SMIME: Import users certificate to contacts from signed email

twokeys
Posts: 41
Joined: Sat Sep 13, 2014 2:57 am

SMIME: Import users certificate to contacts from signed email

Post by twokeys »

I am testing the SMIME Web Client feature, which is pretty nice. But I find it's going to be very difficult to show people how to do this because I send them their .p12 file (I generate it from our CA), then they need to import it in under "Secure Mail" and put their password in. Then, they need to convert it to .pem format to get their public certificate. Then they need to send the .pem file to anybody they want to receive encrypted emails from.

If someone sends me a signed email, there should be an "Import certificate to contact" button or something. Isn't the whole point of sending signed emails initially so that you can automatically trade your public certificate without all the extra hassle of converting your .p12 to pem and manually sending the .pem as an attachment and then importing it?

I can't imagine trying to teach 300 users how to do this, some of them barely know what a start menu is.

Thanks for any help, I am wondering if this should be moved to a feature request?
Last edited by twokeys on Thu Apr 25, 2019 5:11 pm, edited 2 times in total.
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: Is there not an easier way to import another users certificate into your address book to send encrypted email?

Post by pup_seba »

Hi,

Unless I'm mistaken, Zimbra is supposed to import the public key to the user in the contact lists automatically. So maybe you need to create the contact so it automatically saves the public key? I remember just needing to exchange mails signed to have the public key from others and give my public key to others.

Certificate management is what it is, either for Zimbra or to make your tax declaration (at least in Spain you can do it with personal certificates), certificates will always need to be imported into the certificate store and depending on your browser/OS combo, there could be more than one way to do it. I think there are some third party solutions (quite expensive and for big companies) to ease the certificate management for users and mail encryption, but I can't remember its name.

Most of the people I know, after they understand what it means to manage certificates, certificate expirations and renewals, private keys, etc... they realize that after all, mail encryption and certification is not something they actually needed that much, and just reducing the initial target to just a bunch of users works just fine for them. Could that be your case maybe?
twokeys
Posts: 41
Joined: Sat Sep 13, 2014 2:57 am

Re: Is there not an easier way to import another users certificate into your address book to send encrypted email?

Post by twokeys »

pup_seba wrote:
Hi,

Unless I'm mistaken, Zimbra is supposed to import the public key to the user in the contact lists automatically. So maybe you need to create the contact so it automatically saves the public key? I remember just needing to exchange mails signed to have the public key from others and give my public key to others.

Certificate management is what it is, either for Zimbra or to make your tax declaration (at least in Spain you can do it with personal certificates), certificates will always need to be imported into the certificate store and depending on your browser/OS combo, there could be more than one way to do it. I think there are some third party solutions (quite expensive and for big companies) to ease the certificate management for users and mail encryption, but I can't remember its name.

Most of the people I know, after they understand what it means to manage certificates, certificate expirations and renewals, private keys, etc... they realize that after all, mail encryption and certification is not something they actually needed that much, and just reducing the initial target to just a bunch of users works just fine for them. Could that be your case maybe?

Oh ok so what you're saying is it *should* be automatic? For some reason mine is not automatically importing to the user's contacts.

I sign from user 1 to user 2
I sign from user 2 to user 1

I expect to be able to sign & encrypt now, but no, it says no public certificates found. I had to export user1 to a pem file, import it to contacts on user 2 and then do the same thing for the other user, and then I was able to encrypt.

Is that how it works on your mail server? Thank you for helping me again.
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: SMIME: Import users certificate to contacts from signed email

Post by pup_seba »

I don't use it, so I couldn't tell how it works for me, sorry.

What I do remember is the public key exchange being automatic once you exchange signed mails. Reviewing the info, I found this, where it says something about being automatic: https://www.zimbra.com/email-server-sof ... ncryption/
twokeys
Posts: 41
Joined: Sat Sep 13, 2014 2:57 am

Re: SMIME: Import users certificate to contacts from signed email

Post by twokeys »

I saw that link you posted, but I also came across this Zimbra blog: https://blog.zimbra.com/2018/04/did-you ... th-s-mime/

Which says the users must do what I said. I am not sure which to believe now, lol.

I will keep digging, thanks for your help!
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain

Re: SMIME: Import users certificate to contacts from signed email

Post by pup_seba »

Hi,

The video you refer to does this:
1. userA sends signed email to userB (2:10)
2. userA imports userB public key manually (3:10)
3. userA sends encrypted email to userB (3:30)

As you can see there, they do it manually. What they should have shown is userB sending an encrypted email to userA after receiving the email from point 1. Does it make sense? They are not showing your specific use case. They are just showing how to send "from scratch" first a signed email and then an encrypted email, but they show this without the automatic key exchange as they always send from the same user and userB never sends an email to userA (which is the way userA could automatically get userB cert).
twokeys
Posts: 41
Joined: Sat Sep 13, 2014 2:57 am

Re: SMIME: Import users certificate to contacts from signed email

Post by twokeys »

Is there anyone who uses the Secure Mail feature who can confirm if this is supposed to work this way?

What does signing the email do if it doesn't import into the recipient's contact list automatically? There is no import button or any way to view their certificate in .pem format for manual import so the whole signing function seems worthless.

So far the best thing I can think of is to have everyone send me their public certificates in .pem format (I am an admin on the mail server) and I will import their public certificates to the galsync address book since it contains every user and is updated when new users are created. Then share the galsync address book to every mailbox via a distribution list.

I hope someone can tell me that the signed email function is bugged out and this isn't by design.

Thanks for any help
twokeys
Posts: 41
Joined: Sat Sep 13, 2014 2:57 am

Re: SMIME: Import users certificate to contacts from signed email

Post by twokeys »

I managed to find this thread where one of the users says it is broken:

http://lists.zetalliance.org/pipermail/ ... 01198.html

I don't see how this is a scalable solution. Some employees don't even know how to turn on their computer but I am supposed to give them a .p12 file with some openssl commands to convert from .p12 to .pem and tell them to email the .pem file to everyone they will be encrypting with?

I hope there's a way to fix this.
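
Added example, not part of the original posts and not Zimbra's own mechanism: using plain OpenSSL, the script below extracts the public certificate from a .p12 without exposing the private key, extracts the signer certificate that a signed message already carries, and compares fingerprints so an admin collecting certificates can confirm they match. The identity, file names and password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example; every name, address and password here is constructed.
set -eu

# Create a throwaway self-signed identity, its .p12, and a signed message in $1.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=User One/emailAddress=user1@example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -passout pass:constructed -out "$1/user1.p12"
    printf 'constructed test body\n' > "$1/body.txt"
    openssl smime -sign -in "$1/body.txt" -signer "$1/cert.pem" \
        -inkey "$1/key.pem" -out "$1/signed.eml"
}

# Public certificate from a .p12 ($1 = file, $2 = password).
# -nokeys keeps the private key out of the output.
p12_public_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null |
        openssl x509 -outform PEM
}

# First certificate embedded in a signed message ($1 = .eml file).
# With a CA chain attached, more than one certificate may be present.
signed_mail_cert() {
    openssl smime -pk7out -in "$1" | openssl pkcs7 -print_certs |
        openssl x509 -outform PEM
}

# SHA-256 fingerprint of a PEM certificate read from stdin.
fingerprint() { openssl x509 -noout -fingerprint -sha256; }

demo() {
    dir=$(mktemp -d)
    make_fixture "$dir"
    echo "from .p12:        $(p12_public_cert "$dir/user1.p12" constructed | fingerprint)"
    echo "from signed mail: $(signed_mail_cert "$dir/signed.eml" | fingerprint)"
    rm -rf "$dir"
}
demo
```

Matching fingerprints show that the certificate inside the signed message is the same one exported from the .p12; whether it should be trusted still depends on validating it against the issuing CA.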