Pete Freitag Pete Freitag

Don't block S/MIME on your mail server

Updated on December 06, 2023
By Pete Freitag

With all the viruses out there these days, many mail servers simply block all attachments, or only allow a small set through. One set of attachment extensions that you don't want to block however are the extensions defined in RFC 2311 § 3.2.1 for S/MIME.

   MIME Type                      File Extension

   application/pkcs7-mime              .p7m
   (signedData, envelopedData)

   application/pkcs7-mime              .p7c
   (degenerate signedData
   "certs-only" message)

   application/pkcs7-signature         .p7s

   application/pkcs10                  .p10

S/MIME allows people to sign or encrypt email messages. A S/MIME signature is created by basically creating a checksum (MD5, or SHA1), then the checksum is signed (RSA or DSA - S/MIME is also used for PGP).

Even if you don't sign or encrypt email yourself, its not a good practice to block these attachments - you may prevent someone (like me) who signs all their email from reaching you. Also S/MIME signatures are a good way for companies like PayPal who are plagued with Phishing scams to send trusted email to their customers. Just last week, I got an email from PayPal, which turns out was actually from PayPal - but I had to view the message source to confirm this. If they had signed the message I would know instantly.

Don't block S/MIME on your mail server was first published on November 23, 2004.

Discuss / Follow me on Twitter ↯


Sorry to say, Peter, but S/MIME has not gotten any traction. DomainKeys, on the other hand, is designed to be added to a message without modifying it.
by Russ Nelson on 11/24/2004 at 12:15:38 AM UTC
Russ, I'm very familiar with DomainKeys as well, while it is in fact a less obtrusive method of signing messages, they only work on the domain level, and don't allow you to encrypt the message. With S/MIME you can sign messages on a user level (you could do this with DomainKeys as well, if you created a selector dns record for every user, but that is not a good solution) which has its advantages, and you can also ofcourse encrypt messages.

S/MIME also has the advantage of being builtin to most email clients - where is the thunderbird domainkeys extension? Yahoo! has only just started signing their outgoing email with domainkeys, and has not implemented any verification yet (I know this because I have sent fake domainkeys signatures to them, and they still let the message through). And Google GMail's is missing the Policy DNS record.

I like DomainKeys, but it doesn't replace S/MIME, and is a bleeding edge technology. My point is still that you don't want to be blocking these attachments on your mail server, because S/MUME is not going to go away.
by Pete Freitag on 11/24/2004 at 11:03:38 AM UTC