Zimbra S/MIME Encryption
Introduction
S/MIME is a method of signing and encrypting email. It is conceptually similar to PGP/GnuPG, but uses SSL certificates. Zimbra natively supports S/MIME in the browser interface.
JAVA DISCLAIMER: S/MIME uses a Java applet, which means end users need a working Java installation. This will take effort, since many manufacturers, software applications, and operating systems have all had rounds of disabling Java everywhere.
S/MIME Certificates
S/MIME requires an SSL certificate.
Free browser certificates can be had at StartSSL. Mozilla also has a list of free S/MIME certificate providers: http://kb.mozillazine.org/Getting_an_SMIME_certificate.
The S/MIME certificate should be both installed into the user's browser and backed up to a safe location. Firefox has its own certificate management, while other browsers generally use the operating system's certificate management.
- Firefox: http://kb.mozillazine.org/Installing_an_SMIME_certificate
- Windows: http://support.microsoft.com/kb/823503
- Mac OS X: http://arstechnica.com/apple/2011/10/secure-your-e-mail-under-mac-os-x-and-ios-5-with-smime/
  - OS X users may need to update/install Java directly from Oracle.
- Linux: http://code.google.com/p/chromium/wiki/LinuxCertManagement
  - Linux isn't officially supported by Zimbra, and, though I've only spent limited effort, I haven't had any luck getting it to work on Linux. YMMV, and I expect it can't be made to work in the current version.
  - See: http://www.zimbra.com/forums/users/56471-secureemail-_signmessage.html
Contact XMission to Enable S/MIME for the User Account
The "S/MIME" feature must be enabled on each account by XMission staff. We do not enable it by domain, only for accounts that actively require S/MIME support.
Using S/MIME In Zimbra
Once the certificate is installed in the user's browser and S/MIME is enabled on the account, the user can begin using S/MIME. Note that S/MIME makes use of Java and that the client certificate needs to be installed at the time that Zimbra loads. If you add a certificate to your browser's store, reload Zimbra so that it picks up the new certificate.
When sending a message, there will now be a security button on the toolbar. The user can use this button to sign or encrypt any given message. The default action can be changed in Preferences -> Mail -> Security. The user can also view which certificates Zimbra detects in their browser from the Security Preferences pane.
There needs to be a certificate for every email address they plan to send signed or encrypted email from. In other words, if they have a cert for user@domain.com, but not alias@domain.com, they can't send signed or encrypted mail when sending from the alias address.
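To check ahead of time which sending addresses a certificate covers, the following added example (not XMission's or Zimbra's code) lists the e-mail addresses bound to a PEM certificate with `openssl x509 -email` and tests a From address against them. The function names and the self-signed sample certificate for user@domain.com are constructed for illustration, and the case-insensitive comparison is an assumption.

```shell
#!/bin/sh
# Added example: which From addresses can this S/MIME certificate be used for?

# Print every e-mail address bound to the certificate in $1 (subject
# emailAddress and subjectAltName entries), one per line, lower-cased.
cert_emails() {
    openssl x509 -in "$1" -noout -email | tr '[:upper:]' '[:lower:]' | sort -u
}

# Return 0 if the certificate in $1 covers the sending address $2.
# Assumption: addresses are compared case-insensitively.
cert_covers() {
    cert_emails "$1" | grep -Fxq -- "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
}

# Build a constructed, self-signed sample certificate in directory $1.
# It is valid for user@domain.com only, mirroring the case in the text.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Sample User/emailAddress=user@domain.com" \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_sample_cert "$workdir"
sample="$workdir/sample.pem"

# The primary address is covered; the alias needs a certificate of its own.
for from in user@domain.com alias@domain.com; do
    if cert_covers "$sample" "$from"; then
        echo "$from: covered by this certificate"
    else
        echo "$from: NOT covered, needs its own certificate"
    fi
done
```

For a PKCS#12 backup file, first extract the certificate with `openssl pkcs12 -in backup.p12 -clcerts -nokeys -out cert.pem` and pass `cert.pem` to `cert_covers`.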