Encrypted email from external client gets rejected by chatmail server

nathanael · February 12, 2026, 11:57pm

I’ve followed this guide from @adbenitez on Delta Chat before and on Arcane Chat just now again (thought maybe it would be a different result).

The goal is to send and receive messages from a DC profile to an external mail client. I tested this with Mutt. I could send an encrypted message from the DC profile to my personal email, but couldn’t send one back.

It probably has something to do with how Mutt encrypts the email. Here the full email i’ve send (I also tried it with disabled Autocrypt, same result).

Email

Date: Fri, 13 Feb 2026 00:21:11 +0100
From: nathanael@dalliard.ch
To: xwjfco5ay@arcanechat.me
Subject: ...
Message-ID: <aY5gaMBbtw0KztRB@dalliard.ch>
References: <feab4c9a-11b0-4be1-834f-b99e384225e7@localhost>
 <feab4c9a-11b0-4be1-834f-b99e384225e7@localhost>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
	boundary="gaZ2XVIMd74rbz7S"
Content-Disposition: inline
In-Reply-To: <feab4c9a-11b0-4be1-834f-b99e384225e7@localhost>
Autocrypt: addr=nathanael@dalliard.ch; prefer-encrypt=mutual; keydata=
	mDMEaMJ9UxYJKwYBBAHaRw8BAQdAd3FVPZluYDAdzPpJOFmPQDeS8ynoVh4uBpzeiXjVUJ60IW5
	hdGhhbmFlbCA8bmF0aGFuYWVsQGRhbGxpYXJkLmNoPoiOBBMWCgA2AhsDAheAFiEEIrC84YaDhq
	LMW2PKxhq/eW69AOIFAmjCh0EECwkIBwUVCgkICwQWAgMBAh4FAAoJEMYav3luvQDiTpoA+wUwr
	9l6n9d1dltCXrF0kbKzqs004Hi18Ev9cH70mZ6eAP9VA9YrC4UnG1MBpkvMvmv7YlIjXo2/Yn59
	hTysXDmcA7g4BGjCfVMSCisGAQQBl1UBBQEBB0CNGCdN8HMxHzp8DnvfpzsOdFmPS007HUvBSUB
	6zL92CwMBCAeIeAQYFgoAIBYhBCKwvOGGg4aizFtjysYav3luvQDiBQJown1TAhsMAAoJEMYav3
	luvQDiACoA+gLtJvoQBsXL+hHPxIBBFccAge4+0vuyvPXxvGs483OwAP4z9dkh5B+7edtnbtVll
	zTXFDnxaMGThB16yjUwt2LPCA==


--gaZ2XVIMd74rbz7S
Content-Type: application/pgp-encrypted
Content-Disposition: attachment

Version: 1

--gaZ2XVIMd74rbz7S
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=msg.asc

-----BEGIN PGP MESSAGE-----

hF4DFYw3E47UG/ASAQdA3JnkJLJJALitYG/jzzEuF0p+hEBsgLTicaEJkJerInkw
SftuCMBjxv4D6rTqNkBn7IQh6gmlUKrUNBVEnq0V1InVF9o0kDpZfUUaB5ajNDMb
hF4DMiMKov7/CVgSAQdA7ib6HK7UVW2IdAM5PILbtqzuynukooXdg9YWWamjal8w
h/L0BxbtUFzI3U847dvzwtsW7A9CZXpi45OMXRC9mO3G/FAY1fW+C6PwObT7X1qK
0sDSAbyYddCihL1UEl6EigtD/YQezCTCydzstD2cRdV75lmUqzMCR8NbfvdttBbl
g04ZZtoHm1DSnXIAN4iFzW4EBgNVUDCnqO8wyYmWw4OCOt45IkTXGQUICGxeVh6g
4Pdj4OzSrg/mTZGIDjE2h/osVpPEQjwcAus73EZC4sz4n2U+OMHsq0M54Ds7wyGv
1KBzcQQ5Rc/DPPT0INnl58datm2HGKtWFWYab9/cw/fnQ+oYhmpkZbdITTmnTAyn
CHih86i0w6gXsX99iRLe6yP8BcU3rCCflsCp5zzlcFYViTPgEn1W8H32VOXulfcV
rpRFtc5yzjFj8Dvq9gI9yGIgqiS7oEAXdRBYhmBRTydMcbS1bCPDWy5w95Cp2VzR
x8cBq5e+27QTl9YNHr4xeric7del79wktJFiINzUCQPwkwM9ud2EJ1zN8Owr2Dp8
JvS2ioSEK5J2Lc95vDLmbVnMuKmVW6qD+fEdtYSHnSIc/t+iYG3GlaFyvO8t0Jav
cbsijrbYhoSOq67KseQWvfL+gL5u
=WWqc
-----END PGP MESSAGE-----

--gaZ2XVIMd74rbz7S--

The error I got back from the chatmail server was:
xwjfco5ay@arcanechat.me: 523 Encryption Needed: Invalid Unencrypted Mail

link2xt · February 13, 2026, 1:22am

I have looked at the message. The reason filtermail rejects the message is because the message uses legacy pre-OpenPGP packet format, while filtermail expects standard OpenPGP packet format.

The beginning of the message looks like this, I decoded it with base64 -d | xxd:

00000000: 845e 0315 8c37 138e d41b f012 0107 40dc  .^...7........@.
00000010: 99e4 24b2 4900 b8ad 606f e3cf 312e 174a  ..$.I...`o..1..J

0x84 is the first byte, 1000 0100 in binary. Bit 6 (second from the left) is set to 0, which means it is a legacy packet format.

link2xt · February 13, 2026, 2:00am

I have looked at GnuPG source code, it seems there is no way to make it send PKESK packets using standard OpenPGP packet format.

Here is the code writing PKESK packet:

github.com/gpg/gnupg

g10/encrypt.c

c0f9ca47f


      
          init_packet (&pkt);
          pkt.pkttype = PKT_PUBKEY_ENC;
          pkt.pkt.pubkey_enc = enc;
          rc = build_packet (out, &pkt);

Inside build_packet the variable new_ctb is not set:

github.com/gpg/gnupg

g10/build-packet.c

c0f9ca47f


      
          int new_ctb = 0;
          int ctb, pkttype;
          
          if (DBG_PACKET)
            log_debug ("build_packet() type=%d\n", pkt->pkttype);
          log_assert (pkt->pkt.generic);
          
          switch ((pkttype = pkt->pkttype))
            {
            case PKT_PUBLIC_KEY:
              if (pkt->pkt.public_key->seckey_info)
                pkttype = PKT_SECRET_KEY;
              break;
            case PKT_PUBLIC_SUBKEY:
              if (pkt->pkt.public_key->seckey_info)
                pkttype = PKT_SECRET_SUBKEY;
              break;
            case PKT_PLAINTEXT:
              new_ctb = pkt->pkt.plaintext->new_ctb;
              break;

This file has been truncated. show original

One option is that we make filtermail accept legacy packet format. The other is to fix packet generation in FreePG project, this is essentially the version of GnuPG used in all major Linux distributions such as Debian, Ubuntu and Arch Linux and it aims to be compatible to OpenPGP.

I have opened filtermail issue:

github.com/chatmail/filtermail

Filtermail rejects legacy pre-OpenPGP packet headers

opened 02:05AM - 13 Feb 26 UTC

link2xt

This is the issue reported on the forum: https://support.delta.chat/t/encrypted-…email-from-external-client-gets-rejected-by-chatmail-server/4728 GnuPG always generates PKESK packets using legacy packet format, while [OpenPGP specification](https://www.rfc-editor.org/rfc/rfc9580.html#name-packet-headers) says that "the Legacy packet format SHOULD NOT be used to generate new data". If we add support for legacy packet format, we will need to modify check here and parse length differently: https://github.com/chatmail/filtermail/blob/951901e7ac4e65809909252ff9bef95807f9691f/src/openpgp.rs#L28-L32

I also opened a FreePG issue:

nathanael · February 13, 2026, 2:52am

Wow. Thank you for looking into this so fast.

Just an aside: I am running OpenBSD and couldn’t find a port for FreePG. Maybe I would be able to compile it, but it seems the “better” solution for me would be to accept legacy packet format in filtermail, but since I have no idea if there are security implications with this, I won’t ask for anything. Please do what is best for the project and not for my edge case.

Shall I already select your answer as the solution or is it better to wait until it is implemented either in filtermail or FreePG? Sorry not sure how you’re doing this here, just let me know.

link2xt · February 13, 2026, 3:09am

I marked it as the solution, let’s track it in filtermail issue. I agree that it’s easiest to fix it there. Don’t think there are any security problems with accepting legacy format, it is just length encoding.