#725 ✓fixreleased
Matt Gray

S/MIME encrypted e-mails unreadable in iOS Mail

Reported by Matt Gray | April 21st, 2014 @ 06:53 PM

  • An S/MIME-encrypted message to myself sent from MailMate is not readable in iOS Mail.
  • An S/MIME-encrypted message to myself sent from iOS is readable in MailMate.
  • Anecdotally, co-workers report trouble opening S/MIME-encrypted messages from MailMate on Apple Mail as well as iOS (but I cannot reproduce).

Steps

  1. Ensure your S/MIME keys are installed on your desktop and an iOS device.
  2. Configure your iOS device to both sign and encrypt e-mails using S/MIME.
  3. Send yourself an S/MIME encrypted e-mail from iOS.
  4. Confirm that you can read the decrypted e-mail in MailMate.
  5. Confirm that you can read the decrypted e-mail on iOS.
  6. Send yourself an S/MIME encrypted e-mail from MailMate.
  7. Confirm that you can read the decrypted e-mail in MailMate.
  8. Attempt to read the decrypted e-mail on iOS.

    iOS Mail fails to decrypt the message.

Versions

  • MailMate/4097 MacBookPro11,3/x86_64/8/10.9.2
  • iOS 7.1 (11D167)

Attachments

  1. The error message shown when viewing a MailMate-encrypted message in iOS
  2. The relevant portion of the iOS 7 screenshot

Comments and changes to this ticket

  • benny

    benny April 22nd, 2014 @ 01:42 PM

    • State changed from “new” to “reproduced”

    Thanks for the detailed report. The error messages are a bit misleading (installing a profile), but I can reproduce the issue (not sure why it's not reported more often :-) ).

    After some testing (iOS 5), it appears the problem only appears with signed+encrypted messages. If I only sign or only encrypt then there is no problem. This matches the fact that MailMate handles sign+encrypt differently than iOS Mail. Apple first signs and then encrypts the message while MailMate does both at once (using an Apple framework). I'm not going to claim that the bug is in iOS, but I don't know why they reject such messages. In any case, I would actually prefer if MailMate behaved like Apple Mail and that would probably fix the issue whether or not it's a MailMate bug.

    I'll assume for now that the Apple Mail problem is the same.

  • benny

    benny January 20th, 2017 @ 03:47 PM

    I'm not going to make any promises, but I've been looking at the issue the past hour or so. Mainly reproducing it again to allow me to do some experiments to see how hard it'll be to fix. The theory is still that the problem is that MailMate does not sign and encrypt in a 2-step process. If this theory is not correct then it might be hard to figure out what's going on, but I promise to at least attempt to fix it.

    And yes I was hoping the issue would be fixed on iOS. I still don't think it's a MailMate bug, but I also know that is irrelevant :)

  • benny

    benny January 20th, 2017 @ 04:01 PM

    Just a quick update: I already think I'm wrong about the 2-step sign and encrypt theory. If I'm right about that then the fix might not be so hard. It might be as simple as providing some (correct?) hints in the Content-Type header. If that is true then the age of this ticket is embarrassing. I might have been barking up the wrong tree (if that's the correct expression). I don't have more time right now, but I promise to look into the details of this soon – and then I'll update this ticket (days and not years)...

  • benny

    benny January 21st, 2017 @ 07:25 AM

    @Matt: I was probably a bit too fast. I've uploaded a new test version with a minor change, but I seriously doubt that'll make a difference. Unfortunately I cannot test it myself right now, because MailMate somehow got “locked” out of using the certificates in my keychain. Pretty sure this is a symptom of some Apple bug, but right now I don't really know how to fix it (and I don't have time before Monday). Hopefully resetting the keychain can help. Hold down ⌥ when clicking “Check Now” in the Software Update preferences pane.

  • benny

    benny January 23rd, 2017 @ 10:33 PM

    @Matt: Yeah, I must have done something wrong when I tested it. The good news is that I've now tested if making encryption and signing a two-step process makes a difference. I've now got a message on my iPhone (iOS 9) which is signed and encrypted by MailMate and it displays correctly as both signed and decrypted. Still no time frame on this (it's a crude hack for now), but I'm on the right track.

    For anyone curious about what I'm talking about then this is the problem: When both signing and encrypting a message then there are essentially two ways to do it.

    • Sign and encrypt in one go. It'll essentially look just like an encrypted message and the message structure is like this:

      application/pkcs7-mime

    When decrypted then the decrypted content is just whatever the original unencrypted message looked like. The signature is checked at the same time as the content is decrypted.

    • First sign and then encrypt. This looks just like an encrypted-only message except that when decrypted then the inner content is like a signed message:

      multipart/signed
        text/plain (assuming the content is a simple text message)
        application/pkcs7-signature

    The latter is nicer in the sense that it separates signing and encrypting. I don't mind going in this direction — even if it's because of a bug in iOS Mail.
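
    Added example, not part of the ticket and not MailMate's code: a header-only check that tells the two layouts described in the comment above apart once the outer `application/pkcs7-mime` envelope has been decrypted. The function names and the sample entities are hypothetical and constructed; decryption itself is assumed to happen in an external CMS tool.

```python
from email import message_from_bytes

ENVELOPE_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
SIGNATURE_TYPES = {"application/pkcs7-signature", "application/x-pkcs7-signature"}

# Constructed sample entities; "AAAA" stands in for real base64 CMS data.
OUTER = (b'Content-Type: application/pkcs7-mime; smime-type=enveloped-data;'
         b' name="smime.p7m"\nContent-Transfer-Encoding: base64\n\nAAAA\n')
INNER_TWO_STEP = b"""Content-Type: multipart/signed; protocol="application/pkcs7-signature"; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""
INNER_PLAIN = b"Content-Type: text/plain\n\nhello\n"

def _param(msg, name):
    value = msg.get_param(name)
    return value.lower() if isinstance(value, str) else ""

def classify_entity(raw: bytes) -> str:
    """Classify one MIME entity by its S/MIME role, from headers only."""
    msg = message_from_bytes(raw)
    ctype = msg.get_content_type()
    if ctype in ENVELOPE_TYPES:
        # smime-type is only a hint; when absent, treat the entity as encrypted.
        smime_type = _param(msg, "smime-type") or "enveloped-data"
        return "opaque-signed" if smime_type == "signed-data" else "enveloped"
    if ctype == "multipart/signed":
        parts = msg.get_payload() if msg.is_multipart() else []
        if (_param(msg, "protocol") in SIGNATURE_TYPES and len(parts) == 2
                and parts[1].get_content_type() in SIGNATURE_TYPES):
            return "detached-signed"
        return "malformed-signed"
    return "plain"

def sign_encrypt_layout(outer: bytes, decrypted_inner: bytes) -> str:
    """Name the layout given the outer entity and its already-decrypted content."""
    if classify_entity(outer) != "enveloped":
        return "not-encrypted"
    inner = classify_entity(decrypted_inner)
    if inner in ("detached-signed", "opaque-signed"):
        return "two-step (sign, then encrypt)"
    if inner == "plain":
        return "no MIME-level signature (one-go or encrypt-only)"
    return inner
```

    With the one-go form the decrypted content carries no signature part, so at the MIME layer it cannot be told apart from an encrypt-only message; only the two-step form exposes the signature as its own entity.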

  • benny

    benny January 24th, 2017 @ 02:45 PM

    • State changed from “reproduced” to “fixcommitted”

    Ok, the latest test release is my first shot at changing MailMate to do encrypted signed messages as a two-step process. My own testing shows that this makes it work on iOS, but I've made a lot of changes and it's not unlikely that I've also introduced bugs.

    Hold down ⌥ when clicking “Check Now” in the Software Update preferences pane and let me know whether or not it works for you.

    (My issue with Keychain Access was not resolved until I deleted the login keychain. I'm pretty sure this is some kind of Apple bug.)

  • benny

    benny January 24th, 2017 @ 02:46 PM

    I should also note that I've made this change for both S/MIME and OpenPGP.

  • benny

    benny February 9th, 2017 @ 01:20 PM

    • State changed from “fixcommitted” to “fixreleased”
