a number of packages, and you can find it on the internet should it not already be installed. Once it is copied, type the following:

$ smime_keys add_p12 /path/to/your-backed-up-cert.p12

You will be asked for the passphrase for the private key in the .p12 file, as well as a new passphrase for encrypting the key in your database. It doesn't matter if you use the same passphrase both times. This passphrase is not recoverable, so make sure you remember it. You will also be asked what you want to call the certificate; it makes no difference to anyone what you call it, but you can't have two certificates with the same nickname.

Make note of the hash of your key. You can retrieve it from the output line beginning "added private key", which is followed by a path and a hexadecimal number ending in ".0". Find the line in your smime.rc that says:

# ~/.mutt/smime.rc
set smime_default_key="12345678.0"

and change "12345678.0" to the hash for your key that you took note of. The only thing left to do is to install the Comodo root certificates. These are already installed on your system in "/etc/ssl/certs/Comodo*" and "/etc/ssl/certs/COMODO*". For each of those root certs (I'm actually not sure which is needed for your personal cert), you need to issue the following command:

$ smime_keys add_root /etc/ssl/certs/Comodo_Secure_Services_root.pem
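As an added example (not part of the original post), here is a small POSIX sh script that turns the "make note of the hash" step into a check: it reads the "added private key" line from a captured `smime_keys add_p12` run, extracts the key id, refuses to proceed unless a matching file exists in the keys directory, and rewrites `smime_default_key` in smime.rc. The sample log line is constructed to match the description above; the log path and the address after "for" are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. After running
#   smime_keys add_p12 cert.p12 2>&1 | tee ~/add_p12.log
# this pulls the "<hash>.<n>" id out of the "added private key" line and
# writes it into smime_default_key in smime.rc, after checking that the
# matching private key file really exists under the keys directory.

# Print the key id ("12345678.0" style) found in a captured add_p12 log.
# Returns 1 and prints nothing if no "added private key" line is present.
smime_key_id_from_log() {
    id=$(grep 'added private key' "$1" \
        | sed -n 's/.*\/\([0-9a-fA-F]\{8\}\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1)
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# Replace (or append) the smime_default_key line in rc file $1 with id $2,
# refusing to do so unless "$3/$2" (the private key file) exists.
set_smime_default_key() {
    rc="$1"; id="$2"; keysdir="$3"
    [ -f "$keysdir/$id" ] || { echo "no key file $keysdir/$id" >&2; return 1; }
    tmp="$rc.tmp.$$"
    if grep -q '^set smime_default_key=' "$rc"; then
        sed "s|^set smime_default_key=.*|set smime_default_key=\"$id\"|" "$rc" > "$tmp"
    else
        { cat "$rc"; printf 'set smime_default_key="%s"\n' "$id"; } > "$tmp"
    fi
    mv "$tmp" "$rc"
}

# Stand-alone demo on a constructed log and rc file in a scratch directory
# (nothing under the real ~/.smime or ~/.mutt is touched).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/keys" && : > "$demo_dir/keys/1a2b3c4d.0"
printf 'added private key: %s/keys/1a2b3c4d.0 for me@work.mail.tld\n' \
    "$demo_dir" > "$demo_dir/add_p12.log"
printf 'set smime_is_default="yes"\nset smime_default_key="12345678.0"\n' \
    > "$demo_dir/smime.rc"
demo_id=$(smime_key_id_from_log "$demo_dir/add_p12.log")
set_smime_default_key "$demo_dir/smime.rc" "$demo_id" "$demo_dir/keys"
cat "$demo_dir/smime.rc"
```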

You have now successfully set up your environment to use S/MIME with Mutt. Now let's look at the configs. For the gpg.rc config, I kept everything default except for the following:

# ~/.mutt/gpg.rc
set pgp_good_sign="^gpg: Good signature from"
set crypt_autosign="yes"
set crypt_replysign="yes"
set crypt_replysignencrypted="yes"
set pgp_auto_decode="yes"
unset smime_is_default

For the smime.rc config, again I kept everything default except for the following:

# ~/.mutt/smime.rc
set smime_is_default="yes"
set crypt_autosmime="yes"
set pgp_autosign="no" # in Mutt 1.5.x this is a synonym for crypt_autosign, so the crypt_autosign line below takes effect
set smime_timeout="300"
set crypt_autosign="yes"
set crypt_replyencrypt="yes"
set crypt_replysign="yes"
set crypt_replysignencrypted="yes"
set crypt_verify_sig="yes"
set smime_default_key="12345678.0" # you should have already changed this

You are now ready to roll. When you change to your personal account, it should use PGP/MIME by default, and when you change to your work account, it should use S/MIME by default.

3 Comments

  1. Leo Bicknell | February 18, 2012 at 1:49 am

    Is it possible to both PGP/MIME and S/MIME sign a single message? I realize this probably wouldn't work with encryption, but I'd like to send a single text e-mail with both a PGP and S/MIME signature that verify in most clients. Can it be done?

  2. Aaron Toponce | February 18, 2012 at 2:29 pm

    Possible? Yes. Practical? No. One would have to be wrapped inside the other. So, either you PGP/MIME your email first, then S/MIME it, or vice versa. Regardless, the recipient will have to verify the outer layer first, strip it, then verify the inner layer. It's hard enough getting people to just do one or the other, let alone work that hard at both. You're best off just picking one of them, and sticking to it.

  3. Joseph Ishac | November 25, 2013 at 12:57 pm

    Any thoughts on how to handle expired certs? I've been using smime for mail when needed, but due to policy my key expires and I'm issued a new one. As such my id of "12345678.0" becomes "12345678.1" .2 .3 and so on as I import the new certs into my keyring. If I update smime_default_key everything works for the new cert but I can't seem to decrypt my older messages without first modifying this line so that mutt uses the right cert. This becomes rather tedious. Any ideas on how to manage both the current and expired certs or at least have mutt use the appropriate one?
