S/MIME Email Nodes for n8n

Introduction

The /n software n8n nodes extend n8n with powerful integration capabilities backed by the /n software node library. These nodes allow workflows to securely exchange data with external systems using proven Internet protocols and services.

The SMIMEEmail Sender and SMIMEEmail Trigger nodes extend n8n with built-in S/MIME capabilities. These nodes allow workflows to send encrypted and signed email messages, as well as receive messages that are automatically decrypted and verified. This article provides an overview of both nodes and their configuration.

Node Installation

Before proceeding, please ensure that the /n software n8n nodes have been installed successfully. For instructions on how to install the /n software n8n nodes, please refer to the installation guide here. Afterwards, assuming the mentioned node location is populated, simply restart your n8n server instance, and the /n software nodes should be searchable via the n8n UI.

SMIMEEmail Trigger Node

The SMIMEEmail Trigger node is the S/MIME-enabled equivalent of the /n software Email Trigger node. This node supports IMAP and POP3 connections and adds automatic S/MIME processing. This node is used to periodically poll the Email server at the interval defined by the n8n trigger schedule (one minute by default). On each poll, the node will connect to the Email server and perform the operation specified by the TriggerOn property. Please see below for each supported operation for the TriggerOn property.

Node Setup

For both operations, the following server-related properties should be configured:

  • ServerType - Indicates the type of server from which the node will download/list messages. This can either be set to IMAP (default) or POP3.
  • MailServer - Specifies the name or address of the mail server.
  • MailPort - Specifies the port of the mail server. Depending on the value of SSLStartMode, this value may need to be adjusted to ensure implicit/explicit SSL/TLS connections.
  • MailFolder - Specifies the folder of the mail server the component will download/list messages from. By default, this is 'Inbox'.
  • Filter - May be optionally specified to filter out messages received from the mail server (only valid for IMAP, please see product documentation for valid filters).

To enable SSL/TLS when connecting to the specified MailServer:

  • Configure SSLStartMode to determine how SSL negotiation is initiated (automatic, explicit, or implicit). Ensure the correct MailPort is specified depending on this value.
  • Configure the SSLCert* properties if client certificate authentication is required.
  • Configure the SSLAcceptServerCert* properties control how the server certificate is validated.

The AuthMode property may be used to specify the authentication method to be used when connecting to the MailServer. Possible values are:

  • Login - The User and Password are sent in a basic authentication command.
  • CRAMMD5 - The User and Password are digested using MD5 and sent to the server in a secure authentication command.
  • NTLM - Windows NTLM authentication is utilized. If User and Password are not supplied, the credentials for the current Windows account are used.
  • APOP - POP authentication is utilized. This is only valid when ServerType is set to POP3.
  • SASL Plain - The User and Password are concatenated into a plaintext SASL authentication command. This is only valid when ServerType is set to IMAP.
  • XOAUTH2 - OAuth authentication is utilized. The OAuthAuthorization* properties are used to acquire and set an access token.

When using XOAUTH2, OAuth authorization is configured directly through the node's properties and will be performed at runtime. The following properties must be specified:

  • OAuthAuthorizationAuthorizationScopes
  • OAuthAuthorizationClientId
  • OAuthAuthorizationClientSecret
  • OAuthAuthorizationServerAuthURL
  • OAuthAuthorizationServerTokenURL

After entering the necessary values, execute the node to begin the authorization process. When executed, the node will launch a browser window prompting the user to sign in and grant access.

Once access is granted, all necessary values will be saved in the OAuthAuthorizationCacheLocation for use in subsequent executions. The node will automatically use the cached values and refresh the access token when necessary. In this way, user interaction is only required during the initial authorization. Subsequent workflow executions can run without additional user involvement unless reauthorization is required.

Lastly, to ensure the node is able to decrypt and/or verify the received message:

  • The Certificate* properties should be set to the certificate to be used when decrypting an encrypted message.
  • The SignerCert* properties should be set to the certificate to be used when verifying a signature associated with the message.
  • The RequireEncryption property can be set to require encryption when receiving a message (an error will be thrown if the message is not encrypted).
  • The RequireSignature property can be set to require a valid signature when receiving a message (an error will be thrown if the message is not signed).
  • The RequireOAEP property can be set to ensure messages are encrypted with OAEP (an error will be thrown if not encrypted with OAEP).
  • The RequirePSS property can be set to ensure messages are signed with RSA-PSS (an error will be thrown if not signed with RSA-PSS).

After configuring the node, the TriggerOn property will determine what operation is performed. Please see below for details regarding the returned message information depending on the selected operation.

Receive Messages

When the TriggerOn property is set to 'Receive Messages', the node may be used to download multiple remote messages. In this case, the AttachmentDirectory should be set to a directory on disk where attachments are saved.

After the node successfully executes, two different types of messages will be available in the JSON output depending on whether AttachmentDirectory was specified. In either case, email data is provided in the JSON output like so:

[ { "type": "message", "messageText": "Test Message", "messageSubject": "Test Subject", "messageHeaders": "Test Headers", "messageDate": "Thu, 29 Jan 2026 20:14:33 -0500", "messageSize": 12, "messageFrom": "\"Test\" test@test.com", "messageTo": "\"Test\" test@test.com", "messageCc": "", "messageId": 123, "messageNetId": "somecharacters@mail.test.com", "messageSender": "\"Test\" test@test.com" } ]

If AttachmentDirectory was not specified, attachments will be provided as binary data after the node successfully executes. Additionally, attachment information, including which message the attachment is associated with, is provided in the JSON output like so (e.g., given the above parent message):

[ { "type": "attachment", "parentMessageId": 123, "attachmentIndex": 0, "attachmentName": test.txt "attachmentSize": 440 } ]

List Messages

When the TriggerOn property is set to 'List Messages', the node may be used to return a listing of messages without downloading the entire message. In this case, the actual message text and attachments associated with the message will not be retrieved. The following is an example of the JSON data output:

[ { "type": "message", "messageText": "", "messageSubject": "Test Subject", "messageHeaders": "Test Headers", "messageDate": "Thu, 29 Jan 2026 20:14:33 -0500", "messageSize": 12, "messageFrom": "\"Test\" test@test.com", "messageTo": "\"Test\" test@test.com", "messageCc": "", "messageId": 123, "messageNetId": "somecharacters@mail.test.com", "messageSender": "\"Test\" test@test.com" } ]

SMIMEEmail Sender Node

The SMIMEEmail Sender node is the S/MIME-enabled equivalent of the /n software Email Sender node. This node supports SMTP connections and adds automatic S/MIME processing. This node is a complete SMTP client that can also encrypt and sign emails.

Node Setup

To send emails, the following message and server-related properties should be configured:

  • SMTPServer - Indicates the name or address of the SMTP server (mail relay).
  • SMTPPort - Indicates the port of the SMTP server. This value may need to be adjusted depending on SSLStartMode.
  • From - Specifies the email address of the sender.
  • SendTo - Specifies the email address the message should be sent to.
  • Cc - Specifies any email addresses you wish to CC on the message.
  • BCc - Specifies any email addresses you wish to BCC on the message.
  • DeliveryReceipt - Indicates whether you want to receive delivery notifications.
  • ReadReceipt - Indicates whether you want to receive read notifications.
  • MessageText - Specifies the text to send with the message. If sending HTML data, instead specify MessageHTML.
  • MessageHeaders - Optionally specify any additional message headers to be sent with the message.

To enable SSL/TLS when connecting to the specified SMTPServer:

  • Configure SSLStartMode to determine how SSL negotiation is initiated (automatic, explicit, implicit). Ensure the correct SMTPPort is specified depending on this value.
  • Configure the SSLCert* properties if client certificate authentication is required.
  • Configure the SSLAcceptServerCert* properties control how the server certificate is validated.

The AuthMode property may be used to specify the authentication method to be used when connecting to the SMTPServer. Possible values are:

  • Login - The User and Password are sent in a basic authentication command.
  • CRAMMD5 - The User and Password are digested using MD5 and sent to the server in a secure authentication command.
  • NTLM - Windows NTLM authentication is utilized. If User and Password are not supplied, the credentials for the current Windows account are used.
  • XOAUTH2 - OAuth authentication is utilized. The OAuthAuthorization* properties are used to acquire and set an access token.

When using XOAUTH2, OAuth authorization is configured directly through the node's properties and will be performed at runtime. The following properties must be specified:

  • OAuthAuthorizationAuthorizationScopes
  • OAuthAuthorizationClientId
  • OAuthAuthorizationClientSecret
  • OAuthAuthorizationServerAuthURL
  • OAuthAuthorizationServerTokenURL

After entering the necessary values, execute the node to begin the authorization process. When executed, the node will launch a browser window prompting the user to sign in and grant access.

Once access is granted, all necessary values will be saved in the OAuthAuthorizationCacheLocation for use in subsequent executions. The node will automatically use the cached values and refresh the access token when necessary. In this way, user interaction is only required during the initial authorization. Subsequent workflow executions can run without additional user involvement unless reauthorization is required.

To ensure the node is able to encrypt and/or sign the outgoing message:

  • The EncryptData property should be set to true if the outgoing message should be encrypted, and the EncryptingAlgorithm should be set accordingly.
  • When encrypting outgoing messages, the RecipientCert* properties should be set to the receiver's certificate.
  • The SignData property should be set to true if the outgoing message should be signed, and the SigningAlgorithm should be set accordingly.
  • When signing outgoing messages, the Certificate* properties should be set to your certificate. The IncludeCertificate and IncludeChain properties can be specified to determine whether the certificate and/or chain should be included with the signed message.
  • The UseOAEP property can be enabled to use OAEP when encrypting.
  • The UsePSS property can be enabled to use RSA-PSS when signing.

After the node is configured, successful execution will indicate that the message has been sent.

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.

Copyright © 2026 /n software, Inc.
Contact
Terms of Use
Privacy Statement