Don't block S/MIME on your mail server
With all the viruses out there these days, many mail servers simply block all attachments, or only allow a small set through. One set of attachment extensions that you don't want to block however are the extensions defined in RFC 2311 § 3.2.1 for S/MIME.
MIME Type File Extension application/pkcs7-mime .p7m (signedData, envelopedData) application/pkcs7-mime .p7c (degenerate signedData "certs-only" message) application/pkcs7-signature .p7s application/pkcs10 .p10
S/MIME allows people to sign or encrypt email messages. A S/MIME signature is created by basically creating a checksum (MD5, or SHA1), then the checksum is signed (RSA or DSA - S/MIME is also used for PGP).
Even if you don't sign or encrypt email yourself, its not a good practice to block these attachments - you may prevent someone (like me) who signs all their email from reaching you. Also S/MIME signatures are a good way for companies like PayPal who are plagued with Phishing scams to send trusted email to their customers. Just last week, I got an email from PayPal, which turns out was actually from PayPal - but I had to view the message source to confirm this. If they had signed the message I would know instantly.
Like this? Follow me ↯Tweet Follow @pfreitag
Don't block S/MIME on your mail server was first published on November 23, 2004.
S/MIME also has the advantage of being builtin to most email clients - where is the thunderbird domainkeys extension? Yahoo! has only just started signing their outgoing email with domainkeys, and has not implemented any verification yet (I know this because I have sent fake domainkeys signatures to them, and they still let the message through). And Google GMail's is missing the Policy DNS record.
I like DomainKeys, but it doesn't replace S/MIME, and is a bleeding edge technology. My point is still that you don't want to be blocking these attachments on your mail server, because S/MUME is not going to go away.