
Sending encrypted/digitally signed mail in Thunderbird... utilizing Identity/Reply

Meractik

Golden Member
I currently utilize the latest Mozilla Thunderbird with 3 separate "Identities" set up to send mail as, utilizing the SMTP server from my host.

I recently researched and decided to employ COMODO's Secure Mail Encryption/Digital Signature certificates, but am receiving an error if I try to send mail out as any one of the 3 identities. *Error below*

[screenshot of the error]


If I select "Yes" it takes me to...

[screenshot]


I have noticed that if I simply attempt to send mail out as the original account email address (from host) and not one of the identities, it will allow me to successfully use the certificate and implement encryption/digital signing via the security button on new messages. I do not use this email account to send messages though, and prefer sending as identities set up on this account (as my domain email host does not allow me to host the identity addresses directly via their MX server setup, I have to utilize forwarding through the main e-mail address & set up identities and folders to sort....)
 
I'm not familiar with Thunderbird, and I have very limited exposure, in practice, to the type of email encryption and signing that you're trying to set up (assuming that you're trying to configure/use S/MIME). However, based on the information that you have supplied, I suspect that the problem you are encountering is because you are trying to use the same certificate for all of the different email accounts. Did you get a separate cert for each email address?
 
Short answer:

Using a certificate signed for one account on multiple different accounts is not a good idea. However, Thunderbird will allow you to send email with certificates signed for an identity (or email address if you really want to).

1. Open account settings
2. Click the account you want to change
3. Click manage identities
4. Click the identity you want to manage
5. Select the security tab
6. Add the email certificate to the identity.

It's not enough to have just selected a certificate for the entire account. It must be set both for the account (for the primary user) and on each individual identity.

Long Answer:

Digital certificates (for email, code signing, etc.) work by using a certificate which is signed by a Certificate Authority, who guarantees to a certain extent (depending on how much you pay) the validity of the certificate. This is the same for SSL/TLS certificates.

Validity meaning that you are who you say you are. Or, to anyone else, that the sender is who they say they are.

So when you apply for a digital certificate through Comodo you would have signed up with an email address. For example user@mydomain.com.

Comodo will then sign a certificate for use with that domain and user - user@mydomain.com.

Whenever you send email as user@mydomain.com and use your certificate to sign and/or encrypt the email the person receiving your email should be confident that the email is legitimate and hasn't been tampered with.

So say you send an email to me which is signed or encrypted or both, my email client will do the following:

What do people/email clients look for

- Check who the email is from = user@mydomain.com
- Check which email is verified by the CA in the certificate = user@mydomain.com
- Check the hash of the email and certificate to validate that it hasn't been tampered with since it was sent

Problems

- If the sending email isn't the same as the email on the certificate then it's possible that the certificate has been stolen from the owner and is used to forge authenticated email - Authentication will fail

- If the hash is wrong then the certificate validity or the message contents cannot be verified - Authentication will fail

So if you want to send email from multiple email accounts you will have to apply for a certificate for each of your identities/accounts as sending email as boss@mydomain.com with a certificate authenticated for use with user@mydomain.com will fail every time. You can send, but it won't be authenticated and then the whole meaning with signing the email is gone.

However, Thunderbird will allow you to do it (short answer).

I'd be suspicious if an email in my inbox was from tommy@mydomain.com signed by user@mydomain.com.
 

My plans are to get separate certs for each e-mail address, however... I must get 1 to work first. The same cert can be applied as both an Encryption & Digital signature (from what I have read?)
 

I get what you're saying, and while I agree with it, I'm just trying to make this work and be secure for most people that wouldn't notice. I wish my domain host enabled me to set up each of my emails on my domain with their own MX entry; they have instructed me the only way to use these aliases (identities) is to use them as forwards under my originally supplied domain account. :/ I didn't have this problem with Lavabit! 🙁

Thank you for the information, I will attempt to set this all up later today with the information you've provided to see if I can get it to work. I appreciate your reply. Thanks!
 
You can't really hide the fact that an email is signed with a certificate authorized for a different username or domain. The client (Outlook, Thunderbird) will usually have a graphical element that will notify the user that there is an inconsistency, like a red cross, or a question mark, or something like that.

If you're running your own mail server, can't you just set up aliases in Postfix or whatever MTA you're using?

You don't need to create MX records for aliases. You create MX records for machines that will send and receive email, or maybe I've misunderstood what you're trying to do? 😛

Also, yes, a single cert will allow you to both encrypt and sign email.
 
My plans are to get separate certs for each e-mail address, however... I must get 1 to work first.

I have noticed that If I simply attempt to send mail out as the original account email address (from host) and not one of the identities it will allow me to successfully use the certificate and implement encryption/digitally sign via the security button on new messages.

It looks like you already got your certificate to work with one account... the original account that (I'm assuming) matches the information on the cert that you have.

Regardless, I'm going to defer to smakme7757 to help you with the details on this one since it seems like he has experience with Thunderbird. But you absolutely want to get a cert that's valid for each address you will be sending from. I'm actually surprised that Thunderbird even lets you use one that doesn't match...that practice does a lot to undermine the intent of signing/encrypting messages.
 

You sound a lot more in the know than I. Here is what I am currently doing and what I am attempting to try and do.

Currently I have my domain email hosted by my website provider. I do not "host" a website, but I utilize the domain name for email purposes, aka ME@MYDOMAIN.COM.

However, upon signing up for a package that includes domain registration, website hosting & email, the provider automatically assigned me a username to access my cPanel online login to manipulate all my settings, a.k.a. PREASSIGNEDUSERNAME@MYDOMAIN.COM. I do not "like" this username and want to utilize e-mail that is easier to remember, thus I set up extra e-mail accounts on my domain which I use regularly; we'll call these email1@mydomain.com and email2@mydomain.com. Previously I would provide these two email addresses to lavabit.com as my host and they simply had me change my mail MX record in my domain setup, and I could go into Thunderbird, set up a new account pointing to email1@mydomain.com, input credentials and wham, I'm in.

Upon speaking to my host now that I switched back to them from Lavabit (since they went out of business), I have been instructed that simply changing back the MX record won't be enough. I currently have to set up a new account for e-mail utilizing PREASSIGNEDUSERNAME@MYDOMAIN.COM and then set up within my cPanel mail config for my email1@mydomain.com & email2@mydomain.com to forward to e-mail address PREASSIGNEDUSERNAME@MYDOMAIN.COM. Therefore, I am utilizing Identities so I can send mail via the addresses I actually use, email1@mydomain.com & email2@mydomain.com, although they both go through e-mail account PREASSIGNEDUSERNAME@MYDOMAIN.COM.

I want to set up encryption & digital signatures for email1@mydomain.com & email2@mydomain.com. Currently, although I haven't tried your suggestions earlier to manipulate identities, it's only letting me set this up per my screenshots from email address PREASSIGNEDUSERNAME@MYDOMAIN.COM.


*** Hopefully what I wrote above is easily understandable, I tried to explain to the best of my ability... *** If anyone has any questions or needs further clarification feel free to ask.


Seepy83: I do have two certs, one for email1@mydomain.com and one generated for email2@mydomain.com. I am simply trying to accomplish the above at the moment with e-mail address email1@mydomain.com; once that is successful I will do email2@mydomain.com. I do not care if PREASSIGNEDUSERNAME@MYDOMAIN.COM has any certs because I do not actively provide this e-mail to anyone (except maybe passively through routing via e-mail headers, since both email1@mydomain.com and email2@mydomain.com currently filter messages through preassignedusername@mydomain.com).
 
smakme7757:

So I performed your "short instructions" and it appears to correctly allow me to do what I want, with the exception of the encryption, b/c in order to test it I need to have the decryption key from the receiver's e-mail? or something like that..... which I do not have assigned in my address book... but it looks like currently the digital signature is working as designed.

I only worry about the fact that these messages are being sent via forwarded means. I am testing by sending to myself and it shows with the signature per design that the message hasn't been altered since it was sent (which is great!), but I still get this error when trying to encrypt... (it's expected I think, since I do not have the recipient's decryption key assigned to my address book?)

[screenshot of the error]


In any event, is all of what I am doing now, assigning to identities, pretty much useless, given the fact that these messages are being forwarded through the original preassignedusername@mydomain.com as described above? (which may seem strange to some.......)
 
I'm actually on my way out, so I'll answer your question about email encryption first, then I can answer your longer question above later if no one else does before I get the chance.

Email encryption uses something called PKI or Public Key Infrastructure.

Your email certificate has two parts:
*Public Key - which you can openly post on the internet for everyone to see
*Private Key - which you MUST keep a secret.

When you sign your email as you have done you are also sending a copy of your Public Key to the receiver.

The receiver can then save your Public Key* for later use. Then to encrypt a message to you the receiver will use your Public Key to encrypt an email they are sending to you. You can only encrypt email for the intended recipient (email listed in the public key).

When you receive the message you will use your Private Key to decrypt the message.

So anything encrypted with your Public Key can only be decrypted by your Private Key (which only you have, so it's for privacy).

Anything encrypted with your Private Key can be decrypted by your Public Key, so the information can be read by everyone with your public key. This is good for verifying the sender, because only the sender will have had access to the secret Private Key.

So if you want to test how it works you can download my public key from here: https://jackkb.net/Downloads/PUB_JackBrennan.zip

and try to send me an encrypted email. If you also sign the encrypted email I will be able to reply with encryption as well.

Good Luck!

*In Thunderbird you do this by saving the person as a contact and the key should automatically be imported. Or by right clicking the graphical image which represents a signed message and importing the certificate into your certificate store on your computer. Outlook works the same way from memory.
 

Thank you for taking the time to provide further clarification. Just to make sure I understand this right: the COMODO e-mail certificate I obtained gives me a *.p12 file for each e-mail address that I register. According to what you state, this file itself contains BOTH the PUBLIC & PRIVATE key?

How would I make sure that only my public key is seen by recipients of encrypted messages ? Would it be correct from what you said to believe that all that is needed to facilitate encryption is two people first at a minimum send e-mails to each other that are Digitally Signed? (so they exchange keys?)

Hence, the sending of the certificate would not be required?

(but I realize you posted yours simply to facilitate helping me to configure and test *since you do not know my email...*) Did I understand all of that correctly?

D=

If my understanding above is right, I am assuming that the reason I get the error message posted in Post #11 is because I have yet to exchange, at a minimum, a 'Digitally Signed' message with that address.... right?
 
That's right. You would first send a signed Email to someone which would then give the other person a copy of your Public Key. They can then reply to that email and select the encrypt button if they wish. Or save the certificate for later use.

An easy way to get a copy of your public key is to send a signed email to yourself. Open the email and right click the GUI image of your certificate in your email program and click export.

So to send encrypted messages to another person you need their Public key, because you will be encrypting the email with their Public Key. Then they use their Private Key to decrypt the message.
 