How to configure SMIME on Zimbra

Revision as of 11:20, 3 November 2021 by Shanxt (talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

How to configure S/MIME (in Webmail, ZCO,IMAP,POP and Thunderbird)?

   KB 24294        Last updated on 2021-11-3  

(0 votes)

What is S/MIME?

S/MIME is an acronym for Secure/Multipurpose Internet Mail Extensions. It references a type of public encryption and signing of MIME data (email messages) to verify a sender’s identity.

What it allows to do is two things:

Ensure to the email recipients that the sender actually sent the email.

Allows the possibility of sending and/or receiving email encrypted.

How Does S/MIME Work?

As mentioned above, S/MIME is a type of “end-to-end” encryption solution used for email messages. To be more specific, it uses asymmetric cryptography to protect emails from being read by a third party.

Sign: Digitally validate that you are the sender of a message. When signing, you use your private key to write message's signature, and they use your public key to check if it's really yours.

Encrypt: encrypt the composed message for one or more recipients. When encrypting, you use their public key to write a message and they use their private key to read it.

In order to encrypt, you must have previously received a signed message from that user, such that Zimbra has stored the public S/MIME certificate for that other user. A digital id or digital certificate consists of a public and private key. Your public key is shared with everyone. Your private key is kept private.

Digital signatures and end-to-end email encryption:

A digital signature only requires the sender (the signer) to have cryptographic keys (a private key and a public key). The sender signs the message locally on his/her device (using sender’s private key). Furthermore, the receiver verifies it on his device by using sender’s public key. The process works as follows:

 --  Alice (sender) generates a key pair and shares her public key with Bob (a one-time prerequisite).
 --  Alice signs the message using her private key in her device and sends the message to Bob.
 --  Bob receives the signed message on his device and verifies the signature using Alice’s public key.


Enabling S/MIME Email Encryption:

Enabling S/MIME email encryption may be different for depending on the Webmail and email application combination in use. There are few examples of how S/MIME control on different email client and Zimbra Webmail.

Enabling S/MIME on Zimbra Webmail:

1. This is a license feature, a valid S/MIME license(SMIMEAccountsLimit) should be present in license file.

2. Get the valid S/MIME certificate from CA authority or use free S/MIME certs as well. When creating this certificate, it must match exactly the From: address use when sending email. If there is a mismatch, S/MIME will not work.

3. Enabling this feature in account level and COS level:

Account level: Edit account -> Features -> S/MIME features. COS level: Open admin console -> Configure ->Class of Service ->Cos_name ->Features -> S/MIME features.


$ zmprov  ma zimbraFeatureSMIMEEnabled TRUE
$ zmprov mc cos_name zimbraFeatureSMIMEEnabled TRUE

4. In Zimbra Web Client, go to Preferences -> Zimlets, and make sure the Zimlet called "Secure Email" is enabled. Securemail zimlet can be enable from COS as well. 5. In Zimbra Web Client, go to Preferences -> Security, and upload the S/MIME cert.



After upload it should be like this:


When composing Sign email, sender should now see a pull-down box offering "Don't Sign", "Sign" or "Sign and Encrypt". Here, select “Sign”.

"Recipient can see signed email and certificate detail


Recipient end you can see signed email and certificate detail:


Once you have sent sign public cert of sender will add in contact list, now send a Sign and Encrypt email to each other.


Enabling S/MIME in (ZCO,IMAP/POP) outlook:

1. Configure a new ZCO profile and configure an account in outlook.

2. After complete the ZCO profile open the account and go to the File -> Options -> Trust Center -> Trust Center Settings -> Email Security -> Import/Export


New window will open, browse the certificate file and enter the password.


Now, enter the name of certificate and check the settings as per screenshot:


Try to compose one e-mail from outlook and you will see the “sign” and “encrypt” option in Options tab:


Note: Outlook saves the public cert of sender in local outlook contact list, it will not save it automatically when someone sends a “Sign” e-mail. User needs to save it manually.

Steps to add contact in local outlook contact list.

1) Open the signed e-mail message

2) Right-click on the sender's name

3) Select Add to Outlook Contacts

4) If the sender is not yet in Contacts address book, a Contact window will appear. Enter any information wants to include.

5) Click Save and Close. This automatically adds the sender's Digital ID to local Contact address book.

6) If the sender is already in local Contacts address book, a dialog box will appear stating that a duplicate contact is detected. Click OK to update new information from this contact to the existing one.

Once you have saved the contact, it will sync with webmail as well and now you can send the Sign&encrypt email to the sender. If the contact not saved you will get an error when you will try to send the encrypt email.

You can see the saved certificate information in contact:


Steps are same to add certificate and compose an email for IMAP/POP account in outlook but only the local contact will not sync with webmail.

Enabling S/MIME in Thunderbird e-mail client:

1. Go to the Options -> Certificates -> Manage Certificates -> Import Here you need to import the certificate then Ok.


2. Now go to the Account Settings-> Security -> Digital Signing-> Select the certificate.


3. You can try to compose the Digitally Sign email or Encrypt e-mail.

Jump to: navigation, search