Larksuite rewrites encrypted OpenPGP messages in a way that removes the PGP/MIME structure, and the result cannot be decrypted by Thunderbird
Categories
(MailNews Core :: Security: OpenPGP, defect)
Tracking
(Not tracked)
People
(Reporter: sainnhe, Unassigned)
Attachments (1 file): 38.00 KB, application/x-gzip
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.1.2 Safari/605.1.15
Steps to reproduce:
I'm using Thunderbird on an M1 Mac; the version number is 115.5.1 (64-bit).
I added two email accounts to Thunderbird: one is Gmail, and the other is an SMTP account that uses the Lark Suite email service [1]. I created two GPG keys for these two email addresses; both public keys have been published on the OpenPGP key server [2][3][4]. Then I imported the respective secret keys in the account settings.
If I use the Gmail account to send an encrypted message to the SMTP account, the SMTP account can successfully decrypt the message in its "Inbox" folder, but if I use the SMTP account to send an encrypted message to the Gmail account, the Gmail account cannot decrypt the message in its "Inbox" folder.
[1] Lark Suite, https://www.larksuite.com/en_us
[2] Open PGP key server, https://keys.openpgp.org
[3] Public key for the smtp account, https://keys.openpgp.org/search?q=i%40sainnhe.dev
[4] Public key for the gmail account, https://keys.openpgp.org/search?q=sainnhe%40gmail.com
Actual results:
Extract the attached file "attachment.tgz" and there will be two folders: "gmail-to-smtp" and "smtp-to-gmail".
When I send an encrypted message from the Gmail account to the SMTP account, there are two email attachments, as shown in the "gmail-to-smtp" folder:
- A file named "Mail Attachment", which is decrypted automatically in the Thunderbird client. After decryption, the email header and content are shown.
- A file named "encrypted.asc".
When I send an encrypted message from the SMTP account to the Gmail account, there are two email attachments, as shown in the "smtp-to-gmail" folder:
- A file named "noName", which cannot be decrypted automatically in the Thunderbird client.
- A file named "encrypted.asc".
By the way, out of curiosity, why is one attachment named "Mail Attachment" while the other is named "noName"?
Expected results:
The "noName" attachment should be automatically decrypted in the Thunderbird client, and the Thunderbird client should show the correct message.
Comment 1•2 years ago
SMTP? Do you mean IMAP?
Yeah… Sorry for my bad description.
After some investigation I found that the "noName" file and the "Mail Attachment" file are actually plain text files that only contain the version information, while the "encrypted.asc" file is a PGP encrypted message file that actually contains the email data. This file can be decrypted with my secret key; then I get a .eml file that can be opened in an email client. This is an email file, and it can be moved to an email folder like "Inbox" or "Archive".
Now the problem becomes that:
- Thunderbird can’t decrypt this pgp message file automatically.
- If I use the Gmail account to send encrypted emails to Proton Mail, which has built-in support for PGP encryption, Proton Mail can successfully decrypt the email. But if I use the IMAP account to send encrypted emails to Proton Mail, Proton Mail cannot decrypt the email, leaving only the two attachments I described above, with an empty subject and an empty email body.
Comment 3•2 years ago
Is something along the way changing the message?
Check the copy of the mail you send from the imap account (from the sent folder of that account), and compare it with the message received at gmail.
They are the same:
~/Downloads
❯ ls
gmail-inbox.asc lark-sent.asc
~/Downloads 0.04s sainnhe@Sainnhes-Mac
❯ gsha256sum gmail-inbox.asc lark-sent.asc
0400f54fa0fb11f33f0c0f6939b9e7d2cbd2254b178df241ba4064864878cb5a gmail-inbox.asc
0400f54fa0fb11f33f0c0f6939b9e7d2cbd2254b178df241ba4064864878cb5a lark-sent.asc
Comment 5•1 year ago
Can you decrypt the one in the sent folder? (Would assume not, but you should try to cut down on the steps to reproduce.)
Comment 6•1 year ago
It isn't easy to analyze your issue, because it isn't obvious how you created those files.
Your archive isn't compressed (as the extension .tgz suggests), but it seems to be a plain archive. However, that file contains several attributes that my Linux tar doesn't understand, for example
"tar: Ignoring unknown extended header keyword 'LIBARCHIVE.xattr.com.apple.quarantine'"
I think you need to provide us with your data differently.
Let's focus on the scenario that doesn't work.
- from the sender account, use Thunderbird, and go to your folder with sent messages, and view that message
- tell us if you can decrypt the message
- then use "file save as" to save that message to a file, you will get one with extension ".eml". Maybe name it "sent.eml"
- give us that file (e.g. attach it here)
- then in Thunderbird, go to the account and folder where you received this email.
- you said you cannot decrypt this copy
- again, use "file save as", name it "received.eml"
- give us that file also
When we receive those files, we can compare whether they are the same or different.
Sorry for not providing clear steps to reproduce. I created a test email account and a test GPG key to help you reproduce this bug.
To add this test IMAP account, download this tarball: https://share.sainnhe.dev/bsaw.zip
Extract it and you'll get a GPG key pair and a README with instructions on how to add the IMAP account and import the GPG key.
After adding this test IMAP account and importing the GPG key, simply send an encrypted email to your personal email account, and you'll see that the email in the Inbox cannot be decrypted in Thunderbird.
I've tested this bug on both macOS and Arch Linux, and I can reproduce it on both.
I've tested sending two emails to the following two accounts; neither account can decrypt the message:
- A Gmail account added to the Thunderbird client, with a working GPG secret key imported. The received encrypted email in the "Inbox" folder cannot be decrypted.
- A Proton Mail account, which was not added to the Thunderbird client but only used in a browser. In the browser, I can see an encrypted email in the "Inbox" folder, but the content cannot be decrypted.
NOTE: What I mean by "the email cannot be decrypted" above is that the email message cannot be decrypted and viewed in the Thunderbird client or the web browser, BUT I can decrypt the message via the command line.
I can download the attachment named "encrypted.asc" from the email and use the following command to decrypt this file:
~/Downloads❯ gpg -d encrypted.asc > msg.eml
gpg: encrypted with cv25519 key, ID 85C6D1464243603D, created 2023-12-08
"Sainnhe Park <sainnhe@gmail.com>"
gpg: encrypted with cv25519 key, ID DC56249338619312, created 2023-12-12
"Test <test@sainnhe.dev>"
gpg: Signature made Tue Dec 12 11:57:45 2023 CST
gpg: using EDDSA key 6BF3DFC566D03DC8D1E70C0A74CBE146A5C7B0B1
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 3 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2024-12-08
gpg: Good signature from "Test <test@sainnhe.dev>" [ultimate]
Then I get a file msg.eml; this .eml file can be opened in Apple Mail or the Thunderbird client, and I can see the decrypted content.
@mkmelin, no, I can't see the decrypted content. But if I download the attachment "encrypted.asc", I can use command line to decrypt this file.
@KaiE
- I can't decrypt the message in the "Sent" folder in the Thunderbird client, but I can decrypt the attachment "encrypted.asc" via the command line.
- Sent.eml: https://share.sainnhe.dev/Nsdx.eml
- I can't decrypt the message in the received "Inbox" folder in the Thunderbird client, but I can decrypt the attachment "encrypted.asc" via the command line.
- Received.eml: https://share.sainnhe.dev/zjwf.eml
Comment 8•1 year ago
Thank you. I was able to obtain the details of the account. Feel free to take down the file you have shared, if you want to limit access to your server.
Comment 9•1 year ago
I sent an email from your test account, to the same email address, using the key that you shared.
I can confirm that the received message cannot be displayed by Thunderbird.
The message that is found in the folder with sent messages on your IMAP server cannot be decrypted either.
I believe this is because of your email provider (Larksuite).
The message that I found in the sent folder looked very unusual, it had a MIME structure that doesn't match what Thunderbird usually produces.
As another test, I changed the Thunderbird configuration to store a copy of the sent message in the "local folders", not on the IMAP server.
The copy in the local folders has the usual structure, and can be decrypted and shown by Thunderbird correctly.
I conclude that Larksuite modifies/rewrites all messages that are passed through it - even messages that are simply transferred to an IMAP server for storage...
The resulting message format completely removes all structuring information that Thunderbird could use to conclude that it should be processed as an encrypted PGP/MIME message.
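A way to check for the structural difference described in this comment, as an added example that is not part of the bug report or of Thunderbird: a small Python script that tests whether a saved message still has the RFC 3156 PGP/MIME layout (multipart/encrypted with a "Version: 1" part and an application/octet-stream part). It runs on two constructed messages here; to use it on the sent.eml / received.eml pair requested earlier in the thread, read those files into strings and pass them to the same function.

```python
import email
from email import policy

# Constructed sample (not taken from the bug's attachments): the RFC 3156 PGP/MIME
# layout Thunderbird writes, a version part followed by the armored ciphertext part.
GOOD = """\
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----
(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

# Constructed rewritten copy: both bodies survive as plain attachments (the unnamed
# one is the "noName" file), but the container is now multipart/mixed, so nothing
# tells a client that the message is PGP/MIME and should be decrypted as a whole.
REWRITTEN = GOOD.replace(
    'multipart/encrypted; protocol="application/pgp-encrypted"', "multipart/mixed"
).replace("Content-Type: application/pgp-encrypted",
          "Content-Type: application/octet-stream\nContent-Disposition: attachment")

def check_pgp_mime(raw):
    """Return (ok, reason): does this message still have the PGP/MIME structure?"""
    msg = email.message_from_string(raw, policy=policy.default)
    ctype = msg.get_content_type()
    if ctype != "multipart/encrypted":
        return False, f"top-level type is {ctype}, not multipart/encrypted"
    if msg.get_param("protocol") != "application/pgp-encrypted":
        return False, "protocol parameter is not application/pgp-encrypted"
    parts = msg.get_payload()
    if len(parts) != 2:
        return False, f"expected 2 MIME parts, found {len(parts)}"
    version, body = (p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)
    if parts[0].get_content_type() != "application/pgp-encrypted" or "Version: 1" not in version:
        return False, "first part is not the PGP/MIME version identification"
    if "-----BEGIN PGP MESSAGE-----" not in body:
        return False, "second part does not carry an armored OpenPGP message"
    return True, "well-formed PGP/MIME"
```

Calling check_pgp_mime(GOOD) reports a well-formed message, while check_pgp_mime(REWRITTEN) fails at the first check because the top-level type has become multipart/mixed, which is exactly the information a client needs to know that the two attachments belong to one encrypted message.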
Comment 10•1 year ago
If you'd like to use encrypted email, you should either contact your email provider to stop that rewriting, or use a different provider.
I think this bug report is invalid, because it doesn't affect Thunderbird itself.
Comment 11•1 year ago
... because the problem isn't caused by Thunderbird, but rather by mail server software that removes the required structure of emails.
Comment 12•1 year ago
Thank you so much for your time and patience! I'll contact Lark Suite support.
Comment 13•1 year ago
The Lark dev team said that they altered the email because they don't support encrypted email...
https://share.sainnhe.dev/wm8w.png
I'll switch to another email provider.