New in version 3.4, Zammad supports S/MIME for high-security email communication.
What is S/MIME?¶
S/MIME is the most widely-supported method for secure email communication. With S/MIME, you can exchange signed and encrypted messages with others.
is proof that a message hasn’t been tampered with or sent by an impersonator.
In other words, it guarantees a message’s integrity and authenticity.
scrambles a message so that it can only be unscrambled by the intended recipient.
In other words, it guarantees privacy and data security.
A certificate and private key for your own organization
(Use this to ✒️ sign outgoing messages and 🔓 decrypt incoming messages.)
Certificates belonging your contacts, or their issuing certificate authority (CA)
(Use these to ✅ verify incoming message signatures and 🔒 encrypt outgoing messages.)
🙋 I’m new to S/MIME. Where can I get a certificate?
The easiest way to get certificates is to buy an annual subscription through a commercial CA, such as:
(Zammad is not affiliated with these CAs in any way.)
You can also generate your own self-signed certificates, but the process is complicated and usually 🙅 involves extra work for your contacts.
Bear in mind that 🤝 S/MIME only works if the other party is using it, too.
S/MIME is disabled by default. Enable it to start adding certificates.
- Add Certificate
Import public-key certificates for both your own organization and your contacts.
🕵️ ALWAYS verify certificates in-person or over the phone!
The whole point of signatures is to alert you when someone is trying to pretend to be someone they’re not. Never accept a certificate from someone online without verifying it first.
📇 What about trusted certificate authorities?
In some cases (e.g., when dealing with large enterprises), you may be given a certificate for an entire CA, rather than a single contact. Add it here to trust all certificates issued by that CA.
Commercial CAs can usually be verified online. Zammad does not include a list of built-in, trusted CAs.
- Add Private Key
Once you’ve added a public-key certificate, you can import its matching private key.
Private keys are for your own organization only; never ask your contacts for their private keys.
📤 Certificates and private keys must be uploaded separately.
If your certificate and private key are bundled together in the same file or PEM block, import it twice (once using each button).
The ticket composer will set all outgoing messages to signed and encrypted by default (assuming the required certificates exist).
These defaults can be modified on a per-group basis:
Of course, agents can always manually change these settings on each email they send out.
- I received a signed/encrypted email before I set up S/MIME integration
No problem. Once S/MIME has been enabled and the appropriate certificates have been added, agents will be prompted to retry verification/decryption on matching emails.
- The 🔒 Encrypt button is disabled
- Have you added the recipient’s certificate?
- Are you sure the recipient’s certificate is valid?
- Have you checked your
production.logfor more details?
- The ✅ Sign button is disabled
- Have you added both the certificate and private key for your organization?
- Does the email address on the certificate match the email address of the agent/group composing the email?
- Error: “Fingerprint already taken”
- Are you sure you haven’t added this certificate already?
- Error: “❌ invalid byte sequence in UTF-8”
- Please ensure to provide PEM formatted certificate and keys.
- Did you check if the provided file is a valid certificate or key?