Version:            (using KDE KDE 3.5.6)
Installed from:    SuSE RPMs

I just found out a serious security bug in KMail.
My platform: openSUSE 10.2
KDE 3.5.6 "Release 77.1"

I'm using InlineOpenPGP/MIME with GPG keys. My default settings are "encrypt when ever possible" and "sign whenever possible". Usually this works fine, I create a new message to a contact whose public GPG key is correctly assigned in the addressbook. I click send, KMail shows me the dialog which keys it will use for encryption and signing, I enter my passphrase and the message goes out encrypted.

Today, I found out by accident, that not all parts of a message are encrypted under certain circumstances:
This is the case when I create a message as usual, but add an attachment. In the attachment frame I check the two checkboxes 'encrypt' and 'sign'. I click send, the used keys are shown, I enter my passphrase and the message is sent. But the text part of my message has not been encrypted.. it was sent in plain text, only the attachment was encrypted. This is very dangerous, because I assumed that all parts of my message would be encrypted.

Strangely, If I create a message and DON'T CHECK, the 'encrypt' and 'sign' checkboxes for attachments, all parts of the message will be encrypted.

I think this is a serious bug, please fix this soon. Anyway, those kind of bugs can always be there, I whish there was a last step in the workflow of sending encrypted mails, where you have the chance to inspect the email in raw format, to be sure that everything is really encrypted as expected, before the message is actually sent out. Trust in KMail is good, but control is even better!