GPG4win 3.0: Outlook-2010 stores encrypted/signed S/Mime-mails only encrypted

Hello,
if sending S/Mime encrypted/signed or encrypted mails, copy is stored in Outlook’s sent folder.
Encryption is done to own and recipient’s S/Mime-key.

But sent copy cannot be decrypted for reading in Outlook…
Why? Faulty settings?

Thx + regards, Chris

Hi Chris,

So you are trying to decrypt the sent mail that is in the “Send” folder? You are right, it should be encrypted with the sender’s key as well!

What is the error you are receiving? Is the display of the crypto-status in the top right corner correct? Is the key associated with the account you are sending from still valid?

Best wishes,
Jochen

Hi Jochen,
yes, I am trying to decrypt the sent mail, that is in the “Send” folder.

It has been encrypted to foreign and own Smime keys, dialogue has been shown (S/Mime: 1x FROM, 2x TO).

Both keys are still valid and shown in Kleopatra as “beglaubigt”, Comodo-CA.

Pls refer to attached OL-screenshot.

Thx + regards, Chris

[ https://i.imgur.com/e1PrHHr.jpg ]

Hi Chris,

Thanks for clarifying that!

Can you check if this issue also occurs if you change the type of mail (i.e. from HTML-formatted mail to plain text mail or vice versa)?

Best Wishes,
Jochen

Hello Jochen,

no, it makes no difference if composing outgoing S/Mime-email as html or txt:
Both sent mails cannot be decrypted in sent folder.

Sorry + regards, Chris

Hi Chris,

I tried to recreate your issue and stumbled upon the old issue of CRL files. Can you disable the CRL check in Kleopatra (it is in Kleopatra Options, GnuPG System, S/MIME, “Never Consult CRL”)? Also, please check if it makes a difference if you sign and/or encrypt the message only.

Best wishes,
Jochen

Hello Jochen,
results after disabling the CRL check in Kleopatra (it is in Kleopatra Options, GnuPG System, S/MIME, “Never Consult CRL”):

Signing only: Works as expected, sent mail is marked green as “GpgOL: Vertraute Absenderadresse” in sent folder.

Encrypting only: Sent mail cannot be encrypted…

Enc + Sign: Sent mail cannot be encrypted…

No difference between HTML or TXT mails.

On recipient’s client everything works as expected, all mails are signed, encrypted or signed+encrypted, reading possible.

Best regards, Chris

Mistake, pls ignore previous post, sorry…

Hello Jochen,
results after disabling the CRL check in Kleopatra (it is in Kleopatra Options, GnuPG System, S/MIME, “Never Consult CRL”):

Signing only: Works as expected, sent mail is marked green as “GpgOL: Vertraute Absenderadresse” in sent folder.

Encrypting only: Sent mail cannot be decrypted in sent folder…

Enc + Sign: Sent mail cannot be decrypted…

No difference between HTML or TXT mails.

On recipient’s client everything works as expected, all mails are signed, encrypted or signed+encrypted, reading possible.

Best regards, Chris

Hey Chris,

Can you enable debugging in GpgOL and GnuPG for S/MIME, so we can take a deeper look at the workflow (and maybe errors/issues in it)?

You can find instructions on how to enable debugging in the Gpg4win compendium, chapter 23 [1].

Best wishes,
Jochen

[1] - https://files.gpg4win.org/doc/gpg4win-compendium-en.pdf

Hi Jochen,

there are some private details in log files, which should NOT be shared by newssystem…
Cleaning of user/mail address aso. possible?

Where to send the debugging logs in GpgOL and GnuPG for S/MIME?

Thx + regards, Chris

Hi Chris,

You can clean them of course! We don’t need the information to analyse what is happening. You can attach them to this post as a file attachment.

Best wishes,
Jochen

You have mail with logs attached…
Regards Chris

From the logs you sent me, some lines in the gpg-agent.log were quite interesting:

2017-10-07 19:30:36 gpgsm[3820] DBG: chan_0x000000f0 <- ERR 67108881 Kein geheimer Schlüssel

This states that your private key could not be found; therefore you can’t decrypt the information in your outbox. It seems that you either have no private key for your own account, or you have specified the wrong pubkey for sending the mail to yourself.

(You can check the existing private keys via “gpgsm -K” in console)

Do you have the option to back up your keyring and trust-db? You can just rename them and new ones would be created. Import your pub- and private key into that, and a public key of a recipient. Make sure that you have as few keys as possible in that “testing-keyring” and make sure that no mail address doubles itself, since this can cause problems with S/MIME.

Best wishes,
Jochen
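
Added example (not part of the thread and not Gpg4win project code): the number in the ERR line quoted above is a libgpg-error value that packs an error source and an error code, so it can be decoded regardless of the language the log message is written in. The sketch below scans debug log lines for such ERR replies, decodes them, and masks mail addresses before a log is shared; the lookup tables are a partial subset, and all sample lines except the first are constructed.

```python
import re

# Bit layout used by libgpg-error: low 16 bits = code, bits 24-30 = source.
CODE_MASK, SOURCE_SHIFT, SOURCE_MASK = 0xFFFF, 24, 0x7F

# Partial lookup tables (subset of the libgpg-error lists); extend as needed.
SOURCES = {1: "gcrypt", 2: "GnuPG", 3: "GpgSM", 4: "GPG Agent",
           5: "Pinentry", 6: "SCD", 7: "GPGME", 9: "KSBA", 10: "Dirmngr"}
CODES = {9: "GPG_ERR_NO_PUBKEY", 17: "GPG_ERR_NO_SECKEY",
         95: "GPG_ERR_NO_CRL_KNOWN", 96: "GPG_ERR_CRL_TOO_OLD",
         99: "GPG_ERR_CANCELED"}

# Matches debug lines like "<date> <time> gpgsm[3820] DBG: chan_0x... <- ERR <number> <text>".
# A Unicode arrow is accepted too, because web forums often convert "<-" when rendering.
ERR_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<prog>[\w-]+)\[(?P<pid>\d+)\] DBG: \S+ "
    r"(?:<-|->|←|→) ERR (?P<num>\d+)(?: (?P<text>.*))?$")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def decode(value):
    """Split a numeric gpg-error value into (source name, code name)."""
    src = (value >> SOURCE_SHIFT) & SOURCE_MASK
    code = value & CODE_MASK
    return SOURCES.get(src, f"source {src}"), CODES.get(code, f"code {code}")

def scan(lines):
    """Yield (timestamp, program, source, code) for every ERR line found."""
    for line in lines:
        m = ERR_LINE.match(line.strip())
        if m:
            yield (m["ts"], m["prog"], *decode(int(m["num"])))

def redact(line):
    """Mask mail addresses before a log is posted publicly."""
    return EMAIL.sub("<redacted>", line)

# First line is the one quoted in the thread; the other three are constructed.
SAMPLE = [
    "2017-10-07 19:30:36 gpgsm[3820] DBG: chan_0x000000f0 <- ERR 67108881 Kein geheimer Schlüssel",
    "2017-10-07 19:30:36 gpgsm[3820] DBG: chan_0x000000f0 -> OK",
    "2017-10-07 19:30:37 gpgsm[3820] DBG: chan_0x000000f4 <- ERR 167772255 No CRL known <Dirmngr>",
    "2017-10-07 19:30:38 gpgsm[3820] constructed line mentioning user@example.org",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit, sep=" | ")
    print(redact(SAMPLE[-1]))
```

For the quoted line this yields source "GPG Agent" and code GPG_ERR_NO_SECKEY, which matches the "no secret key" reading given in the reply above.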