Secure Email

Zammad supports two systems for secure email communication:

  • PGP (Pretty Good Privacy)

  • S/MIME (Secure/Multipurpose Internet Mail Extensions)

Both systems allow you to exchange signed and encrypted messages with others.

Prerequisites

  • Both features are optional. If you don’t see the Encrypt and Sign buttons in the email article editor, your administrator hasn’t activated them yet.

  • PGP and S/MIME only work if the other party is using them too.

  • Your administrator is responsible for adding all necessary certificates and keys in Zammad’s admin settings.

Hint

Administrators can find configuration details in the admin documentation:

If these requirements are met, the feature should work out of the box and Zammad encrypts, decrypts, signs and verifies signatures of emails if possible. Your admin can define a default behavior for each group. However, you can override the default for each outgoing email article on your own by switching encryption and signing on or off (see example in screenshot below with turned off encryption and activated signing). Read on to learn more about it and to find common errors.

Screenshot shows editor for outgoing email with disabled encryption and enabled signing.

Signing & Encryption

Signing

Signing is a proof that a message hasn’t been manipulated on its way. It guarantees message integrity and authenticity.

Encryption

Encryption scrambles a message so that it can only be unscrambled by the intended recipient. It guarantees message privacy and data security.

Incoming Email

The lock and check icons at the top of a message indicate its encryption and signing status. Click on an incoming message article to expand its details. In the details, you can hover over the security status to see more information.

Status Icons for Incoming Emails

lock

Encrypted for you. Even if intercepted by a third party, they won’t be able to read it.

encryption-error

Cannot be decrypted. Zammad lacks the required key to decrypt this message.

signed

Successfully verified. You can be confident it’s authentic and the content has not been modified.

not-signed

Signature verification failed. Hover over the icon for more information.

Outgoing Email

Use the Encrypt and Sign buttons to turn on encryption and signing for outgoing emails. They are available for new tickets and replies. Hover over the buttons to show details.

Note

Outgoing emails can only be encrypted for a single recipient.

Status Icons for Outgoing Emails

lock

Will be encrypted. Even if intercepted by a third party, they won’t be able to read it.

open-lock

Will not be encrypted.

signed

Will be signed. Recipients can verify that it came from you and that the content has not been modified.

not-signed

Will not be signed.

Troubleshooting

Incoming Email

Sign: Unable to find certificate for validation
Ticket article shows a warning for failed verification of a signed message

Without the sender’s certificate, Zammad cannot verify the message signature. Ask your administrator to add the sender’s certificate to Zammad’s certificate store.

Warning

Always verify certificates in-person or over the phone! The whole point of signature verification is to alert you when someone is trying to pretend to be someone they’re not. Never accept a certificate from someone online without verifying it first.

Encryption: Unable to find private key to decrypt
Ticket article shows a warning for failed decryption of an encrypted message

This message was encrypted with a certificate that does not match any on file. Without a matching private key, Zammad cannot decrypt the message. Ask your administrator to verify your organization’s private key in Zammad’s certificate store, and ask the sender to double-check the public key they used to encrypt the message.

Outgoing Email

The Encrypt button is disabled

Ask your administrator to add the recipient’s certificate to Zammad’s certificate store.

The Sign button is disabled

Ask your administrator to verify your organization’s private key in Zammad’s certificate store.

I can see a PGP and S/MIME button. What should I do?

In special cases, both systems may be configured in your system and a customer may be using both as well. In this case, you have an additional button to switch between PGP and S/MIME security types. Just pick one, make sure encryption and signing is enabled and send your email.