Page MenuHome GnuPG
Create Task
Maniphest T4807

Mime Compatibility with Symantec PGP
Open, NormalPublic
Actions

Description

This was tested to allow for Symantec encryption desktop to auto decrypt mail in outlook.
The auto decryption in Symantec handles attachments correctly if they are pre-encrypted before attaching using gpgol.

The two changes are for the mime mail headers.

src/mimemaker.cpp - Starting Line 1634

rc = write_multistring (sink,
                        "Content-Type: application/pgp-encrypted; name=\"Version.txt\"\r\n"
                        "Content-Description: Version.txt\r\n"
                        "Content-Disposition: attachment; filename=\"Version.txt\"; size=12;\r\n"
                        "Content-Transfer-Encoding: base64\r\n"
                        "\r\n"
                        "VmVyc2lvbjogMQ0K\r\n", NULL); /*Version: 1<cr><nl>*/

src/mimemaker.h - Line 34

#define OPENPGP_ENC_NAME "Message.pgp"

Details

External Link
https://github.com/gpg/gpgol
Version
GpgOL 2.4.6-beta1

Event Timeline

james created this task.Jan 12 2020, 5:28 AM
werner added a subscriber: werner.Jan 13 2020, 9:14 AM

Using base64 encoding for a fixed format part in us-ascii is not a good idea because in practise many PGP/MIME decoders won't be able to detect and then decyrypt such a message.

james added a comment.Jan 14 2020, 5:50 PM

The base64 for the version is not needed. I rebuilt and did a test for that. I was testing with Outlook 2016 to Outlook.com to another exchange server. One of the servers in the chain is converting the mime parts to base64.
The MAPI headers in gpgol are causing the auto-decryption of Symantec to stop checking for the MIME attachments. On internal emails the MAPI format is retained and that causes an issue with the symantec client. When they leave the exchange server the base MIME format is what is sent and that works with the Symantec client.

I did run into issues with outlook auto picking attachment names. The extra descriptors help with the attachment names for the Symantec client to double-click to open the Message.pgp attachment. The Message.pgp appears to be the flag for the Symantec client to open it in the PGP Viewer tool as an email message.

Here is what I successful built and tested to have the Symantec client work with external email, and also double click to open on internal mail:

src/mimemaker.h - Line 34

#define OPENPGP_ENC_NAME "Message.pgp"

src/mimemaker.cpp - Starting Line 1634

rc = write_multistring (sink,

"Content-Type: application/pgp-encrypted; name=\" Version.txt\"\r\n"
"Content-Description: Version.txt\r\n"
"Content-Disposition: attachment; filename=\"Version.txt\"\r\n"
"\r\n"
"Version: 1\r\n", NULL);

if (rc)

return rc;

/* And start the second part. */
rc = write_boundary (sink, boundary, 0);

if (rc)

return rc;

rc = write_multistring (sink,

"Content-Type: application/octet-stream; name=\"" OPENPGP_ENC_NAME "\"\r\n"
"Content-Description: " OPENPGP_ENC_NAME "\r\n"
"Content-Disposition: attachment;\r\n"
"\tfilename=\"" OPENPGP_ENC_NAME "\"\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n", NULL);
aheinecke added a subscriber: aheinecke.Jan 16 2020, 1:32 PM

Is this about any special version of Symantec? As far as I knew Symantec Endpoint Security Desktop (or whatever they call it nowadays) supports reading PGP/MIME and even sending it if forced.

Why doesn't it have such problems with other Mail clients sending PGP/MIME Mails?

james added a comment.Jan 17 2020, 6:12 PM

It can force it on the outbound. https://support.symantec.com/us/en/article.tech164655.html
It also allow SIMME pass-through. https://support.symantec.com/us/en/article.tech166867.html

From my observations it also only likes the Message.pgp name for the attachment to decode it in outlook or the PGPViewer Tool.

It also treats the SMIME in two ways depending on the SMIME pass-through setting.

  1. If the symantec client is set for pass-through it presents just the Version.txt and Message.pgp.
  2. If it is set for the default to process the SMIME message it presents the GpgOL_MIME_structure.txt

The symantec plugin appears to only process the MIME message if it only contains the Version.txt and the Message.pgp.

aheinecke claimed this task.May 8 2020, 3:27 PM
aheinecke triaged this task as Normal priority.

I'm not sure what to do here. The problem is that all users in clients without PGP/MIME Support will see the attachment names. That is why we use the names as they are.

While I want to be compatible with as much as possible I don't really feel that we should change our code for a broken implementation. Our mails are PGP/MIME RFC Compliant and the RFC says nothing about the names. So it feels kinda stupid to support a client that does not check the MIME Types but rather uses filenames to identify stuff,...

Maybe a good solution is to have an option in the debug page to change it, like we have an option to send PGP/Inline.