14 Replies Latest reply: Dec 12, 2008 8:40 PM by biovizier
NeilT6 Level 1 (0 points)
I've been trying to get e-mail encryption to work between my MacBook and an iMac (also running 10.5.4), but I can't seem to get it to work. The MacBook is using a MobileMe address, and the iMac is using a Gmail address. As per the vague instructions in Mail Help (please fix this, Apple) I created self-signed certificates on both computers using Keychain Access and exchanged signed e-mails between the two computers so as to exchange certificates. At first, both computers stated that they were unable to verify the e-mails, but after I checked the box to trust the certificates, they recognized all future e-mails as signed and verified. However, even though the certificates are visible and trusted in Keychain Access, I can't send encrypted messages, only signed messages. The encrypt button remains grayed out... I've tried everything; I even created my own certificate authority and used it to issue a certificate, with no success. I also tried enabling .Mac E-mail Signing and .Mac E-mail Encryption, but that didn't work either. As I said, signatures work fine, so certificate e-mail discrepancies are not the problem. As a side note, Address Book displays the signed symbol (check-marked gear) beside the e-mail address of both computers on both computers, so I'm sure the certificates are installed.

2.16GHz MacBook, Mac OS X (10.5.4), 4GB RAM Upgrade
  • Mulder Level 6 (8,980 points)
    Mail doesn't include encryption, so that's something you have to add, or you can use an encrypted disk image and email that, as long as your recipient has the passcode to allow decryption. I've never heard of MobileMe having encryption built-in, either. It may support the use of encryption in some way, but since I don't use it I couldn't tell you if that was true or how it's accomplished.

  • j.v. Level 5 (4,155 points)
    Are you comfortable with using GPG? And does your email circle use GPG or PGP? There is a "beta" GPG Mail plugin for Leopard that works quite well, in my experience.
  • NeilT6 Level 1 (0 points)
    Yes it does, it's had S/MIME encryption since 10.3, that's the point of the lock button beside the sign button. You can read about it (Sort of...) in Mail Help under the section of e-mail security. It's one of the features that pop up when you install a personal s/mime certificate. Also, the feature doesn't really have anything to do with MobileMe, it's a feature of the mail client.
  • Mulder Level 6 (8,980 points)
    No, it supports the S/MIME standard, but encryption is not a feature of Mail. If you want true encryption, you'd have to use PGP or GnuPG, which work quite nicely.

  • NeilT6 Level 1 (0 points)
    Thank you, I am comfortable with using GPG as I'm coming from a linux background, but I'd like to keep everything as built-in as possible. I try to avoid external plugins as much as I can, especially if they do the same thing as something I already have. In this case, Mail already supports S/MIME I just can't get it to work right... Actually, I found another thread by accident while trying to check on this one, and according to it the problem may be that I'm using a self-signed certificate. Thawte's free certificates fixed it for that guy, so I'll try to get one of those...
  • Mulder Level 6 (8,980 points)
    In which case you should refer to this tutorial: http://www.joar.com/certificates/body.html

  • NeilT6 Level 1 (0 points)
    I was under the impression that S/MIME encryption used an asymmetric RSA cipher to encrypt and decrypt the message body and any attachments on either end, which is why you can only exchange encrypted e-mails with people from whom you've received a certificate, which contains their public key. At least, that's what all of my research points to, as does the Apple Mail help. Not to mention I fixed the issue by getting a Thawte certificate, and have exchanged several encrypted e-mails between the 2 computers. Neither the message, nor the attachments were readable in the webmail clients.
  • NeilT6 Level 1 (0 points)
    Thanks, but I read that one before I posted the question. I finally got a certificate from Thawte and now everything works! It seems self-signed certificates work fine for signed e-mails, providing the other party chooses to trust the certificate, but won't work for e-mail encryption for some reason. Apple should put together a Thawte S/MIME Tool for Certificate Assistant that takes in all your information and submits it to Thawte in one click, then places an icon on the menu bar showing the status of the request. When the request is complete, it installs the certificate automatically, notifies the user, and removes the icon. If they wanted to they could also build a completely automated system which also notifies the user of expiring certificates and offers an automated way to renew or revoke them. S/MIME might catch on faster if there's an easy way to enable it.
  • NeilT6 Level 1 (0 points)
    Encryption won't work with self-signed certificates, get a certificate from Thawte, they work better.
  • Robert Nikander Level 1 (5 points)
    OS X Mail can do encryption with a self-signed certificate, but you have to check the right things when you create the certificate in the Keychain Access app. When the "Certificate Assistant" dialog pops up there is a checkbox "Let me override the defaults". Check this, and then a few steps later in the assistant you get a screen called "Key Usage Extension", and you'll see that only "Signature" is checked by default. I checked all the other ones, and then I could encrypt mail. You probably don't have to check them all.

    I also had to select the certificate, "Get Info" and change the trust to "Always Trust", and restart Mail.app to get the signing and encryption buttons.
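An added example, not part of any post in this thread: the "Key Usage Extension" screen Robert describes maps onto the X.509 Key Usage bit string (RFC 5280). Signing only needs the digitalSignature bit, but encrypting a message to a certificate holder requires keyEncipherment, since S/MIME wraps the content key with the recipient's RSA public key. The decoder below reads that bit string and reports what a mail client can do with the certificate; the two DER values are constructed samples, not bytes from any real certificate.

```python
# Decode the X.509 Key Usage extension value (a DER BIT STRING) and
# report which S/MIME operations the certificate permits.
# Added example; the sample DER values below are constructed.

# RFC 5280 KeyUsage bit positions. Bit 0 is the most significant bit of
# the first content byte of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]


def decode_key_usage(der: bytes) -> set:
    """Return the set of Key Usage names whose bits are set in `der`."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length encoding")
    unused = der[2]                 # number of trailing padding bits
    if unused > 7:
        raise ValueError("unused-bits count out of range")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    usages = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= total_bits:
            break                   # remaining bits are absent (= 0)
        if body[i // 8] & (0x80 >> (i % 8)):
            usages.add(name)
    return usages


def smime_capabilities(usages: set) -> dict:
    """Signing needs digitalSignature; being an encryption recipient
    needs keyEncipherment (RSA key transport of the content key)."""
    return {
        "sign": "digitalSignature" in usages,
        "encrypt": "keyEncipherment" in usages,
    }


# Constructed sample: Keychain Access default, only "Signature" ticked.
DEFAULT_KEYCHAIN_USAGE = bytes.fromhex("03020780")
# Constructed sample: digitalSignature plus keyEncipherment ticked.
OVERRIDDEN_USAGE = bytes.fromhex("030205a0")
```

To check a real certificate, feed it the Key Usage extension value extracted from the certificate with your usual X.509 tooling; the default encoding yields sign-only, the overridden one allows both.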

  • DSY Level 1 (0 points)
    I can confirm Robert Nikander's post: after following his hints, I'm now able to encrypt and decrypt emails in Mail.app.

    Thanks Robert
  • Christiaan Level 3 (525 points)
    So why does it say this in the Help files:

    Sending an encrypted message (which includes any attachments) offers a higher level of security than a signed message. To send an encrypted message, you must have a personal certificate and the certificate of each recipient in your keychain.
  • Khurt Williams Level 1 (10 points)
    Apple Mail absolutely DOES support encrypted email communication. I've been using it since I bought my first Mac (2006). You simply need to obtain a digital certificate from a Certificate Authority. Mulder, please don't give advice outside your area of knowledge or expertise.

    Read more here: http://oreilly.com/pub/a/mac/2003/01/20/mail.html?page=last&x-maxdepth=0
  • biovizier Level 5 (7,925 points)
    I agree - some serious misinformation in this thread.

    A little bit off-topic, but people who have happily been using encryption in "Mail.app" should be aware that if IMAP is being used and the option to store drafts on the server is selected, the message will be stored unencrypted on the server, even though the "lock" in the composition window is closed indicating that the message is encrypted, i.e. gmail sees your stuff.