Mulberry offers S/MIME support which enables the ability to digitally sign messages, and the ability to encrypt messages.
Table of Contents
- S/MIME Support
- Using a Personal Certificate with Mulberry
- Digitally Signed Messages
- Encrypting and Decrypting Messages
- Mailman List Issues
S/MIME Support
Mulberry (version 3.1.6) supports S/MIME (Secure/Multipurpose Internet Mail Extensions), a secure extension of MIME that provides sender authentication through digital signatures and added privacy through encryption.
S/MIME support is added by a separate "crypto plug-in" that is wrapped into ITC's Mulberry installer; see below for instructions on how to install a personal certificate and use the plug-in.
Using a Personal Certificate with Mulberry
The ability to use Mulberry's S/MIME feature requires a personal certificate. Follow the steps below to set up a personal certificate for Mulberry.
- Download a personal certificate
- Import the certificate into Mulberry
- Change Email Address in Mulberry to Match Certificate
- Download a personal certificate
You can download a personal certificate from ITC to your desktop.
- Macintosh users: It is not possible to export the certificate from the Mac OS X Keychain.
- Windows users: when downloading your personal certificate, in the "PKI - UVa Standard Assurance - Cert Request - Windows Internet Explorer" window, click Advanced and select "(exportable) Microsoft Enhanced Cryptographic Provider v1.0".
- Import the certificate into Mulberry
- In Mulberry, choose Preferences…
- Macintosh: from the Mulberry menu.
- Windows: from the File menu.
- Select the Advanced radio button.
- Select the Security tab.
- After Preferred, select S/MIME.
- Click the Manage Certificates button.
- Select the Personal tab.
- Click the Import button.
- Browse to your Desktop and select the certificate file saved in the download step.
- When prompted for your Private key passphrase (the password used when requesting the certificate from the web), enter your passphrase.
- Click OK.
- Your certificate will appear in the list of Personal certificates as yourID@virginia.edu (example: mst3k@virginia.edu).
- Click OK on each of the dialog boxes to close these windows.
- Change Email Address in Mulberry to Match Certificate
- In Mulberry, choose Preferences…
- Macintosh: from the Mulberry menu.
- Windows: from the File menu.
- Select the Simple radio button.
- Change your email address from the full local address (for example, mst3k@cms.mail.virginia.edu) to the abbreviated form of your address (as in mst3k@virginia.edu).
- Click OK to save the change and close Preferences.
Digitally Signed Messages
What do signed messages mean for you?
Digitally signed messages ensure both the identity of the sender and authenticity of a message.
How do you sign messages?
After installing the S/MIME plug in and importing your personal certificate, you may digitally sign new messages you compose.
Note: The From: line of a digitally signed message must match your root certificate ID in the form your_email_ID@virginia.edu. This can be
- changed manually for each message you sign, or
- changed globally in the Email Address field:
- In Mulberry, choose Preferences…
- Macintosh: from the Mulberry menu.
- Windows: from the File menu.
- Select the Simple radio button.
- Make the change to the Email Address: line.
- Click OK to save the change.
To digitally sign your message:
- Click the Sign button on the Draft window toolbar.
- You will be prompted to enter the passphrase for your private key (this is the password you created when you imported your personal certificate).
- Enter your password and click OK to sign and send your message.
Be aware that signatures will add several kilobytes to the size of your message.
How do you receive digitally signed messages?
When you install the crypto plug-in with Mulberry, you also install UVa's root certificate that enables Mulberry to verify signatures of those who send signed messages to you.
- Signed messages are denoted with a pencil icon in the Attachments column of the Items pane.
- Highlighting a signed message in the Items pane will check the signature of the signed message and display a message box to notify you that the signature has been verified as good.
- Click OK to close the message box and view the message.
- In the Message window, a Signature bar appears just above the body of the message that indicates the status of the signature and by whom the message was signed.
- The signature is attached as an application/pkcs7-signature part to the message visible in the Parts section of the message window.
Encrypting and Decrypting Messages
Mulberry 3.1.6 supports message encryption.
Warning: If you lose the private key of your personal certificate, replace it by downloading a new personal certificate (and deleting the old one), or forget your certificate passphrase, you will no longer be able to read encrypted messages that you have sent (i.e., messages saved in your sent mail folder) or have received from others. Your important documents could then be inaccessible. Private keys may be deleted by accident or lost when your computer is rebuilt. For this reason, we urge you to exercise caution when considering whether to encrypt messages.
To encrypt a message:
- In Mulberry, click the Draft button to compose a new message.
- Due to identification requirements of UVa's root certificate, email addresses must match the root certificate ID format. For this reason, you may need to modify the email address(es) in the To: line of the message to match the abbreviated form of the recipient email address, as in mst3k@virginia.edu.
- Click the Encrypt button on the Compose window toolbar to enable message encryption.
- Click the Send button to send the message.
Note: You can only encrypt messages to those for whom you have a locally stored public key. Mulberry acquires and stores a public key when you receive and verify a digitally signed message from an individual.
To decrypt a message, you must have:
- A personal certificate that contains your private key. When you install the crypto plug-in with Mulberry, you also install UVa's root certificate that enables Mulberry to decrypt messages you receive.
- A stored local copy of the sender's public key, obtained when you receive and verify a digitally signed message from the sender.
- The Mulberry 3.1.6 email application with the S/MIME plugin, or another email application that supports S/MIME.
- Encrypted messages are denoted with a padlock icon in the Attachments column of the Items pane.
- Highlighting an encrypted message in the Items pane of your Inbox will trigger Mulberry to prompt you for your passphrase. Enter your passphrase and click OK to decrypt and view the contents of the message.
- Above the message body window, a message status bar indicates that message decryption was successful.
Decryption Failure
Should you cancel the action to decrypt a message or enter an incorrect passphrase when prompted, Mulberry will display the following notice in the message window:
The message status bar will also indicate decryption failure.
Mailman List Issues
Disable Mailman List Message Footer
Mailman mailing lists are configured by default to add an extra footer to the body of messages distributed to a list, thus modifying the original message. Modifying the body of a digitally signed message breaks the digital signature.
To ensure the integrity of a digitally signed message sent to a Mailman mailing list, the list administrator must disable the extra footer feature for their list(s).
Consult ITC's Mailman documentation to disable the extra footer.
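An added example, not part of ITC's documentation or Mulberry's code, that ties together the points above: it recognises signed and encrypted messages by the same MIME parts Mulberry keys its pencil and padlock icons on (application/pkcs7-signature and smime-type=enveloped-data), checks that the From: address equals the certificate identity, and computes the digest over the signed part so the effect of a Mailman footer on a signature is visible. The messages and their base64 blobs are constructed placeholders rather than real CMS objects, and only the Python standard library is used.

```python
# Added example (not ITC's page or Mulberry's code): classify an S/MIME message by
# its MIME structure and show why a Mailman footer invalidates a signature.
# Standard library only; both messages are constructed with placeholder CMS blobs.
import hashlib
from email import message_from_string
from email.utils import parseaddr

SIGNED_MSG = (  # constructed RFC 1847 multipart/signed message; blob is NOT a real signature
    "From: Joel <mst3k@virginia.edu>\r\nTo: tom@virginia.edu\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/signed; protocol="application/pkcs7-signature";'
    ' micalg=sha-256; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nMeeting moved to 3pm.\r\n"
    "--b1\r\nContent-Type: application/pkcs7-signature; name=smime.p7s\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\nUExBQ0VIT0xERVI=\r\n--b1--\r\n"
)
ENCRYPTED_MSG = (  # constructed enveloped-data message (the shape of an encrypted mail)
    "From: tom@virginia.edu\r\nMIME-Version: 1.0\r\n"
    "Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m\r\n"
    "Content-Transfer-Encoding: base64\r\n\r\nUExBQ0VIT0xERVI=\r\n"
)

def classify(raw):
    """'signed' (pencil icon), 'encrypted' (padlock icon) or 'plain', decided
    purely from the Content-Type, as a client does before any crypto runs."""
    msg = message_from_string(raw)
    if msg.get_content_type() == "multipart/signed" and \
            msg.get_param("protocol") == "application/pkcs7-signature":
        return "signed"
    if msg.get_content_type() in ("application/pkcs7-mime", "application/x-pkcs7-mime") \
            and msg.get_param("smime-type") == "enveloped-data":
        return "encrypted"
    return "plain"

def from_matches_certificate(raw, cert_email):
    """The From: address must equal the certificate's e-mail identity; otherwise
    the recipient's client reports a signer that does not match the sender."""
    return parseaddr(message_from_string(raw)["From"])[1].lower() == cert_email.lower()

def signed_body_digest(raw):
    """SHA-256 over the first MIME part (headers + body) in CRLF canonical form:
    the value a CMS messageDigest attribute carries for micalg=sha-256."""
    part = message_from_string(raw).get_payload()[0]
    canonical = part.as_string().replace("\r\n", "\n").replace("\n", "\r\n")
    return hashlib.sha256(canonical.encode()).hexdigest()

def append_list_footer(raw, footer):
    """Do what Mailman's footer option does: append text to the signed body part
    and re-serialize. The structure still reads as 'signed', but the digest moves."""
    msg = message_from_string(raw)
    part = msg.get_payload()[0]
    part.set_payload(part.get_payload() + footer)
    return msg.as_string()
```

Because the signature blob is a placeholder, the block stops at the digest comparison; a real verifier would go on to check that digest against the signer's certificate chained to the UVa root.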
About Message Encryption and Mailman Lists
It is not possible to send an encrypted message to members of a mailing list because the mailing list itself does not have the key to decrypt it.
