Secure Email
Zammad supports two systems of high-security email communication:
- Pretty Good Privacy (PGP)
- Secure/Multipurpose Internet Mail Extensions (S/MIME)
Prerequisites
Both features are optional; if you don’t see the 🔒 Encrypt and ✅ Sign buttons in the ticket composer, your administrator hasn’t activated either of them yet.
Administrators can learn more here:
PGP and S/MIME only work if the other party uses them too.
Overview
PGP and S/MIME are the most widely supported methods for secure email communication. With either system, you can exchange signed and encrypted messages with others.
Note
In special cases, both systems may be configured in your Zammad instance and a customer may use both as well. In this case, you have an additional button to switch between the PGP and S/MIME security types. Otherwise, you just see the 🔒 Encrypt and ✅ Sign buttons.
- Signing is proof that a message hasn’t been manipulated in transit. In other words, it guarantees message integrity and authenticity.
- Encryption scrambles a message so that it can only be unscrambled by the intended recipient. In other words, it guarantees message privacy and data security.
Your administrator is responsible for adding all the necessary certificates and keys in Zammad’s admin panel.
📬 Incoming
The 🔒 and ✅ icons at the top of a message indicate its encryption and signing status:
- Encrypted: This message was encrypted for you. Even if it was intercepted by a third party (hacker, gov’t agency, etc.), they won’t be able to read it.
- Cannot be decrypted: This message cannot be decrypted.
- Signature verified: This message’s signature has been successfully verified. You can be confident that it’s authentic and that the content has not been modified.
- Signature verification failed: The verification of this message’s signature has failed. Hover over the icon for more information.
📮 Outgoing
Use the 🔒 Encrypt and ✅ Sign buttons to turn on encryption and signing for outgoing emails.
Note
Outgoing emails can only be encrypted for a single recipient.
The button states mean the following:
- Encrypt on: This message will be encrypted. Even if it’s intercepted by a third party (hacker, gov’t agency, etc.), they won’t be able to read it.
- Encrypt off: This message will not be encrypted.
- Sign on: This message will be signed. Recipients can verify that it came from you and that the content has not been modified.
- Sign off: This message will not be signed.
Troubleshooting
📬 Incoming
- “Sign: Unable to find certificate for validation”
Without the sender’s certificate, Zammad cannot verify the message signature.
Ask your administrator to add the sender’s certificate to Zammad’s certificate store.
Warning
🕵️ ALWAYS verify certificates in-person or over the phone!
The whole point of signature verification is to alert you when someone is trying to pretend to be someone they’re not. Never accept a certificate from someone online without verifying it first.
- “Encryption: Unable to find private key to decrypt”
This message was encrypted with a certificate that does not match any on file. Without a matching private key, Zammad cannot decrypt the message.
Ask your administrator to verify your organization’s private key in Zammad’s certificate store, and ask the sender to double-check the public key they used to encrypt the message.
Hint
📢 Your public key can be safely shared with anyone.
(But if they’re smart, they’ll take extra precautions to make sure it really belongs to you.)
📮 Outgoing
- The 🔒 Encrypt button is disabled
Ask your administrator to add the recipient’s certificate to Zammad’s certificate store.
- The ✅ Sign button is disabled
Ask your administrator to verify your organization’s private key in Zammad’s certificate store.
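The following shell script is an added example, not part of the Zammad documentation or Zammad’s own code. It reproduces, with the OpenSSL command line, the four situations this page describes: a signature that verifies because the sender’s certificate is in the trust store, a signature that cannot be verified because that certificate is missing, a signed message that was modified in transit, and a message that only the recipient’s private key can decrypt. Everything in it is constructed for the demo: the two parties “sender” and “recipient” get throwaway self-signed certificates in a temporary directory, the ticket text is made up, and the trust store is simply a PEM file passed with `-CAfile`. It assumes the `openssl` binary is installed.

```shell
#!/bin/sh
# Added example (not Zammad code): S/MIME signing, verification, encryption and
# decryption with the OpenSSL CLI, showing the success and failure states that
# the Secure Email page describes. All identities and the message are
# constructed for this demo and live in a temporary directory.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Create a private key plus a self-signed certificate for one party ($1).
# A real deployment uses CA-issued certificates; self-signed ones are enough
# to show the mechanics, and the PEM file doubles as a "certificate store".
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Signing: wrap plain.txt in a multipart/signed structure using the sender's
# private key. This is what lets a recipient detect later modification.
sign_message() {
    openssl smime -sign -in "$WORK/plain.txt" -out "$WORK/signed.eml" \
        -signer "$WORK/sender.crt" -inkey "$WORK/sender.key"
}

# Verify a signed message ($1) against a trust store ($2, PEM file of trusted
# certificates). Returns 0 when the signature checks out, non-zero otherwise,
# and writes the verified content to verified.txt.
verify_message() {
    openssl smime -verify -in "$1" -CAfile "$2" \
        -out "$WORK/verified.txt" >/dev/null 2>&1
}

# Simulate modification in transit: change one word of the clear-signed body
# without touching the signature part. The result goes to tampered.eml.
tamper_signed_message() {
    sed 's/please confirm/please ignore/' "$WORK/signed.eml" > "$WORK/tampered.eml"
}

# Encryption: only the holder of the recipient's private key can unscramble
# the result, because the content key is wrapped with the recipient's public key.
encrypt_message() {
    openssl smime -encrypt -aes256 -in "$WORK/plain.txt" \
        -out "$WORK/encrypted.eml" "$WORK/recipient.crt"
}

# Decrypt with the key pair named by $1 ("sender" or "recipient"). Returns
# non-zero when that private key does not match any recipient of the message.
decrypt_message() {
    openssl smime -decrypt -in "$WORK/encrypted.eml" \
        -recip "$WORK/$1.crt" -inkey "$WORK/$1.key" \
        -out "$WORK/decrypted.txt" >/dev/null 2>&1
}

# Constructed sample message and identities.
printf 'Ticket #12345: please confirm the invoice.\n' > "$WORK/plain.txt"
make_identity sender
make_identity recipient
sign_message
tamper_signed_message
encrypt_message

# Run one scenario ($1 = label, rest = command) and report the outcome.
scenario() {
    label="$1"; shift
    if "$@"; then echo "$label: ok"; else echo "$label: failed"; fi
}

scenario "verify, sender cert in store"            verify_message "$WORK/signed.eml"   "$WORK/sender.crt"
scenario "verify, sender cert missing from store"  verify_message "$WORK/signed.eml"   "$WORK/recipient.crt"
scenario "verify, message modified in transit"     verify_message "$WORK/tampered.eml" "$WORK/sender.crt"
scenario "decrypt with recipient private key"      decrypt_message recipient
scenario "decrypt with sender private key"         decrypt_message sender
```

The second scenario is the command-line counterpart of “Sign: Unable to find certificate for validation”: the signature is intact, but nothing in the trust store vouches for the signer, so the message is reported as unverifiable. The last scenario mirrors “Encryption: Unable to find private key to decrypt”: the ciphertext is fine, but the key on hand does not match the certificate it was encrypted for. Which certificates you place in the trust store (here, the `-CAfile` argument) is exactly the decision the Warning above asks you to make only after verifying them out of band.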