How to configure SMIME on Zimbra: Difference between revisions

No edit summary
No edit summary
(13 intermediate revisions by one other user not shown)
Line 2: Line 2:
__FORCETOC__
__FORCETOC__
<div class="col-md-12 ibox-content">
<div class="col-md-12 ibox-content">
=How to configure S/MIME(Webmail, ZCO,IMAP,POP and Thunderbird)?=  
=How to configure S/MIME (in Webmail, ZCO,IMAP,POP and Thunderbird)?=  
<hr>
<hr>
{{KB|{{WIP}}|{{ZCS 8.8.x}}||||}}  
{{KB|{{ZC}}|{{ZCS 8.8}}||||}}  
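Review bot: the new heading "=How to configure S/MIME (in Webmail, ZCO,IMAP,POP and Thunderbird)?=" still has no spaces after the commas in "ZCO,IMAP,POP". Suggest "(in Webmail, ZCO, IMAP, POP and Thunderbird)" so the list of clients reads consistently.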




Line 10: Line 10:
S/MIME is an acronym for Secure/Multipurpose Internet Mail Extensions. It references a type of public encryption and signing of MIME data (email messages) to verify a sender’s identity.  
S/MIME is an acronym for Secure/Multipurpose Internet Mail Extensions. It references a type of public encryption and signing of MIME data (email messages) to verify a sender’s identity.  


=====What it allows you to do is two things:=====
=====What it allows to do is two things:=====
Ensure to your email recipients that YOU actually sent the email.
Ensure to the email recipients that the sender actually sent the email.


Allows the possibility of sending and/or receiving email encrypted.
Allows the possibility of sending and/or receiving email encrypted.
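Review bot: removing "you" from the sub-heading leaves "What it allows to do is two things:" without an object, and the first item "Ensure to the email recipients that the sender actually sent the email." is still awkward. Suggest "S/MIME allows two things:" followed by "Assure recipients that the sender actually sent the email." The second item could be shortened to "Send and/or receive encrypted email."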
Line 36: Line 36:


====Enabling  S/MIME Email Encryption:====
====Enabling  S/MIME Email Encryption:====
Enabling S/MIME email encryption may be different for depending on the Webmail and email application combination that you use. There are few examples of how your S/MIME control on different email client and Zimbra Webmail.
Enabling S/MIME email encryption may be different for depending on the Webmail and email application combination in use. There are few examples of how S/MIME control on different email client and Zimbra Webmail.


=====Enabling S/MIME on Zimbra Webmail:=====
=====Enabling S/MIME on Zimbra Webmail:=====
1. This is a license feature, a valid S/MIME license(SMIMEAccountsLimit) should be present in license file.
1. This is a license feature, a valid S/MIME license(SMIMEAccountsLimit) should be present in license file.


2. Get the valid S/MIME certificate from CA authority and you can use free S/MIME certs as well. When you create this certificate, it must match exactly the From: address you use when sending email. If there is a mismatch, S/MIME will not work.
2. Get the valid S/MIME certificate from CA authority or use free S/MIME certs as well. When creating this certificate, it must match exactly the From: address use when sending email. If there is a mismatch, S/MIME will not work.


3. You can enable this feature in account level and COS level:
3. Enabling this feature in account level and COS level:


'''Account level''': Edit account -> Features -> S/MIME features.
'''Account level''': Edit account -> Features -> S/MIME features.
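Review bot: in step 2 the rewrite to the third person dropped the verb, leaving "it must match exactly the From: address use when sending email". This is the sentence readers rely on to avoid a non-working setup, so it should be unambiguous, for example "the address in the certificate must exactly match the From: address used when sending email". In the same hunk, "may be different for depending on" is carried over unchanged, and step 3 ("Enabling this feature in account level and COS level:") no longer reads as an instruction; "Enable this feature at the account level or the COS level:" would.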
Line 53: Line 53:




4. In Zimbra Web Client, go to '''Preferences -> Zimlets''', and make sure the Zimlet called '''"Secure Email"''' is enabled. You can enable securemail zimlet from COS as well.
4. In Zimbra Web Client, go to '''Preferences -> Zimlets''', and make sure the Zimlet called '''"Secure Email"''' is enabled. Securemail zimlet can be enable from COS as well.
5. In Zimbra Web Client, go to '''Preferences -> Security,''' and upload the S/MIME cert.
5. In Zimbra Web Client, go to '''Preferences -> Security,''' and upload the S/MIME cert.
 
Steps:
 
[[File:Smime2.png|900px]]
 
After upload it should be like this:
 
 
[[File:Smime3.png]]
 
 
When composing Sign email, sender should now see a pull-down box offering "Don't Sign", "Sign" or "Sign and Encrypt". Here, select “Sign”.
 
"Recipient can see signed email and certificate detail
 
 
[[File:Smime4.png|500px]]
 
 
Recipient end you can see signed email and certificate detail:
 
 
[[File:Smime5.png]]
 
Once you have sent sign public cert of sender will add in contact list, now send a Sign and Encrypt email to each other.
 
[[File:Smime6.png|500px]]
 
 
=====Enabling S/MIME in (ZCO,IMAP/POP) outlook:=====
1. Configure a new ZCO profile and configure an account in outlook.
 
2. After complete the ZCO profile open the account and go to the '''File -> Options -> Trust Center -> Trust Center Settings -> Email Security -> Import/Export'''
 
[[File:Smime7.png]]
 
New window will open, browse the certificate file and enter the password.
 
[[File:Smime8.png]]
 
Now, enter the name of certificate and check the settings as per screenshot:
 
[[File:Smime9.png]]
 
Try to compose one e-mail from outlook and you will see the “sign” and “encrypt” option in Options tab:
 
[[File:Smime10.png]]
 
'''Note:''' Outlook saves the public cert of sender in local outlook contact list, it will not save it automatically when someone sends a “Sign” e-mail. User needs to save it manually.
 
'''Steps to add contact in local outlook contact list.'''
 
1) Open the signed e-mail message
 
2) Right-click on the sender's name
 
3) Select Add to Outlook Contacts
 
4) If the sender is not yet in Contacts address book, a Contact window will appear. Enter any information wants to include.
 
5) Click Save and Close. This automatically adds the sender's Digital ID to local Contact address book.
 
6) If the sender is already in local Contacts address book, a dialog box will appear stating that a duplicate contact is detected. Click OK to update new information from this contact to the existing one.
 
Once you have saved the contact, it will sync with webmail as well and now you can send the Sign&encrypt email to the sender. If the contact not saved you will get an error when you will try to send the encrypt email.
 
You can see the saved certificate information in contact:
 
[[File:Smime11.png|900px]]
 
Steps are same to add certificate and compose an email for IMAP/POP account in outlook but only the local contact will not sync with webmail.
 
 
=====Enabling S/MIME in Thunderbird e-mail client:=====
1. Go to the '''Options -> Certificates -> Manage Certificates -> Import'''
Here you need to import the certificate then '''Ok.'''
 
[[File:Smime12.png|900px]]
 
2. Now go to the Account '''Settings-> Security -> Digital Signing->''' Select the certificate.
 
[[File:Smime13.png|900px]]
 
3. You can try to compose the Digitally Sign email or Encrypt e-mail.
 
[[File:Smime14.png]]
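Review bot: the added line before [[File:Smime4.png|500px]] opens with an unbalanced quotation mark ("Recipient can see signed email and certificate detail) and repeats the caption that follows for Smime5.png. It looks like a leftover and should either be removed or replaced with a caption for the compose screenshot. Also in this hunk, step 4 reads "Securemail zimlet can be enable from COS"; suggest "The Secure Email Zimlet can be enabled from the COS". The Outlook section asks for "the certificate file" and "the password" without saying which file the user is expected to import, which is worth stating since the webmail step only says "upload the S/MIME cert".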

Revision as of 11:20, 3 November 2021

How to configure S/MIME (in Webmail, ZCO, IMAP, POP and Thunderbird)?


   KB 24294        Last updated on 2021-11-3  






What is S/MIME?

S/MIME is an acronym for Secure/Multipurpose Internet Mail Extensions. It refers to a type of public-key encryption and signing of MIME data (email messages) used to verify a sender's identity.

It allows two things:

Assure the email recipients that the sender actually sent the email.

Send and/or receive encrypted email.


How Does S/MIME Work?

As mentioned above, S/MIME is a type of “end-to-end” encryption solution used for email messages. To be more specific, it uses asymmetric cryptography to protect emails from being read by a third party.

Sign: Digitally validate that you are the sender of a message. When signing, you use your private key to write the message's signature, and recipients use your public key to check that it is really yours.

Encrypt: Encrypt the composed message for one or more recipients. When encrypting, you use the recipients' public key to write a message, and they use their private key to read it.

In order to encrypt, you must have previously received a signed message from that user, so that Zimbra has stored that user's public S/MIME certificate. A digital ID or digital certificate consists of a public and a private key. Your public key is shared with everyone; your private key is kept private.


Digital signatures and end-to-end email encryption:

A digital signature only requires the sender (the signer) to have cryptographic keys (a private key and a public key). The sender signs the message locally on the sender's device, using the sender's private key. The receiver then verifies it on the receiver's device, using the sender's public key. The process works as follows:

 --  Alice (sender) generates a key pair and shares her public key with Bob (a one-time prerequisite).
 --  Alice signs the message using her private key in her device and sends the message to Bob.
 --  Bob receives the signed message on his device and verifies the signature using Alice’s public key.

Smime1.png

Enabling S/MIME Email Encryption:

The steps for enabling S/MIME email encryption differ depending on the webmail and email application combination in use. Below are a few examples of how to set up S/MIME in different email clients and in Zimbra Webmail.

Enabling S/MIME on Zimbra Webmail:

1. This is a licensed feature; a valid S/MIME license (SMIMEAccountsLimit) should be present in the license file.

2. Get a valid S/MIME certificate from a certificate authority (CA); free S/MIME certificates can be used as well. When this certificate is created, it must match exactly the From: address used when sending email. If there is a mismatch, S/MIME will not work.

3. Enable this feature at the account level or the COS level:

Account level: Edit account -> Features -> S/MIME features.

COS level: Open admin console -> Configure -> Class of Service -> Cos_name -> Features -> S/MIME features.

CLI:

$ zmprov ma account@domain.com zimbraFeatureSMIMEEnabled TRUE
$ zmprov mc cos_name zimbraFeatureSMIMEEnabled TRUE


4. In Zimbra Web Client, go to Preferences -> Zimlets, and make sure the Zimlet called "Secure Email" is enabled. The Secure Email Zimlet can be enabled from the COS as well.

5. In Zimbra Web Client, go to Preferences -> Security, and upload the S/MIME cert.

Steps:

Smime2.png

After upload it should be like this:


Smime3.png


When composing an email, the sender should now see a pull-down box offering "Don't Sign", "Sign" or "Sign and Encrypt". Here, select "Sign".


Smime4.png


On the recipient's end, the signed email and the certificate details are visible:


Smime5.png

Once a signed email has been sent, the sender's public cert is added to the contact list. Now send a Sign and Encrypt email to each other.

Smime6.png
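
The certificate/From: match required in step 2 and the sign-then-verify exchange described under "Digital signatures and end-to-end email encryption" can be checked from a shell before anything is uploaded. The following is an added example, not part of the original Zimbra article; it assumes the openssl command-line tool is installed, and alice@example.test, the function names and the throwaway self-signed certificate are constructed for illustration.

```sh
#!/bin/sh
# Added example. All names and data are constructed (alice@example.test is a placeholder).

# make_test_id ADDRESS DIR: throwaway self-signed S/MIME key and certificate for ADDRESS.
make_test_id() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test User" \
        -addext "subjectAltName=email:$1" \
        -addext "extendedKeyUsage=emailProtection" \
        -keyout "$2/key.pem" -out "$2/cert.pem" 2>/dev/null
}

# cert_matches_from CERT ADDRESS: succeed only if ADDRESS is exactly one of the
# e-mail addresses carried by the certificate (subject or subjectAltName).
cert_matches_from() {
    openssl x509 -in "$1" -noout -email | grep -Fxq -- "$2"
}

# sign_message DIR: Alice signs DIR/msg.txt with her private key (clear-signed MIME).
sign_message() {
    openssl smime -sign -in "$1/msg.txt" -signer "$1/cert.pem" \
        -inkey "$1/key.pem" -out "$1/signed.eml" 2>/dev/null
}

# verify_message DIR FILE: Bob checks FILE against Alice's certificate, which he
# trusts directly here because the test certificate is self-signed.
verify_message() {
    openssl smime -verify -in "$2" -CAfile "$1/cert.pem" -out /dev/null 2>/dev/null
}

demo() {
    d=$(mktemp -d) || return 1
    make_test_id alice@example.test "$d" || return 1
    for from in alice@example.test alice@example.org; do
        if cert_matches_from "$d/cert.pem" "$from"; then
            echo "From: $from matches the certificate"
        else
            echo "From: $from does NOT match the certificate"
        fi
    done
    printf 'Pay 100 EUR to Bob\n' > "$d/msg.txt"
    sign_message "$d" && verify_message "$d" "$d/signed.eml" && echo "signature verified"
    # Change the body after signing: verification must now fail.
    sed 's/Pay 100/Pay 900/' "$d/signed.eml" > "$d/tampered.eml"
    verify_message "$d" "$d/tampered.eml" || echo "tampered message rejected"
    rm -rf "$d"
}
demo
```

With a real PEM-encoded certificate from a CA, cert_matches_from can be run against the exact From: address before the certificate is uploaded in Preferences -> Security.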


Enabling S/MIME in Outlook (ZCO, IMAP/POP):

1. Configure a new ZCO profile and configure an account in Outlook.

2. After completing the ZCO profile, open the account and go to File -> Options -> Trust Center -> Trust Center Settings -> Email Security -> Import/Export

Smime7.png

A new window will open. Browse to the certificate file and enter the password.

Smime8.png

Now, enter the name of the certificate and check the settings as per the screenshot:

Smime9.png

Try composing an e-mail from Outlook; the "Sign" and "Encrypt" options appear in the Options tab:

Smime10.png

Note: Outlook saves the sender's public cert in the local Outlook contact list, but it will not save it automatically when someone sends a signed e-mail. The user needs to save it manually.

Steps to add a contact to the local Outlook contact list:

1) Open the signed e-mail message

2) Right-click on the sender's name

3) Select Add to Outlook Contacts

4) If the sender is not yet in the Contacts address book, a Contact window will appear. Enter any information you want to include.

5) Click Save and Close. This automatically adds the sender's Digital ID to the local Contacts address book.

6) If the sender is already in the local Contacts address book, a dialog box will appear stating that a duplicate contact is detected. Click OK to update the existing contact with the new information.

Once you have saved the contact, it will sync with webmail as well, and you can now send Sign and Encrypt email to the sender. If the contact is not saved, you will get an error when you try to send the encrypted email.

You can see the saved certificate information in the contact:

Smime11.png

The steps to add a certificate and compose an email are the same for an IMAP/POP account in Outlook, except that the local contact will not sync with webmail.


Enabling S/MIME in Thunderbird e-mail client:

1. Go to Options -> Certificates -> Manage Certificates -> Import. Import the certificate here, then click OK.

Smime12.png

2. Now go to Account Settings -> Security -> Digital Signing and select the certificate.

Smime13.png

3. Try composing a digitally signed or encrypted e-mail.

Smime14.png
