Encrypted attachments getting quarantined (PureMessage for Unix)

Lately I have observed that Encrypted (Password protected) attachments are getting quarantined as "Suspect" under the policy rule "Quarantine mail containing suspicious attachments".

The file types being quarantined are:

* Microsoft Excel: .xlsx or .xls

* Zip archives: .zip

My users are used to sending password-protected Excel files as a precaution on files containing sensitive data such as account details, etc.

This is a recent development and I am pretty sure that this was not enforced previously on these types of attachments. Encrypted PDF documents are still passing through without any issues. I wonder if anyone else has come across this and I strongly believe this change should not have been made.

Kind regards,

Pubudu.

  • Hi Pubudu,

    I hope your users are using better encryption than what WinZip and Excel provide. It's pretty weak and easy to break.

    That being said, I have added to my policy the following. This is just after the suspicious attachment statement:

          # attr NAME=If Cannot Scan Attachment
            if allof(pmx_cantscan,
                     address :all :memberof :comparator "i;ascii-casemap" ["to",
                                                                           "cc",
                                                                           "bcc"]
                             ["encrypted-archives"])
            {
                pmx_mark "pmx_reason" "CantScan";
            }

    You will notice I went a step further by creating a group called "encrypted-archives" that only a few people here are part of. It sounds like you don't mind if everyone is encrypting files, so you probably don't want that.

    I hope that helps :-)

    Erric

  • I have the same problem. Please tell me which file I need to edit in order to add the code offered in the solution. Also, is there a reference for writing such expressions?

  • Hi Ace,

    You can actually do this from the web GUI and it's a lot easier if you are not familiar with the command line.

    If you are familiar with the command line tools, then it's most likely in /opt/pmx/etc/policy.siv

    If you commit changes to this file, you will need to restart the milter process in order for them to take effect.

    Erric

  • Thanks for the quick reply, Erric.

    I left out a crucial piece of information: I am running PureMessage for Microsoft Exchange V3.1.  Whereas it has a GUI, it is not a Web GUI and, more importantly, I believe I drilled down into every screen and I could not find a place to define an exclusion.

    Do you know the right incantation for this environment?

       Ace

  • Ace,

    I'm sorry but I've never used the Windows version of PM so I wouldn't know where to begin.

    However, I would imagine there is a way to control the e-mail policy on the Windows version. I will also mention that I created the rule above; it wasn't included in the Policy.

    Good Luck!

    Erric

  • Within PureMessage for Exchange, encrypted attachments are handled via the Transport (SMTP) Scanner under the Anti-Virus Options through the System Configuration options. You can verify how your policy is configured to handle certain extensions there.

    Based on the Suspect flag, the policy is properly handling the encrypted section but somehow the Content section of the SMTP scan is then getting triggered. You can review how suspicious attachments are being handled through this part of the policy, allowing you to choose which extensions should be flagged and potentially which ones can be exempted. Sections 5.5.5.2 and 5.5.5.3 cover the appropriate suspect rules, focusing on what to do based on name and type.

    If this problem still persists and you continue to run into any difficulties, you should then open a case with our support team, who can help review your policy along with the rest of your PureMessage configuration to see what's going on.

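The thread turns on attachments a gateway cannot scan because they are encrypted. The sketch below is an added example, not part of any post and not PureMessage's own logic: it shows how an encrypted ZIP or password-protected .xlsx can be recognised from its container format before deciding to quarantine or exempt it. The function names, the sample data and the substring heuristic for the OOXML case are assumptions of this example.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")         # OLE2 compound file header
ENC_PACKAGE = "EncryptedPackage".encode("utf-16-le")  # stream name in encrypted OOXML


def classify_attachment(data: bytes) -> str:
    """Return 'encrypted-zip', 'encrypted-ooxml', 'scannable' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        # A password-protected .xlsx is no longer a ZIP: Office wraps it in an
        # OLE2 container with an "EncryptedPackage" stream. Legacy .xls is also
        # OLE2 and needs a real BIFF parser, so it is reported as 'unknown'.
        return "encrypted-ooxml" if ENC_PACKAGE in data else "unknown"
    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of the general-purpose flags marks an encrypted member.
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    return "encrypted-zip"
                return "scannable"   # includes unprotected .xlsx, which is a ZIP
        except zipfile.BadZipFile:
            return "unknown"
    return "unknown"


def constructed_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-file ZIP, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("accounts.csv", "constructed sample data")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Only the flag is set in the central directory; the payload is untouched.
        central = raw.find(b"PK\x01\x02")
        raw[central + 8] |= 0x01
    return bytes(raw)


# Constructed stub, not a complete Office file: header plus the stream name.
CONSTRUCTED_OOXML = OLE_MAGIC + b"\x00" * 504 + ENC_PACKAGE

if __name__ == "__main__":
    for name, blob in [("plain.zip", constructed_zip(False)),
                       ("locked.zip", constructed_zip(True)),
                       ("locked.xlsx", CONSTRUCTED_OOXML)]:
        print(name, "->", classify_attachment(blob))
```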