Adding a Security Certificate and enabling TLS in Smartermail Enterprise will encrypt messages IN TRANSIT but it will not encrypt them AT REST. If you are needing HIPAA Compliance for Required Providers (as opposed to Addressable Providers for which AT REST encryption is optional), for example, then you would need to use S/MIME or OpenPGP in supported MUA email clients (Outlook, Thunderbird, Apple Mail, IBM Notes). Although SmarterMail does handle the delivery of S/MIME & OpenPGP encrypted emails it can neither display nor create AT REST encrypted emails from within the webmail client itself.
In practice S/MIME & OpenPGP are clumsy at best. We have had only a handful of clients try using it and have all met with frustration as it involves getting a personal Email Certificate to install in their MUA email client and then exchanging Public Keys with their contacts that they want to encrypt emails to by using signed email signatures. Once you have exchanged keys with a contact it is easy however as you can either chose to encrypt & sign all outgoing messages in your MUA email client, or in some cases enforce this as a Domain Policy. Especially since personal Email Certificates need to be renewed annually (just like any other kind of Security Certificate) this becomes troublesome for many end-users, especially if they get a new computer and didn't export their Private Key, resulting in the inability to read encrypted messages sent to them previously...as well as keeping the Public Keys for contacts updated on an annual basis.
Alternately you can use a third-party secure Messaging Portal or a service that provides Incoming/Outgoing Gateway Encryption over SMTP TLS although in many cases this requires the recipient to login to those third-party services to access the encrypted email.