GpgOL: Support G Suite Sync Accounts
Open, LowPublic

Description

Google Apps Sync is a COM Addin for Outlook that creates it's own data store / transport layer in Outlook.

This conflicts with GpgOL in that it is not possible to create valid OpenPGP/MIME or S/MIME Messages when using the Google Apps Sync account.

As a workaround users have to use IMAP / SMTP to access their Google Mails through Outlook. Then GpgOL works as expected. Alternatively GpgOL might fallback to the old "no-mime" interface for these accounts.

Technical Details:

GpgOL relies on the MS-OXOSMIME: S/MIME Email Object Algorithm to send a valid PGP/MIME Mail.
Basically we use the same way Outlooks S/MIME Mails use to create valid MIME without being mangled by Exchange.

As far as we know it is not possible even with Outlooks built in S/MIME Support to send crypto mails through Google App Sync. So there is no obvious way we could also use such a message handling for our PGP/MIME or S/MIME Mails.

Normally GpgOL creates the full PGP/MIME Structure as an attachment, sets a specific message class and Outlook / Exchange then use this attachment as the MIME structure of the sent mail. Google Apps Sync takes this attachment and wraps it additionally in a multipart/mixed structure and doubly encodes the contents. There is no Mail User Agent known that gracefully handles such a structure. Resulting in broken mails both for the sender and the receiver.

Example of such a mangled MIME Structure:

Content-Type: multipart/mixed; boundary="001a11402dda2db6c6055f0d1edc"
 
--001a11402dda2db6c6055f0d1edc
Content-Type: application/pgp-encrypted
Content-Disposition: attachment
Content-Transfer-Encoding: base64

VmVyc2lvbjogMQ0K
--001a11402dda2db6c6055f0d1edc
Content-Type: application/octet-stream
Content-Disposition: attachment
Content-Transfer-Encoding: base64

LS0tLS1CRUdJTiBQR1AgTUVTU0FHRS0tLS0tDQoNCmhRRU1BeDdVOEx4cys4a1NBUWdBa05GWmtu ( < doubly base 64 encoded PGP Message)

This issue is supposed to be a "big picture" / discussion issue that may include subtasks to improve compatibility with G Sync.

Some ideas:

  • We could put the Mail Body into a PGP MESSAGE and add that as a text/plain part. (PGP/Inline)
    • This would work with most mailers but would not work properly with attachments.
  • We could only allow sending encrypted PGP Mails without attachments. (Users would have to send attachments in a different mail with file encryption)
    • Encrypting attachments automatically would be a lot of effort to properly implement on the sending and the reading side.
  • We could show the old 1.x Interface with the "Add Encrypted File" "Encrypt Text" buttons for manual encryption if a G Sync account is detected.
  • We could just bail out if a G Sync account is detected and insist that for Crypto Mail IMAP / SMTP access to gmail is used.
aheinecke raised the priority of this task from Normal to High.

Priority High as we should decide for the next release in which direction we should move.

For now I've added messages to make it clear to the user that most actions won't work with G Sync.
Better to fail loudly instead of silently breaking.

In the future we could probably support more actions but signing is always problematic without MIME Support.
Currently only OpenPGP encryption (without signing) and without attachments is supported.

For anything else, please use IMAP/SMTP. Reading encrypted / signed mails is fully supported.

The Messages are:

With attachment:

If sign is selected:

If secure (both) is selected:

Better to fail loudly instead of silently breaking.

That's a good and transparent approach, appreciate that. Having encryption working should cover at least some use cases already.

BTW: I digged a bit through GApps documentation. It seems that Google supports server based S/MIME if you pay some extra
money and upgrade your account. I'm pretty sure that GSync handles S/MIME somehow - maybe with a proprietary message
encoding? However I do not have the ability to enable that and test it.

bernhard updated the task description. (Show Details)Nov 30 2017, 4:37 PM

Version 3.1.0 now supports sign & encrypt and sign only for G Suite accounts as long as there are no attachments on the mail.

You can find the beta on https://files.gpg4win.org/Beta/gpg4win-3.1.0-beta-current.exe I have not tested it with a G Suite account, yet.

aheinecke lowered the priority of this task from High to Low.Apr 12 2018, 10:25 AM

With the changes in 3.1.0 I think this is acceptable enough that we can move further improvements to this to a lower priority.
We only support PGP/Inline (no-mime), warn if an attachment is also added. A user could send attachments encrypted on a file basis.

It's not comfortable but I think that this is the best what we can reasonably do with the limitations / modifications GApps does to crypo mail.