Zimbra S/MIME Encryption

From XMission Wiki

Introduction

S/MIME is a method of signing and encrypting email. It is conceptually similar to PGP/GnuPG, but uses SSL certificates. Zimbra natively supports S/MIME in the browser interface.

Email information sent via S/MIME is stored encrypted at rest on the remote mail server and can only be decrypted by utilizing the recipient's public PGP key.

XMission's Zimbra email service supports S/MIME in the webmail interface.

JAVA DISCLAIMER: S/MIME uses a Java applet, which means end users need a working Java installation. Getting one will take effort, since many manufacturers, software applications, and operating systems have all had rounds of disabling Java everywhere.

S/MIME Certificates

S/MIME requires an SSL certificate.

Free browser certificates can be had at StartSSL. Mozilla also has a list of free S/MIME certificate providers: http://kb.mozillazine.org/Getting_an_SMIME_certificate.

The S/MIME certificate should be both installed into the user's browser and backed up to a safe location. Firefox has its own certificate management, while other browsers generally use the operating system's certificate management.


Contact XMission to Enable S/MIME for the Mailbox Account

The "S/MIME" feature must be enabled by XMission staff for each account. XMission enables it only for accounts that actively require S/MIME support.

Using S/MIME In Zimbra

Once the certificate is installed in the user's browser and S/MIME is enabled on the account, the user can begin using S/MIME.

Note that S/MIME makes use of Java and that the client certificate needs to be installed at the time Zimbra loads. If you add a certificate to your browser's store, reload Zimbra so that it picks up the new certificate.

When sending a message, there will now be a security button on the toolbar. The user can use this button to sign or encrypt any given message. The default action can be changed in Preferences -> Mail -> Security. They can also view what certificates Zimbra detects in their browser from the Security Preferences pane.

XMission Zimbra accounts can send encrypted messages to recipients only if they have the recipients’ public-key certificate stored in one of the following:

  • recipient’s contact in their Address Book
  • local OS or browser keystore
  • external LDAP directory

Important Note:

There needs to be a certificate for every email address a sender needs to send signed or encrypted email from. In other words, if they have a cert for user@example.com, but not alias@example.com, they can't send signed or encrypted mail when sending from the alias address.
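
One way to check the requirement in the note above before importing a certificate, as an added example that is not part of the original XMission page: the script lists the email addresses an S/MIME certificate contains and reports which From addresses it covers. The function names, the throwaway self-signed certificate, and the case-insensitive address comparison are assumptions made for illustration; it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Added example (not XMission or Zimbra code). Requires the openssl CLI.
# All file names and addresses below are constructed samples.

# Print every e-mail address in a PEM certificate (subject emailAddress and
# subjectAltName entries), one per line, lower-cased.
cert_emails() {
    openssl x509 -in "$1" -noout -email | tr '[:upper:]' '[:lower:]' | sort -u
}

# Succeed if the certificate lists the given From address.
# Assumption: addresses are compared case-insensitively.
cert_covers() {
    addr=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    cert_emails "$1" | grep -Fxq -- "$addr"
}

# Succeed if the certificate has not yet expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Constructed sample: throwaway self-signed certificate for user@example.com,
# written to <dir>/cert.pem (private key in <dir>/key.pem).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Sample User/emailAddress=user@example.com" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Report, for each From address, whether the certificate can be used with it.
report() {
    cert=$1; shift
    cert_not_expired "$cert" || echo "warning: $cert has expired"
    for from in "$@"; do
        if cert_covers "$cert" "$from"; then
            echo "$from: covered by this certificate"
        else
            echo "$from: NOT covered, needs its own certificate"
        fi
    done
}

tmp=$(mktemp -d)
make_sample_cert "$tmp"
report "$tmp/cert.pem" user@example.com alias@example.com
rm -rf "$tmp"
```

To check a real certificate, export it from the browser or operating system store in PEM format and pass its path to `report` along with each address you send from.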

The S/MIME feature has to be activated by XMission per account. It is not enabled by default. Please email requests to support@xmission.com.

S/MIME encryption is supported only in the webmail interface; the Zimbra Desktop application does not support it.