Skip to main content


S/MIME, which stands for Secure/Multipurpose Internet Mail Extensions, is a widely accepted protocol for sending digitally signed and/or encrypted messages. It is built into most modern email software and interoperates between them, which makes it one of the most popular ways to send secure emails.

S/MIME uses the principles of public key cryptography. Each user has a pair of keys - a public key, which is made publicly available and used by anyone to encrypt the message, and a private key, which is kept secret by the user and used to decrypt any messages received. To use S/MIME, users must obtain a digital certificate from a trusted certificate authority (CA). The certificate includes the user's public key and is used to verify the identity of the user. The private key is kept securely by the user and is never shared.

Stalwart Mail Server supports S/MIME and can use it to encrypt messages using either AES256-CBC or AES128-CBC symmetric encryption. The choice between AES256-CBC and AES128-CBC depends on the level of security required and the computational resources available. AES256-CBC provides a higher level of security but requires more computational resources, while AES128-CBC is less resource-intensive but still provides a strong level of security.

Obtaining a key pair

S/MIME key pairs are typically obtained by requesting a certificate from a trusted Certificate Authority (CA). These certificates are usually distributed as a PKCS #12 file (also known as a PFX file), which includes the private key paired with the public key (the S/MIME certificate). These files are password protected to ensure the private key remains secure.

After you have your PFX file, it should be imported into your email client. Each email client has a slightly different process for importing the S/MIME certificate, so you'll need to follow the instructions specific to your client. Once you have your S/MIME certificate installed, you can then export and share your public certificate (without the private key) with others to enable them to send you encrypted email.

Please note that the private key from the S/MIME certificate should always remain private and secure. If anyone else gains access to your private key, they can impersonate your identity and decrypt your messages.

Exporting certificates

Using a mail client

S/MIME public certificates, which are necessary for others to send you encrypted email, can be exported from most email clients. The steps vary depending on the email client used, so it's recommended for users to refer to their email client's specific instructions. Within the settings of the email client, users typically have the option to view and export their certificates. Once located, users can select their S/MIME certificate and export the certificate file.

Using MacOS

If the email client doesn't offer an easy way to export the certificate, Mac users have another option. They can use the Keychain Access tool, a password management system in macOS. It stores a variety of data including passwords, certificates, and keys. To export the S/MIME public certificate, users can open the Keychain Access application, locate their S/MIME certificate in the list of keys, and then export the selected certificate.

Using OpenSSL

Alternatively, OpenSSL can also be used to export S/MIME public certificates. This requires some knowledge of command line operations. Here's a basic command that can be used:

$ openssl pkcs12 -in path_to_pfx_file -clcerts -nokeys -out public_cert.pem

Or, if problems are encountered while loading legacy PKCS#12 files, this command may be used instead:

$ openssl pkcs12 -legacy -in path_to_pfx_file -clcerts -nokeys -out public_cert.pem

This command will export the public certificate from the PFX file (path_to_pfx_file) into a PEM formatted file (public_cert.pem). Users should replace path_to_pfx_file and public_cert.pem with the actual paths and names of their files.

Importing certificates

Stalwart Mail Server supports encrypting messages using either a single certificate or multiple certificates. This is particularly useful for scenarios like key rotation, where it may be necessary to transition from an old certificate to a new one, while still maintaining the ability to decrypt messages encrypted with the old certificate.

Stalwart supports both DER and PEM formats for importing certificates. DER format is a binary form of the certificate, whereas PEM (Privacy Enhanced Mail) is a Base64 encoded version of the same certificate, typically encapsulated between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Importing a single certificate can be done be in either DER or PEM format. However, when importing multiple certificates, the PEM format must be used.

For example:


Once the certificates have been obtained, they can be imported using the management interface.