nmh-workers
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: super-mime-encoded..

From: George Michaelson
Subject: Re: super-mime-encoded..
Date: Thu, 16 Dec 2021 13:32:04 +1000 
thanks for this Ken. That's quite a recipe. Heuristic. Kabbalistic
incantation...

-G

On Thu, Dec 16, 2021 at 1:12 PM Ken Hornstein <kenh@pobox.com> wrote:
>
> >I have some mails which appear to be PKCS7 SMIME bodypart..
> >containing... PKCS7 SMIME bodypart.
>
> In my $DAYJOB, I deal with a lot of these as you can imagine.  My
> reading of the relevant specs is that the first encapsulation is
> encryption, and the second is signing.  The encryption is what I care
> about, since in our environment that's typically encrypted using a
> key on a smartcard.
>
> >It's like some emailers have to super-encode things. I haven't done
> >much debug, and I know this is being super-lazy, but even the Mail.app
> >on OSX barfs on it. I suspect its O365 which is sending it.
>
> Well, it depends what you're talking about.
>
> As far as I know, Mail.app works fine as long as it's "vanilla" S/MIME,
> including the double signing/encryption.  What messes things up is
> if Microsoft products generate a TNEF-format file, which is their
> proprietary MIME-like format.  Mail.app cannot handle that, unfortunately.
> In theory Microsoft products aren't supposed to be doing that when sending
> external email, but it happens.
>
> >So.. is there a trick to get NMH to know to unwrap-the-unwrap?
>
> Yes.  You mentioned OS X, so I'll tell you what I do:
>
> - mhstore the first S/MIME part, which will probably end up a file called
>   smime.p7s (or something close to that)
> - Use the MacOS X command "security cms -D < smime.p7s > output" to decode
>   the signed data.  If the outer part is signed you don't need a private
>   key at this point.
> - Edit "output" and convert it to Unix-style line endings to deal with a bug
>   in nmh (fixed in current).
> - Use "mhstore -file output" to store the raw S/MIME data; you can also
>   use "mhlist -file output" to see the MIME parts (but in this case there
>   is typically only one).
> - Use the same "security" command again to decrypt the data.  At this point
>   you will need the appropriate certificate/private key in your keychain
>   or on a smartcard (you can specify it, but if there is an associated
>   certificate the security command usually can find it).
>
> I have a plan to eventually add S/MIME support to nmh, but ... so little
> time.
>
> --Ken
reply via email to
[Prev in Thread] Current Thread [Next in Thread]