S/MIME is a standards-based method of public/private key encryption. It is commonly used for email and MIME data, and provides a straightforward way for email users to sign and encrypt messages to one another. We're not going to go into great detail on what S/MIME is here, so please feel free to read the Wikipedia article for more background.
Acquiring and installing an S/MIME certificate in Zimbra requires a few steps, although the certificate itself can be acquired for free from a few sites. Individuals or corporations can also purchase S/MIME certificates for a higher level of trust or organizational control.
Certificates must be X.509, Base64-encoded DER (PEM), and should be valid with a trusted chain.
Free S/MIME Certs
You can acquire and use a free S/MIME cert from one of the following:
- Comodo (renamed to Sectigo; no longer offers free S/MIME certificates)
- StartSSL (closed since Jan. 1st, 2018)
- Actalis (free for a year)
- CAcert (the SSL connection is untrusted)
- GlobalSign (no longer offers free certificates)
- InstantSSL (free certificate is now a 30-day trial)
- Secorio (links to InstantSSL)
Note that the email address in the certificate must match exactly the From: address you use when sending an email. If there is a mismatch, S/MIME will not work.
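The two requirements above (PEM-encoded X.509 with a trusted chain, and an email address that matches the From: header) can be checked before you import anything. The following script is an added example and is not part of this wiki page or of Zimbra; it only needs the openssl CLI. It also shows how to pull just the certificate out of a .p12 export without ever writing the private key to disk. The address alice@example.com, the file names and the .p12 password are constructed demo values.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page: pre-flight checks to run on
# an S/MIME certificate before importing it into the browser or Zimbra Web Client.
# Needs only the openssl CLI. File names, password and address are constructed.
set -eu

# Extract only the certificate from a PKCS#12 export (.p12). The private key is
# never written out, so the .p12 password is the only secret touched here.
# Usage: p12_cert FILE.p12 PASSWORD OUT_CERT.pem
p12_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys -out "$3" 2>/dev/null
}

# Usage: smime_cert_check CERT.pem FROM_ADDRESS [CA_BUNDLE.pem]
# Returns 0 when every check passes; prints the first failing check otherwise.
smime_cert_check() {
    cert=$1
    from=$2
    ca=${3:-}

    # 1. Format: Base64-encoded DER inside PEM armour, as the page requires.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$cert"; then
        echo "FAIL: $cert is not a PEM (Base64 DER) certificate"
        return 1
    fi

    # 2. Validity period: -checkend 0 fails if the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: certificate has expired"
        return 1
    fi

    # 3. An rfc822Name in the certificate must match the From: address
    #    (whole-line, case-insensitive comparison, as mail systems treat addresses).
    if ! openssl x509 -in "$cert" -noout -email | grep -qixF "$from"; then
        echo "FAIL: no email address in the certificate matches $from"
        return 1
    fi

    # 4. Trusted chain: verify against the given CA bundle, or the system store.
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
            || { echo "FAIL: chain does not verify against $ca"; return 1; }
    else
        openssl verify "$cert" >/dev/null 2>&1 \
            || { echo "FAIL: chain does not verify against the system trust store"; return 1; }
    fi

    echo "OK: $cert is usable for $from"
    return 0
}

# ---- Constructed demo -------------------------------------------------------
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A throw-away self-signed certificate standing in for one issued by a real CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=Alice Example" \
    -addext "subjectAltName=email:alice@example.com" 2>/dev/null

# The .p12 a browser export would produce (password is a constructed demo value).
openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -out "$WORK/alice.p12" -passout pass:demo-export-password

p12_cert "$WORK/alice.p12" demo-export-password "$WORK/from_p12.pem"

# The self-signed certificate is its own trust anchor here; with a CA-issued
# certificate pass the issuing CA's bundle, or omit it to use the system store.
smime_cert_check "$WORK/from_p12.pem" alice@example.com "$WORK/cert.pem"
```

Run it against the certificate your CA delivered (or the .p12 you exported) with the exact From: address configured in Zimbra; a FAIL on step 3 is the mismatch that makes S/MIME silently stop working.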
Steps for Generating and Using S/MIME with Zimbra
Zimbra Web Client ("ZWC")
- Be sure your ZCS server is installed with the Network Edition version of the product, and has S/MIME enabled via the license.
- Follow the instructions at one of the sites above to acquire your free S/MIME cert. This installs the S/MIME cert into your chosen browser (or, in some cases, such as Chrome on a Mac, into your OS keystore). Please note: there have at times been problems exporting certs from some browsers; Chrome in particular used to have a problem, but it appears to be working properly now. You will likely be required to create a revocation password.
- Importing your S/MIME certificate into the browser may require a password for the certificate or the browser configuration.
- In Zimbra Web Client, reload the browser (restart browser, or shift-reload page), then go to Preferences -> Zimlets, and make sure the Zimlet called "Secure Email" is enabled.
- In Zimbra Web Client, go to Preferences -> Security, and confirm that the Secure Email Zimlet is finding the S/MIME certificate in your browser. You should see the S/MIME Certificate listed; generally the "Auto (remember last setting)" option is preferred.
- When composing a new message or replying, you should now see a pull-down box offering "Don't Sign", "Sign" or "Sign and Encrypt". The basic definitions of these are the following:
  - Sign: digitally validate that you are the sender of a message
  - Encrypt: encrypt the composed message for one or more recipients. In order to encrypt, you must have previously received a signed message from each recipient, so that Zimbra has stored that user's public S/MIME certificate.
Importing your Certificate into another Browser
- In your Browser Preferences or Keystore, locate the Certificate (usually in an area called "Your Certificates" or "My Certificates"), and then right-click to select "Export Certificate"
- Export the certificate to a file type of pkcs12 (typically with a file extension of .p12). This file contains your private key, so it must be kept safe. The export may ask you for a password to secure the certificate file, so be sure to use a good one. If someone else were to get hold of your .p12 file and its password, they could import that S/MIME cert as themselves, and use it to impersonate you or read your encrypted email.
- From your other browser, import the certificate file and enter the password used to secure the file.
Importing into iOS
- You'll first need to get the pkcs12 file over to your iOS device. The easiest ways to do so are Zimbra Briefcase, Dropbox, or sending it to yourself as an email attachment. Note that you want to keep this file as secure as possible, and unencrypted email is a relatively untrusted means of transfer (unless you already have S/MIME installed, which is a catch-22). Using Zimbra Briefcase may be the most secure, as it keeps the file within a single, trusted system.
- Zimbra Briefcase example (other methods are similar): Upload your .p12 file into your Zimbra Briefcase. Then, using Safari on iOS, log in to your mail server using the Zimbra Mobile interface. Select Briefcase, browse to the appropriate Briefcase, then tap the .p12 file.
- This will open up your iOS Settings application, and ask if you want to install the Certificate in your iOS device as a new Profile. Accept the install.
- Enter your .p12 password, as generated above.
- Now, go to Settings -> Mail, Calendar, Contacts in iOS, and find the account whose address matches your S/MIME certificate. Select the Account, then select the "Account" option again, scroll to the bottom, and set the "S/MIME" slider to On. You can set the defaults for "Sign" and/or "Encrypt" here.
- Go to your iOS Mail application; outbound mail will now be signed and/or encrypted as desired.
Should you run into trouble, you can troubleshoot by locating the logs on your filesystem.
- On Windows, the logs are located at %TEMP%\com.zimbra.smime\com.zimbra.smime.log
Now you're smiming, enjoy!