Why is F-Secure Email and Server Security dropping password protected attachments?
If password protected attachments are being dropped from emails, you should review the actions that are taken when emails include archived files. You can review and change the settings by following these steps:
- Log in to the Email and Server Security Web Console
- Select Email traffic scanning from the menu
- Select Incoming mail and review these settings:
  - Action on archives with disallowed files
  - Action on max nested archives
  - Action on password protected archives
Archived attachments can also be dropped if a match list that is active for your email route is triggered. If inbound archived attachments are dropped, they are most likely triggering the 'Disallowed Inbound Files' match list. On the Incoming mail settings page mentioned above, check the setting for the list of files to scan inside archives. This setting shows which match list is currently in use.
The match list can be found in F-Secure Email and Server Security Web GUI:
- Go to the Settings page
- Select List and templates
When a match list is active for incoming email traffic and a user sends an attachment that is included in this list, the rule is triggered and the file is dropped.
If a file is being dropped, you can verify this in logfile.log. Here are two example entries from that log:
Example 1: conditionReason: Attachment 'password_protected_example.docx' matches 'Disallowed Files Internal' stripping condition; Real type: application/msword; description: Microsoft Compound Document;Microsoft Word Document; password protected; extensions: DOC DOT
Example 2: Attachment '2019-04-18_examplefile.pptx' matches 'Disallowed Inbound Files' stripping condition; Real type: application/msword; description: Microsoft Compound Document;Microsoft Word Document; password protected; extensions: DOC DOT Action: Message stopped
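To allow the files in the examples, you would need to remove the *.doc extension from the disallowed files match list. Both log entries report the attachment's real type with the extensions DOC DOT, even though the file names end in .docx and .pptx, so it is the *.doc entry that matches.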
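To find such entries in a larger log, the following added example (not F-Secure code) parses lines in the layout of the two examples above and reports the match list that fired, the detected type, and whether the extension in the attachment name differs from the extensions of the detected type. The regular expression assumes real entries follow the layout of those two examples; the function names are hypothetical.

```python
import re
from pathlib import PurePath

# Field layout taken from the two example entries in the article; anything a
# real line carries before "Attachment" is skipped because search() is used.
ENTRY = re.compile(
    r"Attachment '(?P<name>[^']+)' matches '(?P<match_list>[^']+)' stripping condition; "
    r"Real type: (?P<real_type>[^;]+); description: (?P<description>.*?); "
    r"extensions: (?P<extensions>\w+(?: \w+)*?)(?: Action: (?P<action>.+))?$"
)

def parse_entry(line):
    """Return the fields of one stripping entry, or None for any other line."""
    m = ENTRY.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["extensions"] = rec["extensions"].split()
    rec["password_protected"] = "password protected" in rec["description"]
    # Extension in the attachment name versus the extensions of the detected type.
    rec["name_ext"] = PurePath(rec["name"]).suffix.lstrip(".").upper()
    rec["type_mismatch"] = rec["name_ext"] not in rec["extensions"]
    return rec

def summarize(lines):
    """Group stripping entries by the match list that triggered them."""
    by_list = {}
    for line in lines:
        rec = parse_entry(line)
        if rec is not None:
            by_list.setdefault(rec["match_list"], []).append(rec)
    return by_list

# The first two lines are the article's examples; the last is constructed filler.
SAMPLE = [
    "conditionReason: Attachment 'password_protected_example.docx' matches "
    "'Disallowed Files Internal' stripping condition; Real type: application/msword; "
    "description: Microsoft Compound Document;Microsoft Word Document; "
    "password protected; extensions: DOC DOT",
    "Attachment '2019-04-18_examplefile.pptx' matches 'Disallowed Inbound Files' "
    "stripping condition; Real type: application/msword; description: Microsoft "
    "Compound Document;Microsoft Word Document; password protected; "
    "extensions: DOC DOT Action: Message stopped",
    "constructed filler line that is not a stripping entry",
]

if __name__ == "__main__":
    for match_list, recs in summarize(SAMPLE).items():
        for r in recs:
            print(match_list, r["name"], r["real_type"], r["extensions"],
                  r["password_protected"], r["type_mismatch"], r["action"])
```

A `type_mismatch` of True points to a match list entry for the detected type's extensions rather than for the extension in the file name.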
Article no: 000011451