Zimbra S/MIME Encryption
Email information sent via S/MIME is stored encrypted at rest on the remote mail server and can only be decrypted by utilizing the recipient's public PGP key.
XMission's Zimbra email service supports S/MIME in the webmail interface.
JAVA DISCLAIMER: S/MIME uses a Java applet. This means end-users need working Java, which will take effort, since many manufacturers, software applications, and operating systems have all had rounds of disabling Java everywhere.
S/MIME requires an SSL certificate.
Free browser certificates can be had at StartSSL. Mozilla also has a list of free S/MIME certificate providers: http://kb.mozillazine.org/Getting_an_SMIME_certificate.
The S/MIME certificate should be both installed into the user's browser and backed up to a safe location. Firefox has its own certificate management, while other browsers generally use the operating system's cert management.
- Firefox: http://kb.mozillazine.org/Installing_an_SMIME_certificate
- Windows: http://support.microsoft.com/kb/823503
- Mac OS X: http://arstechnica.com/apple/2011/10/secure-your-e-mail-under-mac-os-x-and-ios-5-with-smime/
  - OS X users may need to update/install Java directly from Oracle.
- Linux: http://code.google.com/p/chromium/wiki/LinuxCertManagement
  - Linux isn't officially supported by Zimbra, and, though I've only spent limited effort, I haven't had any luck getting it to work on Linux. YMMV, and I expect it can't be made to work in the current version.
  - See: http://www.zimbra.com/forums/users/56471-secureemail-_signmessage.html
Contact XMission to Enable S/MIME for the Mailbox Account
The "S/MIME" feature must be enabled by XMission staff for accounts. XMission enables it only for accounts that actively require S/MIME support.
Using S/MIME In Zimbra
Once the certificate is installed in the user's browser and S/MIME is enabled on the account, the user can begin using S/MIME.
Note that S/MIME makes use of Java, and the client certificate needs to be installed at the time that Zimbra loads. If you add a certificate to your browser's store, reload Zimbra so that it picks the certificate up.
When sending a message, there will now be a security button on the toolbar. The user can use this button to sign or encrypt any given message. The default action can be changed in Preferences -> Mail -> Security. They can also view what certificates Zimbra detects in their browser from the Security Preferences pane.
XMission Zimbra accounts can send encrypted messages to recipients only if they have the recipients’ public-key certificate stored in one of the following:
- recipient’s contact in their Address Book
- local OS or browser keystore
- external LDAP directory
There needs to be a certificate for every email address a sender needs to send signed or encrypted email from. In other words, if they have a cert for firstname.lastname@example.org, but not email@example.com, they can't send signed or encrypted mail when sending from the alias address.
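To see which sender addresses an exported certificate file actually covers before relying on it for an alias, the added example below (not part of XMission's or Zimbra's documentation) reads the addresses with the `openssl` CLI. The function names, file names and the `primary@example.test` / `alias@example.test` addresses are constructed for the demo, and it inspects a PEM file on disk, not what Zimbra detects in the browser.

```bash
#!/usr/bin/env bash
# Added example: list the sender addresses an S/MIME certificate does not cover.
# Assumes the openssl CLI is installed (1.1.1 or later for -addext in the demo).

# Print the e-mail addresses bound to PEM certificate $1, lowercased, one per line.
cert_emails() {
    openssl x509 -in "$1" -noout -email | tr '[:upper:]' '[:lower:]'
}

# Succeed if certificate $1 lists address $2 (whole-line, case-insensitive match).
cert_covers() {
    local want
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    cert_emails "$1" | grep -Fxq -- "$want"
}

# Print every address among $2.. that certificate $1 does NOT cover.
uncovered_senders() {
    local cert addr
    cert=$1
    shift
    for addr in "$@"; do
        cert_covers "$cert" "$addr" || printf '%s\n' "$addr"
    done
}

# Build a throwaway self-signed certificate for one constructed address,
# so the check can be tried without a real certificate.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/demo.key" -out "$1/demo.pem" \
        -subj "/CN=Demo User" \
        -addext "subjectAltName=email:primary@example.test" 2>/dev/null
}

# Demo: the primary address is in the certificate, the alias is not.
demo() {
    local dir
    dir=$(mktemp -d)
    make_demo_cert "$dir" || { rm -rf "$dir"; return 1; }
    uncovered_senders "$dir/demo.pem" Primary@Example.Test alias@example.test
    rm -rf "$dir"
}
```

Calling `uncovered_senders cert.pem addr1 addr2 ...` on an exported certificate prints the addresses that would need their own certificate; empty output means every listed address is covered.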
The S/MIME feature has to be activated by XMission per account. It is not enabled by default. Please email requests to firstname.lastname@example.org.
The Zimbra Desktop application does not support S/MIME encryption, only the webmail interface.