Using either mutt (1.13.2, installed via Ubuntu 20.04) or Outlook on my
windows laptop, I can successfully send a signed email to myself or most people
in the world.
I can't, however, send a signed email from my mutt client to anyone
using a University of Washington (uw.edu) email address. This has failed for
three different email addresses, while sending from Outlook has worked.
The error I get in the bounced email message is:
Deferred: 403 4.7.0 TLS handshake failed.
I don't have a strong understanding of things like S/MIME, TLS, PKCS7,
etc. I would be grateful for your advice about what might be different between
how my Outlook application is signing outgoing email vs. how my mutt
application is signing outgoing email that might help explain why the uw.edu
server is having a problem receiving my email.
Here are some hopefully relevant headers from a signed email sent from
Outlook and another one sent from mutt:
(from Outlook)
; Content-Type: multipart/signed;
protocol="application/x-pkcs7-signature";
micalg=SHA1;
boundary="----=_NextPart_000_0005_01D7C724.88FFBB10"
; ------=_NextPart_000_0005_01D7C724.88FFBB10
; Content-Type: application/pkcs7-signature;
name="smime.p7s"
; Content-Transfer-Encoding: base64
; Content-Disposition: attachment;
filename="smime.p7s"
(from mutt)
; Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg=sha-256; boundary="RnlQjJ0d97Da+TV1"
; --RnlQjJ0d97Da+TV1
; Content-Type: application/x-pkcs7-signature
; Content-Disposition: attachment; filename="smime.p7s"
; Content-Transfer-Encoding: base64
I see two differences:
1) micalg is different, with the older SHA1 used by Outlook and
the newer sha-256 used by mutt.
2) The Content-Type of the signed portion of the email is different,
with Outlook using application/pkcs7-signature while mutt uses
application/x-pkcs7-signature
For both of the above, my understanding is that mutt is actually using
a more modern and/or secure and/or standard version than Outlook is.
I also used openssl to take a look at what the uw.edu server might be
expecting in terms of TLS as compared to my own university's mail server, but
found no obvious differences. I may not have known where to look though. In
case it's helpful, here's what I tried:
openssl s_client -starttls smtp -connect uw.edu:25
...
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
openssl s_client -starttls smtp -connect mail-relay.iu.edu:25
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Also, in case it's relevant, here are the parameters in my smime.rc
file used by my mutt client to sign outgoing emails:
# Sction B: Outgoing messages
# Algorithm to use for encryption.
# valid choices are rc2-40, rc2-64, rc2-128, des, des3
set smime_encrypt_with="des3"
# Encrypt a message. Input file is a MIME entity.
set smime_encrypt_command="openssl smime -encrypt -%a -outform DER -in %f %c"
# Sign.
set smime_sign_command="openssl smime -sign -signer %c -inkey %k -passin stdin
-in %f -certfile %i -outform DER"
Since my signed emails don't seem to fail when being sent anywhere
else, my guess is that there's some sort of problem at the uw.edu end, but I
have failed, so far, to get ahold of anyone there to discuss this. I'm hoping
to learn enough that I could either fix something on my end or offer a
suggestion to the mail server admins at uw.edu about what they might change.
Andy
--
Andrew D. Arenson (he/him) H 317.964.0493
arenson (at) spatzel.net C 317.679.4669
