dymion

Outlook encrypts messages that are only signed? Lock icon on just signed mails?

Hello,

Recently I've set up Outlook to always send signed mails, but not encrypted ones.
Everything worked fine until today, when I received feedback from one recipient that he couldn't "view" an email message. He is the only one out of multiple (maybe a hundred) recipients so far.
What's odd: some of the outgoing mails are displayed with a signed badge, and others that are also just signed are displayed with a lock symbol.
[Screenshot: symbols]

I thought that the lock-icon is only applied to emails that were encrypted.
But if you look at my following screenshot, it looks otherwise.
In the list of mails it is marked with a lock, but in the email itself and its properties it's just the red badge.
[Screenshot: sent_mail]

It looks like it has something to do with attachments. Another person complained that opening the attachment was not possible.

My settings:
[Screenshots: trust_center, trust_center_settings]

The mails where this happens are mostly opened from Outlook templates. But even there the settings under Options don't show them as "send with encryption". Just signed.
[Screenshot: email_option]

Any idea what's wrong, or whether anything is?


P.S.: Certificates are not self-signed and are from a common distributor.


EDIT: Added details in the description.


Url: https://administrator.de/contentid/6839733611


Member: 6247018886
6247018886 Apr 19, 2023 updated at 18:55:05 (UTC)
Hi.
Just to be sure, have you stored a public key for this recipient in the corresponding contact item? Because without one, Outlook would be unable to encrypt anyway; without a public key there is no encryption, by design! So be sure there is no public certificate stored in the recipient's contact object. It could also be just a display/cache error in the overview list.

Regards briggs
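
To settle independently of the icons in the message list whether a sent mail left as signed or as encrypted, the top-level `Content-Type` of the raw message can be inspected. The following is an added example, not part of the original thread; the function name and the sample headers are constructed for illustration.

```python
from email import message_from_string

SIG_PROTOCOLS = {"application/pkcs7-signature", "application/x-pkcs7-signature"}
PKCS7_MIME = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def _param(msg, key):
    """Content-Type parameter as a lower-cased string ('' if absent)."""
    value = msg.get_param(key)
    return value.lower() if isinstance(value, str) else ""

def smime_protection(raw):
    """Classify the outermost S/MIME layer of a raw message from its headers."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/signed" and _param(msg, "protocol") in SIG_PROTOCOLS:
        # Body stays readable; the signature is a separate smime.p7s part.
        return "clear-signed"
    if ctype in PKCS7_MIME:
        smime_type = _param(msg, "smime-type")
        if smime_type == "signed-data":
            # Body is wrapped in the PKCS#7 blob (smime.p7m) but not encrypted;
            # a client without S/MIME support cannot display it.
            return "opaque-signed"
        if smime_type == "enveloped-data":
            # Encrypted to recipient certificates; an inner signature, if any,
            # only becomes visible after decryption.
            return "encrypted"
        return "pkcs7-mime, smime-type not recognised"
    return "no S/MIME layer"

# Constructed sample headers (bodies are placeholders, not real CMS data).
SAMPLES = {
    "clear": 'Content-Type: multipart/signed; micalg=sha-256;\n'
             ' protocol="application/pkcs7-signature"; boundary="b1"\n\n'
             '--b1\nContent-Type: text/plain\n\nhello\n--b1--\n',
    "opaque": 'Content-Type: application/pkcs7-mime; smime-type=signed-data;\n'
              ' name="smime.p7m"\nContent-Transfer-Encoding: base64\n\nAAAA\n',
    "encrypted": 'Content-Type: application/x-pkcs7-mime;\n'
                 ' smime-type=enveloped-data; name="smime.p7m"\n\nAAAA\n',
    "plain": 'Content-Type: text/plain\n\nhello\n',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} -> {smime_protection(raw)}")
```

Feed it the raw source of a message saved from Sent Items. Which of the two signed formats Outlook produces is controlled by the Trust Center option "Send clear text signed message when sending signed messages".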
Member: Dymion
Dymion Apr 24, 2023 at 06:50:26 (UTC)
Hi briggs,

not actively.
If a recipient wants to forward a message, that is also problematic.

Another behavior: It looks like if I send a signed email, the recipient then knows that it can "upgrade" the email with encryption, because of the certificates included/sent with signed messages. Therefore responses often come back encrypted.

Somehow, mail encryption is activated after an email is sent. How is this possible if the option in Outlook is not activated?
Member: 6247018886
6247018886 Apr 24, 2023 updated at 08:05:40 (UTC)
Quote from @Dymion:

> Hi briggs,
>
> not actively.
> If a recipient wants to forward a message, that is also problematic.
>
> Another behavior: It looks like if I send a signed email, the recipient then knows that it can "upgrade" the email with encryption, because of the certificates included/sent with signed messages. Therefore responses often come back encrypted.
> Somehow, mail encryption is activated after an email is sent. How is this possible if the option in Outlook is not activated?

OK, this explains the behavior! The contact already sends you an encrypted message, Outlook sees the public key in the message and automatically updates the public key set in the contact when there is already a contact with this email address and there is not already a corresponding public key inside it (just check the contact object's installed certs).
If you respond to an encrypted message, Outlook automatically turns on encryption, because otherwise you would expose details of the mail when replying unencrypted in a conversation which was encrypted beforehand. That's by design, for security reasons.
Member: Dymion
Dymion Apr 24, 2023 at 08:34:18 (UTC)
If I'm responding to an encrypted message and encryption is therefore on, that is fine.
But it happens when I'm sending an email message that is just signed. Not encrypted.

Maybe I should deselect the checkbox: Send these certificates with signed messages.
Then the emails are just signed and not encrypted anymore? Because the recipient has no public key to encrypt his response?
I observed this behavior: some recipient encrypts his response, even if I just signed my message. No encryption turned on.
Member: 6247018886
Solution 6247018886 Apr 24, 2023 updated at 08:59:30 (UTC)
Quote from @Dymion:

> But it happens when I'm sending an email message that is just signed. Not encrypted.

Is it a new message? If yes, this could only be an Outlook bug or a third-party plugin causing this.

> Maybe I should deselect the checkbox: Send these certificates with signed messages.

If the recipient cannot validate the signature, signing makes no sense. So any remote party which does not have your public key cannot validate your signature.

> Then the emails are just signed and not encrypted anymore? Because the recipient has no public key to encrypt his response?

This would be only valid for recipients which do not already have your public key in their contact details.

> I observed this behavior: some recipient encrypts his response, even if I just signed my message. No encryption turned on.

That depends on the remote party's client. If you offer your public key in your messages, you should always be aware that someone could send you encrypted mail. If you don't want to receive encrypted messages, just don't publish your public key!

To check if you have a public key of a recipient in your contact see the contact object here (sorry Outlook is running in German language):


[Screenshot]
Member: Dymion
Dymion Apr 25, 2023 at 14:26:07 (UTC)
Quote from @6247018886:

> Quote from @Dymion:
> > But it happens when I'm sending an email message that is just signed. Not encrypted.
> Is it a new message? If yes, this could only be an Outlook bug or a third-party plugin causing this.

Yes. I suspect an add-in. The new draft is marked as not encrypted until it gets sent.

> > Maybe I should deselect the checkbox: Send these certificates with signed messages.
> If the recipient cannot validate the signature, signing makes no sense. So any remote party which does not have your public key cannot validate your signature.

That's why with signed messages the certificates are sent with the mail. (Last checkbox in Security settings)

> > Then the emails are just signed and not encrypted anymore? Because the recipient has no public key to encrypt his response?
> This would be only valid for recipients which do not already have your public key in their contact details.
> > I observed this behavior: some recipient encrypts his response, even if I just signed my message. No encryption turned on.
> That depends on the remote party's client. If you offer your public key in your messages, you should always be aware that someone could send you encrypted mail. If you don't want to receive encrypted messages, just don't publish your public key!

Ok well, that's certainly one bad decision by leaving the checkbox for sending the certs with the email ticked.
Maybe that's why a prompt about the CryptoAPI often gets shown, requiring me to click 'Zulassen' (Allow). ;)

> To check if you have a public key of a recipient in your contact see the contact object here (sorry Outlook is running in German language):

No problem. German here. ;) I don't have any contacts in Outlook at all.
Member: 6247018886
Solution 6247018886 Apr 25, 2023 updated at 14:42:18 (UTC)
Quote from @Dymion:

> Yes. I suspect an add-in. The new draft is marked as not encrypted until it gets sent.

So restart Outlook in safe mode and try again. In safe mode all add-ins are disabled.

> Ok well, that's certainly one bad decision by leaving the checkbox for sending the certs with the email ticked.

No, that's a good selection. So anyone has the ability to send you messages without privacy exposure.

> Maybe that's why a prompt about the CryptoAPI often gets shown, requiring me to click 'Zulassen' (Allow). ;)

No, this arises when you have enabled/checked extended security for your private key when you imported the key into your keyring.

> > To check if you have a public key of a recipient in your contact see the contact object here (sorry Outlook is running in German language):
> No problem. German here. ;)

OK, but since this is the English version of the forum, we should stick to English ;).

> I don't have any contacts in Outlook at all.

Then no public key and in the end no encryption is possible by design! That's an essential part of asymmetric cryptography.