S/MIME client signing certificate attached as smime.p7s


  • Used Zammad version: 3.5.0-1602165773.71bff28e.buster
  • Used Zammad installation source: (source, package, …) Debian package
  • Operating system: Debian Buster
  • Browser + version: chrome latest

Expected behavior:

  • When Zammad receives a signed message from a (new) client with attached a smime.p7s certificate, i.e. like the ones sent out by Thunderbird, the certificate should be saved automatically and used to verify the message signature.

Actual behavior:

  • The smime.p7s certificate is not saved and not used to verify the message signature. Opening the ticket, an error is shown about processing the client’s signature. The only way to get the message signature confirmed is to manually add a .pem version of client’s certificate in the S/MIME section.

Steps to reproduce the behavior:

  • Send a signed message to Zammad with Thunderbird

Maybe I’m missing some config parameters… is there a way to let Zammad recognize and automatically save smime.p7s certificates?


Sorry, but no.
We wrote the functionality exact this way so every instance owner can decide on who to trust (or not).

This is also described within the documentation:

You can, if you must, trust specific CAs of your choice to allow several S/MIME certificates at once without trusting them one by one. But that’s an administrative choice of yours.

Thanks for you reply, I understand your position and I beg to disagree. The whole point of S/MIME is to delegate the trust to the built-in trusted CAs and you should, imho, just do the same, like all the browsers and mail clients out there.

Manual upload and checks would still be needed in case of a certificate signed by a CA not present in the built-in trusted CAs (i.e. /etc/ssl/certs).

I hope you’ll reconsider your decision.

All the best.

Thank you for your feedback.
Please create an enhancement / feature request on this board for that.

Technically you can also change this posts category to feature request to safe your time if you please.

The functionality the way it is right now is the way our sponsors wanted it.
By this you have the full control on who you want to trust and who not. (yes, that’s a use case)

We’re always trying to cover about 80% user base with Zammad as open source product.

As a compromise I’d suggest allowing to import a cert from the ticket view. Of course this should only be allowed for admin accounts but I can imagine workflows to make this work. If a user has no permission for importing a certifiicate just add it with a state of “proposed import by user x” or similar so an admin can just confirm or request additional information.

But I have to agree with admin-gbm: The whole point of S/MIME is to not build your own web of trust like in PGP. Of course I can just upload all the root and intermediate CAs. But still, it’s not about allowing access to the system but to secure communication. As it is it encourages to just skip S/MIME because of the additional hurdles. All the checks if someone really is the person they pretend to be are up to the cert issuer.

I’m sorry, but above still applies.