Using either mutt (1.13.2, installed via Ubuntu 20.04) or Outlook on my 
Windows laptop, I can successfully send a signed email to myself or most people 
in the world.

        I can't, however, send a signed email from my mutt client to anyone 
using a University of Washington (uw.edu) email address. This has failed for 
three different email addresses, while sending from Outlook has worked.

        The error I get in the bounced email message is:

        Deferred: 403 4.7.0 TLS handshake failed.

        I don't have a strong understanding of things like S/MIME, TLS, PKCS7, 
etc. I would be grateful for your advice about what might be different between 
how my Outlook application is signing outgoing email vs. how my mutt 
application is signing outgoing email that might help explain why the uw.edu 
server is having a problem receiving my email.

        Here are some hopefully relevant headers from a signed email sent from 
Outlook and another one sent from mutt:

(from Outlook)
; Content-Type: multipart/signed;
        protocol="application/x-pkcs7-signature";
        micalg=SHA1;
        boundary="----=_NextPart_000_0005_01D7C724.88FFBB10"

; ------=_NextPart_000_0005_01D7C724.88FFBB10
; Content-Type: application/pkcs7-signature;
        name="smime.p7s"
; Content-Transfer-Encoding: base64
; Content-Disposition: attachment;
        filename="smime.p7s"

(from mutt)
; Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
        micalg=sha-256; boundary="RnlQjJ0d97Da+TV1"

; --RnlQjJ0d97Da+TV1
; Content-Type: application/x-pkcs7-signature
; Content-Disposition: attachment; filename="smime.p7s"
; Content-Transfer-Encoding: base64

        I see two differences:

        1) micalg is different, with the older SHA1 used by Outlook and
           the newer sha-256 used by mutt.

        2) The Content-Type of the signed portion of the email is different,
           with Outlook using application/pkcs7-signature while mutt uses
           application/x-pkcs7-signature.

        For both of the above, my understanding is that mutt is actually using 
a more modern and/or secure and/or standard version than Outlook is.


        I also used openssl to take a look at what the uw.edu server might be 
expecting in terms of TLS as compared to my own university's mail server, but 
found no obvious differences. I may not have known where to look though. In 
case it's helpful, here's what I tried:

openssl s_client -starttls smtp -connect uw.edu:25

...
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384


openssl s_client -starttls smtp -connect mail-relay.iu.edu:25

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384


        Also, in case it's relevant, here are the parameters in my smime.rc 
file used by my mutt client to sign outgoing emails:

# Section B: Outgoing messages

# Algorithm to use for encryption.
# valid choices are rc2-40, rc2-64, rc2-128, des, des3
set smime_encrypt_with="des3"

# Encrypt a message. Input file is a MIME entity.
set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c"

# Sign.
set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin -in %f -certfile %i -outform DER"


        Since my signed emails don't seem to fail when being sent anywhere 
else, my guess is that there's some sort of problem at the uw.edu end, but I 
have failed, so far, to get ahold of anyone there to discuss this. I'm hoping 
to learn enough that I could either fix something on my end or offer a 
suggestion to the mail server admins at uw.edu about what they might change.

Andy



-- 
Andrew D. Arenson (he/him)                              H 317.964.0493
arenson (at) spatzel.net                                C 317.679.4669

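The bounce quoted in the message above ("403 4.7.0 TLS handshake failed") is reported by the SMTP hop, where the sending and receiving mail servers negotiate STARTTLS; the S/MIME signature is carried inside the message body and is not part of that handshake, so the place to compare is the TLS session itself. The following is an added example, not code from the original post or from the mutt project. It parses the SSL-Session block that `openssl s_client -starttls smtp` prints, so two captures (the receiving server versus a server that accepts the mail) can be compared field by field, including the certificate verification result, rather than by eye. It also shows the same measurement done from Python's standard library. The transcripts embedded below are constructed sample data, and `probe_starttls()` needs network access, so it is not exercised by the tests.

```python
"""Compare the TLS parameters two SMTP servers negotiate over STARTTLS.

Added example (not from the original post). The SSL-Session transcripts
below are constructed sample data in the format openssl s_client prints.
"""
import re
import smtplib
import ssl

# Matches "    Protocol  : TLSv1.2"-style lines inside the SSL-Session block.
# Hex-dump lines of a session ticket ("    0000 - ab cd ...") start with a
# digit and are deliberately not matched.
_KV_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)\s*:\s*(.*?)\s*$")


def parse_s_client_session(output: str) -> dict:
    """Extract the key/value fields of the SSL-Session block.

    Returns a dict such as {"Protocol": "TLSv1.2", "Cipher": "...",
    "Verify return code": "0 (ok)"}. Everything outside the block is
    ignored; the block ends at the first non-indented line (the "---"
    separator or the next SMTP reply).
    """
    session = {}
    in_block = False
    for line in output.splitlines():
        if line.startswith("SSL-Session:"):
            in_block = True
            continue
        if not in_block:
            continue
        if line and not line[0].isspace():
            in_block = False
            continue
        m = _KV_RE.match(line)
        if m:
            session[m.group(1).strip()] = m.group(2)
    return session


def diff_sessions(a: dict, b: dict,
                  keys=("Protocol", "Cipher", "Verify return code")) -> dict:
    """Return {field: (value_in_a, value_in_b)} for the fields that differ.

    A differing "Verify return code" is the first thing to look at: a
    chain the client cannot validate is a common reason for a sending
    server to abort the handshake.
    """
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """EHLO, STARTTLS and report what this client negotiated.

    Uses ssl.create_default_context(), so a server certificate the client
    cannot validate raises ssl.SSLCertVerificationError rather than being
    accepted silently. Requires network access.
    """
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return {"starttls": False}
        smtp.starttls(context=ctx)
        sock = smtp.sock  # now an SSLSocket
        cert = sock.getpeercert()
        return {
            "starttls": True,
            "Protocol": sock.version(),
            "Cipher": sock.cipher()[0],
            "cert_subject": dict(rdn[0] for rdn in cert.get("subject", ())),
            "cert_not_after": cert.get("notAfter"),
        }


# Constructed sample transcripts (abridged); not real captures.
SAMPLE_OK = """\
CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0123ABCD
    TLS session ticket:
    0000 - 00 11 22 33 44 55 66 77
    Verify return code: 0 (ok)
    Extended master secret: yes
---
250 CHUNKING
"""

SAMPLE_BAD_CHAIN = SAMPLE_OK.replace(
    "Verify return code: 0 (ok)",
    "Verify return code: 21 (unable to verify the first certificate)")


if __name__ == "__main__":
    # Example (hypothetical host names): compare two captured transcripts.
    print(diff_sessions(parse_s_client_session(SAMPLE_OK),
                        parse_s_client_session(SAMPLE_BAD_CHAIN)))
```

Run the two `openssl s_client -starttls smtp -connect HOST:25` commands from the message, save each transcript to a file, and feed the file contents to `parse_s_client_session()`; an empty result from `diff_sessions()` means the fields a plain client negotiates are identical, and the remaining difference is on the server that is actually doing the sending (the submission server mutt is configured to use, which can be probed the same way).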