Outlook 2016 won't encrypt messages if S/MIME encrypt or Sign was activated
Closed, Resolved (Public)

Description

Hi
I updated gpg4win to version 3.0.2 yesterday and now Outlook 2016 32-bit (Office 365 ProPlus 1711) won't encrypt or sign messages anymore. With the old version (gpg4win-2.3.4) this was working.
If I write a message, check encrypt and send it, I get asked for the key, confirm that, and the message is sent. But it's not encrypted.
My Settings:


I use an Exchange 2013 Server.

Decrypt is working fine.

Is there any log, anything I can track what is going wrong?

Thanks
Martin

Mak created this task. Dec 30 2017, 12:59 PM
Mak created this object in space S1 Public.
Mak updated the task description. Dec 30 2017, 7:20 PM
Mak added a comment. Dec 30 2017, 7:25 PM

Enabled logging, and here are the results with some errors inside...

Mak updated the task description. Jan 6 2018, 10:51 AM
Mak added a project: Bug Report.
aheinecke triaged this task as High priority. Jan 8 2018, 8:53 AM
aheinecke added a subscriber: aheinecke.

I give this high priority as sending unencrypted is pretty much a worst case scenario. :-o

From your Log I can see that the encryption was successful. But there is indeed some strange stuff happening with the Outlook state that I have never seen before this way.
My first guess is that somehow another addon interferes. Do you have any other addons installed and could you please try to disable them to see if this fixes the problem?

Mak added a comment (edited). Jan 9 2018, 12:09 AM

I disabled all my add-ins and tested it again. Still the same. Mails are sent unencrypted.
Tried also to send a plain text message


I attached the actual log file
Add-Ins are disabled...

Tried also with full disabled virus protection
and disabled hardware acceleration...

This is strange, something in your setup must be different from other users. Any Idea what might be special for you? In your log it looks like only the send event for the encrypted mail is passed.
Where do you send your mails to, to another user on the same exchange server?

Can you please try to send me an encrypted mail with GpgOL? Maybe I can see something in the actually sent mail.

My key is:

Thanks

Mak added a comment (edited). Jan 9 2018, 11:28 PM

I sent it to a user on a different Mailserver. On my setup it's nothing special... Win 10 Enterprise N en, Office 365 Pro Plus en, Kaspersky Internet Security. Server Win 2012 R2 with Exchange Server 2013 and GFI Mailessentials.
I don't think there is anything special... :-(

I sent you three E-Mails, 1. encrypted and signed, 2. encrypted and 3. signed

I just noticed that the Outlook plugin is German only, even if I switch Kleopatra's language...

> In T3656#109246, @Mak wrote:
>
> I sent it to a user on a different Mailserver. On my setup it's nothing special... Win 10 Enterprise N en, Office 365 Pro Plus en, Kaspersky Internet Security. Server Win 2012 R2 with Exchange Server 2013 and GFI Mailessentials.
> I don't think there is anything special... :-(

I installed Kaspersky Total security on one of my test systems and still can't reproduce the problem.

GFI Mailessentials might be the culprit as this is non standard and from the product description it supports introspection of outgoing mails. Still it would be surprising as I did not expect there to be a way for the server to get to the plain text if we encrypt on the Outlook client (without an addon). :-/

> I sent you three E-Mails, 1. encrypted and signed, 2. encrypted and 3. signed

Thanks. From your mails I can at least take that there is something non standard going on. The MIME Boundaries are not Boundaries that Outlook would generate and they contain the hostname of your Windows Server, so I guess the MAPI (Outlook's internal data format) to MIME (the internet transfer format) happens on your server and somehow it does not use the encrypted mail.

It would be a huge help if I could get a test account on your server, then I could try to figure out more what's going on using introspection tools and interactive debugging.

> I just noticed that the Outlook plugin is German only, even if I switch Kleopatra's language...

The Language of GpgOL depends on the System locale and not on Kleopatra's language.

We have the same problem.
Sent emails are not encrypted with gpg4win 3.0.2
Outlook 2016
Exchange 2010
Locale: German
Plugins: Skype, OneNote, Sophos

I'm trying to get you a debug log

Any chance that I could get a temporary test account on your Server?

I would find it interesting if my Outlook 2016 connected to that server would show the same problem (so then we know that the problem would be with the server).

My current best guess is some server plugin or server configuration that is causing this as Mak already ruled out other plugins.

Mak added a comment (edited). Jan 11 2018, 10:29 AM

>> In T3656#109246, @Mak wrote:
>>
>> I sent it to a user on a different Mailserver. On my setup it's nothing special... Win 10 Enterprise N en, Office 365 Pro Plus en, Kaspersky Internet Security. Server Win 2012 R2 with Exchange Server 2013 and GFI Mailessentials.
>> I don't think there is anything special... :-(

> I installed Kaspersky Total security on one of my test systems and still can't reproduce the problem.
>
> GFI Mailessentials might be the culprit as this is non standard and from the product description it supports introspection of outgoing mails. Still it would be surprising as I did not expect there to be a way for the server to get to the plain text if we encrypt on the Outlook client (without an addon). :-/

Mailessentials is a Server extension, not an Outlook addon, and has no influence on Outlook. And as I mentioned, with the previous version it was no problem to send encrypted mails in the same configuration.

>> I sent you three E-Mails, 1. encrypted and signed, 2. encrypted and 3. signed

> Thanks. From your mails I can at least take that there is something non standard going on. The MIME Boundaries are not Boundaries that Outlook would generate and they contain the hostname of your Windows Server, so I guess the MAPI (Outlook's internal data format) to MIME (the internet transfer format) happens on your server and somehow it does not use the encrypted mail.
>
> It would be a huge help if I could get a test account on your server, then I could try to figure out more what's going on using introspection tools and interactive debugging.

No problem, I will create one for you and send you the credentials by mail

>> I just noticed that the Outlook plugin is German only, even if I switch Kleopatra's language...

> The Language of GpgOL depends on the System locale and not on Kleopatra's language.

My system language is English.

I don't think that it is possible to create you an account.

Additional information:
We are using X509 certificates with Outlook's native integration. The certs are provided by our Active Directory

@JHohmann Your log is similar in that I can see two Write events after the send of which there should only be one. Somehow we seem to do crypto on a copy mail object and another mail is actually sent.

> In T3656#109369, @Mak wrote:
> Mailessentials is a Server extension, not an Outlook addon, and has no influence on Outlook. And as I mentioned, with the previous version it was no problem to send encrypted mails in the same configuration.

With an Exchange MAPI connection Outlook and Exchange are very much linked together and the server can influence the client's behavior.

>> It would be a huge help if I could get a test account on your server, then I could try to figure out more what's going on using introspection tools and interactive debugging.

> No problem, I will create one for you and send you the credentials by mail

Very much appreciated. But I've tested it with your account and it just works for me. I tried both exchange without "Cache" mode and with Cache mode. :-/
At least we can now rule out that the Server creates the problem.

So we ruled out:

  • Other Addons
  • Any Server stuff

So what can be special about your clients,.. (Btw. I have X509 also set up in my Outlook, without Active Directory but that should not be a problem)

My next step will be to add more debug output in the related send code / the duplicated write, maybe that can tell us something.

Another question: Any outgoing Filters (Email Rules)?

What I mean is called in German "Regeln und Benachrichtigungen". I can imagine that some filtering might interfere. A quick test did not show it for me but it might be something that is different for you.

I do not have any rules configured that are applying to outgoing mails. (As far as I can see them with a non-administrative account)
Are there any group-policies, that might affect the behavior of Outlook regarding to GpgOL?

Mak added a comment. Jan 11 2018, 12:39 PM

Me too, no outgoing rules.

Mak added a comment. Jan 11 2018, 12:48 PM

Ahh, and yes I use a public personal S/MIME cert to sign my mails. Nothing else.

Mak added a comment (edited). Jan 11 2018, 1:56 PM

OK, found the problem now. It's the S/MIME settings. I have set them to sign all outgoing mails. And that's where the problem starts...

If I disable the option "Add digital signature to outgoing messages" I am able to encrypt outgoing messages.
It's not what I want, because I want to sign all messages, but I hope it helps to find the cause of the error.
@JHohmann can you confirm that this option is active on your side also?

Ohh, and it does not help if I deselect the sign option in the message.

> In T3656#109394, @Mak wrote:
>
> Ahh, and yes I use a public personal S/MIME cert to sign my mails. Nothing else.

Wait a second: Do you sign all your mails? Even the ones you are trying to encrypt with GpgOL?

I could finally reproduce buggy behavior:
If I select encrypt & sign with GpgOL and Sign with Outlook S/MIME I'm asked for GpgOL encrypt / sign certificates but the Mail is sent out only S/MIME (by Outlook) signed.
This is a bit like you describe here. But the three mails you sent me Tuesday were not S/MIME signed.

Mak added a comment. Jan 11 2018, 1:59 PM

I have now also the error T3662
Will try also 2.0.6-beta9

Yes, I also have this option enabled:

And no, I disable Signing and Encryption, before enabling PGP Encryption for the specific email

Mak added a comment. Jan 11 2018, 2:03 PM

> Yes, I also have this option enabled:
>
> And no, I disable Signing and Encryption, before enabling PGP Encryption for the specific email

That does not work for me. I had to disable the option in general (in settings), then it worked...

But that's it.
With these Options set and explicitly unchecking Sign & Encrypt before sending I get the exact same behavior that you two describe. Mails are sent unencrypted.

Mak added a comment. Jan 11 2018, 2:07 PM

> But that's it.
> With these Options set and explicitly unchecking Sign & Encrypt before sending I get the exact same behavior that you two describe. Mails are sent unencrypted.

Maybe gpgol thinks it should also send it unencrypted if we remove that option?


Hope you find a way to fix it....

aheinecke changed the task status from Open to Testing. Jan 11 2018, 4:55 PM

Ok so I found out that you could even trigger this bug without persistent options just by activating and deactivating any S/MIME option on a mail. This somehow changed the behavior of Outlook.

I now detect a result of the changed behavior and activate a special trick to send the encrypted mail. As that trick relies just on my experiments and not on documented behavior I only activate it if the changed behavior is detected and not unconditionally. This should minimize the regression risk.

In the log it will read:

Activating T3656 Workaround

Please confirm that gpgol-2.0.6-beta14 (https://files.gpg4win.org/Beta/gpgol/) fixes the issue for you, too. (And that your Outlook does not crash with that version ;-) )

aheinecke renamed this task from Outlook 2016 won't encrypt messages to Outlook 2016 won't encrypt messages if S/MIME encrypt or Sign was activated. Jan 11 2018, 4:55 PM
Mak added a comment. Jan 11 2018, 5:16 PM

:-)
I can confirm, that 2.0.6-beta14 is working and until now, Outlook did not crash :-)
Great work, thanks!

aheinecke closed this task as Resolved. Jan 11 2018, 5:20 PM
aheinecke raised the priority of this task from High to Unbreak Now!.
aheinecke claimed this task.

Thanks again for the test, your patience and the report :-)

It was really a critical bug and could have been called a Security Issue.

I hope to get a Gpg4win release out tomorrow.
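
As an added example (not GpgOL code and not from the thread): a Python check that classifies the outer MIME layer of a message as it arrived at the recipient, flagging the failure seen here, where a mail meant to be OpenPGP-encrypted goes out readable or only S/MIME signed. The function names and sample messages are constructed for illustration; only the log string `Activating T3656 Workaround` comes from the thread.

```python
import email

# Debug-log line quoted in the thread for the fixed GpgOL build.
WORKAROUND_MARKER = "Activating T3656 Workaround"
ENCRYPTED = {"pgp-encrypted", "pgp-inline", "smime-encrypted"}

def classify(raw: bytes) -> str:
    """Name the outermost protection layer of a MIME message."""
    msg = email.message_from_bytes(raw)
    ctype = msg.get_content_type()
    proto = str(msg.get_param("protocol", "")).lower()
    if ctype == "multipart/encrypted" and proto == "application/pgp-encrypted":
        return "pgp-encrypted"                    # PGP/MIME (RFC 3156)
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        kind = str(msg.get_param("smime-type", "")).lower()
        return "smime-encrypted" if "enveloped-data" in kind else "smime-not-enveloped"
    if ctype == "multipart/signed":               # signed only: body stays readable
        return "smime-signed" if "pkcs7-signature" in proto else "pgp-signed"
    for part in msg.walk():                       # inline PGP inside a text part
        body = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "text" and b"-----BEGIN PGP MESSAGE-----" in body:
            return "pgp-inline"
    return "cleartext"

def not_encrypted(sent: dict) -> list:
    """Names of messages whose content is readable without a private key."""
    return sorted(n for n, raw in sent.items() if classify(raw) not in ENCRYPTED)

def workaround_logged(log_text: str) -> bool:
    """True if a GpgOL debug log shows the T3656 workaround was triggered."""
    return WORKAROUND_MARKER in log_text

# Constructed sample messages (not taken from the thread).
PGP_MIME = (b"Subject: t\nMIME-Version: 1.0\n"
            b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n\n'
            b"--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
            b"--b1\nContent-Type: application/octet-stream\n\n"
            b"-----BEGIN PGP MESSAGE-----\n(placeholder)\n-----END PGP MESSAGE-----\n--b1--\n")
SMIME_SIGNED = (b"Subject: t\nMIME-Version: 1.0\n"
                b'Content-Type: multipart/signed; protocol="application/pkcs7-signature"; '
                b'micalg=sha-256; boundary="b2"\n\n'
                b"--b2\nContent-Type: text/plain\n\nreadable body\n"
                b"--b2\nContent-Type: application/pkcs7-signature\n\n(placeholder)\n--b2--\n")
PLAIN = b"Subject: t\nContent-Type: text/plain\n\nreadable body\n"

if __name__ == "__main__":
    for name, raw in {"pgp": PGP_MIME, "smime": SMIME_SIGNED, "plain": PLAIN}.items():
        print(name, classify(raw))
```

The check looks only at MIME structure, so a message it reports as encrypted should still be decrypted once to confirm the payload is intact.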