S/MIME support
Is your feature request related to a problem? Please describe.
As a user I want to send email in the most secure and trustworthy way. One of the many ways to secure an email is S/MIME.
This standard can be used to
- Sign a message – multipart/signed
- Encrypt a message – multipart/encrypted
- Sign and encrypt a message
Right now the app supports inline encryption with the help of Mailvelope. This covers the PGP/INLINE standard.
In contrast to PGP/MIME (https://github.com/nextcloud/mail/issues/3833), which uses a web of trust, S/MIME uses a public key infrastructure. This makes key handling more practical for some environments.
Describe the solution you'd like
0. Key management
- CAs
  - https://github.com/nextcloud/server/blob/master/resources/config/ca-bundle.crt
  - Per domain/instance CA
  - SMIMEA
- Collect received public keys from signed messages
- Store private key securely
1. Verifying a signed message
Requires the sender's public key.
2. Encrypting messages
Requires the public keys of all recipients. Also requires the user's own public key if the message in Sent should be decryptable.
3. Signing messages
Requires the private key.
4. Decrypting a message
Requires the private key.
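As an added example (not code from the Nextcloud Mail project or from any of the implementations linked below), the Python snippet uses only the standard library `email` parser to classify an incoming message by its S/MIME framing and to record which key material each operation needs. This is the split the Roundcube roadmap referenced further down suggests: verifying a signature and collecting the sender's certificate need no private key and can run on the backend, while decryption needs the user's private key. Per RFC 8551, clear-signed messages are `multipart/signed` with `protocol="application/pkcs7-signature"`, and opaque-signed or encrypted messages are `application/pkcs7-mime` with `smime-type=signed-data` or `smime-type=enveloped-data`. The sample messages, the addresses, and the base64 bodies are constructed placeholders rather than real PKCS#7 data; actual signature verification and decryption are left to a CMS implementation such as the openssl extension.

```python
import email
from email import policy

# Constructed sample messages. The base64 payloads are placeholders that stand
# in for DER-encoded PKCS#7 structures; they are not real signatures or ciphertext.
CLEAR_SIGNED = """\
From: alice@example.org
To: bob@example.net
Subject: clear-signed
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature";
 micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain; charset=utf-8

Hello Bob, this text is covered by the signature.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

cGxhY2Vob2xkZXIgc2lnbmF0dXJl
--sig--
"""

OPAQUE_SIGNED = """\
From: alice@example.org
To: bob@example.net
Subject: opaque-signed
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=signed-data; name="smime.p7m"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXIgc2lnbmVkLWRhdGE=
"""

ENVELOPED = """\
From: alice@example.org
To: bob@example.net
Subject: encrypted
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXIgZW52ZWxvcGVkLWRhdGE=
"""

PLAIN = """\
From: alice@example.org
To: bob@example.net
Subject: plain
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8

No S/MIME here.
"""

PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")
PKCS7_SIG = ("application/pkcs7-signature", "application/x-pkcs7-signature")


def classify_smime(raw: str) -> dict:
    """Return the S/MIME framing of a message and what is needed to process it."""
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and (msg.get_param("protocol") or "").lower() in PKCS7_SIG:
        # Clear-signed: body is readable as-is; verification needs the sender's
        # certificate (usually carried inside the PKCS#7 signature itself).
        return {"kind": "clear-signed", "needs": "sender certificate",
                "private_key_required": False, "micalg": msg.get_param("micalg")}
    if ctype in PKCS7_MIME:
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            # Only the recipient's private key can open this; keep it off the
            # backend until secure private key storage exists.
            return {"kind": "encrypted", "needs": "own private key",
                    "private_key_required": True, "micalg": None}
        if smime_type == "signed-data":
            return {"kind": "opaque-signed", "needs": "sender certificate",
                    "private_key_required": False, "micalg": None}
        if smime_type == "certs-only":
            return {"kind": "certs-only", "needs": "nothing",
                    "private_key_required": False, "micalg": None}
    return {"kind": "plain", "needs": "nothing", "private_key_required": False, "micalg": None}


def extract_signature_blob(raw: str):
    """Decoded application/pkcs7-signature part of a clear-signed message, else None.

    This is the input a backend would hand to a CMS verifier and from which it
    would harvest the sender's certificate ("collect received public keys").
    """
    msg = email.message_from_string(raw, policy=policy.default)
    if classify_smime(raw)["kind"] != "clear-signed":
        return None
    for part in msg.iter_parts():
        if part.get_content_type() in PKCS7_SIG:
            return part.get_payload(decode=True)
    return None


def triage(messages: dict) -> dict:
    """Split message ids into work the backend can do now vs. work needing a private key."""
    result = {"backend_can_process": [], "needs_private_key": []}
    for msg_id, raw in messages.items():
        bucket = "needs_private_key" if classify_smime(raw)["private_key_required"] else "backend_can_process"
        result[bucket].append(msg_id)
    return result


if __name__ == "__main__":
    samples = {"1": CLEAR_SIGNED, "2": OPAQUE_SIGNED, "3": ENVELOPED, "4": PLAIN}
    for msg_id, raw in samples.items():
        print(msg_id, classify_smime(raw))
    print(triage(samples))
```

A sign-then-encrypt message shows up here as `encrypted` only; the inner signature becomes visible after decryption, so the same classifier would be run again on the decrypted content.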
Describe alternatives you've considered
PGP/MIME - https://github.com/nextcloud/mail/issues/3833
Reference implementation
Google's hosted S/MIME
Encryption, decryption and signatures are handled transparently, at the cost of handing the private key to Google.
https://support.google.com/a/answer/6374496 https://formsmarts.com/gmail-smime-encrypted-email
Mailpile
https://github.com/mailpile/Mailpile/issues/81
Interesting thought on key management: https://github.com/mailpile/Mailpile/issues/81#issuecomment-38500218
Mew
https://www.mew.org/en/feature/smime.html
Not a comparable application, but interesting usage of gpgsm as backend.
Horde
https://www.horde.org/apps/webmail/
- Supports S/MIME and PGP
- Component available in compatible license https://github.com/horde/Crypt/blob/master/lib/Horde/Crypt/Smime.php
- Only mentions RFC5751, the deprecated version 3.2 of S/MIME
- Requires the openssl PHP extension, which Nextcloud requires anyway https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
- ~~Not clear where/how they store and pass the private key (privkey) through the application~~
  - Code search results https://github.com/search?p=2&q=org%3Ahorde+privkey&type=Code
  - Key is stored in preferences https://github.com/horde/imp/blob/8d19f07d87a6320df5de6b293ec05a49502005ff/lib/Smime.php#L162-L181
Thunderbird
https://www.ssl.com/how-to/installing-an-s-mime-certificate-and-sending-secure-email-in-mozilla-thunderbird-on-windows-10/
Outlook web
https://support.microsoft.com/en-us/office/encrypt-messages-by-using-s-mime-in-outlook-web-app-2e57e4bd-4cc2-4531-9a39-426e7c873e26
Roundcube
Doesn't have it either yet, but there is a similar ticket: https://github.com/roundcube/roundcubemail/issues/4977.
Particularly interesting is the draft roadmap for implementation: https://github.com/roundcube/roundcubemail/issues/4977#issuecomment-328578573. It makes sense to start with the parts that do not require a private key. Those can be done on the backend without special measures.
PR for signed message verification: https://github.com/roundcube/roundcubemail/pull/6043
Zoho
https://www.zoho.com/mail/help/s-mime.html
Caveats
- Efail https://en.wikipedia.org/wiki/EFAIL
Additional context
Ref https://www.rfc-editor.org/rfc/rfc1847 Security Multiparts for MIME: Multipart/Signed and Multipart/Encrypted
Ref https://www.rfc-editor.org/rfc/rfc2633 S/MIME Version 3 Message Specification
Ref https://www.rfc-editor.org/rfc/rfc5751 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2: Message Specification
Ref https://www.rfc-editor.org/rfc/rfc8551 Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 4.0: Message Specification
Ref https://proton.me/support/pgp-mime-pgp-inline
Ref https://github.com/nextcloud/mail/issues/3833
Ref https://help.nextcloud.com/t/any-plans-to-add-s-mime-support-to-one-of-the-webmail-apps/59061