PureMessage for UNIX: Cryptographic signatures/keys are identified as suspect attachments

  • Article ID: 59555
  • Updated: 06 Jun 2012

Problem: Cryptographic signatures and keys are being identified as suspect attachments.

Version: PureMessage for UNIX with Sophos Anti-Virus Engine 4.42 and later.

What to do

This issue affects customers with a suspect attachment list containing the *.crt file extension, and who use the "Message contains suspicious attachments" test in the PureMessage policy coupled with the Sophos True File Type (TFT) detection technology.

The 4.42 update expanded TFT support for cryptographic signatures and keys. Email messages containing certain types of S/MIME certificates are now categorized by the TFT engine as containing a *.crt attachment.

If you have a restrictive suspect attachment check coupled with TFT, and you expect to receive legitimate S/MIME signed email, it is recommended that you change your settings.

If you are using the default suspect attachment list, you can remove this extension by editing the list manually. Alternatively, you can make the change on the Policy tab of the PureMessage Manager. On the sidebar, under Lists, click Suspect attachment names. Select the check box next to *.crt, which should be on the second page of attachment names, and then click Delete.

Depending on your PureMessage deployment and configuration, you can make this change on every server, or make it on the server running the Centralized Server Manager (CSM) role and then publish it to all servers.

Although the *.crt extension referred to various file types in the past, it is now becoming standardized as an extension for cryptographic certificates. We have removed this extension from the default list that ships with the product.

Messages that have been quarantined as a result of the default "Message contains suspicious attachment" test can be released by searching the quarantine for the reason "Suspect".

The default suspect attachment policy is as follows:

# attr NAME=Quarantine mail containing suspicious attachments
if pmx_suspect_attachment :tft {
    pmx_mark "pmx_reason" "Suspect";
    pmx_quarantine "Suspect";
    stop;
}

Location of Suspect attachment names list

/opt/pmx/etc/suspect-attachment-names

Command

To see what types of attachments an email contains, run the following as the "pmx" user:

pmx-list-true-filetypes -v <quarantined email in mbox format>

This will show all file extensions that an email contains, and the result can be cross-referenced against the Suspect attachment names list.
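
The cross-reference described above, together with the manual list edit mentioned earlier, as an added shell example that is not Sophos code. It assumes the list file holds one glob pattern per line with '#' comment lines, takes the reported extensions as arguments instead of parsing pmx-list-true-filetypes output, and uses hypothetical function names; the demo runs on a constructed list in a temporary file, not on /opt/pmx/etc/suspect-attachment-names.

```sh
#!/bin/sh
# Added example. ASSUMPTIONS: the list file holds one glob pattern per line
# (such as *.crt) and '#' starts a comment; extensions are typed in by hand
# from the pmx-list-true-filetypes output, whose format is not parsed here.

# matching_patterns LIST EXT: print every pattern in LIST that would match
# a file carrying extension EXT.
matching_patterns() {
    while IFS= read -r pat || [ -n "$pat" ]; do
        case $pat in ''|'#'*) continue ;; esac
        # $pat is left unquoted on purpose so case treats it as a glob.
        case "attachment.$2" in
            $pat) printf '%s\n' "$pat" ;;
        esac
    done < "$1"
}

# crosscheck LIST EXT...: one line per extension, "suspect" or "not listed".
crosscheck() {
    list=$1; shift
    for ext in "$@"; do
        hits=$(matching_patterns "$list" "$ext" | tr '\n' ' ')
        if [ -n "$hits" ]; then
            printf '%s: suspect (%s)\n' "$ext" "${hits% }"
        else
            printf '%s: not listed\n' "$ext"
        fi
    done
}

# remove_entry LIST PATTERN: drop the exact line PATTERN, keeping LIST.bak.
remove_entry() {
    cp -p -- "$1" "$1.bak" || return 1
    # grep exits 1 when nothing is left to print; that is not an error here.
    grep -Fxv -e "$2" -- "$1.bak" > "$1" || [ "$?" -eq 1 ]
}

# Demo on a constructed list in a temp file (not the shipped default list).
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '# constructed sample' '*.exe' '*.crt' '*.scr' > "$tmp"
    crosscheck "$tmp" crt p7s exe
    remove_entry "$tmp" '*.crt'
    crosscheck "$tmp" crt
    rm -f -- "$tmp" "$tmp.bak"
}
demo
```

Running crosscheck before and after remove_entry shows whether an extension still triggers the suspect attachment list; the .bak copy keeps the previous list for comparison.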

 
If you need more information or guidance, then please contact technical support.
