The Best Open Source Email & Collaboration Software

English English down

S/MIME with Z-Push - signing and en-/decrypting of emails on mobile devices


Usage of mobile devices for corporate purposes has gain a lot of popularity over the last few years in all kinds of companies. It is possible to access almost every information using a smartphone or a tablet. This includes sensitive data like business emails, calendar items, contacts. It is an important requirement to protect this data and there is growing interest in solutions which offer that.

Encryption is very useful in achieving this goal because it can protect data in transit (moving from one place to another, e.g. sending an email) as well as at rest (data is saved on some storage, e.g. encrypted email saved on a mobile device). An encryption system must be based on standards which allow information exchange between a variety of messaging systems or otherwise it will have only limited usage. The standard used for message encryption on the Internet is Secure/Multipurpose Internet Mail Extensions (S/MIME). S/MIME is on an Internet Engineering Task Force (IETF) standards track and has been implemented by major operating systems and collaboration software vendors. S/MIME provides authentication, message integrity, non-repudiation of origin (using digital signatures), privacy and data security (using encryption) for electronic messaging applications. It requires a X.509-format digital certificate for each sender and recipient, so that public-key infrastructure (PKI) setup is the major part of S/MIME deployment.

Implementing S/MIME with mobile devices

Currently all major vendors of operating systems on mobile devices (Windows Mobile, iOS, Android, Blackberry)¹ offer S/MIME support for their products. The implementation as such might be different depending on a particular device. The devices offer different messaging security options, e.g. Samsung Galaxy SII lets an user to select the desired encryption or signing algorithm whereas it's limited to the certificate on iOS devices. And of course there are mobile phones which do not implement S/MIME. Nevertheless they should be able at least to display the sender and the subject of an encrypted email and not to break the synchronisation entirely.

S/MIME with Z-Push

Z-Push is an open source implementation of the ActiveSync protocol which is used to synchronize multi platform ActiveSync capable devices. Z-Push is implemented in PHP and PHP has a built-in support for X.509-format certificate processing, so that all required functionality is available out of the box. The email application on the device does the en-/decryption of emails itself, Z-Push is just the middleware passing the encrypted data from/to the server to/from the mobile device. Taking that into account the only challenge in PHP was the certificate verification because the devices query the server for this purpose. The PHP function openssl_x509_checkpurpose uses system's openssl command under the hood therefore a correctly configured folder for the certificate authority (CA) with CA trusted files is required as a parameter. Practically it means that besides the CA directory no further configuration is required for Z-Push.

PKI setup

The major part of S/MIME deployment is the PKI setup. It includes the public-private key/certificate obtaining, their management in directory service and roll-out to the mobile devices. Individual certificates can either be obtained from a local (company intern) or a public CA. There are various public CAs offering certificates: commercial ones e.g. Symantec or Comodo or community-driven e.g.
Both most popular directory services Microsoft Active Directory (MS AD) and free open source solution OpenLDAP allow to save certificates. Private keys/certificates reside in user's directory or on a smartcard. Public certificates are saved in directory. MS AD and OpenLDAP both use userCertificate attribute to save it.

Configuring mobile devices

The user needs to import his private certificate on the mobile device in order to de-crypt encrypted messages. The devices require certificate in PKCS#12 format (.pfx or .p12 extension). If the certificate was added to a browser, it is possible to retrieve it from the browser (choose backup or export for the appropriate certificate). Windows users can export certificates using MMC. A how to is available here: If you have to convert a certificate you can refer to:
One way to import the certificate onto mobile devices is to send it as an attachment per email. The device recognizes it as a private key and imports it to the device. Another possibility is to copy the export PKCS#12 file on the storage (e.g. SD card) and open it on the device.
After importing the private certificate it is necessary to configure the account to use it. The devices which support S/MIME have a security or S/MIME option in account's settings. Activating it will allow to select an available certificate or add new.

Enable s-mime


Behind the scenes - signing and en-/decrypting emails

This parts explains what happens when an encrypted or signed messages arrives and when an user sends an encrypted message.
A digitally signed email contains the sender's signature as application/x-pkcs7-signature content type attachment (it is a base64 encoded signature). The device has to validate the signature. Therefore it sends a ValidateCert request to Z-Push to check if the certificate is valid. Z-Push checks it using the openssl_x509_checkpurpose function mentioned above and sends the response. In the "From:" line on the mobile device the user sees if the validation was successful or failed. In Z-Push log file there is more information available.

An encrypted email is transmitted as application/x-pkcs7-mime content type message. The device decrypts it using the private key of the recipient. This part occures entirely on the device and no communication with Z-Push takes place. If email was encrypted and signed, the mobile will check the signature of the sender after decrypting it.

In order to send an encrypted message, the public key of the recipient is necessary. The mobile device sends ResolveRecipients command with the email address(-es) in the recipient list. Z-Push searches for this (these) email address(-es) in the Global Address List and private contacts. If there is a public folder with contacts, Z-Push will look up it for certificates either. In case that there is a public certificate associated with the email address and it is valid, Z-Push sends it to the device and the it uses that key for the email encryption.


Data protection is an important topic for every company. The newer mobile devices offer a possibility to send and receive encrypted emails. Using Z-Push with ZCP is simple but effective way to secure email communication.


¹At time of writing this blog post, Windows Phone 7 and 8 devices lack the native S/MIME implementation in their email client.



Post new comment


Jobs at Zarafa

View zarafa tour 2013 video

Zarafa customers