New in Symfony 4.4: Signing and Encrypting Email Messages
October 10, 2019 • Published by Javier Eguiluz
Warning: This post is about an unsupported Symfony version. Some of this information may be out of date. Read the most recent Symfony Docs.
Symfony 4.4 will be released in November 2019. This is the first article of the series that shows the most important new features introduced by this Symfony version.
The new Mailer and Mime components were introduced in Symfony 4.3 to replace the previous solution based on SwiftMailer. In Symfony 4.4 we've improved them with new features to allow signing and encrypting email messages using the S/MIME standard.
Signing a message improves its integrity because it includes a digital signature of the hash of the entire email contents, ensuring that the original contents haven't been modified:
1 2 3 4 5 6 7 8
use Symfony\Component\Mime\Crypto\SMimeSigner;
use Symfony\Component\Mime\Email;
$email = (new Email())->from('...')->to('...')->html('...');
$signer = new SMimeSigner('/path/to/certificate.crt', '/path/to/certificate-private-key.key');
$signedEmail = $signer->sign($email);
// now use the Mailer to send this $signedEmail instead of the original $email
Encrypting a message improves its security because its contents, including any attachments, can only be read if you have the private key associated to the public key used to encrypt them:
1 2 3 4 5 6 7 8
use Symfony\Component\Mime\Crypto\SMimeEncrypter;
use Symfony\Component\Mime\Email;
$email = (new Email())->from('...')->to('...')->html('...');
$encrypter = new SMimeEncrypter('/path/to/certificate.crt');
$encryptedEmail = $encrypter->encrypt($email);
// now use the Mailer to send this $encryptedEmail instead of the original $email
Read the Signing and Encrypting Messages article in the official Symfony documentation to learn more about this feature.
Help the Symfony project!
As with any Open-Source project, contributing code or documentation is the most common way to help, but we also have a wide range of sponsoring opportunities.
Comments are closed.
To ensure that comments stay relevant, they are closed for old posts.
-Encrypting a message improves its security because its contents, including any attachments, can only be read if you have the private key associated to the public key used to encrypt them:
+Encrypting a message improves its security because its contents, including any attachments, can only be read if you have the public key associated to the private key used to encrypt them:
^^ Nevermind, I was confusing things
@Ruben yes, this can be confusing sometimes. Just to be clear: to encrypt an email sent to a person, that person must give you their public key, which is what you use to encrypt the contents ... and then only the person with the private key associated to the public key can read the message.
Amazing.
Do you consider extending this to support GnuPG (PGP) signatures & encryption as well? Creating PGP keys is a bit easier (and cheaper) than obtaining a certificate from a trusted authority. Depending on a situation and scenario, it may be more practical (e.g., for sensitive system notifications).
The documentation for Signing and Encrypting Messages says that you can use a cert from Let's Encrypt, but according to their FAQ:
-- Email encryption and code signing require a different type of certificate that Let’s Encrypt does not issue.
https://letsencrypt.org/docs/faq/#does-let-s-encrypt-issue-certificates-for-anything-other-than-ssl-tls-for-websites
So I'm confused, does it technically work, but will email clients support it?