S/MIME with Z-Push

From Zarafa wiki

Jump to: navigation, search

Contents

S/MIME with Z-Push

Z-Push supports signing and en-/decrypting of emails on mobile devices since the version 2.0.7.

PKI setup

The major part of S/MIME deployment is the PKI setup. It includes the public-private key/certificate obtaining, their management in directory service and roll-out to the mobile devices. Individual certificates can either be obtained from a local (company intern) or a public CA. There are various public CAs offering certificates: commercial ones e.g. Symantec or Comodo or community-driven e.g. CAcert.org. Both most popular directory services Microsoft Active Directory (MS AD) and free open source solution OpenLDAP allow to save certificates. Private keys/certificates reside in user's directory or on a smartcard. Public certificates are saved in directory. MS AD and OpenLDAP both use userCertificate attribute to save it.

Z-Push configuration

It might be possible that PHP functions require CA information in order to validate certs. Therefore the CAINFO parameter in the config.php must be configured propertly.

Configuring mobile devices

The user needs to import his private certificate on the mobile device in order to de-crypt encrypted messages. The devices require certificate in PKCS#12 format (.pfx or .p12 extension). If the certificate was added to a browser, it is possible to retrieve it from the browser (choose backup or export for the appropriate certificate). Windows users can export certificates using MMC. A how to is available here: http://blogs.technet.com/b/exchange/archive/2007/06/07/3403124.aspx. If you have to convert a certificate you can refer to: https://www.sslshopper.com/ssl-converter.html. One way to import the certificate onto mobile devices is to send it as an attachment per email. The device recognizes it as a private key and imports it to the device. Another possibility is to copy the export PKCS#12 file on the storage (e.g. SD card) and open it on the device. After importing the private certificate it is necessary to configure the account to use it. The devices which support S/MIME have a security or S/MIME option in account's settings. Activating it will allow to select an available certificate or add new.

LDAP/AD notes

In Active Directory the public key for contacts from GAB is saved in PR_EMS_AB_TAGGED_X509_CERT (0x8C6A1102) property and if you save a key in a contact it's PR_USER_X509_CERTIFICATE (0x3A701102). In LDAP public key for contacts from GAB is saved in userCertificate property. It should be mapped to 0x3A220102 in ldap.propmap.cfg (0x3A220102 = userCertificate). Make sure it looks like this in LDAP:

userCertificate;binary:: MIIFGjCCBAKgAwIBAgIQbRnqpxlPa...

Additional notes

Attention: Currently only Android 4.X and higher and iOS 5 and higher devices are known to support encryption/signing of emails.

For in-depth information please refer to: http://www.zarafa.com/blog/post/2013/05/smime-z-push-signing-and-en-decrypting-emails-mobile-devices

Personal tools