My System:
- ArchLinux
- Thunderbird 60.6.1
- gpg (GnuPG) 2.2.15
- libgcrypt 1.8.4
- ~/.gnupg/gpg-agent.conf has the following:
cache-ttl 300
max-cache-ttl 999999
allow-loopback-pinentry
pinentry-program /usr/bin/pinentry-gtk-2
The Problem:
I added my home key to my office email. I then trusted my key.
Then I created a message and encrypted with my home key. I also added the key to the per-recipient-rules editor.
All looks good, but when I try to send an email after I compose it, it shows "sending", never stops to ask for my keyring password, and the email is sent unencrypted.
Any ideas as to what could be wrong?
I have the same setup at home and it works flawlessly.
Thanks,
R.
Last edit: R. Alvez 2019-04-24
Impossible to tell with debugging log file.
In the debug log the only indication I see as suspicious is this:
keyRing.jsm: getKeyById: 0x8A71F9B10A926431
2019-04-23 17:27:29.169 [DEBUG] keyRing.jsm: doValidKeysForAllRecipients(): return null (no single valid key found for="0x8A71F9B10A926431" with minTrustLevel="?")
2019-04-23 17:27:29.169 [DEBUG] enigmailMsgComposeHelper.js: doValidKeysForAllRecipients(): return null (key missing)
2019-04-23 17:27:29.169 [DEBUG] enigmailMsgComposeHelper.js: validKeysForAllRecipients(): return 'null'
Where 0x8A71F9B10A926431 is the key ID of the imported key.
Or would you like me to post the entire log?
Thanks for your reply.
R.
There are two possible reasons:
1. You imported the key via gpg and didn't refresh the key cache in Enigmail.
2. You didn't sign the key, but configured Enigmail to only accept signed keys.
Hi Patrick,
I signed the key but no joy.
I'm attaching my log file, perhaps you have a better eye to see something I cannot.
The relevant emails are ralvez@ittwo (the imported key) and Ricardo.Alvez@humber.ca my office mail.
Appreciate your help.
Best,
R.
@Patrick, couldn't this also be an AutoCrypt (PRR) issue as I see "autocrypt.jsm: processAutocryptHeader(): from="R. Alvez" ralvez@ittwo.ca" in the logs?
@Ricardo, since I only see two pEp initialization log lines, it seems that you already disabled the "pEp Junior Mode". If not, go to menu Edit > Preferences; then switch to the "Privacy" tab and select "Force using S/MIME and Enigmail".
Plus I never see Ricardo.Alvez@humber.ca except in the keyring; Enigmail tries to encrypt the message to alvez@humber.ca (only) and does not find a match:
2019-04-24 11:08:56.175 [CONSOLE] enigmail> /usr/bin/gpg --charset utf-8 --display-charset utf-8 --no-auto-check-trustdb --batch --no-tty --no-verbose --status-fd 2 --log-file /tmp/gpgOutput.GUl179 -a -t --encrypt --trust-model always --encrypt-to alvez@humber.ca -r 0x8A71F9B10A926431 -u alvez@humber.ca
2019-04-24 11:08:56.182 [DEBUG] errorHandling.jsm: invalidRecipient: detected invalid recipient alvez@humber.ca / code: 0
2019-04-24 11:08:56.183 [DEBUG] keyRing.jsm: getKeysByUserId: 'alvez@humber.ca'
2019-04-24 11:08:56.183 [DEBUG] enigmailMsgComposeHelper.js: getInvalidAddress(): gpgMsg="The email address "alvez@humber.ca" cannot be matched to a
key on your keyring. Please select a valid key in the OpenPGP section of your Account Settings."
Please also note THIS hint.
Last edit: Olav Seyfarth 2019-04-24
Olav,
Thank you for your reply.
You are correct, I disabled Junior Mode and forced S/MIME. From what I have read in some of the threads here in the forum, it is advisable.
I also noticed that it mentioned alvez@humber.ca but I do not know why. The only reason I can think of is that I use Thunderbird to access IMAP services from an Office365 Exchange Server where the college/vendor uses alvez@humber.ca. However, I have no keys for that email; the default I have is Ricardo.Alvez@humber.ca and that one used to work.
As per the hint you mentioned, I did refresh the keys.
Once again thank you guys for your help.
R.
Last edit: R. Alvez 2019-04-24
Have you checked your per-recipient rules? Enigmail DOES try to encrypt to alvez@humber.ca and cannot. That's most probably the culprit, so you might want to search for that string in prefs.js and pgprules.xml in your TB profile (if you want to and know how to use the CLI).
Olav,
Yes. I know how to work on the CLI. I've been using Linux/Unix for +/- 20 years. But ... what do you want me to do within those files? Do I change ralvez@humber.ca for Ricardo.Alvez@humber.ca or just delete all references to alvez@humber.ca ?
R.
Hi Ricardo, so you're about Patrick's and my age then? Those that started with zmodem or CP/M indeed do know how to use (and value) the CLI. OK, off-topic, sorry ;-)
The presumption is that alvez@humber.ca is "wrong" in the sense that it's not a valid email address. Enigmail tries to encrypt to it, so:
1. create a backup of prefs.js and pgprules.xml
2. find the alvez@humber.ca (without the "ricardo.") and either leave it (account login credentials may well use it), correct it (if it should rather be a valid e-mail address) or delete it (decide based on the setting name).
@Patrick: I just received a similar case where someone tried to send a message to me (via a functional address 3 representatives use) and Enigmail encrypts to the personal key of one of the 3, EXCLUDING the key that would be available; not sure if it WAS available when she wrote the first time, but I'll ask her to import the key now and retry.
Olav,
Yup, I'm one of those old fogeys ... yet kicking strong on the CLI. ;)
To be honest, what's the point of using Linux if one would not touch the CLI? It's like having a Maserati but never driving faster than 40. Just saying ...
OK. I'll give that idea a try and report back.
Thanks!
R.
Last edit: R. Alvez 2019-04-25
Olav,
After taking a look at both files these are my conclusions:
1. prefs.js is 1320 lines long and alvez@humber.ca shows up about 20 or 30 times. Deleting it seems a rather perilous exercise.
2. pgprules.xml only has a reference to ralvez@ittwo.ca, nothing about the other two. Is that what you would expect?
Thanks.
R.
I've attached pgprules.xml just in case it is useful.
Olav,
OK. Since alvez@humber is the "hold-up" I decided to create a key for that email.
I then sent an email to ralvez@ittwo.ca using the corresponding key. Once again, though, the message was sent immediately but I was not asked to enter my passphrase in pinentry. Of course the message went unencrypted.
Seems to me that there is another problem.
I've attached the logs.
Thanks.
R.
The log says this:
In other words gpg cannot find a key for <alvez@humber.ca> (please note the <> brackets). I'd recommend that you
1. Reload the key cache in Enigmail (in the Key Manager)
2. In the Account Manager in the OpenPGP settings, you should specify the key ID that you want to use for alvez@humber using the Select button. That's safer than using detection via email address.
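As an added illustration of the lookup failure in the log above and of why selecting a key ID is safer than matching on an email address (this is example code written for this page, not Enigmail's or GnuPG's own code): the script below parses a constructed `gpg --with-colons --list-keys` listing and applies GnuPG's documented user-ID selection rules, going beyond the single case in the thread to cover all four forms (key ID, `<addr>` exact email, `@text` partial email, plain substring). The key ID 0x8A71F9B10A926431 and the ralvez@ittwo.ca / Ricardo.Alvez@humber.ca addresses come from the thread; the fingerprints, timestamps and the second, unrelated key are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `gpg --with-colons --list-keys` output (see lead-in):
# only the key ID and the two addresses come from the thread, the rest is made up.
SAMPLE_LISTING = """\
tru::1:1556100000:0:3:1:5
pub:u:4096:1:8A71F9B10A926431:1550000000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000008A71F9B10A926431:
uid:u::::1550000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::R. Alvez <ralvez@ittwo.ca>::::::::::0:
uid:u::::1550000000::ABCDEF0123456789ABCDEF0123456789ABCDEF02::Ricardo Alvez <Ricardo.Alvez@humber.ca>::::::::::0:
sub:u:4096:1:1111111111111111:1550000000::::::e::::::23:
pub:-:2048:1:2222222222222222:1550000000:::-:::scESC::::::23::0:
fpr:::::::::0000000000000000000000002222222222222222:
uid:-::::1550000000::ABCDEF0123456789ABCDEF0123456789ABCDEF03::Someone Else <alvez@example.org>::::::::::0:
"""


@dataclass
class Key:
    keyid: str                                  # long key ID, upper-case hex
    uids: list = field(default_factory=list)    # (validity, user ID) pairs


def parse_colons(text):
    """Parse the pub/uid records of --with-colons output into Key objects."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append(Key(keyid=f[4].upper()))       # field 5 = key ID
        elif f[0] == "uid" and keys:
            # field 2 = user-ID validity (-,q,n,m,f,u,e,r,...), field 10 = user ID
            keys[-1].uids.append((f[1], f[9]))
    return keys


_EMAIL = re.compile(r"<([^>]+)>")


def email_of(uid):
    m = _EMAIL.search(uid)
    return m.group(1).lower() if m else ""


def lookup(keys, pattern):
    """Return (keyid, uid, uid_validity) triples matching `pattern`, following
    gpg(1) "HOW TO SPECIFY A USER ID":
      0x<hex>  key ID (suffix match on the long ID)
      <addr>   exact, case-insensitive match on the email part; this is the form
               in the log, so <alvez@humber.ca> cannot match <Ricardo.Alvez@humber.ca>
      @text    substring match on the email part only
      other    case-insensitive substring match on the whole user ID
    """
    p = pattern.strip()
    if p.lower().startswith("0x"):
        want = p[2:].upper()
        return [(k.keyid, k.uids[0][1], k.uids[0][0])
                for k in keys if k.uids and k.keyid.endswith(want)]
    hits = []
    for k in keys:
        for validity, uid in k.uids:
            if p.startswith("<") and p.endswith(">"):
                ok = email_of(uid) == p[1:-1].lower()
            elif p.startswith("@"):
                ok = p[1:].lower() in email_of(uid)
            else:
                ok = p.lower() in uid.lower()
            if ok:
                hits.append((k.keyid, uid, validity))
    return hits


# Validity letters in ascending order; anything not listed (expired 'e',
# revoked 'r', invalid 'i') is never usable.
_VALIDITY_ORDER = "-qnmfu"


def usable_keyids(keys, pattern, min_validity="f"):
    """Matching key IDs whose user ID is at least `min_validity` (default: full),
    i.e. the subset a client that only accepts signed keys would consider."""
    floor = _VALIDITY_ORDER.index(min_validity)
    return sorted({keyid for keyid, _uid, v in lookup(keys, pattern)
                   if _VALIDITY_ORDER.find(v) >= floor})


if __name__ == "__main__":
    keys = parse_colons(SAMPLE_LISTING)
    for pat in ("<alvez@humber.ca>", "<Ricardo.Alvez@humber.ca>",
                "alvez@humber.ca", "@alvez", "0x8A71F9B10A926431"):
        matched = sorted({h[0] for h in lookup(keys, pat)})
        print(f"{pat:28} matches {matched} usable {usable_keyids(keys, pat)}")
```

Running it shows the three outcomes that matter: the exact form `<alvez@humber.ca>` matches nothing (the failure in the log), the loose forms `alvez@humber.ca` and `@alvez` match by substring and the latter also pulls in an unrelated, unvalidated key, and the key ID selects exactly one key regardless of which user IDs it carries.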
Hi Patrick,
I did all that you said but the problem persists.
I noticed now the logs point to ralvez@ittwo.ui as not having a key. I do not even have such email.
I'm beginning to believe that the problems here run deep.
I have put 2 1/2 days of work into this but have not much to show for it. :(
I've attached the new logs but if you cannot spot a viable solution I think I'll cut my losses and let this one go. I cannot afford to lose more time on this.
I appreciate the help.
R.
p.s. I recognize that you guys have spent time helping me here and I hope you will not feel too badly if I let this one go in the end, but I also feel the time invested on my side is getting out of hand.
Last edit: R. Alvez 2019-04-25
We're sad that you had issues and that we couldn't help you better but we don't feel offended if you decide to move on. What troubles me is that you managed on one system but not on another. In such cases, I tend to re-create the TB profile (yes, I know how much work THAT is).
First do a test (that's 10 min.)
1. Make sure your keyring looks clean using pgp on the CLI
2. Start the TB profile manager, temporarily switch off "automatic", create a test profile
3. set it up only as far as it is needed to send/receive signed/encrypted messages, test
If THAT works but your current setup doesn't, then find out what's different. If you can't, either don't use Enigmail or go for the full re-creation.
Concerning your per-recipient rule: I don't think you need it. Depending on your "Always BCC" settings or alike, it may well cause trouble as it forces encryption as soon as that address is ONE of the recipients.
Olav,
You guys are great and I appreciate your support. In truth I have to say that I did not use much email encryption in the past because, as a general rule, when it works it's great but if it does not then it seems to go downhill fast.
I do use pgp on a regular basis (cli of course) and that works great. I use it with pass, for instance, to encrypt all my browser passwords and it is incredibly good. There is even a neat plugin that allows you to use a short-cut to log into web sites.
In connection to the setup in my office, it is a bit complicated because the college is a Microsoft shop and I'm the only Linux guy. I, therefore, get no support from the IT division and have to figure out everything by myself in order to be backwards compatible with everyone else. I have a relatively complex setup to allow TB to talk to Exchange Calendar and also send and retrieve email from Office365. I even wonder if that is part of the problem.
I do software development for the institution and am at the end of a big project, therefore, I cannot devote too much time to this problem at this time.
Once I get "out of the crunch" I'll give it another shot. If you know programmers you also know that "unfinished business" is not an option. I want to figure this one out but it may be a few weeks down the road.
Thanks a lot!! We'll talk again I'm sure :)
R.
Last edit: R. Alvez 2019-04-25
The question for me is if you are using the same keyring on the CLI as in Enigmail.
The most frequent source of problems is that you're using GnuPG 2.2 in Enigmail, but 1.4 or 2.0 on the CLI. gpg 1.4/2.0 have a different keyring for the secret keys than gpg 2.2, even if both use the same GNUPGHOME.
I can see in the log that Enigmail uses /usr/bin/gpg, which is version 2.2.15, GNUPGHOME=/home/ralvez/.gnupg. Are you using the same version of GnuPG, with the same directory?
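The check Patrick is asking for, as an added example written for this page (not Enigmail's or GnuPG's code): resolve the directory GnuPG will use the way gpg does ($GNUPGHOME, else ~/.gnupg), read the version string, and report which secret-key store is present there. GnuPG 1.4/2.0 keep secret keys in `secring.gpg`; GnuPG 2.1+ keeps them as per-key files in `private-keys-v1.d/` managed by gpg-agent, imports an existing `secring.gpg` on first run and leaves a `.gpg-v21-migrated` marker. The `build_sample_home` helper constructs empty placeholder directories of each shape so the classification can be exercised without touching a real keyring.

```python
import os
import shutil
import subprocess
import tempfile


def gnupg_home(env=None):
    """Directory GnuPG will use: $GNUPGHOME if set, otherwise ~/.gnupg."""
    env = os.environ if env is None else env
    if env.get("GNUPGHOME"):
        return env["GNUPGHOME"]
    home = env.get("HOME") or os.path.expanduser("~")
    return os.path.join(home, ".gnupg")


def gpg_version(binary="gpg"):
    """First line of `gpg --version` (e.g. 'gpg (GnuPG) 2.2.15'), or None if absent."""
    path = shutil.which(binary)
    if path is None:
        return None
    out = subprocess.run([path, "--version"], capture_output=True, text=True, check=False)
    return out.stdout.splitlines()[0] if out.stdout else None


def secret_stores(home):
    """Report which secret-key stores exist under a GnuPG home directory.
    secring.gpg         -- GnuPG 1.4 / 2.0 secret keyring
    private-keys-v1.d/  -- GnuPG 2.1+ per-key files managed by gpg-agent
    .gpg-v21-migrated   -- marker gpg 2.1+ writes after importing secring.gpg
    A home with only secring.gpg means gpg 2.2 has not yet migrated the secret
    keys, so it lists the public keys but finds no secret key to sign with.
    """
    legacy = os.path.isfile(os.path.join(home, "secring.gpg"))
    marker = os.path.isfile(os.path.join(home, ".gpg-v21-migrated"))
    agent_dir = os.path.join(home, "private-keys-v1.d")
    agent_keys = (len([n for n in os.listdir(agent_dir) if n.endswith(".key")])
                  if os.path.isdir(agent_dir) else 0)
    if agent_keys and legacy:
        verdict = "migrated" if marker else "both-stores"
    elif agent_keys:
        verdict = "gpg21plus"
    elif legacy:
        verdict = "legacy-unmigrated"
    else:
        verdict = "no-secret-keys"
    return {"home": home, "legacy_secring": legacy, "agent_keys": agent_keys,
            "migrated_marker": marker, "verdict": verdict}


def build_sample_home(kind):
    """Constructed fixture: a temp dir shaped like a GnuPG home of `kind`
    ('empty', 'legacy', 'modern', 'migrated'). All files are empty placeholders."""
    d = tempfile.mkdtemp(prefix="gnupg-sample-")
    if kind in ("legacy", "migrated"):
        open(os.path.join(d, "secring.gpg"), "wb").close()
    if kind in ("modern", "migrated"):
        os.mkdir(os.path.join(d, "private-keys-v1.d"))
        open(os.path.join(d, "private-keys-v1.d", "0" * 40 + ".key"), "wb").close()
    if kind == "migrated":
        open(os.path.join(d, ".gpg-v21-migrated"), "wb").close()
    return d


if __name__ == "__main__":
    # Run this on both machines and compare the three lines.
    print("gpg :", gpg_version())
    print("home:", gnupg_home())
    print("keys:", secret_stores(gnupg_home()))
```

Comparing the three printed lines from the home and office machines answers Patrick's question directly: same binary version, same directory, and the same kind of secret-key store (in particular, not a `legacy-unmigrated` home that a 1.4/2.0 CLI keeps writing to while Enigmail's 2.2 reads `private-keys-v1.d/`).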
Hi Patrick,
My home system (which is running fine) reports the following when I run
gpg --version at the command prompt:
so I think we can say I'm using 2.2.15 in both. Correct?
On Monday, (I only work Mon. to Thur.) I'll verify that in the office I have the same responses.
I'm pretty sure it will be the same because I run ArchLinux and it is a rolling release, which means I'm always on the latest versions of everything.
But I'll let you know for sure.
Thanks!!
R.
Just out of curiosity. I noticed that at home I get icons in my email interface like the ones in the screenshot in this link, but I do not have them in the office's interface. Is that indicative of a problem?
R.
Last edit: R. Alvez 2019-04-26
This just means that the icons are not visible - nothing more. You can configure the toolbar via right-mouse click on the toolbar.
Patrick,
Well... that's interesting. If I go to TB and right-click the top bar and then select "config" there are no icons for "Encrypt" or "Sign", only one for "Decrypt".
Seems odd, don't you think?
Oh, BTW. I tested gpg --version on my office station and it is the same as I have at home. Including the gpg home directory.
R.
Last edit: R. Alvez 2019-04-29
No :-) The other icons are available in the COMPOSE window only (you can edit its toolbar THERE, it's a separate toolbar configuration).