Skip to main content

A Django email backend that encrypts outgoing mail with S/MIME.

Project description

A Django email backend that encrypts outgoing mail with S/MIME.


It automatically encrypts messages to recipients for whom certificates are available, falling back to cleartext for any recipients that don’t have certificates on file.

Add certificates for the addresses in settings.ADMINS and you can relax (a little) about emailing notifications, Django error reports, or other potentially sensitive information.

It supports multiple certificates per recipient address, so you can define ADMINS as an alias, configure each recipient’s address and certificate and they’ll all be able to read the messages.

If a private key is associated with a sending address, messages from that sender will also be signed.


You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.

To the extent possible under law, the author(s) have dedicated all copyright and related and neighboring rights to this software to the public domain worldwide. This software is distributed without any warranty.

See the file COPYING for the full text of the CC0 Public Domain Dedication, also available at:


pip install django-djembe


  1. Add djembe to your INSTALLED_APPS setting.

  2. Create its model tables with migrate djembe.

  3. To use it as your default email backend, add this setting:

    EMAIL_BACKEND = 'djembe.backends.EncryptingSMTPBackend'
  4. To use a cipher other than the default AES-256, specify it in settings.DJEMBE_CIPHER:

    DJEMBE_CIPHER = 'des_ede3_cbc'  # triple DES

    The intersection of M2Crypto’s ciphers and RFC 3851 are:

    • des_ede3_cbc (required by the RFC)

    • aes_128_cbc (recommended, not required, by the RFC)

    • aes_192_cbc (recommended, not required, by the RFC)

    • aes_256_cbc (recommended, not required, by the RFC)

    • rc2_40_cbc (RFC requires support, but it’s weak – don’t use it)

    RFC 5751 requires AES-128, and indicates that higher key lengths are of course the future. It marks tripleDES with “SHOULD-”, meaning it’s on its way out.

    The following mail clients have worked fine with AES-256 in my testing.

    • 6.2 (Mac)

    • Thunderbird 17 (Mac, Linux)

    • Windows Live Mail (Windows 7)

    I’d recommend you try the default and fall back to 3DES if necessary.

  5. Use the Django admin to add recipients that should receive encrypted mail.

    The simplest case is an Identity with a certificate. Any mail sent to that Identity will be encrypted.

    To create signing Identities, supply both a certificate and a private key – which must not have a passphrase, obviously. Any mail sent from the Identity’s address will be signed with the private key.

    You can create multiple Identity records with the same address, but different certificates. This is how you encrypt mail to an alias or mailing list.


The project is on Github. If you find a bug or have a feature request, please add an issue there. Patches or pull requests are of course welcome, too. I won’t even make you add tests; just make sure you don’t break what’s already there – you can check by running python test in your working copy.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-djembe-0.2.0.tar.gz (15.4 kB view hashes)

Uploaded source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page