#725 ✓fixreleased
Matt Gray

S/MIME encrypted e-mails unreadable in iOS Mail

Reported by Matt Gray | April 21st, 2014 @ 06:53 PM

  • An S/MIME-encrypted message to myself sent from MailMate is not readable in iOS Mail.
  • An S/MIME-encrypted message to myself sent from iOS is readable in MailMate.
  • Anecdotally, co-workers report trouble opening S/MIME-encrypted messages from MailMate on Apple Mail as well as iOS (but I cannot reproduce).

Steps

  1. Ensure your S/MIME keys are installed on your desktop and an iOS device.
  2. Configure your iOS device to both sign and encrypt e-mails using S/MIME.
  3. Send yourself an S/MIME encrypted e-mail from iOS.
  4. Confirm that you can read the decrypted e-mail in MailMate.
  5. Confirm that you can read the decrypted e-mail on iOS.
  6. Send yourself an S/MIME encrypted e-mail from MailMate.
  7. Confirm that you can read the decrypted e-mail in MailMate.
  8. Attempt to read the decrypted e-mail on iOS.

    iOS Mail fails to decrypt the message.

Versions

  • MailMate/4097 MacBookPro11,3/x86_64/8/10.9.2
  • iOS 7.1 (11D167)

Attachments

  1. The error message shown when viewing a MailMate-encrypted message in iOS
  2. The relevant portion of the iOS 7 screenshot

Comments and changes to this ticket

  • benny

    benny April 22nd, 2014 @ 01:42 PM

    • State changed from “new” to “reproduced”

    Thanks for the detailed report. The error messages are a bit misleading (installing a profile), but I can reproduce the issue (not sure why it's not reported more often :-) ).

    After some testing (iOS 5), it appears the problem only appears with signed+encrypted messages. If I only sign or only encrypt then there is no problem. This matches the fact that MailMate handles sign+encrypt differently from iOS Mail. Apple first signs and then encrypts the message while MailMate does both at once (using an Apple framework). I'm not going to claim that the bug is in iOS, but I don't know why they reject such messages. In any case, I would actually prefer if MailMate behaved like Apple Mail and that would probably fix the issue whether or not it's a MailMate bug.

    I'll assume for now that the Apple Mail problem is the same.

  • juwalter

    juwalter November 16th, 2014 @ 08:46 PM

    bump - here is another report :)

    I have exactly the same problem (thanks @Matt Gray for the fantastic bug report); and the same "solution", i.e. not signing, only encrypting the message, makes it decryptable on iOS.

    I would also prefer (maybe to have an option) if you could change MailMate in this regard to behave like Apple Mail does, i.e. first sign, then encrypt?

    Thanks, Jürgen

  • 失败是成功之母

    失败是成功之母 April 7th, 2015 @ 11:56 AM

    bump, with MailMate 1.9.1 (5084)
    still the same with iOS 8.2 (12D508)

    Outlook for Mac 2016 (15.8.2, OS X v10.10.2) faces the same issue: "The security of this message cannot be verified because of an error." To read such an E-mail, I have to drag and drop it from Outlook to Apple Mail. The same happens for all previous versions of Outlook for Mac and Microsoft Entourage. By the way, normally, I am an Outlook for Mac user. One of my recipients replied to a signed/encrypted E-mail via MailMate. I installed MailMate just to debug this issue and find the culprit.

    Microsoft Outlook 2013 (15.0.4701.1002; Windows 8.1) does not show the message content either: "Untitled attachment xxxxx.dat". Furthermore, when I view an unencrypted but signed E-mail sent from MailMate, Outlook » (Icon) Signer » Signer » Description » … was signed at 02:00:00 01.01.1601. If the E-mail comes from Apple Mail or Outlook for Mac, the description shows the correct date/timestamp.

    Mozilla Thunderbird (31.6.0) displays the message content, but shows: "Message Has No Digital Signature".

    With OpenSSL (0.9.8), I tried to decrypt the received E-mail message from MailMate manually:
    openssl smime -decrypt -out decrypted.p7m -in message.eml -inkey myKey.pem
    This gives the plain message, the signature, and the certificate of the signer. For example, Apple Mail sends multipart/signed as MIME media type with the certificate not in binary but in Base64:
    openssl smime -verify -signer signer.pem -in decrypted.p7m
    With MailMate, I get a binary message, an ASN.1 sequence of two objects:
    openssl asn1parse -inform DER -in decrypted.p7m
    which I am not able to parse even if I specify -inform DER or go for OpenSSL 1.0.1/CMS, because it does not start with a structure for a/the content type: pkcs7-signedData (OID 1.2.840.113549.1.7.2).

  • 失败是成功之母

    失败是成功之母 April 13th, 2015 @ 08:52 AM

    Sony Xperia (Google Android 4.4.4) is able to display a signed+encrypted message from MailMate. However, the ASN.1 stuff (before and after the message) is shown as binary (garbled). Therefore, the signature is not verified.

    Furthermore, Sony Xperia is not even able to verify a signed-only message from MailMate! I can only guess why: looking at the PKCS#7 data, MailMate sends the intermediate certificates first, then the entity certificate. All other apps I inspected do it the other way around. Perhaps, while looking at this issue, you have the chance to get a Sony Xperia mobile phone and double-check with its built-in S/MIME capable E-mail client. Encrypted-only works, as it does in all my other clients.

  • Matt Gray

    Matt Gray April 17th, 2015 @ 03:00 AM

    • Tag set to encryption, smime
  • Matt Gray

    Matt Gray November 18th, 2015 @ 10:38 PM

    I'd like to bump this. This is a daily annoyance to me, as MailMate doesn't offer an "encrypt but do not sign" default. That means I must remember to always disable signing in order for my colleagues to read any of my encrypted communications; I've also lost the ability for my colleagues to verify the authenticity of my messages.

    Can you provide an update, please?

  • Lars

    Lars June 16th, 2016 @ 06:16 PM

    I am experiencing this issue as well on iOS 9.3.2 while using MailMate v5249.
    It is either signing or encryption, but not both at the same time.

    Any hope of a fix?

  • Matt Gray

    Matt Gray June 16th, 2016 @ 06:23 PM

    I, too, would love a fix. I have to stay vigilant and never, ever sign my encrypted messages for iOS compatibility reasons, which is far from ideal.

  • ari tikka

    ari tikka August 12th, 2016 @ 05:42 AM

    I am running into this problem and face peer pressure to move to Thunderbird. I have not thoroughly checked which other clients are able to exchange encrypted messages with MailMate, but it was not many.

  • hadmob

    hadmob January 20th, 2017 @ 10:34 AM

    I've got the same problem. S/MIME-encrypted mails from MailMate can be decrypted in MailMate and desktop Apple Mail, but NOT in iOS Apple Mail.

    When sending encrypted mail from Apple Mail, it can be decrypted in both desktop and iOS Apple Mail.

    It's very important for me to be able to rely on encrypted e-mails from me to be readable on all devices. Can you please have a look into that?

    My system: MailMate/5319 MacBookPro13,2/x86_64/4/10.12.2

  • Matt Gray

    Matt Gray January 20th, 2017 @ 03:26 PM

    It's been nearly three years since we've heard from @benny on this ticket.

    @benny, as a MailMate Patron and a rabid fan of your product, I would like an update on when we can expect interoperable S/MIME signing + encryption. iOS has gone through many, many revisions since I opened this ticket, so I don't think the problem is going away without your intervention.

    Please don't let this ticket languish - thank you!

  • benny

    benny January 20th, 2017 @ 03:47 PM

    I'm not going to make any promises, but I've been looking at the issue the past hour or so. Mainly reproducing it again to allow me to do some experiments to see how hard it'll be to fix. The theory is still that the problem is that MailMate does not sign and encrypt in a 2-step process. If this theory is not correct then it might be hard to figure out what's going on, but I promise to at least attempt to fix it.

    And yes I was hoping the issue would be fixed on iOS. I still don't think it's a MailMate bug, but I also know that is irrelevant :)

  • benny

    benny January 20th, 2017 @ 04:01 PM

    Just a quick update: I already think I'm wrong about the 2-step sign and encrypt theory. If I'm right about that then the fix might not be so hard. It might be as simple as providing some (correct?) hints in the Content-Type header. If that is true then the age of this ticket is embarrassing. I might have been barking up the wrong tree (if that's the correct expression). I don't have more time right now, but I promise to look into the details of this soon – and then I'll update this ticket (days and not years)...

  • benny

    benny January 21st, 2017 @ 07:25 AM

    @Matt: I was probably a bit too fast. I've uploaded a new test version with a minor change, but I seriously doubt that'll make a difference. Unfortunately I cannot test it myself right now, because MailMate somehow got “locked” out of using the certificates in my keychain. Pretty sure this is a symptom of some Apple bug, but right now I don't really know how to fix it (and I don't have time before Monday). Hopefully resetting the keychain can help. Hold down ⌥ when clicking “Check Now” in the Software Update preferences pane.

  • Matt Gray

    Matt Gray January 23rd, 2017 @ 07:28 PM

    @benny: It did not make a difference, unfortunately.

  • benny

    benny January 23rd, 2017 @ 10:33 PM

    @Matt: Yeah, I must have done something wrong when I tested it. The good news is that I've now tested if making encryption and signing a two-step process makes a difference. I've now got a message on my iPhone (iOS 9) which is signed and encrypted by MailMate and it displays correctly as both signed and decrypted. Still no time frame on this (it's a crude hack for now), but I'm on the right track.

    For anyone curious about what I'm talking about, this is the problem: when both signing and encrypting a message, there are essentially two ways to do it.

    • Sign and encrypt in one go. It'll essentially look just like an encrypted message and the message structure is like this:

      application/pkcs7-mime

    When decrypted, the decrypted content is just whatever the original unencrypted message looked like. The signature is checked at the same time as the content is decrypted.

    • First sign and then encrypt. This looks just like an encrypted-only message except that when decrypted then the inner content is like a signed message:

      multipart/signed
        text/plain (assuming the content is a simple text message)
        application/pkcs7-signature

    The latter is nicer in the sense that it separates signing and encrypting. I don't mind going in this direction — even if it's because of a bug in iOS Mail.
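
The following is an added example and not MailMate's code or anything posted on this ticket. It models the two layouts benny describes above, and the kind of inspection 失败是成功之母 did with openssl earlier in the thread: after the encryption layer is removed, the payload is either a CMS ContentInfo whose contentType is signedData (the one-step layout, application/pkcs7-mime), or a MIME entity of type multipart/signed with a detached application/pkcs7-signature part (the two-step layout). The classification heuristic, the helper names and all sample payloads are assumptions made here; the DER samples are placeholders with empty content rather than real signatures, and the "bare sequence" sample only imitates the shape of the "ASN.1 sequence of two objects" reported above.

```python
"""Inspect what an S/MIME client sees once the encryption layer is removed.

Added example, not MailMate's code. It models the two sign+encrypt layouts
described in this ticket and a check for each. All sample payloads are
constructed; the DER ones carry empty content, not real signatures.
"""
import email
from email import policy
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

OID_SIGNED_DATA = "1.2.840.113549.1.7.2"      # CMS contentType OIDs, RFC 5652
OID_ENVELOPED_DATA = "1.2.840.113549.1.7.3"


def encode_tlv(tag, value):
    """DER tag-length-value (short or long-form length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; returns (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = octet count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_oid(dotted):
    """OID contents octets (no 0x06 tag), base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while (arc := arc >> 7):
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    """Inverse of encode_oid."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def content_info_oid(der):
    """contentType of a DER ContentInfo (SEQUENCE { OID, [0] ... }), else None."""
    try:
        tag, body, _ = read_tlv(der)
        inner_tag, oid_bytes, _ = read_tlv(body)
        if (tag, inner_tag) == (0x30, 0x06):
            return decode_oid(oid_bytes)
    except IndexError:
        pass
    return None

def classify_decrypted(payload):
    """Name the layout of a decrypted envelope body (heuristic assumed here)."""
    oid = content_info_oid(payload)
    if oid == OID_SIGNED_DATA:
        return "one-step: payload is a CMS SignedData (application/pkcs7-mime)"
    if oid is not None:
        return "CMS ContentInfo with unexpected contentType " + oid
    if payload[:1] == b"\x30":
        return "raw DER: a SEQUENCE that is not a ContentInfo; no signedData OID"
    msg = email.message_from_bytes(payload, policy=policy.default)
    if (msg.get_content_type() == "multipart/signed"
            and msg.get_param("protocol") == "application/pkcs7-signature"):
        return "two-step: payload is multipart/signed + application/pkcs7-signature"
    return "plain MIME entity (%s); no signature layer" % msg.get_content_type()

def two_step_inner(body_text, signature):
    """Constructed: the entity a sign-then-encrypt client puts in the envelope."""
    signed = MIMEMultipart("signed", protocol="application/pkcs7-signature",
                           micalg="sha-256")
    signed.attach(MIMEText(body_text))
    signed.attach(MIMEApplication(signature, "pkcs7-signature", name="smime.p7s"))
    return signed.as_bytes()

# Constructed: a ContentInfo tagged signedData with empty content, and a bare
# "sequence of two objects" with no contentType OID, as reported in this ticket.
ONE_STEP_INNER = encode_tlv(0x30, encode_tlv(0x06, encode_oid(OID_SIGNED_DATA))
                            + encode_tlv(0xA0, encode_tlv(0x30, b"")))
BARE_SEQUENCE = encode_tlv(0x30, encode_tlv(0x30, b"") + encode_tlv(0x04, b"x"))

if __name__ == "__main__":
    for label, sample in [("two-step", two_step_inner("hello", b"\x30\x00")),
                          ("one-step", ONE_STEP_INNER), ("bare", BARE_SEQUENCE)]:
        print(label, "->", classify_decrypted(sample))
```

The practical point of the two-step layout for interoperability is visible in classify_decrypted: a client that knows nothing about nested CMS still understands a multipart/signed entity, and even one that cannot verify the signature can show the text/plain part, which matches what the Android and Thunderbird reports earlier in this thread describe.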

  • benny

    benny January 24th, 2017 @ 02:45 PM

    • State changed from “reproduced” to “fixcommitted”

    Ok, the latest test release is my first shot at changing MailMate to do encrypted signed messages as a two-step process. My own testing shows that this makes it work on iOS, but I've made a lot of changes and it's not unlikely that I've also introduced bugs.

    Hold down ⌥ when clicking “Check Now” in the Software Update preferences pane and let me know whether or not it works for you.

    (My issue with Keychain Access was not resolved until I deleted the login keychain. I'm pretty sure this is some kind of Apple bug.)

  • benny

    benny January 24th, 2017 @ 02:46 PM

    I should also note that I've made this change for both S/MIME and OpenPGP.

  • Matt Gray

    Matt Gray January 24th, 2017 @ 03:05 PM

    The common case is working great for me!

    👏👏👏

    Thanks, @Benny! Sign + Encrypt, Encrypt, and Sign only are all readable on iOS for me. Hooray!!

  • benny

    benny February 9th, 2017 @ 01:20 PM

    • State changed from “fixcommitted” to “fixreleased”
  • Lars

    Lars February 10th, 2017 @ 11:39 AM

    Great stuff, thanks a lot for getting around to this fix! Feels much better to sign + encrypt :-)
