roundcube / roundcubemail

The Roundcube Webmail suite
https://roundcube.net
GNU General Public License v3.0

Add S/MIME-support to Roundcube #4977

Open rcubetrac opened 16 years ago

rcubetrac commented 16 years ago

Reported by Luzifer on 26 Jan 2008 15:03 UTC as Trac ticket #1484725

It would be very nice if one could digitally sign / encrypt mails in roundcube with S/MIME certificates (http://en.wikipedia.org/wiki/S/MIME) which are fetched at cacert or thawte free mail cert for example. This would pass more security to the sent mails.

Keywords: s/mime security encryption digitalsignature

Migrated-From: http://trac.roundcube.net/ticket/1484725

rcubetrac commented 16 years ago

Comment by seansan on 19 Feb 2008 20:55 UTC

Moved to later for now

rcubetrac commented 14 years ago

Comment by vanbroup on 5 Mar 2010 14:16 UTC

I would love to make a donation to the project or just pay for the full development to get S/MIME support added in a short time!

Please just contact me, if you are interested.

rcubetrac commented 10 years ago

Comment by dprophit on 3 Nov 2013 16:53 UTC

Necessary webmail feature over pgp

rcubetrac commented 10 years ago

Comment by dprophit on 25 Nov 2013 14:22 UTC

Why is this feature taking too long to bring to a revision?

rcubetrac commented 10 years ago

Comment by glawrie on 3 Dec 2013 13:27 UTC

Would be interested in this being added too... not sure what milestone "later" means... hopefully not sometime-never.

rcubetrac commented 10 years ago

Comment by Takika on 12 Dec 2013 00:40 UTC

I just made a plugin which can verify the S/MIME signed mails.

rcubetrac commented 10 years ago

Comment by admins on 18 Feb 2014 13:23 UTC

Hi all, it's really important to integrate it. It cannot be that the S/MIME integration takes over 6 years.

Thx admins

rcubetrac commented 10 years ago

Comment by amarand on 30 May 2014 15:43 UTC

Adding self to Cc list.

rcubetrac commented 9 years ago

Comment by Shellmaster on 1 Mar 2015 19:25 UTC

Hi there,

I am working on it. At the first step I want to add full signature verification. Other steps will depend on the private key security options.

rcubetrac commented 9 years ago

Comment by @alecpl on 11 Apr 2015 06:00 UTC

Please, take a look at current state of enigma plugin. There's full PGP support and some code for s/mime, but this part requires work. Would be great to have s/mime and pgp integrated in one place. There's already a lot of helpful code there. Of course if you agree to the solution that keeps keys/certs server-side. I can understand if you plan to create a client-side plugin.

Offerel commented 7 years ago

Is there any progress on S/MIME support in Roundcube?

alecpl commented 7 years ago

Some people were working on this subject, but nothing has been integrated into Roundcube. I know one plugin exists: https://plugins.roundcube.net/packages/takika/rc_smime, but from the description I see it does not support encryption. There's also some code in this fork github.com/guitarmanusa/roundcubemail.

So, if anyone is interested in working on this see the links and my comment above.

Offerel commented 7 years ago

Thx for that info. I hope someone can continue to work on S/MIME support, since PGP isn't supported by most of my contacts. Most of them use S/MIME and can't include PGP support in their clients.

AliceWonderMiscreations commented 7 years ago

I would really love this. With DANE support coming to S/MIME (see https://tools.ietf.org/html/draft-ietf-dane-smime-16) it would let me publish a DANE record 2 1 1 intermediate certificate that could be used to sign S/MIME certs for each user account that wants it without the cost of certificate authorities.

The mail service I provide is webmail only, I would want the S/MIME keys/certs on the webmail server which some people rightfully object to but those people should be using mail services that are not webmail only.

Whoever is working on this should take that draft RFC into consideration so that roundcube can DANE validate S/MIME certs sent by other users.

I believe the current version of OpenSSL supports DNSSEC validation, not sure if the php wrapper does. I don't know about LibreSSL. But on a webmail server that wants to offer DANE validation of S/MIME certs, it is reasonable IMHO to require they use a DNSSEC validating recursive resolver so the webmail server itself only needs to validate that the zone is DNSSEC signed (easy to do) and doesn't need to do the DNSSEC validation itself.
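
Added example, not part of the comment above or of Roundcube's code: the SMIMEA lookup name from RFC 8162 (the published form of the linked draft) and a `2 1 1` match against an issuing CA, in Python. The byte strings are constructed stand-ins for DER data and all function names are hypothetical.

```python
import hashlib
import hmac
import unicodedata

def smimea_owner(address):
    """DNS owner name of the SMIMEA RRset for an address (RFC 8162, section 3)."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("not a mailbox address: %r" % address)
    # The local-part is hashed as NFC-normalised UTF-8 and is not case-folded.
    digest = hashlib.sha256(unicodedata.normalize("NFC", local).encode("utf-8")).digest()
    return "%s._smimecert.%s." % (digest[:28].hex(), domain.rstrip(".").lower())

def association_data(selector, mtype, cert_der, spki_der):
    """Bytes a record with this selector and matching type must carry."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector or matching type")
    selected = spki_der if selector == 1 else cert_der
    if mtype == 0:
        return selected
    return hashlib.new("sha256" if mtype == 1 else "sha512", selected).digest()

def make_rdata(usage, selector, mtype, cert_der, spki_der):
    """Presentation-format RDATA, e.g. '2 1 1 <hex>'."""
    data = association_data(selector, mtype, cert_der, spki_der)
    return "%d %d %d %s" % (usage, selector, mtype, data.hex())

def dane_ta_match(rdata, chain):
    """Index of the CA in chain (leaf first) that a usage-2 record pins, else None."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    if int(usage) != 2:
        raise ValueError("only certificate usage 2 (DANE-TA) is handled here")
    pinned = bytes.fromhex("".join(hexdata.split()))
    # chain[0] is the user's own certificate; usage 2 pins an issuer above it.
    for index, (cert_der, spki_der) in enumerate(chain[1:], start=1):
        candidate = association_data(int(selector), int(mtype), cert_der, spki_der)
        if hmac.compare_digest(candidate, pinned):
            return index
    return None

# Constructed stand-ins for DER bytes; real input comes from a parsed certificate chain.
LEAF = (b"constructed-leaf-cert", b"constructed-leaf-spki")
INTERMEDIATE = (b"constructed-intermediate-cert", b"constructed-intermediate-spki")
OTHER_CA = (b"constructed-other-cert", b"constructed-other-spki")

if __name__ == "__main__":
    record = make_rdata(2, 1, 1, *INTERMEDIATE)
    print(smimea_owner("alice@example.com"), "IN SMIMEA", record)
    print(dane_ta_match(record, [LEAF, INTERMEDIATE]))
```

A match is only meaningful when the SMIMEA answer itself was DNSSEC-validated, which is the resolver requirement the comment describes.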

CRtEurope commented 7 years ago

@AliceWonderMiscreations all this sounds well. But I would prefer pushing PGP signed messages. The PGP public keys can also be distributed over dns and can be dnssec signed.

And roundcube should also push PGP signed messages. In this case it would be nice to see if a key is dnssec signed or not.

OpenSSL is able to do dnssec validation. But I do not think that each provider, small or big, uses a validating resolver for it.

But at the end opinions will differ widely about what to use.

taalas commented 7 years ago

@alecpl Would it be possible to financially support development of this feature?

duk3luk3 commented 7 years ago

@taalas @boredland I will be working on S/MIME support, are you still interested in supporting this feature financially? (Note: I am not affiliated with Roundcube, just a happy user and occasional contributor at this point)

taalas commented 7 years ago

@duk3luk3 We are still interested in this feature and might be able to financially support its development. This largely depends on the amount of support needed though, what did you have in mind?

duk3luk3 commented 7 years ago

The enigma readme has the following TODO items for S/MIME:

- S/MIME: Certs generation (?)
- S/MIME: Certs management
- S/MIME: signed messages verification
- S/MIME: encrypted messages decryption
- S/MIME: Sending signed/encrypted messages
- S/MIME: Handling of certs attached to incoming messages
- S/MIME: Certificate info in Contacts details page (optional)

This is how I'd go about implementing it:

  1. Signed message verification
  2. Certs management
  3. Sending encrypted messages
  4. Decrypting messages
  5. Sending signed messages

This allows me to build the code up without worrying about ancillary functionality and "bookkeeping" type stuff until I get to step 2, and I won't need to have private keys around until step 4. I think that progression should also make it easy for someone to pick up the work if I have to abandon it.

So maybe you'd like to put some bounties on these steps for anyone to pick up, or we could contract directly.

I am an independent IT consultant and one of my main clients is a university in Germany, where S/MIME support in Roundcube would be a very nice to have feature since all users have S/MIME certificates, however it's not a priority requirement and there are no plans for it right now.

Now before I can put numbers to this, I need to know at what level you want to support this and what your organization is and I think we should take the conversation off this issue tracker.

You can find my contact info here: http://www.lerlacher.de/contact.en.html - please just shoot me an e-mail!

duk3luk3 commented 6 years ago

@alecpl I am working on this now - is it "PR's welcome"? Any special requirements to make sure it will be acceptable for merging into core?

alecpl commented 6 years ago

Create a PR, please and I will review. For now the only requirement is to use code style of Roundcube.

duk3luk3 commented 6 years ago

I will as soon as I have something mergeable - would it be enough to just implement verification of signed (unencrypted) messages against CAs installed on the server / added in global configuration of plugin as a first step?

alecpl commented 6 years ago

Yeah, should be enough for a first PR ;)

wioxjk commented 6 years ago

following this with great excitement

duk3luk3 commented 6 years ago

I am running into some issues with the php_openssl module. Would it be acceptable to implement the s/mime functionality by shelling out to the openssl binary, like crypt_gpg does for the gpg functionality?

(I am also still looking for additional financial support to allow me to dedicate more of my time to this. As you can see, it's not that simple...)

EDIT: I've figured out my php_openssl issue, but the request for funding still stands!

duk3luk3 commented 6 years ago

PR submitted!

m0urs commented 6 years ago

@duk3luk3 Are you still working on the S/MIME functionality? Would really like to see that in Roundcube. Thanks!

duk3luk3 commented 6 years ago

@m0urs Unfortunately I only got up to 50% of the financial support I wanted to make a really serious push for this, so #6043 is the only real result. And I am now no longer able to take on side projects. So unfortunately the answer is no :-(

wioxjk commented 6 years ago

@m0urs @duk3luk3 There are some third-party addons for roundcube that can verify S/MIME now.

m0urs commented 6 years ago

@wioxjk I know, however that is not really useful. I would need to be able to encrypt and decrypt S/MIME encrypted mails ... @duk3luk3 I understand. :-(

wioxjk commented 6 years ago

@m0urs Yes, it would be a nice feature indeed. However, I would also like to see a "Great DANE" implementation in RC (https://greatdane.io). I think that would solve the need to encrypt/decrypt/sign mail with S/MIME

taalas commented 6 years ago

@duk3luk3 That is too bad but understandable. I had contacted you a couple of weeks ago about the current status. Sorry to hear that there is no chance of this happening in the near future...

ghost commented 5 years ago

I am choosing between horde, squirrelmail and roundcube... That S/MIME is not supported immediately excludes roundcube from my options.

taalas commented 4 years ago

Since @duk3luk3's pull request seems to still be open I would like to kindly ask if there is anything planned for S/MIME support in future Enigma versions. How likely is it that this feature will be worked on anytime soon(ish)?

tborychowski commented 4 years ago

Any update on this?

scottnzuk commented 3 years ago

Also following.. Can we get a bounty going for this code change?

https://www.bountysource.com/teams/roundcube/issues

ohreally commented 3 years ago

Unfortunately, I don't have time to dive into this. However, I did have time to do some research.

Horde Webmail supports S/MIME. The Horde Cryptography API is released under the terms of the LGPLv2.1. Roundcube is released under the terms of the GPLv3. The license compatibility matrix states that code released under the LGPLv2.1 can be relicensed under the GPLv3.

This means that Horde code can be used to implement S/MIME in Roundcube.

The Horde_Crypt_Smime class can be found here: https://github.com/horde/Crypt/blob/master/lib/Horde/Crypt/Smime.php

This class extends the Horde_Crypt class that can be found here: https://github.com/horde/Crypt/blob/master/lib/Horde/Crypt.php

Isn't open source just beautiful? :) Just make sure to respect the license conditions, and give credit where it's due.

(I understand that it's prettier to implement this using own code, but this ticket has been open for 13 years now. So maybe someone could at least implement this as a temporary solution?)

ScarVite commented 2 years ago

any updates on this?

ulwanski commented 2 years ago

any updates on this?

captainwasabi commented 2 years ago

12 years later and still no support for the CRITICAL feature.

scottnzuk commented 2 years ago

Honestly I feel like this is old tech now. So not too worried.


Ratchet-master commented 1 year ago

Hi,

This is getting ridiculous. Is there any update to this please??

andreashaerter commented 1 year ago

@jedvod:

> This is getting ridiculous.

I would also like to see S/MIME in Roundcube, but your expectations and wording are the only really ridiculous thing here. Nobody owes you anything, especially if you do not contribute in any way.

scottnzuk commented 1 year ago

> @jedvod:
>
> > This is getting ridiculous.
>
> I would also like to see S/MIME in Roundcube, but your expectations and wording are the only really ridiculous thing here. Nobody owes you anything, especially if you do not contribute in any way.

Easy easy lol..

I feel his frustration but such is life with free products and not being a dev and no bounty style go fund me. :(

Anarbb commented 1 month ago

16 Years and still no support, I'll try to develop it myself.

captainwasabi commented 1 month ago

> 16 Years and still no support, I'll try to develop it myself.

Nextcloud Mail supports s/mime now. Just got it all working today.