Freescout: PGP / SMIME encrpyted / signed mail handling

Created on 4 Mar 2021  路  20Comments  路  Source: freescout-helpdesk/freescout

Most helpful comment

Thanks for the report. We will see what can be done.

All 20 comments

Should signing be configured on a per mailbox basis? or same keys/certs for all mailboxes?

Is signing needed only for emails sent to customers or also for email notifications to users?

Should signing be configured on a per mailbox basis? or same keys/certs for all mailboxes?

There are no wildcard S/MIME certificates so it will be per mailbox basis. For testing/private usage you'll get a S/MIME for free at: https://www.actalis.it/en/certificates-for-secure-electronic-mail.aspx

Is signing needed only for emails sent to customers or also for email notifications to users?

Signing is most important for mails send to customers.

It would be nice if PGP is supported and not "only" SMIME encrypted mails. For us it's also mainly used to send sensitive data in an encrypted way to customers.

The following modes are possible:

  • Sign
  • Sign & Encrypt
  • Encrypt only

Is "Encrypt only" mode needed?

Will it be a problem if all outgoing emails (to customers and users) from the mailbox will be signed/encrypted?

It would be nice to have the possibility to activate it per use case e.g. encrypt only to customers but send as plain text to users or encrypt to users & customers.

If the Ticketsystem runs in the same secure network as the mailserver it would be not necessary to have a user encryption (and there would need to be a pgp key for all the users in place if the ticket is encrypted and sent to the users).

Will it be a problem if all outgoing emails (to customers and users) from the mailbox will be signed/encrypted?

All signed would be great, but all encrypted can be a problem in my opinion. Encrypting should be activated per customer. (I do not need encrypting anyways.)

It would be nice if PGP is supported and not "only" SMIME encrypted mails. For us it's also mainly used to send sensitive data in an encrypted way to customers.

Till now we could not find any working OpenPGP library for SwiftMailer. There are two ones, but they are not working:

https://github.com/Mailgarant/switfmailer-openpgp
https://github.com/NightJar/SwiftSigner-CryptGPG

It seems that they [1] are also referring to the same resource which you already shared.
[1] https://github.com/swiftmailer/swiftmailer/issues/861#issuecomment-273027074

Beta version of the module: https://freescout.net/module/mail-signing/

Try SMIME and PGP and let us know if it works for you.

I can not install the module because gnupg PHP extension is not installed on my shared hosting provider. Is it possible to allow installation of the module and using S/MIME without installed gnupg PHP extension?

Fixed. Just clear the cache and try again.

Signing with S/MIME works great. 馃憣

Hi,
first i want to thank you for the nice implementation of this plugin!

I've tested the PGP part of the Extension. Here is my two cents:

Setup:

  • Activation of the Module
  • Installation of the required extension (on Debian 10 it was apt-get install php7.3-gnupg)
  • Key creation: For me with Debian 10 as a base system it was not possible to create a key without a passphrase. I just created the keys with Kleopatra and copied it over to the Freescout installation (with setting the rights for the www-data group to the specific pgp keys which are located in the home directory).

Usage:

Signing of mails works perfectly fine.
Signing & encryption:

  • As suggested in the module description gpg --gen-key creates an keyring into which the certificates need to be imported (in this case the sending certificate of the mailbox mail in Freescout)
  • If a PGP public key is contained in the keyring this key will automatically used to encrypt outgoing mail with the public key.
  • If encryption is activated on the specific mailbox there is atm the requirement that all customer need to provide a pgp key. Otherwise it is not possible to send mails to them ("Unable to find an active key to encrypt for [email protected], try importing keys first") -> This is resolved by importing the key into the keyring.
  • if a mail comes in encrypted, then the agent needs to download the attachment which contains the encrypted message and decrypt it with a local tool to view the mail body.

Suggestions

My suggestions for future work would be to add a button to activate encryption (or deactivate) in the create or reply view (on a per customer lvl). This would enable the agents to send answers to people which did not provided an pgp key. In addition it would be nice if signed incoming mails automatically get imported into the keyring. At the moment a agent needs to connect with ssh to the server and import the key manually (just correct me please if i missed something). The possibility to upload pgp keys of customers over the webinterface would also be a nice addition to the module. Maybe it would be good to have an indicator in the create/reply view which tells the agent if there is already a pgp key in the keyring. A normal agent is in general not able to look into the logfiles or check if there is someting in the outgoing dropdown option listed.

Thanks for the report. We will see what can be done.

Hi!

Signing with S/MIME works like a charm. But I wonder what's the state with encryption?

  1. I think it's important that incoming encrypted mails are decrypted automaticly. Because when sending out signed mails some clients may respond with encrypted mails.
  2. Some kind of keymanagment is needed for customer keys. Like: If the customer sends in an signed or encrypted&signed mail his public key should be automaticly stored and used if encryption of a future message is needed.

As this is a very important feature to me, I appreciate this module and the work you put in it a lot!

Is there still being work done on this issue, because even though it is closed it is not fixed?

Is there still being work done on this issue, because even though it is closed it is not fixed?

No much.

Is it possible to have a look at that again, because we would really like this to be implemented

Was this page helpful?
0 / 5 - 0 ratings

Related issues

nfrancis picture nfrancis  路  8Comments

TimoStramann picture TimoStramann  路  5Comments

johanoloflindberg picture johanoloflindberg  路  7Comments

justajeffy picture justajeffy  路  3Comments

statepm picture statepm  路  4Comments