Pete Freitag Pete Freitag

Don't block S/MIME on your mail server


With all the viruses out there these days, many mail servers simply block all attachments, or only allow a small set through. One set of attachment extensions that you don't want to block however are the extensions defined in RFC 2311 § 3.2.1 for S/MIME.

   MIME Type                      File Extension

   application/pkcs7-mime              .p7m
   (signedData, envelopedData)

   application/pkcs7-mime              .p7c
   (degenerate signedData
   "certs-only" message)

   application/pkcs7-signature         .p7s

   application/pkcs10                  .p10

S/MIME allows people to sign or encrypt email messages. A S/MIME signature is created by basically creating a checksum (MD5, or SHA1), then the checksum is signed (RSA or DSA - S/MIME is also used for PGP).

Even if you don't sign or encrypt email yourself, its not a good practice to block these attachments - you may prevent someone (like me) who signs all their email from reaching you. Also S/MIME signatures are a good way for companies like PayPal who are plagued with Phishing scams to send trusted email to their customers. Just last week, I got an email from PayPal, which turns out was actually from PayPal - but I had to view the message source to confirm this. If they had signed the message I would know instantly.

Like this? Follow me ↯

Don't block S/MIME on your mail server was first published on November 23, 2004.


Sorry to say, Peter, but S/MIME has not gotten any traction. DomainKeys, on the other hand, is designed to be added to a message without modifying it.
by Russ Nelson on 11/24/2004 at 12:15:38 AM UTC
Russ, I'm very familiar with DomainKeys as well, while it is in fact a less obtrusive method of signing messages, they only work on the domain level, and don't allow you to encrypt the message. With S/MIME you can sign messages on a user level (you could do this with DomainKeys as well, if you created a selector dns record for every user, but that is not a good solution) which has its advantages, and you can also ofcourse encrypt messages.

S/MIME also has the advantage of being builtin to most email clients - where is the thunderbird domainkeys extension? Yahoo! has only just started signing their outgoing email with domainkeys, and has not implemented any verification yet (I know this because I have sent fake domainkeys signatures to them, and they still let the message through). And Google GMail's is missing the Policy DNS record.

I like DomainKeys, but it doesn't replace S/MIME, and is a bleeding edge technology. My point is still that you don't want to be blocking these attachments on your mail server, because S/MUME is not going to go away.
by Pete Freitag on 11/24/2004 at 11:03:38 AM UTC