FAQ

General questions

Will S/Notify encrypt all email messages or only specific notifications?

Once activated, S/Notify will encrypt any email message that is sent from Jira, Confluence or Bitbucket, no matter why they have been generated. 

If, due to a missing or non-matching certificate, encryption is not possible for a specific recipient, S/Notify will handle this message as configured in the Encryption Fallback configuration page (send anyway, send problem report only, or do not send at all). 

Which type of encryption does S/Notify enable?

S/Notify enables Jira, Confluence and Bitbucket to send S/MIME or PGP encrypted emails. It can be configured to support both encryption types at the same time or just one of them, depending on your requirements.

What encryption algorithm is used by S/Notify?

S/MIME

S/Notify follows the S/MIME 3.2 specifications with a preference for AES-256-CBC encryption, yet also supports all ciphers specified in S/MIME 4.0, including AES-GCM. If you want S/MIME 4.0 compliance for outgoing email, please contact our support desk for instructions.

Note that Java versions before Java 1.8 update 162 have only limited cryptography support. If AES-256 encryption cannot be performed because the Java runtime does not support it, S/Notify falls back to using AES-128 encryption.

For details about which Java versions support only limited cryptography and how to change that, please refer to Java Cryptography Support.

PGP

S/Notify selects the encryption algorithm based on the preferences stored on the PGP key, according to the OpenPGP specifications as defined in RFC 4880. If you need to override this and always use a specific cipher, please contact the S/Notify support team for instructions on how to change the encryption algorithm.

Prior to version 3.2.0, S/Notify used AES-128 for PGP email encryption, because of known vulnerabilities in Triple-DES.

Can we use S/Notify to just sign all outgoing emails?

Yes, S/Notify can sign all outgoing emails. Signing is independent from encryption, so you can even have it just sign (and not encrypt) if you want to.

Can I temporarily suspend email encryption?

Yes, admins can disable S/Notify in the app management, which will stop encryption and allow all emails to be sent unencrypted, just as if S/Notify had not been installed at all. However, the log file will display the message: S/Notify is disabled. Emails will not be encrypted.

Encryption can be switched back on any time by re-enabling the app.

Is S/Notify available for Cloud?

We would absolutely love to offer a Cloud edition of S/Notify, but due to limitations in the Atlassian Cloud products, it is currently impossible to provide this functionality in a cloud app because there is no API that would allow us to get hold of the email messages sent by Jira or Confluence Cloud, or received by Jira Cloud.

We have proposed to Atlassian that they provide an API for this purpose, but it is unknown if and when they might decide to implement it. Another customer has opened a request JSDCLOUD-8850 with Atlassian, and we recommend that you add your vote to it.

However, for the time being, you should go for Data Center, if you need email encryption.

Installation questions

Why do our emails not get encrypted?

If emails are not encrypted, please follow the steps below to track down the cause.

Before you begin, you might want to set Encryption Fallback to Do not allow unencrypted notifications – send problem report instead. This will put an indication of the problem in the sent email. However, beware that you should not use this option unless you are testing in a non-productive environment, as the setting will apply to all emails sent from it.

1 Verify the installation

  1. Go to Manage apps from the Administration menu
  2. Find S/Notify in the list of installed apps, expand its entry, then click Get started
  3. S/Notify will check if it is ready to encrypt emails and display information about the result

2 Check if the quick test works

Please perform the quick test as explained here for Jira, here for Confluence and here for Bitbucket. If the email does not get encrypted, this probably means that you are using the wrong S/MIME certificate or PGP key for the email address associated with your Jira, Confluence or Bitbucket user.

However, if emails get encrypted in the quick test, but do not otherwise, proceed to the next check.

3 Check the user email addresses

Note that problems can occur if multiple users share the same email address, because then S/Notify cannot know which user the email belongs to.

Check if another user shares the same email address. If so, change the email address of one of these users, so they are unique.

4 Check the log file

If S/Notify is set to encrypt emails, but cannot do it, the reason for it is written to the log file. Please check there to see why it could not encrypt.

However, if you do not see any log entry from S/Notify in your log file at all, the problem is almost always a missing or incorrectly installed mailer library. Please verify that you have correctly followed Step 2: Download and install the S/Notify library component of the instructions explained in Installation - S/Notify for Jira, Installation - S/Notify for Confluence or Installation - S/Notify for Bitbucket, then proceed to the next check.

5 Check the files

Please double-check that

  • you have copied the mailer library to the correct directory WEB-INF/lib
  • you have not copied the GUI library to this directory
  • the mailer library is either world readable or at least readable by the user your Jira, Confluence or Bitbucket instance runs under
  • if you are using Confluence 7.0–7.4, please check the Confluence 7.0–7.4 issue 
  • you have restarted Jira, Confluence or Bitbucket after the installation of the mailer library

If you are still unable to identify the problem, try to increase the log level as explained below.
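
The file checks from this step as a shell function. This is an added example, not part of the S/Notify documentation; the library file names are not given on this page, so the function takes them as glob patterns supplied by the caller. Group-based read access is not evaluated, and the restart still has to be confirmed separately.

```sh
#!/bin/sh
# check_mailer_lib LIBDIR MAILER_GLOB GUI_GLOB RUN_USER
# LIBDIR is the application's WEB-INF/lib; the two globs are whatever the
# downloaded library files are called (not given here, so caller-supplied).
# Prints one line per problem and returns non-zero if any check fails.
check_mailer_lib() {
    libdir=$1 mailer_glob=$2 gui_glob=$3 run_user=$4
    rc=0

    # 1. The mailer library must be present in WEB-INF/lib.
    mailer=$(find "$libdir" -maxdepth 1 -type f -name "$mailer_glob")
    if [ -z "$mailer" ]; then
        echo "FAIL: no file matching '$mailer_glob' in $libdir"
        rc=1
    fi

    # 2. The GUI library must not be in this directory.
    gui=$(find "$libdir" -maxdepth 1 -type f -name "$gui_glob")
    if [ -n "$gui" ]; then
        echo "FAIL: GUI library must not be here: $gui"
        rc=1
    fi

    # 3. Each mailer library must be world readable, or owned by and
    #    readable for the account the application runs under.
    if ! unreadable=$(find "$libdir" -maxdepth 1 -type f -name "$mailer_glob" \
            ! \( -perm -004 -o \( -user "$run_user" -perm -400 \) \)); then
        echo "FAIL: could not evaluate permissions for user '$run_user'"
        rc=1
    elif [ -n "$unreadable" ]; then
        echo "FAIL: not readable by '$run_user': $unreadable"
        rc=1
    fi

    return "$rc"
}
```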

6 Contact our help desk

Please never hesitate to contact us, so we can help you identify the problem. We're here for you!

When doing so, remember that it can speed things up if you provide us with the log file created during your tests.

Why can't users see an option to upload an S/MIME certificate or PGP key?

If users do not see the option to upload an S/MIME certificate or PGP key to the user profile, please go to User Key Management and verify that Allow user certificates and/or Allow user keys is checked, as explained in User Key Management - S/Notify for Jira, User Key Management - S/Notify for Confluence or User Key Management - S/Notify for Bitbucket.

Note also that users do not see the option to upload an S/MIME certificate if Encryption Type Priority has been set to PGP only, and vice versa.

How can I increase the log level to track down an issue?

Please refer to Troubleshooting: Logging for detailed instructions on how to increase the log level for S/Notify in Jira and Confluence.

S/MIME questions

Which types of key store can be used with S/Notify?

Currently, PKCS#7 bundles (p7b) as well as BouncyCastle key stores (bks) are supported for public S/MIME certificates, and PKCS#12 key stores for private S/MIME certificates. 

If your company requires the use of another key store type, you are welcome to contact us and tell us the details of your requirements!

How can I convert other key store types into a BouncyCastle key store? 

An existing Java key store (JKS) or PKCS#12 key store (P12 or PFX) can be converted to a BouncyCastle BKS key store using the command line tool keystore which is provided with Java. Please refer to our S/MIME Reference for details.

Do we have to obtain S/MIME certificates from one of the big certificate authorities (CAs)?

Not necessarily. 

We recommend that you start by creating your own root CA for your organization. This root CA can then be used to issue and sign S/MIME certificates. You can consult us to learn more details about this approach. Just ask us.

You can, of course, just buy paid certificates from one of the big CAs. The advantage would be that their root certificate is automatically available and trusted on all client platforms.

How to use inbound S/MIME decryption with multiple Jira server email addresses?

If you want to use inbound email decryption and have configured multiple Jira or Service Desk inbound handlers for different email addresses of your server, there are two ways to go.

One option is to have the server S/MIME certificate issued for multiple email addresses, so you can use one certificate for all email addresses.

The other option is to have separate S/MIME certificates and add all of them to the server key store. S/Notify will automatically search for and pick the correct certificate.

You can freely choose the option that is easier to handle for you. You may as well use a mixture of both options.
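
The two approaches described above, an organization-owned root CA and one server certificate issued for several email addresses, combined using OpenSSL. This is an added example, not part of the S/Notify documentation; the organization name, subject names, file names and the PKCS#12 password are constructed placeholders.

```sh
#!/bin/sh
# Constructed example: private root CA plus one S/MIME certificate that
# covers two server mailboxes. Names and password are placeholders.

# make_smime_bundle DIR EMAIL1 EMAIL2 -> ca.crt, server.crt, server.p12 in DIR
make_smime_bundle() {
    dir=$1 mail1=$2 mail2=$3
    mkdir -p "$dir" || return 1

    # Root CA: key, request, then a self-signed certificate marked as a CA.
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' > "$dir/ca.ext"
    openssl req -new -newkey rsa:3072 -nodes \
        -subj "/O=Example Org/CN=Example Org Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" \
        -signkey "$dir/ca.key" -extfile "$dir/ca.ext" \
        -out "$dir/ca.crt" 2>/dev/null || return 1

    # Server certificate profile: end entity, e-mail protection only, both
    # addresses as rfc822Name subject alternative names.
    cat > "$dir/smime.ext" <<EOF
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:$mail1, email:$mail2
EOF
    openssl req -new -newkey rsa:3072 -nodes \
        -subj "/O=Example Org/CN=Jira Mail Handler" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/smime.ext" -out "$dir/server.crt" 2>/dev/null || return 1

    # PKCS#12 bundle (key + certificate + CA) for the private key store.
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
        -certfile "$dir/ca.crt" -name jira-mail \
        -passout pass:change-me -out "$dir/server.p12" || return 1
}

# cert_emails CERT: print every e-mail address bound to the certificate.
cert_emails() { openssl x509 -in "$1" -noout -email; }

# cert_valid_for_smime CA CERT: succeed if CERT chains to CA and may be
# used for S/MIME encryption.
cert_valid_for_smime() {
    openssl verify -purpose smimeencrypt -CAfile "$1" "$2" >/dev/null 2>&1
}
```

The private keys are written unencrypted (`-nodes`) into the working directory; move `ca.key` to offline storage and delete `server.key` once the PKCS#12 file has been imported.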

I'm new to S/MIME and would like to do some testing first. Can I get free S/MIME certificates somewhere?

Unfortunately, most of the few CAs that used to offer free personal S/MIME certificates have ceased to do so. The last ones are listed here. There is actually only Actalis left who still issue a free certificate that is valid for one year. Additionally, for testing purposes, the 30-day S/MIME certificates from Secorio should be good enough, too. You might also consider creating self-signed S/MIME certificates.

Another option is to get a free certificate from CAcert, which is an organisation dedicated to providing free certificates. However, their root certificate is not included in Windows and macOS trust stores, and not in all Linux OS trust stores, so you would probably have to add it manually, as otherwise the emails will be displayed as untrusted.

PGP questions

How to use inbound PGP decryption with multiple Jira server email addresses?

If you want to use inbound email decryption and have configured multiple Jira or Service Desk inbound handlers for different email addresses of your server, there are two ways to go.

One option is to have the server PGP key issued for multiple email addresses, so you can use one PGP key for all email addresses.

The other option is to have separate PGP certificates and add all of them to the server key ring. S/Notify will automatically search for and pick the correct key.

You can freely choose the option that is easier to handle for you. You may as well use a mixture of both options.

Why does the connection to the key server fail, while I am sure the key server URL is correct?

If your Jira or Confluence is operated behind an outbound proxy that limits access to external domains, please make sure that the key server URL is added to the exception list, so the key server can be accessed.

For details on how to operate Atlassian products with an outbound proxy, please refer to How to Configure Outbound HTTP and HTTPS Proxy for your Atlassian application.

Licensing questions

My 30-day trial period has expired. Can I extend it?

Yes, you can extend your trial period up to 5 times - in other words, for a total of up to six months. Extend your trial by generating a new evaluation license key from the Marketplace of S/Notify for Jira or S/Notify for Confluence. Click Try it free, then Generate the new license and finally, copy and paste it into the app listing in UPM from your Jira or Confluence instance.

We are a nonprofit organisation. Do you offer a free license for us?

Yes, nonprofit organisations can request a free Community License through Atlassian here. For Data Center hosting, please inquire directly at our support desk.

We are an open source project. Do you offer a free license for us?

Yes, open source projects can request a free Open Source License through Atlassian here. For Data Center hosting, please inquire directly at our support desk.

We are a small startup company. Do you offer a free license for us?

Probably. Please inquire directly at our support desk.