S/MIME email encryption setup

You can set up S/MIME encryption to improve email security.

This option is only available with an Email Advanced license.

To find out more about the S/MIME implementation in Sophos Email Security before you turn it on, see S/MIME settings.

S/MIME setup

To use S/MIME, you must turn it on and configure it.

The steps you take depend on whether you are new to S/MIME or already have a CA certificate.

If you are new to S/MIME, create a self-signed, local certificate authority (CA) as follows:

  1. Go to My Products > General Settings > S/MIME settings.
  2. Turn on S/MIME - Allow your users to send and receive Secure MIME email.
  3. In Create Certificate Authority (CA), fill in the fields and click Save.

    Your local CA appears in the table of S/MIME components.

    Enable automatic S/MIME certificate extraction is turned on. This means inbound emails with certificates signed by a CA in Local Certificate Authorities are trusted and delivered.

You can send this CA to third-party organizations you want to communicate with.

User certificates

When you've created your local CA, you can create certificates for your users.

To add user certificates, choose whether to create individual certificates or import a list of users, and do as follows:

  • For an individual certificate, click Add user, enter the user's details and click Add.
  • For multiple certificates, click Import users, and create a file with a list of users (if you don't already have one). Find the file and click Upload.

The users appear in your list.

You can then download these and send them to third parties. You might have to do this if a third-party organization can't automatically extract certificates from secure emails, or your certificates aren't signed by a publicly recognized authority.

If you already have a CA certificate, first create a self-signed, local certificate authority (CA).

You must create a new CA, even if you already use certificates from other local or external certificate authorities. You don't have to use it.

To create a self-signed, local certificate authority (CA), do as follows:

  1. Go to My Products > General Settings > S/MIME settings.
  2. Turn on S/MIME - Allow your users to send and receive Secure MIME email.
  3. In Create Certificate Authority (CA), fill in the fields and click Save.

    Your local CA appears in the table of S/MIME components.

    Enable automatic S/MIME certificate extraction is turned on. This means inbound emails with certificates signed by a CA in Local Certificate Authorities are trusted and delivered.

Upload your CA certificate

You can now upload your own CA certificate. If you have a global certificate, see Recognized certificate authorities to find out if Sophos recognizes your certificate authority.

Your CA certificate must be in a PKCS#12 container file with a .p12 extension. If your certificate is in a PFX file, you can convert it with an industry standard tool before you upload it.
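
One way to do the conversion and check the result before you upload it, as an added example that is not part of the Sophos documentation. It assumes OpenSSL as the conversion tool (the page does not name one); the function names, the P12_PASS variable and the throwaway sample certificate are constructed for illustration, and the CA:TRUE check is a sanity check on the file, not a documented Sophos requirement.

```shell
#!/bin/sh
# Added example (not Sophos code). Assumes OpenSSL is the conversion tool.
set -eu

# Re-export PFX $1 as PKCS#12 file $2. The password is read from the P12_PASS
# environment variable so it never appears on the command line.
pfx_to_p12() (
    pem=$(mktemp); trap 'rm -f "$pem"' EXIT   # mktemp creates the file mode 0600
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nodes -out "$pem" 2>/dev/null
    openssl pkcs12 -export -in "$pem" -out "$2" -passout env:P12_PASS
)

# Print "ca" if the certificate paired with the private key asserts CA:TRUE,
# "leaf" if it does not, "unreadable" if the file or password is wrong.
p12_kind() (
    cert=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts \
        2>/dev/null) || { echo unreadable; exit 0; }
    if printf '%s\n' "$cert" | openssl x509 -noout -text | grep 'CA:TRUE' >/dev/null
    then echo ca; else echo leaf; fi
)

# Constructed sample input: throwaway key and self-signed certificate packed
# into $2. $1 names the extension section to apply (ext_ca or ext_leaf).
make_sample_pfx() (
    d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
    cat > "$d/c.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Example
[ext_ca]
basicConstraints = critical,CA:TRUE
[ext_leaf]
basicConstraints = CA:FALSE
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/c.cnf" \
        -extensions "$1" -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/k.pem" -in "$d/c.pem" -out "$2" \
        -passout env:P12_PASS
)

export P12_PASS='constructed-pass'   # constructed sample password
work=$(mktemp -d)
make_sample_pfx ext_ca "$work/ca.pfx"
pfx_to_p12 "$work/ca.pfx" "$work/ca.p12"
p12_kind "$work/ca.p12"
```

The same `pfx_to_p12` step applies to existing user certificates, which the page also requires as .p12 files; for those, `p12_kind` is expected to report `leaf`.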

To upload it, do as follows:

  1. Click User Certificates > Upload Certificate.
  2. In Upload Certificate enter your details.
  3. Click Browse.
  4. Locate the file on your device, then click Upload.

You can now create or upload certificates for your users.

Create user certificates

Every user who wants to send and receive encrypted email must have their own S/MIME certificate. We recommend you create certificates for your users before you set up your policies.

In User Certificates you can see your list of S/MIME certificates.

To add user certificates, choose whether to create individual certificates or import a list of users, and do as follows:

  • For an individual certificate, click Add user, enter the user's details and click Add.
  • For multiple certificates, click Import users, and create a file with a list of users (if you don't already have one). Find the file and click Upload.

The users appear in your list.

Upload certificates

You may already have certificates for some of your users. These must be in a PKCS#12 container file with a .p12 extension.

To upload an existing certificate and allocate it to a user, do as follows:

  1. Click User Certificates > Upload Certificate.
  2. In Upload Certificate enter the user's details.
  3. Click Browse.
  4. Locate the file on your device, then click Upload. The certificate appears in your list.

You can then download these and send them to third parties.

Local Certificate Authorities

Local CAs are sent to you by third parties that you communicate with. If you have Enable automatic S/MIME certificate extraction turned on, inbound emails with certificates signed by a CA in this list are trusted and delivered.

To add a Local Certificate Authority, do as follows:

  1. Click Local Certificate Authorities > Upload.
  2. Click Browse.
  3. Locate the file on your device, then click Upload. The certificate appears in your list.

External S/MIME Certificates

Sophos Email can't verify inbound messages signed by a third party's self-signed certificate until they send you their certificate. You must upload these certificates in External S/MIME Certificates.

  1. Click External S/MIME Certificates > Upload.
  2. Click Browse.
  3. Locate the file on your device, then click Upload. The certificate appears in your list.

Policies

After you've set up S/MIME, go to Email Security > Policies to manage how S/MIME protection interacts with your users.

See Secure Message policy.