S/MIME Encryption

I tried eM Client for mail encryption and found the following:

My setup:

  • two mail accounts A and B with an email certificate for S/MIME encryption
  • two identical virtual machines A and B with Windows 10
  • public keys have been sent to each other and were imported; the dialog “Certificate and Keys” shows both certificates

Before an encrypted message can be sent, the Root CA of the email certificate has to be imported into the Windows certificate store. This can also be done by visiting the web page of the CA if Edge or another browser that relies on this certificate store is used. It would be nice if such advice were shown.

Sending and receiving encrypted messages works well, but I found the following note " /!\ Encryption has Problems" on the mails in the Sent folder.

To get rid of this message I had to import the PFX file including the private key from B into the cert store on instance A. In my opinion it should be sufficient to have the public key imported into eM Client.

Yes, in order to send an encrypted message to someone, you need their public key.

Now, in order to view the encrypted message in your Sent folder, you need a way to access it. For that it will use your own private key to open the message, because otherwise you cannot decrypt the message with the receiver's public key.

Hope that makes sense.


I really appreciate your support here in the forum. What I want to say is that there should be a bug or a minor flaw in the program. Functionality isn’t affected. Messages are encrypted and decrypted as expected. I can also read the sent messages. I think the program tries to decrypt the sent messages like it does when a message is received.

A encrypts with A’s private and B’s public key --> sent to B --> B decrypts with A’s public and B’s private key. But what about the messages in A’s Sent box? What is needed to read them? I assume the software tries to use A’s public key (which is available) and B’s private key, which usually shouldn’t be present on A’s PC. When I import B’s private key into the Windows certificate store the warning message disappears. This also happens when I import B’s key pair via eM Client’s certificate mechanism. Does eM Client use the Windows certificate store to deal with the certificates? I assume so.

If you like you can reproduce this easily and you can open a bug. I’ve finished all my tests and I’ll recommend eM Client to the company I’m consulting.

And as a last topic I have a feature request: LDAP support. It’s OK to have this only in the professional version.

A and B do not have each other’s private keys.

A encrypts with B’s public key and sends it to B. B decrypts with B’s private key. That is all.

If A needs to read the encrypted message in A’s Sent folder, it uses A’s private key to view it.

RSA isn’t symmetric; you can’t use A’s private key for decryption:
A: clear text --> encryption with A’s private and B’s public key --> A’s Sent folder == B’s inbox

The message in A’s Sent folder is the same as in B’s inbox.
Which keys are needed to decrypt it?

A can use his own private key to view messages in his Sent folder that he has encrypted using another’s public key.

You can test this very easily. Send someone an encrypted message, and then remove your private key from eM Client. Try to open the sent message.

Thank you very much. I’ll try it tomorrow.