S/MIME Configuration
Email encryption and signing with S/MIME
todo4teams offers you the possibility of exchanging strongly encrypted and signed emails with your customers according to the S/MIME standard.
S/MIME is the most common standard for email encryption, is excellently supported by email programs such as Microsoft Outlook or Mozilla Thunderbird, and is considered extremely secure.
Explanation of terms
With S/MIME, emails can be signed and/or encrypted - i.e. an email can be signed but not encrypted, encrypted but not signed, or both signed and encrypted. The terms and procedures are briefly explained below.
In both cases, so-called "asymmetric key pairs" are used. These are two digital keys, one of which can be distributed publicly while the second is kept strictly secret. The two form a pair in that a message encoded with the public key can only be decoded with the secret (private) key. An eavesdropper who reads the message during transmission and does not know the private key cannot decrypt its content.
Signing
When signing an email, the sender uses his private key to add a digital signature to the content of the message. After receipt, the recipient can use the signature and the sender's public key to check whether the message was changed during transmission. However, the content of the message remains readable by third parties during transmission! A valid signature guarantees the recipient that the message actually came from the sender and was not changed on the way.
Encryption
When an email is encrypted, its entire content is encoded with the recipient's public key in such a way that it can only be decoded with the appropriate private key. To do this, the sender must first obtain the recipient's public key - e.g. by receiving a signed email from the recipient.
The recipient can now be sure that no third party could decrypt the content during transmission. However, he cannot be sure of the sender's identity. For that, the sender would have to both encrypt and sign the content:
Signing and Encrypting
If both of the above processes are combined, both the identity of the sender and strong encryption during transmission are ensured.
Application in todo4teams
todo4teams can receive and send both encrypted and/or signed emails.
To receive encrypted messages and send signed messages, the S/MIME certificate and the associated private key must be stored in the email mailbox configuration (see example on the right).
Both must be in PEM format and marked as shown in the figure:
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
or
-----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----
If your S/MIME certificate is in P12 (PKCS#12) or another format, use the openssl command to convert the certificate and private key to PEM format.
Copy the data into the "Certificate" text field and save the settings. Make sure that only trustworthy administrators are granted access rights to these settings! Under no circumstances may the private key fall into the wrong hands.
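As an added example (not part of the todo4teams documentation), the following shell functions perform the conversion described above with the openssl command and then check the result before it is pasted into the mailbox settings: the two PEM headers are exactly the ones expected, the private key belongs to the certificate, and the RSA key has the 2048-bit minimum recommended in the "Security and key length" section. File names and the password are placeholders.

```shell
#!/bin/sh
# Added example: convert a PKCS#12 bundle (.p12/.pfx) into the two PEM blocks
# todo4teams expects and sanity-check them before pasting. Needs openssl on PATH.
# All file names and the password are placeholders chosen for this example.

# extract_pem BUNDLE.p12 PASSWORD CERT_OUT.pem KEY_OUT.pem
extract_pem() {
    bundle=$1; pw=$2; crt=$3; key=$4
    # Leaf certificate only, re-encoded by "openssl x509" so the file holds nothing
    # but the -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block.
    openssl pkcs12 -in "$bundle" -passin "pass:$pw" -clcerts -nokeys 2>/dev/null \
        | openssl x509 -out "$crt" || return 1
    # Private key as unencrypted PKCS#8, which gives the -----BEGIN PRIVATE KEY-----
    # header (not "RSA PRIVATE KEY" or "ENCRYPTED PRIVATE KEY"). umask 077 keeps the
    # file readable by its owner only, since it now holds a plaintext private key.
    ( umask 077
      openssl pkcs12 -in "$bundle" -passin "pass:$pw" -nocerts -nodes 2>/dev/null \
          | openssl pkcs8 -topk8 -nocrypt -out "$key" ) || return 1
}

# check_pair CERT.pem KEY.pem
# Prints "OK <bits>" when both PEM headers are right, the key belongs to the
# certificate, and the (RSA) key is at least 2048 bits; returns non-zero otherwise.
check_pair() {
    crt=$1; key=$2
    grep -q '^-----BEGIN CERTIFICATE-----$' "$crt" || return 2
    grep -q '^-----BEGIN PRIVATE KEY-----$' "$key" || return 3
    # Same public key on both sides: compare digests of the SubjectPublicKeyInfo.
    c=$(openssl x509 -in "$crt" -pubkey -noout | openssl sha256) || return 4
    k=$(openssl pkey -in "$key" -pubout | openssl sha256) || return 4
    [ "$c" = "$k" ] || return 4
    # Key size as reported by openssl ("Private-Key: (2048 bit ...)").
    bits=$(openssl pkey -in "$key" -text -noout \
           | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || return 5
    echo "OK $bits"
}
```

Run `extract_pem smime.p12 'password' smime.crt.pem smime.key.pem && check_pair smime.crt.pem smime.key.pem` and paste the two files only if the check prints `OK`; delete the unencrypted key file once it has been stored in todo4teams.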
Managing your customers' certificates
todo4teams, as a helpdesk tool, does not have an address book with certificate and key storage. In order to reply to an email in encrypted form, the sender (your customer) must sign their email to todo4teams. todo4teams can then use the certificate contained in that signed email to encrypt the reply.
The same applies in the opposite direction: in order for a customer to send you an encrypted email, they need a signed email from you, since a signed email automatically contains your certificate (public key).
Receiving messages
When receiving messages in S/MIME format, you do not need to pay attention to anything special: todo4teams converts the email into a ticket as usual and displays the attached files. A small notice in the ticket header shows you that the message is signed and whether the signature is valid.
Sending messages
In the "Complete" dialog of ticket processing, more precisely in the email tab, you will see two checkboxes with which you control the signing and encryption of the response. These options may be unavailable: if the incoming message does not carry a signature certificate, the response cannot be encrypted; if the mailbox used has no certificate, the response cannot be signed.
If you select both options for the response, the customer will see the response with markings like those shown in the figure, which indicate that the email has been signed and encrypted.
Security and key length
When creating your S/MIME certificate, use key lengths of 2048 or 4096 bits. With these key lengths, S/MIME is currently considered secure, i.e. as long as your private keys are stored securely, the encrypted messages cannot be decoded by hackers or government institutions.