S/MIME Email Encryption
Secure your email communications with S/MIME (Secure/Multipurpose Internet Mail Extensions) digital signatures and encryption in SOGo webmail. This guide covers certificate setup, configuration, and daily usage of S/MIME for enhanced email security.
What is S/MIME?
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. It provides:
Digital Signatures
Verify the identity of the sender and ensure the message hasn't been tampered with during transmission.
Message Encryption
Protect the content of your emails from unauthorized access by encrypting the message body and attachments.
Prerequisites
Before setting up S/MIME in SOGo, you'll need:
- ✓ S/MIME Certificate: A valid S/MIME certificate (also called a personal certificate) from a Certificate Authority (CA) or your organization's PKI
- ✓ Certificate Format: Your certificate in PKCS#12 format (.p12 or .pfx file) containing both your private key and public certificate
- ✓ Certificate Password: The password protecting your PKCS#12 file
- ✓ Modern Browser: A recent version of Chrome, Firefox, Safari, or Edge
Obtaining an S/MIME Certificate
You can obtain an S/MIME certificate from various sources:
- DigiCert: Offers personal and enterprise S/MIME certificates
- Sectigo (formerly Comodo): Provides affordable personal certificates
- GlobalSign: Enterprise-focused S/MIME solutions
- Entrust: Personal and corporate certificate options
Cost: Typically $20-100 per year for personal certificates
- Actalis: Offers free personal S/MIME certificates valid for one year
- CERTUM: Provides free email certificates with basic validation
Note: Free certificates may have limitations in terms of validation level and recognition by email clients.
Many organizations operate their own Certificate Authority (CA) and issue S/MIME certificates to employees. Contact your IT department to:
- Request an S/MIME certificate
- Get instructions for your organization's specific process
- Obtain the root CA certificate if needed
Installing Your S/MIME Certificate
Follow these steps to install your S/MIME certificate in SOGo:
Step 1: Access Certificate Settings
- Log in to SOGo webmail
- Click on the Preferences icon (gear icon) in the top-right corner
- Navigate to Mail → Security
- Find the S/MIME section
Step 2: Import Your Certificate
- Click Import Certificate
- Select your PKCS#12 file (.p12 or .pfx)
- Enter the password for your certificate file
- Click Import
- Certificate subject (your email address)
- Issuer information
- Validity dates
- Serial number
Step 3: Configure Default Settings
Set your preferences for S/MIME usage:
- Default signing certificate: Select your imported certificate
- Sign messages by default: Enable if you want to sign all outgoing emails
- Encrypt messages by default: Enable for automatic encryption (when recipient certificates are available)
Click Save to apply your settings.
Using S/MIME in SOGo
Signing Emails
Digital signatures verify your identity and ensure message integrity:
- Compose a new email
- Look for the Security options in the compose window
- Click the Sign button or checkbox
- Send your email as usual
Encrypting Emails
Encryption protects your message content from unauthorized access:
- Compose a new email
- Add recipient(s) who have S/MIME certificates
- Click the Encrypt button or checkbox
- Send your email
Automatic Certificate Management
SOGo simplifies certificate management:
- When you receive a signed email, SOGo automatically extracts and stores the sender's certificate
- Certificates are saved in your personal address book
- You can view stored certificates in Address Book → contact details → Certificates tab
- These certificates enable you to send encrypted emails to those contacts
Advanced S/MIME Features
Certificate Management
Viewing Certificate Details
- Go to Preferences → Mail → Security
- Click on your certificate
- View issuer, validity, and key usage
Managing Multiple Certificates
- Import multiple certificates
- Set different certificates for different identities
- Choose certificates per email
Certificate Renewal
Before your certificate expires:
- Obtain a new certificate from your CA
- Import the new certificate in SOGo
- Update your default signing certificate
- Remove the expired certificate (optional)
Troubleshooting Certificate Issues
- Verify the file is in PKCS#12 format (.p12 or .pfx)
- Check that the password is correct
- Ensure the certificate includes the private key
- Try converting the certificate using OpenSSL if needed
- Verify you have the recipient's public certificate
- Check if the recipient's certificate is valid and not expired
- Ask the recipient to send you a signed email
- Manually import their certificate if needed
- Check if the certificate chain is complete
- Verify the root CA is trusted
- Ensure system time is correct
- Update SOGo's trusted certificate store if needed
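The import checks listed above (PKCS#12 format, password, private key present, OpenSSL conversion) can be run locally before uploading the file. This is an added example, not SOGo code; the function names, the `P12_PASS` environment variable and the seven-day expiry margin are assumptions of the sketch.

```shell
#!/usr/bin/env bash
# Added example, not SOGo code. The bundle password is read from the P12_PASS
# environment variable (an assumption of this sketch) so it stays off the command line.

# p12_has_key FILE: 0 if the bundle opens with P12_PASS and holds a private key.
# -info -noout lists the bag types without writing the key anywhere.
p12_has_key() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -info -noout 2>&1 \
        | grep -Eq 'Shrouded Keybag|Key bag'
}

# p12_email FILE: e-mail address(es) carried by the user certificate.
p12_email() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -email
}

# p12_valid_for FILE DAYS: 0 if the user certificate is still valid DAYS from now.
p12_valid_for() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null \
        | openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# pem_to_p12 KEY CERT OUT: bundle a PEM key and certificate as PKCS#12.
pem_to_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:P12_PASS
}

# preflight FILE: one-line verdict before importing the bundle.
preflight() {
    p12_has_key "$1" || { echo "no private key, or wrong password/format"; return 1; }
    p12_valid_for "$1" 7 || { echo "expires within 7 days (or already expired)"; return 2; }
    echo "ok: $(p12_email "$1")"
}
```

Bundles written by older tools with RC2 or 3DES protection may need `-legacy` added to the `openssl pkcs12` calls under OpenSSL 3.x.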
S/MIME Best Practices
Do's
- ✓ Keep your private key secure
- ✓ Use strong passwords for PKCS#12 files
- ✓ Renew certificates before expiration
- ✓ Verify recipient certificates before encrypting
- ✓ Back up your certificates securely
- ✓ Sign emails to build your web of trust
Don'ts
- ✗ Share your private key or certificate password
- ✗ Use expired certificates
- ✗ Store certificates on unsecured devices
- ✗ Ignore certificate warnings
- ✗ Use self-signed certificates for external communication
- ✗ Encrypt without verifying recipient capability
Integration with Other Email Clients
S/MIME certificates configured in SOGo can be used with other email clients:
| Email Client | S/MIME Support | Notes |
|---|---|---|
| Microsoft Outlook | Full Support | Native S/MIME integration |
| Apple Mail | Full Support | Built-in S/MIME features |
| Mozilla Thunderbird | Full Support | Native S/MIME support |
| Gmail Web | Limited | Requires browser extension |
| Mobile Clients | Varies | Check specific app capabilities |
Frequently Asked Questions
Both provide email encryption and signing, but they differ in approach:
- S/MIME: Uses centralized Certificate Authorities, integrated into most email clients, easier for enterprise deployment
- PGP: Decentralized web of trust model, requires separate software/plugins, more popular in technical communities
SOGo supports both standards, allowing you to choose based on your needs.
Yes, you can export your certificate (including the private key) and import it on other devices. However:
- Always use secure transfer methods
- Protect exported certificates with strong passwords
- Consider the security implications of having your private key on multiple devices
- Some organizations may have policies against this practice
When your certificate expires:
- You can't sign new emails with the expired certificate
- Recipients may see warnings when verifying old signatures
- You can't encrypt new emails (but can decrypt old ones)
- You'll need to obtain and install a new certificate
SOGo will notify you before expiration. Plan to renew at least a week before expiry.
S/MIME provides strong security when properly implemented:
- Uses industry-standard cryptographic algorithms
- Private keys never leave your control
- Encryption protects message content and attachments
- Digital signatures prevent tampering
However, metadata (subject, recipients) remains visible, and security depends on proper certificate management and CA trustworthiness.
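What these guarantees look like on the wire, as an added example that is not SOGo code: OpenSSL's `smime` tool signs and encrypts a constructed message with a throwaway self-signed identity, showing that a changed body fails verification and that the Subject header stays readable after encryption. The function names, addresses and message text are made up for the illustration.

```shell
#!/usr/bin/env bash
# Added example, not SOGo code. Identity, addresses and message text are constructed.

# make_demo_identity DIR: throwaway self-signed key.pem/cert.pem (stands in for a CA-issued one).
make_demo_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=Demo User/emailAddress=demo@example.test" 2>/dev/null
}

# sign_mail DIR BODYFILE OUT: clear-signed multipart/signed message.
sign_mail() {
    openssl smime -sign -text -in "$2" -out "$3" \
        -signer "$1/cert.pem" -inkey "$1/key.pem" 2>/dev/null
}

# verify_mail DIR MESSAGE: 0 only if the signature matches the content and the
# signer chains to the trusted certificate (here the demo certificate itself).
verify_mail() {
    openssl smime -verify -text -in "$2" -CAfile "$1/cert.pem" \
        -out /dev/null 2>/dev/null
}

# encrypt_mail DIR SUBJECT BODYFILE OUT: encrypt to the recipient's certificate.
encrypt_mail() {
    openssl smime -encrypt -aes256 -subject "$2" -in "$3" -out "$4" "$1/cert.pem"
}

# decrypt_mail DIR MESSAGE: needs the recipient's private key.
decrypt_mail() {
    openssl smime -decrypt -in "$2" -recip "$1/cert.pem" -inkey "$1/key.pem"
}

# demo: walk through all three properties; call it after sourcing this file.
demo() {
    d=$(mktemp -d) && make_demo_identity "$d" || return 1
    printf 'Pay 100 EUR to account A\n' > "$d/body.txt"
    sign_mail "$d" "$d/body.txt" "$d/signed.eml"
    verify_mail "$d" "$d/signed.eml" && echo "signed: verifies"
    sed 's/100 EUR/900 EUR/' "$d/signed.eml" > "$d/tampered.eml"
    verify_mail "$d" "$d/tampered.eml" || echo "tampered: rejected"
    encrypt_mail "$d" "Q3 invoice" "$d/body.txt" "$d/enc.eml"
    grep '^Subject:' "$d/enc.eml"            # header is still readable
    grep -c '100 EUR' "$d/enc.eml" || true   # body text is not (count 0)
    rm -rf "$d"
}
```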