Workaround bypass organization auto-added "warning" text

Hello,

my organization is automatically adding the following line :

[VIGILANCE]: courriel externe | external e-mail | correo electronico externo.

at the begining of each e-mail coming from outside the authorized compagny domains.

This mess-up GpgOL features which of course fail message authentification as it has been modified.

What do you think is the best way going around this nasty side effect ? Could an option be implemented/added for trying a second stage validation of the message removing some template text ?

Regards

Hi Mathieu,

my suggestion is: add the `[VIGILANCE]’ (a short version)
at the beginning of the subject header.

(As GpgOL is Free Software, it is in principle possible to implement something that removes a certain line before validation, but it probably is not a good idea as you would need to maintain this patch and build your own version of GpgOL.)

Another radical idea would be, to try using MIME to add the warning.

Overall I doubt the effectiveness of the line as it is now.
Maybe it would be better if the email server would only mark or just bounce emails that claim to come from within our organisation, but are not (the Kolab 2 Server did that).

Best Regards,
Bernhard

Just as a note:

Another radical idea would be, to try using MIME to add the warning.

That would currently not work because GpgOL uses a simple MIME parser both for security and because we cannot properly show multiple mime parts with a different encryption status so GpgOL only looks at the top level mime part and if an multipart/signed or multipart/encrypted message then becomes multipart/mixed because of an added mime part that is an issue.

There is a long standing task in GpgOL to at least handle mailman modified mails but its not done yet. I guess that would be similar.

(I know that the simple parser probably does not allow for this. It is good that Mailman style modification is on the roadmap. :slight_smile: )

Hello, thank you for your answers.
I also noticed that the mail system is tampering with url and modifying them so I guess that would be really hard to work around this.
The best way I found so far is described in the attached pdf. It is to save the attachement shown as the original message attachement file, and then double click it from ouside outlook.
The only missing point when going that way is the gpgol toolbar icon that seems to stay on the “insecure” behaviour while safety tags on the message are correct.
I hope this helps and can provide additionnal test results if needed.
Regards

gpg4win_outlook_behaviour_report.pdf (454 KB)