Slashdot Mirror

Well, you can always use MS Outlook :-( I've been looking for the same, with the addition of supporting HTML mail, and it seems like PMail for GNOME has all these features. If you are a KDE user, I think newer versions of KMail might do the trick. StarOffice's email client also supports these features, but I found it to be awful. Mahogany may also be a consideration. If you enjoy a text-based program, I highly recommend mutt - awesome and highly configurable - I pass HTML mail through lynx or w3m to read it. I'll probably try out PMail for my wife soon.

The cryptographic key material used by PGP and X.509 certificates are essentially the same. Newer versions of PGP can support X.509 certificates where the PGP key is stored as an X.509 extension. YMMV.
Also, check out Mutt at http://www.mutt.org for a secure application.

I have a Handspring Visor that I use for pretty much everything in my life.

I use three different ways of getting information into the PDA:

• Grafitti: The built-in text recognition software that recognizes individual characters written in a special area. I can get about 25 words per minute with this method.
• Fitaly Stamp: A little flexible sheet that sits in the Grafitti area that has little squares to represent letters. (See the picture in the link.) When you tap a letter, the PDA thinks that you wrote it. I can get about 40 wpm with this.
• The Stowaway keyboard (as mentioned in the article): This keyboard is a fold-up one. It folds up pretty darn small (small enough to fit in my back pocket) and is a full-sized keyboard when unfolded. I can get regular typing speeds (80 wpm or more) with this.

The other place that the Stowaway is really useful is when I'm on travel and need to dial into the modem pool at work to log on and check email. There's no way that I'm gonna navigate a shell, mutt, and vile with a stylus!

So I would suggest to people to think about how they intend to use their PDA. If it's just for occasional text entry, you probably don't need a keyboard. But if you plan on putting lots of information into it, I would definitely recommend getting a keyboard.

Relevant URLs:
Dan Bernstein's page. Home of Qmail and djbdns.
The OpenBSD and OpenSSH home pages are full of useful information.
PuTTY, a free Windows SSH client Great for on road trips, internet cafe's, consulting, etc.
Mutt, the One True mail client. Takes some getting used to, a good .muttrc doesn't hurt either.

People seem to overlook qmail when setting up a reliable, secure system. Having dealt with Sendmail and Qmail, I would suggest the latter to anyone who cares about security or performance. The same logic applies to BIND vs. djbdns.

My set up: postfix as the MTA. Courier IMAP to provide IMAP. I actually tunnel my IMAP connection over an href="http://www.openssh.com">OpenSSH connection, but courier IMAP supports SSL as well. The guy that writes Courier, also writes SqWebMail,(webmail) and maildrop(pleasent alternative to procmail) which I have found to be useful. FWIW I use mutt as my mail client.

Straight off the Mutt Index Page... but I'll refrain from editorializing:

Using Mutt with PGP/GPG

--

Yeah, mutt comes with integration with PGP and GPG. The latest mutt's (1.2) have default .rc files that you can source from your .muttrc to configure your environment for either one. Older mutt's had a few config variables for configuring PGP/GPG support. I'm surprised you didn't just hike over to http://www.mutt.org/ and check this out yourself. :)

If you're in a windows environment, there's really no choice -- pgp is by far the more integrated and useful solution. If you're using a Windows mail reader, then go for PGP for Windows.

In a unix environment, you'll find either to be roughly equivalent. Some minor differences I've noticed since making the migration to gnupg:

• gnupg has a nifty feature that makes it automatically grab a key off the keyserver if I read a signed email by someone whose key I don't have. This is nifty.
• gnupg apparantly doesn't have a way to retrieve a key from the keyservers by email. This is a real pain in the ass. With pgp, you can just import the key for "nugget@slacker.com" and if there are keys on the server for that email, they'll be imported. gnupg requires you to know the key ID (like E43C5FC3).
• The pgp command line syntax and commands are cryptic and obtuse
• The gnupg command line syntax and commands are unnecessarily verbose and will push you over the edge with your carpal tunnel if you're doing much manual work
• PGP has the edge for application integration, but this is rapidly changing. gnupg works fine with mutt, which is the mail reader you want to be using anyway, so it's a moot point. :)
• gnupg's key management is vastly superior to pgp's in both conveying key-management information as well as allowing access to key-management functions.

If you're already using pgp, the differences aren't enough to justify conversion, but if you're just starting out -- gnupg seems to be the most viable option. And, of course, mutt is too good to believe.

The learning curve for either is the same, mainly just getting past public key crypto concepts and mechanisms. Wrapping your brain around "public key" and "private key" and the difference between "signing" and "encrypting" is well over half the battle.

then use a good level of encryption. i don't think any company is exercising due dilligance if they aren't encrypting their email.

use gpg or pgp. use mailers like pine, mutt or eudora that support them.

then they should use encryption. use gpg or pgp. use mailers like pine, mutt or eudora that support them.

use gpg or pgp. use mailers like pine, mutt or eudora that support them.

• PGP international home
• Direct link for novices at PGP international home
• GNU Privacy Guard
• Using Mutt with PGP
• Info on one of the PGP plugins for MS Outlook

Fucking government assholes... if you weren't such snooping bastards, maybe I wouldn't feel it was necessary to ensure my privacy. My problem is that not-so-savvy friends and business associates require me to use cleartext e-mail. Ah, life is depressing...

---------///----------
All generalizations are false.

Well, I don't know about number 1, but mutt has many flexible options for pgp or gpg and should be able to handle all the other requirements you list.

It only asks for your pass-phrase once, and you can set it up to always sign, or sign/encrypt by default, and it handles keyring stuff. Check out www.mutt.org for more info.

look into stegfs for plausible deniability.

then go get gnupg for encryption and get mutt for a mailer that makes it dead simple to use. drop me an email if you have an issue.

Mutt.

"All mail clients suck. This one just sucks less." Jeremy Blosser, circa 1995.

According to the release notes, Mutt 1.2 supports this (along with many other improvements to the IMAP support). I'm not using IMAP on my current machines so I haven't tested this, but it's certainly worth a try if you need it.

You're talking mutt here, right?

Debian is a non-profit trying to promote free software. They are only providing non-free software as a convenience. They should stop providing if at least one of two conditions are met:

Well, in order to promote free software, you have to get people to use it. And right now there is little market acceptance for a 100% free software system. Let's face it. In today's real world, non-free applications must supplement what OSS software developers cannot.

Until Mozilla is stable enough for every day use (its not, trust me :), Netscape 4.7 is a necessary evil. Until KOffice or GNUOffice or whatever are stable and fully-featured enough for everyday use, programs like StarOffice and WordPerfect will be necessary.

Pine I honestly don't understand. Isn't pine a BSD (or BSD-like) license? That meets OSI, right?
Anyhow, IMHO mutt is a much better mail client :) (ok, blatant plug mode off :)

Netscape -> Mozilla
Pine -> Mutt
JDK -> Kaffe

What was the problem again?

Rich.

So it's a copy of Magellan for KDE?

If you want to think of it that way, go ahead. :^) I can assure you that the Evolution developers are thinking of it as a substitute for Outlook, not Magellan. But since they all seem to be in about the same application space, it doesn't really matter.

If you want a free software IMAP reader, and you're adventurous, you could always try Mutt or GNUS in the meantime. :^)

There are several sample .muttrcs linked from http://www.mutt.org/links.html#config.

I hope they finally included imap folder browsing. I'm suprised they haven't added a gui (xmutt?) to the program yet. Well, just a useful tidbit of information - Mutt was the open source mailer ESR developed to test the ideas he presented in CatB (The Cathedral and the Bazaar). ESR also thinks this mailer sucks - it just sucks less than all the other mailers. :^)

--

That's it... I've put it off for too long, I'm switching to Mutt (from Pine).

Sure, the functionality and the control are nice and all that, but dammit, that little dog on their FAQ page is so doggone (pardon) cute.

Guess that means I'll have to switch to Tin too...

But I won't miss having to go around my ass to get to my pgp-encrypted elbow.

ever heard of urlview? It pops up a window after parsing some text (or an email message) displaying all that url-like items. You simply click a key and it loads your favorite browser with the url.

I couldn't find a link to urlview's homepage, but you can find info about it in Mutt's manual or at filewatcher

Has anyone thought that half the problem comes from the phrase "open the mail", not necessarily the mail itself?
I treat it as indicative that people want, and are given, flashy features such as (for example) javascript-enabled mail clients (netscape), which then prove to have problems.

If we were to give up on the verb "open", and actually *read* mail instead - insert "hey everyone let's use mutt" rant here - then would we have the same problem? I think not.

Now, how do we persuade people to use simple mail clients that actually do just what they need with *NO* fancy features?
"Look! PigMail has new security plugin! Complete with rm /var/spool/mail/$USER technology!"

;]

AFAIK, mutt has gpg integration. Dunno exactly how it works, but I'm told it's there. At least that's what somebody told me the last time he tried to convert me from pine. :P

Mutt!

Yes it's flexible, it's great, it has tons of features, it's Mutt! It does autoencrypting, encrypting, autosigning, etc. Even better, It directly supports different pgp versions and, TADA, gpg! I run mutt 1.0pre2 (yes it is also about to be stable!) and it interfaces with GNUpg 1.0 really well. Very nice work all ye mutt developers.

Look on the GnuPG web page. There are links to a number of mail clients with some level of support.

Personally, I prefer mutt.

How do I enecrypt emails and stuff

For e-mail: use a mailer that supports PGP (I use mutt) if you can. If not, then you can save the message as a file and then encrypt it manually.

For general use: pgp -ea filname will create filename.asc which is a PGP-encrypted version of the file. You will be prompted for the recipient -- i.e., who will be able to read the file. Now, this is for PGP 2.6.3 -- I can't help with the other ones. You could try reading the manuals which came with the software....

how can I add a public key i got from someones webpage or something?

If the public key is in a file called key.asc then type pgp -ka key.asc . That's "key add".

everything is in PDF format and i HATE acrobat reader

PGP 2.6.3 predates PDF. The documentation that accompanies PGP 2.6.3 is in ASCII text format.

the network associates one

I recommend against using this. PGP 2.6.3 is the de facto standard -- the newer versions can read PGP 2.6.3 keys, but not vice versa (PGP 2.6.3 cannot read PGP 5 keys). If you don't want to use PGP 2.6.3, I recommend GnuPG.

Of course, you might want to create a PGP 2.6.3 key pair, but actually use the PGP 5 (or newer) software -- that way you can handle keys from both versions, and people who only have the older version can still handle your key. Last time I checked, PGP 5 could not create a PGP-2.6.3-compatible key pair -- you actually had to download and run the old software if you wanted to generate a PGP 2.6.3 key.

GnuPG can't create PGP-2.6.3-compatible key pairs, either, but that's because of patent restrictions on the RSA algorithm.

You! Reading this article! Do you use ssh and pgp? If not, why not? You're part of the problem!

If you're not using PGP (yet), drop by http://www.pgpi.com/ and have a look around. http://www.pgpi.com/cgi/download-wizard .cgi will let you easily determine exactly which version of is appropriate for your OS and location. PGP installation is pretty straightforward and there is ample online documentation and tutorials. Not only does PGP become more useful each time a new person starts using it, but the more people we have using PGP routinely the harder it will be to remove our freedom to do so. There's no reason not to use encryption, except for inertia. And I guarantee it's not as hard to install or use as you may be thinking.

Using a nice pgp-aware mailer like mutt is a nice step, too.

If you ARE using telnet or rlogin or ftp, then you have problems now and you don't even realize it. Did you realize that every time you telnet or rlogin or ftp to a remote host that you are transmitting your username and password in clear text? Sniffing passwords is a trivial task, mostly due to the widespread use of insecure protocols such as telnet. ssh is a drop-in, secure alternative for telnet, rlogin, rsh, and ftp. Not only is it secure, but it's easier to use and more featureful as well. On top of security it adds such features as compression, encrypted traffic, encrypted tunnels, and completely automatic and secure X11 forwarding. Plus with RSA Authentication you can eliminate passwords entirely. A cracker can't crack a password that doesn't exist.

Unix users can obtain ssh from ftp://ftp.cs.hut.fi/pub/ssh/ and have it up and running in a matter of minutes. I recommend the 1.2.27 version of ssh (as opposed to the v2 platform) due to licensing difficulties with the v2 platform. Non-unix users have even more options.

For Win32 there's SecureCRT (http://www.vandyke.com) which is an excellent, albeit commercial solution. There's also a very nice, free implementation of ssh which works with Tera Term. You can grab it from http://hp.vector.co.jp/author s/VA002416/teraterm.html

There's even an opensource ssh for win32 at http://www.chiark.greenend.o rg.uk/~sgtatham/putty.html although I must admit that I'm not sure I trust an ssh implementation done by a guy who refuses to implement RSA Authentication.

For Macintosh, I understand that there's a nice plug-in for NiftyTelnet at http://www.lysator.liu.se/~jon asw/freeware/niftyssh/ although I've not used it.

There's never been a better time to be more secure. Simply by installing a couple of easy-to-use applications you could be on your way to a more secure, more private computing experience. Your data is yours, and here are two ways to ensure that it stays that way.

Yeah, I ripped this shamelessly from my .plan -- so sue me, it's still useful information...

Unfortunately, there are no really good ways to block spam, and the better ones require that you have access either to your main mail server or another mail server that can act as an intermediate. I'll assume that you don't have access to the mail server.

• procmail is by far the best way to filter your mail. You mentioned that procmail wasn't adequate; I would respond by saying: Recheck your procmail config. procmail is infinitely configurable by using regular expressionss and having procmail run an external script or program for each incoming message. If you know Perl and can download the Net::SMTP module, have procmail fire a Perl script which contacts the originating mail server and attempts to verify the sender's address through VRFY or EXPN. This won't always work, however, because some (*&$%#^) mail servers aren't running a real MTA (sendmail, qmail, smail, etc) or are behind a firewall.
• Someone mentioned this already, and it's a good idea. Everything that doesn't have your specific email address in the To: or Cc: fields is suspect, except for mailing lists to which you may belong. Have procmail file those away in a separate folder for manual checking. This should be the default action; have procmail look first for mail from specific people, then perform your other checks (specific mailing lists, etc), then check for your address in the To: field, then everything else which doesn't match one of those criteria is suspect.
• As a final resort, you can rely on your MUA to filter messages as well. Some people like to do all the filtering at the MUA level; I'm not so sure I'm fully comfortable with this, because you are limited to the filters (or at least the filter-types) that your MUA has predefined. With procmail, you have access to regular expressions and can call external programs on your email messages, and I've never seen a MUA that allows you to do that. Perhaps sorting messages from particular users can be done in the MUA, after procmail flushes the ones that are not directly addressed to you. As an aside, the Netscape mail client lets you write mail filters in JavaScript, which has regular expression support, although it's not as intuitive or as powerful as the regexp support in, say, Perl.

What do I do? I use a combination of fetchmail, procmail, and some custom Perl scripts to sort my mail. By the time I get to it with my MUA ( mutt rules), it has already been cleaned out quite a bit. I have a list of past spammers that gets checked each time a new message comes in from someone my scripts don't recognize or isn't addressed directly to me. It's a bit of work to set up at first, but it's easier in the long run. One thing I've been toying with is creating a database of good and bad addresses, which I can call through Perl scripts from the server to which my mail actually goes (I have several accounts, through school, work, and my ISP). The scripts, and procmail, would run on the individual server, contacting my workstation, which would hold the database (a perl-based server, running on some random port, with a specialized interface to the database).

By the way, if you do have access to a mail server, get the latest version of sendmail, which includes support for the Realtime Blackhole List (which someone already mentioned). It can reject mail based on the sender's originating IP address or domain, if they are known spammers. Very useful, although it can be a resource drain if you get a lot of mail or run a high volume mail server. I have a linux box on my desk which is my primary mail server, and I have all my email forwarded to that machine, which then checks the domains.

http://www.mutt.org/doc/manual/ma nual-6.html#move

move
Type: quadoption
Default: ask-no
Controls whether you will be asked to confirm moving read messages from your spool mailbox to your $mbox mailbox, or as a result of a mbox-hook command.

"set move=no" will do exactly what you want.

Insofar as unix is concerned, you simply cannot beat mutt ( http://www.mutt.org/) for a pgp-aware mailer.

If you're currently using either pine or elm, you're doing yourself a serious disservice not looking at mutt. It's easier, more flexible, and more powerful than any of the alternatives.

PGP support is top-notch and native, for both v2 and v5 pgp. Highly recommended.

I suggest you take a good look at mutt. mutt's one of those programs where, once it's set up, people think, "Ahh, this is the way email was *meant* to be!" If the only thing it did better than pine was to thread messages, that would be a good enough reason to switch. It does much more than just that, though.