Mime Compatibility with Symantec PGP
Open, Needs TriagePublic

Description

This was tested to allow for Symantec encryption desktop to auto decrypt mail in outlook.
The auto decryption in Symantec handles attachments correctly if they are pre-encrypted before attaching using gpgol.

The two changes are for the mime mail headers.

src/mimemaker.cpp - Starting Line 1634

rc = write_multistring (sink,
                        "Content-Type: application/pgp-encrypted; name=\"Version.txt\"\r\n"
                        "Content-Description: Version.txt\r\n"
                        "Content-Disposition: attachment; filename=\"Version.txt\"; size=12;\r\n"
                        "Content-Transfer-Encoding: base64\r\n"
                        "\r\n"
                        "VmVyc2lvbjogMQ0K\r\n", NULL); /*Version: 1<cr><nl>*/

src/mimemaker.h - Line 34

#define OPENPGP_ENC_NAME "Message.pgp"

Details

External Link
https://github.com/gpg/gpgol
Version
GpgOL 2.4.6-beta1
james created this task.Jan 12 2020, 5:28 AM
werner added a subscriber: werner.Jan 13 2020, 9:14 AM

Using base64 encoding for a fixed format part in us-ascii is not a good idea because in practise many PGP/MIME decoders won't be able to detect and then decyrypt such a message.

james added a comment.Jan 14 2020, 5:50 PM

The base64 for the version is not needed. I rebuilt and did a test for that. I was testing with Outlook 2016 to Outlook.com to another exchange server. One of the servers in the chain is converting the mime parts to base64.
The MAPI headers in gpgol are causing the auto-decryption of Symantec to stop checking for the MIME attachments. On internal emails the MAPI format is retained and that causes an issue with the symantec client. When they leave the exchange server the base MIME format is what is sent and that works with the Symantec client.

I did run into issues with outlook auto picking attachment names. The extra descriptors help with the attachment names for the Symantec client to double-click to open the Message.pgp attachment. The Message.pgp appears to be the flag for the Symantec client to open it in the PGP Viewer tool as an email message.

Here is what I successful built and tested to have the Symantec client work with external email, and also double click to open on internal mail:

src/mimemaker.h - Line 34

#define OPENPGP_ENC_NAME "Message.pgp"

src/mimemaker.cpp - Starting Line 1634

rc = write_multistring (sink,

"Content-Type: application/pgp-encrypted; name=\" Version.txt\"\r\n"
"Content-Description: Version.txt\r\n"
"Content-Disposition: attachment; filename=\"Version.txt\"\r\n"
"\r\n"
"Version: 1\r\n", NULL);

if (rc)

return rc;

/* And start the second part. */
rc = write_boundary (sink, boundary, 0);

if (rc)

return rc;

rc = write_multistring (sink,

"Content-Type: application/octet-stream; name=\"" OPENPGP_ENC_NAME "\"\r\n"
"Content-Description: " OPENPGP_ENC_NAME "\r\n"
"Content-Disposition: attachment;\r\n"
"\tfilename=\"" OPENPGP_ENC_NAME "\"\r\n"
"Content-Transfer-Encoding: 7bit\r\n"
"\r\n", NULL);

Is this about any special version of Symantec? As far as I knew Symantec Endpoint Security Desktop (or whatever they call it nowadays) supports reading PGP/MIME and even sending it if forced.

Why doesn't it have such problems with other Mail clients sending PGP/MIME Mails?

james added a comment.Jan 17 2020, 6:12 PM

It can force it on the outbound. https://support.symantec.com/us/en/article.tech164655.html
It also allow SIMME pass-through. https://support.symantec.com/us/en/article.tech166867.html

From my observations it also only likes the Message.pgp name for the attachment to decode it in outlook or the PGPViewer Tool.

It also treats the SMIME in two ways depending on the SMIME pass-through setting.

  1. If the symantec client is set for pass-through it presents just the Version.txt and Message.pgp.
  2. If it is set for the default to process the SMIME message it presents the GpgOL_MIME_structure.txt

The symantec plugin appears to only process the MIME message if it only contains the Version.txt and the Message.pgp.