1 files changed, 13 insertions, 2 deletions

diff --git a/extensions/SecureMail/Extension.pm b/extensions/SecureMail/Extension.pm
index 8fd09510d..a4a23a2cd 100644
--- a/extensions/SecureMail/Extension.pm
+++ b/extensions/SecureMail/Extension.pm
@@ -261,8 +261,14 @@ sub mailer_before_send {
     my $is_passwordmail = !$is_bugmail && ($body =~ /cfmpw.*cxlpw/s);
     my $is_test_email   = $email->header('X-Bugzilla-Type') =~ /securemail-test/ ? 1 : 0;
     my $is_whine_email  = $email->header('X-Bugzilla-Type') eq 'whine' ? 1 : 0;
-
-    if ($is_bugmail || $is_passwordmail || $is_test_email || $is_whine_email) {
+    my $encrypt_header  = $email->header('X-Bugzilla-Encrypt') ? 1 : 0;
+
+    if ($is_bugmail
+        || $is_passwordmail
+        || $is_test_email
+        || $is_whine_email
+        || $encrypt_header
+    ) {
         # Convert the email's To address into a User object
         my $login = $email->header('To');
         my $emailsuffix = Bugzilla->params->{'emailsuffix'};
@@ -329,6 +335,11 @@ sub mailer_before_send {
             # comes from the whine settings.
             $make_secure = _should_secure_whine($email) ? SECURE_BODY : SECURE_NONE;
         }
+        elsif ($encrypt_header) {
+            # Templates or code may set the X-Bugzilla-Encrypt header to
+            # trigger encryption of emails. Remove that header from the email.
+            $email->header_set('X-Bugzilla-Encrypt');
+        }
 
         # If finding the user fails for some reason, but we determine we
         # should be encrypting, we want to make the mail safe. An empty key