On Sunday 27 March 2011 03:03:30 James wrote:
> Sebastian Beßler <sebastian <at> darkmetatron.de> writes:
> > Mail encryption is, as far as I know, something that works on the
> > client-side only. The mail server doesn't see the encryption, encrypted
> > mails contain only text, just like every other mail.
>
> OK, let's ignore the mail server portion. You're basically implying
> that encrypted mail handling from the server does not matter, whether
> it's an Exchange server or *nix, like postfix....
>
> As an example.
> Look at the situation where a person is using only MS technology
> and has no access to support (input) on their client software nor the
> MS Exchange server (big corp for example that assumes the world
> only uses MS software). Maybe they can make a few setting changes
> only in Outlook to get encryption working between an MS (Outlook)
> system and my Gentoo system using pgp and thunderbird?

Depending on the MSWindows OS and email client versions your MS counterpart
can try installing and running:

http://www.gpg4win.org/about.html

Alternatively, instead of OpenPGP you can use S/MIME certificates - either
self-signed or from an <ahem!> reputable Certification Authority. I prefer
the former where possible, although the average MSWindows user would struggle
on their own to even click a (single) button, let alone generate
public/private keys, configure a password and then negotiate with the
MSWindows certificate manager to accept them.

gpg4win will also act as the front end for managing the MSWindows S/MIME certs,
although Outlook can manage these for SSL signing/encryption natively.

The SSL certificates offered by different CAs are mostly an expensive racket
for big corporate clients. Individual users are limited to a few available
CAs (like CACert, Comodo, etc.) which issue free certificates for personal
(email) use, but only some of the browsers include them in their store of
trusted CAs - hence the need for manual import of Root CA keys, etc. in the
user's browser/certificate store and of course the same with the recipients of
their email messages.

Before you commit to a CA, check which browsers and OSes have already included
it in their trusted Root CA store.


> > If my answer has nothing to do with your problem, please give me more
> > information on what you have in mind.
>
> I do not have a problem. I have assumed that encrypted mail between
> a given client software on a gentoo system will not work with windows.
> Is this assumption incorrect?

Yes, this is an incorrect assumption. OpenPGP will not work with MSWindows
natively without a 3rd party application (e.g. gpg4win), because OpenPGP does
not satisfy the requirements of Microsoft's monopolistic business model.

However, SSL certificates will work natively with MSWindows and its Outlook
email client. As I said above you have a choice of obtaining such
certificates: self-signed or signed by trusted Root CAs (some of which are
free for personal use).

Also, in the era of Cloud computing you have the choice of webmail
applications (like Horde) which can use both PGP and S/MIME to
sign/encrypt/decrypt messages, thus bypassing limitations of a given OS or
desktop based mail clients.

Finally, you have SaaS solutions for secure email, like
http://www.hushmail.com/ but if one does not trust Root CAs, why one would trust
some hushmail company and its employees is beyond me.


> Or is it just install whatever I want (mail client on gentoo) and it will
> auto-magically exchange encrypted mail with outlook on a windows machine,
> behind an MS Exchange server, regardless of what the MS admins
> do on their side?

Yes, as long as you manage encryption/decryption at the desktop. You need to
note though that some corporate IM policies may prohibit the use of encrypted
messages. These can be filtered out by the corporate mail server and stopped.


> I assumed that it is not that easy (my default experience with MS),
> and things have to be coordinated, like most MS issues, to be
> able to exchange encrypted mail between a gentoo and MS workstation....
>
> Nothing to it, or massive issues on the MS side? Obviously,
> making changes on the gentoo workstation client is easy....
> What I would really like is to be able to exchange encrypted mail
> with any MS user. That, I'm sure, will entail pointing them to
> documents on how to set up the software on the MS (outlook) side.
> Links for MS help?

They do not need to look at Internet links - just ask them to look up digital
signing or encryption in their Outlook help pages.

Configuring Outlook is the easy part. The more confusing part might be
obtaining an S/MIME certificate and importing the Root CA certificate if it is
not already included in whatever Microsoft ships with. I think that the Comodo
Root CA is already included (and the recently hacked Root CA certificate has
not been recalled through last week's MSWindows update).


> ???
> A general discussion at this point, not a specific solution.
> My googling only reveals dated discussions along these lines
> or information that is not useful.

Google has many examples and step-by-step instructions for configuring Outlook
to use SSL Certs (S/MIME), usually by the purveyors of all these expensive
certificate services:

http://www.globalsign.com/support/personal-certificate/per_outlook07.html
--
Regards,
Mick
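Added example, not part of the thread: the self-signed S/MIME route Mick describes, done with the openssl command line (a passphrase-protected key, a certificate with the S/MIME extensions, a signed message, and the verify step that fails until the recipient has imported the signer's certificate). Assumes the openssl CLI is installed; the addresses and passphrases are made up.

```shell
# Constructed demo of the self-signed S/MIME route: passphrase-protected key,
# certificate with the S/MIME extensions, a signed message, and the trust check
# a recipient's mail client makes. Assumes the openssl CLI; names are made up.
set -eu
# make_smime_cert EMAIL DIR PASS: RSA key plus a self-signed certificate with
# what mail clients look for on an S/MIME identity (emailProtection EKU, SAN).
make_smime_cert() {
  cat > "$2/smime.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = smime
prompt = no
[dn]
CN = $1
emailAddress = $1
[smime]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$1
EOF
  openssl req -x509 -newkey rsa:2048 -days 365 -passout "pass:$3" \
    -config "$2/smime.cnf" -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}
# sign_message DIR PASS INFILE OUTFILE: clear-signed message with the signer's
# certificate embedded, so the recipient can inspect and import it.
sign_message() {
  openssl smime -sign -signer "$1/cert.pem" -inkey "$1/key.pem" \
    -passin "pass:$2" -in "$3" -out "$4" -text
}
# verify_message TRUSTED_CERT SIGNED: succeeds only when the signature is valid
# and the signer chains to a certificate in the given store (un-imported: rejected).
verify_message() {
  openssl smime -verify -CAfile "$1" -in "$2" -out /dev/null 2>/dev/null
}
# roundtrip: alice signs; bob verifies with alice's cert (passes) and with an
# unrelated cert (must fail). Returns 0 when both outcomes are as expected.
roundtrip() {
  d=$(mktemp -d)
  mkdir "$d/alice" "$d/bob"
  make_smime_cert alice@example.invalid "$d/alice" alice-pass
  make_smime_cert bob@example.invalid "$d/bob" bob-pass
  printf 'Meeting moved to 10:00.\n' > "$d/msg.txt"
  sign_message "$d/alice" alice-pass "$d/msg.txt" "$d/msg.p7m"
  if verify_message "$d/alice/cert.pem" "$d/msg.p7m" \
     && ! verify_message "$d/bob/cert.pem" "$d/msg.p7m"; then rc=0; else rc=1; fi
  rm -rf "$d"; return $rc
}
```

Importing alice's cert.pem into the recipient's certificate store is the manual step the thread refers to; until that is done, verify_message is what the mail client's "untrusted signer" warning boils down to.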