#658 new
jachin

Unable to encrypt messages with S/MIME

Reported by jachin | March 4th, 2014 @ 11:15 PM

hi there

When I try to send an encrypted message (with S/MIME) I get the following error.

Unknown format in import. Error code: -25257

OpenPGP encryption seems to work fine. I can sign messages with S/MIME fine.

I tried turning on the logging by following the instructions here.
http://manual.mailmate-app.com/hidden_preferences

I set the following but I might have done it wrong.

defaults write com.freron.MailMate LoggingEnabled -bool YES
defaults write com.freron.MailMate MmDebugSecurity -bool YES

I looked at /tmp/mailmate_logs/mailmate_parser_problems.log but nothing showed up.

Do I need to run those "defaults write" commands in a particular directory, or can I just run them from anywhere?

Any help in figuring out what's going on would be great.

Thanks.

-jachin

Comments and changes to this ticket

  • Matthias Hofherr

    Matthias Hofherr March 17th, 2014 @ 01:46 PM

    Hi Jachin,

    were you able to solve your problem? I have exactly the same problem with MailMate.
    I verified that my certificates are not the problem, since I can send encrypted mails with the Mail-App just fine.

    Best

    Matthias

  • benny

    benny March 17th, 2014 @ 01:59 PM

    @jachin: Sorry for the late reply. (I'm quite a bit behind on answering emails and some fall between the cracks.)

    Do not use LoggingEnabled:

    defaults write com.freron.MailMate LoggingEnabled -bool NO  
    defaults write com.freron.MailMate MmDebugSecurity -bool YES
    

    To answer your other question, it does not matter where you are when you use the defaults commands. It writes values to ~/Library/Preferences/com.freron.MailMate.plist in any case.

    Then launch MailMate from the Terminal:

    /Applications/MailMate.app/Contents/MacOS/MailMate
    
  • Matthias Hofherr

    Matthias Hofherr March 17th, 2014 @ 02:56 PM

    Hi Benny,

    since I have exactly the same problem, here is my debug output from MailMate, following the steps from your message above:

    Searching for certificate for <target email>  
     Found 1 candidate(s)
      Certificate has 2 email address(es)
      Comparing '<target email>' with '<target email>'
      Found match
    Searching for certificate for <my email>  
     Found 2 candidate(s)
      Certificate has 2 email address(es)
      Comparing '<my email>' with '<my email>'
      Found match
     Addresses found: 0x0, 0xf5cef30
     CMSEncode
    S/MIME verify/decrypt  
     Data (1031)
     CMSDecoderCreate
     Detail: Unknown format in import. Error code: -25257
     Result: Failure
     Detail: Unknown format in import. Error code: -25257
    

    Best

    Matthias

  • jachin

    jachin March 26th, 2014 @ 01:29 AM

    Cool, yeah I'm getting the same error message as Matthias.

    S/MIME sign/encrypt
     Sign for address: <my email>
     Encrypt for address: <target email>
     Encrypt for address: <my email>
     Input string (36): "Content-Type: text/plain\r\n\r\ntest"
    Searching for certificate for <target email>
     Found 1 candidate(s)
      Certificate has 1 email address(es)
      Comparing '<target email>' with '<target email>'
      Found match
    Searching for certificate for <my email>
     Found 2 candidate(s)
      Certificate has 1 email address(es)
      Comparing '<my email>' with '<my email>'
      Found match
     Addresses found: 0x2b1c0a10, 0x203f7d10
     CMSEncode
    S/MIME verify/decrypt
     Verify for address: <my email>
     Data (5267)
     CMSDecoderCreate
     Detail: Unknown format in import. Error code: -25257
     Result: Failure
     Detail: Unknown format in import. Error code: -25257
    
  • benny

    benny March 26th, 2014 @ 03:19 PM

    I haven't been able to look into the details of this problem yet. Is there any chance that MailMate picks up the wrong S/MIME certificate? That is, do any of you have more than 1 certificate for any of the given email addresses (both sender and recipient)? I believe it would fail as you have described if MailMate can access the public key, but then cannot locate the private key of the certificate.

  • jachin

    jachin March 26th, 2014 @ 04:33 PM

    I don't think I have more than one key for either the recipient or the sender. I just looked in the "Keychain Access" app and searched for the email addresses.

    I doubt it would be relevant, but I do have (other) GPG keys for both the recipient and the sender (my company recently switched from GPG to S/MIME).

  • Matthias Hofherr

    Matthias Hofherr April 1st, 2014 @ 04:59 PM

    No, I do not have multiple S/MIME certificates / keys either.
    I tried with the standard Mail app of Mac OS X, which uses the same certificates as MailMate. It works without a problem.

  • Nikolaj R

    Nikolaj R June 4th, 2014 @ 09:10 PM

    Hi Benny,

    I get this for two different S/MIME certs (from others) that are in my keychain with 'Always Approve':

    S/MIME verify/decrypt
     Verify for address: <sender email which matches the cert>
     Data (63477)
     CMSDecoderCreate
     Detail: Unknown format in import. Error code: -25257
    2014-06-04 22:55:34.412 MailMate[7931:507] Warning: Unknown security problem (Unknown): unknown
    
    /MIME verify/decrypt
     Verify for address: <sender email which matches the cert>
     Data (67489)
     CMSDecoderCreate
     Detail: Unknown format in import. Error code: -25257
    2014-06-04 22:56:38.720 MailMate[7931:507] Warning: Unknown security problem (S/MIME): unknown
    

    I also get this when I try to sign an email:

    S/MIME sign/encrypt
     Sign for address: <my address, also the one in the cert>
     Input string (32): "Content-Type: text/plain\r\n\r\n"
     Result: Failure
     Detail: Failed to find identity to sign for <my address, also the one in the cert>
     Detail: The specified item could not be found in the keychain. Error code: -25300
    Warning: Decoding empty text body for id 64887
    2014-06-04 22:57:53.224 MailMate[7931:507] Warning: Unknown security problem (S/MIME): unknown
    2014-06-04 22:57:53.249 MailMate[7931:507] Warning: Unknown security problem (S/MIME): unknown
    2014-06-04 22:57:53.280 MailMate[7931:507] Warning: Unknown security problem (S/MIME): unknown
    

    Finally I got this from trying to encrypt an email:

    S/MIME verify/decrypt
     Verify for address: <my address, also the one in the cert>
     Data (0)
     Input string (32): "Content-Type: text/plain\r\n\r\n"
     CMSDecoderCreate
     CMSDecoderUpdateMessage
     Output string (3): "�"
     Detail: Unknown format in import. Error code: -25257
    2014-06-04 22:58:16.166 MailMate[7931:507] Warning: Unknown security problem (S/MIME): unknown
    

    I should mention that it does not work in Mail app either. My own certificate is a NemID :)

    Kind regards,
    Nikolaj

  • Nikolaj R

    Nikolaj R June 5th, 2014 @ 12:47 PM

    Is there something I can do, possibly with the security command, that will eliminate MailMate as an error source?

  • Keith Royster

    Keith Royster June 9th, 2014 @ 01:20 PM

    Just wanted to throw my hat in as having the same problem. I can sign, but I can't encrypt. I get the same "Unknown format in import. Error code: -25257". Oddly, I think it was working correctly when I first set up MailMate, but then started failing a couple of days into my free trial. I seem to recall sending a couple of successfully encrypted test messages - but I can't be certain.

    Is PGP or GPG a common factor here that might be causing a conflict? I have GPGTools installed for command-line utils, but it is unchecked in MailMate preferences. At one time a while ago I also had its mail helper installed for Mail.app, but have since disabled it. Could there be some remnant causing a conflict with S/MIME? ( And why does MailMate complain about someone's mismatched PGP signature if I have PGP disabled in the prefs? Is that another clue, or normal behavior to check sigs regardless of that setting? )

  • benny

    benny June 9th, 2014 @ 01:56 PM

    No, I definitely do not think GPGTools plays any role in this. I use two completely different APIs, and GPGTools does not store its keys in the OS X keychain.

    I suggest you all fetch the latest test version (hold down ⌥ when clicking “Check Now” in the Software Update preferences pane). The only change is that I now output the serial number of the certificates found. This provides an extra way to check that the correct certificate is used.

    Also, it seems the problem might be related to specific certificates. I would appreciate if one of you could send me a public key for which encryption fails. Just so I can check if I can reproduce the issue. Use “Help ▸ Send Feedback” for that.

  • Keith Royster

    Keith Royster June 9th, 2014 @ 05:00 PM

    Upgrading to build 4307 did not fix it. I use S/MIME almost exclusively for inter-office email, and we use certs from Comodo. I do recall having to install a trusted CA certificate on my iPhone to use it, but that was only on my iPhone - the default CA certs on OS X worked fine for the Comodo certs.

    Test email sent....

  • Nikolaj R

    Nikolaj R June 27th, 2014 @ 01:38 PM

    I've updated to Version 1.8 (4214) and I still have the problem. I'll verify the serials next.

  • jachin

    jachin July 21st, 2014 @ 11:12 PM

    Just to add one more wrinkle in all this...

    I recently had some trouble getting a new S/MIME cert. I ended up trying a lot of different things. When I was done, encryption worked for me.

    I'm afraid I don't really know exactly what I did that fixed it, but I suspect it was one of 2 things.

    1. I updated to the latest beta release. Version 1.8 (4387)
    2. I got a new S/MIME cert.

    So I'm no longer having this issue, but I did run into #527.

  • MikeC

    MikeC March 8th, 2015 @ 12:14 PM

    I also get the error:

    Failed to find identity to sign for user@domain.com [that is, me]. The specified item could not be found in the keychain. Error code: -25300

    Also, attempt to enable debugging failed. I tried combinations like:

    150 3/8/2015 04:58 defaults write com.freron.MailMate LoggingEnabled -bool NO
    151 3/8/2015 04:58 defaults write com.freron.MailMate MmDebugSecurity -bool YES
    166 3/8/2015 05:05 defaults write com.freron.MailMate LoggingEnabled -bool YES
    167 3/8/2015 05:05 defaults write com.freron.MailMate MmDebugScripts -bool YES
    168 3/8/2015 05:05 defaults write com.freron.MailMate MmDebugSecurity -bool YES

    And still I only see /tmp/mailmate_logs/mailmate_parser_problems.log (I don't see other files in /tmp) which doesn't reflect the actual S/MIME errors I got. Before setting up MailMate I had an expired personal S/MIME certificate as well as a current one, with Identity Preference pointing to the active one such that Mail.app works fine. Originally, MailMate was choosing the older one. So I deleted the older personal certificates from my keychain and restarted. Now I get the error above. I believe that the identity preference is the way to designate the active intended certificate pertaining to an email address. I also don't see any MailMate logs in a standard place like ~/Library/Logs so I'm not sure what other information I can submit.

  • fnurl

    fnurl June 1st, 2015 @ 12:19 PM

    Hi, I was getting the same problem as @MikeC. I have not been able to sign my messages for some time, but now I took another look at the problem. The problem was that my private key was missing from my Keychain for some reason. I am guessing it disappeared during my Yosemite upgrade - migrated from a Time Machine, or during some other iCloud sync process.

    I had already tried downloading my certificate again, but that did not work, what I had to do was to use the password protected .p12 file I had on my secure backup (which I googled and found out contains both the certificate and the private key).

    Now signing and encryption in MailMate works again!

  • Philip Kizer

    Philip Kizer September 4th, 2015 @ 10:48 PM

    Though I had X509/SMIME working previously I'm now having this problem as well. The problem only exists for one of my key+cert pairs, though.

    This is on: Version 1.9.2 (5107)

    In an effort to rule things out I went all the way to removing any/all keys and certs for my primary e-mail address from the Keychain (searching for the address in Keychain did return the cert initially and after deletion now only returns unrelated jabber application passwords, no remaining certs).

    And to make sure MailMate wasn't caching anything I then quit and re-started it (via the command-line with MmDebugSecurity turned on as above).

    Even with Keychain returning zero cert entries for that e-mail address, I get the following Debug output:

    2015-09-04 16:34:52.147 MailMate[62159:7733217] Warning: Unknown security problem (S/MIME): unknown
    S/MIME sign/encrypt
    S/MIME sign/encrypt
     Encrypt for address: [my-address]
     Encrypt for address: [my-address]
     Input string (58): "Content-Type: text/plain\r\n\r\nhi me #3\r\n\r\n\r\n-p\r\n"
    Searching for certificate for [my-address]
     Found 6 candidate(s)
      Certificate has 1 email address(es)
      Comparing '[my-address]' with '[my-address]'
      Found match (Serial: 0x3A225944D7E8103125A1A3F2441E0208)
    Searching for certificate for [my-address]
     Found 6 candidate(s)
      Certificate has 1 email address(es)
      Comparing '[my-address]' with '[my-address]'
      Found match (Serial: 0x3A225944D7E8103125A1A3F2441E0208)
     Addresses found: 0x0, 0x7fe8a168f9d0
     CMSEncode
    S/MIME verify/decrypt
     Data (927)
     CMSDecoderCreate
     Detail: Unknown format in import. Error code: -25257
     Unable to decrypt/verify the encrypted data.
     Result: Failure
     Detail: Unknown format in import. Error code: -25257
    2015-09-04 16:35:19.039 MailMate[62159:7733217] Warning: Unknown security problem (S/MIME): unknown

    If the Keychain has no certificates for my address, where is it finding those 2 candidates that have matching addresses (or could it be seeing the 2 jabber application password items as possibilities)?

    I then went a little further and did the following:

    1: Deleted all Key+Cert pairs for that address,
    2: Signed in with Mail.app and tried composing mail to encrypt/sign,
    3: Verified Mail.app didn't think there was any matching key/cert for that address,
    4: Quit Mail.app and restored the Key+Cert,
    5: Restarted Mail.app and saw that it saw the Key+Cert and sent myself a message signed and encrypted with my own x509 data,
    6: Connected with MailMate.app and was able to decrypt the message and verify the signature,
    7: Tried replying to the message keeping sign+encrypt turned on and got the "Error code: -25257" problem again.

    From Keychain and manually looking at the certificate with 'openssl x509 -noout -serial' the correct serial number should be:

    serial=0E8E18

    After returning the proper Key+Cert to the Keychain, the output is a bit different:

    Comparing: [other-address-1]
    Comparing: [other-address-2]
    Comparing: [other-address-3]/expired
    Comparing: [other-address-3]
    Comparing: [my-address]
    Searching for certificate for [my-address]
     Found 7 candidate(s)
      Certificate has 1 email address(es)
      Comparing '[my-address]' with '[my-address]'
      Found match (Serial: 0x3A225944D7E8103125A1A3F2441E0208)
    Searching for certificate for [my-address]
     Found 7 candidate(s)
      Certificate has 1 email address(es)
      Comparing '[my-address]' with '[my-address]'
      Found match (Serial: 0x3A225944D7E8103125A1A3F2441E0208)
     Addresses found: 0x7fe8a2946400, 0x7fe8a1e6e890
     CMSEncode
    S/MIME verify/decrypt
     Verify for address: [my-address]
     Data (2905)
     CMSDecoderCreate
     Detail: Unknown format in import. Error code: -25257

    And I have verified I can send signed and encrypted messages both from and to my other-address-1 and other-address-3.

    Then things got even weirder. I found I can't sign+encrypt to a friend's e-mail address, but I could send signed and receive encrypted.

    I then did the full mesh and found I could sign+encrypt:

    [other-address-1] to and from [other-address-1]
    [other-address-1] to and from [other-address-2]
    [other-address-1] to and from [other-address-3]
    [other-address-2] to and from [other-address-2]
    [other-address-2] to and from [other-address-3]
    [other-address-3] to and from [other-address-3]
    [other-address-1] to and from [my-address]
    [other-address-2] to and from [my-address]
    [other-address-3] to and from [my-address]

    I can't seem to sign+encrypt [my-address] to/from [my-address] or two friends' addresses who don't mind receiving such test messages from me (if it were to work), and I haven't had a chance to check many other destinations yet.

    If there is anything else I can do to help debug I'll be happy to help.

  • Paul

    Paul November 2nd, 2015 @ 06:42 AM

    I have the same problem (error -25257) and I hope it can be fixed RSN. The inability to encrypt is a serious problem for me.

    Thanks,

    Paul.

  • benny

    benny November 2nd, 2015 @ 01:49 PM

    @Paul: This happens when encrypting for a specific recipient? Or for any recipient?

    @Philip: Sorry about the late response. If I understand correctly then this happens when encrypting for a specific recipient?

    For both of you, I would assume that I should be able to reproduce the issue if you provide me with the public certificate for one of these recipients and the email address you are trying to send to (I won't send anything to them). You can send that to me using “Help ▸ Send Feedback” within MailMate.

  • TomEck

    TomEck August 29th, 2016 @ 03:46 PM

    Hi Benny,

    Is this problem still existing or fixed? Today I encountered a problem with S/MIME encryption and MM shows the error message:

    Unknown format in import. Error code: -25257

    Btw, I cannot encrypt the message with Mail and iOS Mail either.

    Thanks,

    Thomas

  • benny

    benny September 16th, 2016 @ 08:11 AM

    @TomEck: Sorry about the late reply. As discussed by email, in your case it appears the problem is that OS X does not know the intermediate certificate needed to verify the certificate of the recipient. In this particular case, it could be located here and added to the keychain to resolve the issue. I found the information needed by viewing the certificate and then noting the “Issued by” part at the top of the certificate. This might also be helpful for other users in this ticket.
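As an added example that is not part of this ticket or of MailMate, the following shell script rebuilds the situation benny describes (a recipient certificate issued by an intermediate CA that the local trust store does not know) and shows the openssl checks that expose the missing issuer. The CA names and recipient@example.com are constructed for the demonstration, and it assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not MailMate's code): reproduce the failure mode benny
# identifies above, a recipient certificate whose issuing (intermediate) CA is
# not in the local trust store, and show the openssl checks that expose it.
# All names (Example Root CA, Example Issuing CA, recipient@example.com) are
# constructed for this demonstration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config with extension profiles for the CAs and for the
# recipient's S/MIME (emailProtection) certificate.
cat > "$WORK/ssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
[v3_smime]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
EOF
KEYOPTS="-newkey rsa:2048 -nodes"

# Build root -> intermediate -> recipient, the shape of a typical commercial S/MIME cert.
make_chain() {
  openssl req -x509 $KEYOPTS -config "$WORK/ssl.cnf" -extensions v3_ca -days 365 \
    -subj "/CN=Example Root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new $KEYOPTS -config "$WORK/ssl.cnf" -subj "/CN=Example Issuing CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 1000 -days 365 -extfile "$WORK/ssl.cnf" -extensions v3_ca -out "$WORK/inter.pem" 2>/dev/null
  openssl req -new $KEYOPTS -config "$WORK/ssl.cnf" \
    -subj "/CN=Recipient/emailAddress=recipient@example.com" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -set_serial 2000 -days 365 -extfile "$WORK/ssl.cnf" -extensions v3_smime -out "$WORK/leaf.pem" 2>/dev/null
}

# The addresses MailMate's log counts, and the "Issued by" name benny points to:
# that issuer is the certificate which must be present in the keychain.
emails_of() { openssl x509 -noout -email -in "$1"; }
issuer_of() { openssl x509 -noout -issuer -in "$1"; }

# chain_ok TRUSTED LEAF [UNTRUSTED]: succeeds only if a path to a trusted root exists.
chain_ok() {
  if [ -n "${3:-}" ]; then openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; fi
}

make_chain
echo "Recipient addresses: $(emails_of "$WORK/leaf.pem")"
if chain_ok "$WORK/root.pem" "$WORK/leaf.pem"; then echo "verifies with the trusted roots alone"
else echo "no path to a trusted root; import the issuing CA: $(issuer_of "$WORK/leaf.pem")"; fi
if chain_ok "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/inter.pem"; then echo "with the intermediate supplied: OK"; fi
```

On a Mac the same "Issued by" name is what to look for in Keychain Access; if that issuer is absent, importing it is the fix benny describes.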

  • _tnull

    _tnull June 13th, 2017 @ 11:11 AM

    [deleted - PEBKAC]
