Zimbra S/MIME Encryption

From XMission Wiki
Revision as of 12:30, 16 January 2014 by Jab (talk | contribs)
Jump to: navigation, search

Introduction

S/MIME is a method of signing and encrypting email. It is conceptually similar to pgp/gnupg, but using SSL certificates. Zimbra natively supports S/MIME in the browser interface.

JAVA DISCLAIMER: - S/MIME uses a Java applet, this means end-users need working Java, which will take effort since many manufacturers, software applications, and Operating Systems, have all had rounds of disabling Java everywhere


S/MIME Certificates

S/MIME requires an SSL certificate.

Free browser certificates can be had at StartSSL. Mozilla also has a list of free S/MIME certificate providers: http://kb.mozillazine.org/Getting_an_SMIME_certificate.

The S/MIME certificate should be both installed into the user's browser and backed up to a safe location. Firefox has it's own certificate management, while other browsers generally use the operating system's cert management.


Contact XMission to Enable S/MIME for the User Account

The "S/MIME" feature must be enabled by XMission staff for accounts. We do not enable by domain, only by account actively requiring S/MIME support.


Using S/MIME In Zimbra

Once the certificate is installed in the user's browser and S/MIME is enabled on the account, the user can begin using S/MIME. Note that S/MIME makes use of Java and that the client certificate needs to be installed at the time that Zimbra loads. If you add a certificate to your browser's store, reload Zimbra for it to pick it up.

When sending a message, there will now be a security button on the toolbar. The user can use this button to sign or encrypt any given message. The default action can be changed in Preferences -> Mail -> Security. They can also view what certificates Zimbra detects in their browser from the Security Preferences pane.

There needs to be a certificate for every email address they plan to send signed or encrypted email from. In other words, if they have a cert for user@domain.com, but not alias@domain.com, they can't send signed or encrypted mail when sending from the alias address.