Attachments from Zertificon Gateway are not automatically decrypted


A colleague has the problem that attachments from the Zertificon gateway (Z1 SecureMail Gateway) of a mail partner are not automatically decrypted. The email itself is.

The attachments have to be saved first and decrypted manually. The key is therefore the same as for the email.

This gateway does something different. Does anyone know this problem?

Hi Marc,
it may be that the gateway does not adhere to the OpenPGP/MIME standard
and instead encrypts the attachment separately. If so, there is not much that
GpgOL (the Outlook Add-in of Gpg4win) can do about it.

To analyse, look at the raw structure of the email. If there is a separate attachment
visible outside the encrypted part, then it would not be good use of MIME.

Does this answer help you already?

Thanks for the quick reply.

I have no idea if the gateway adheres to the standard. The company that uses the gateway says that it works with forty other companies, and I should ask here.

Maybe there is a setting for the Z1 gateway that someone here knows. I had never heard of the company Zertificon before. Is it known?

The mails have the usual encrypted mail text and after decryption the attachments remain attached to the mail as xxx.yyy.asc files.

Before decryption it looks like this:

-----END PGP MESSAGE-----=0A=

Content-Type: image/png;
Content-Transfer-Encoding: quoted-printable
Content-ID: image001.png@01D8C399.BD5EAA20
Content-Disposition: attachment;

Comment: Z1 SecureMail Gateway Processing Info=0A=

Hi Marc,

there are so many companies that I may have encountered Zertificon before
(our does not have hints about them). Note that most “Gateway” solutions are not end-to-end cryptography.

I did a brief search on their website and it is unclear if they claim to adhere to OpenPGP/MIME (e.g. and rfc2015). I think this is a question they should be able to answer: by which standards they are sending out encrypted emails with attachments (and different encodings).

In order to work nicely according to OpenPGP/MIME it should have one email body with something like
Content-Type: multipart/encrypted; boundary=foo;
it seems in your example this is not the case.

The problem with this is that the attachments could have been added during transport
by a third party (and signed and encrypted). The user interface of Outlook/GpgOL cannot
nicely display the potentially different signers, so there is a bit more attack surface;
each attachment would have to be verified by the user. So the current workflow
is the best we can do if we consider the usability.

Yes, it would be good and helpful if the Z1 gateway had an option to enable OpenPGP/MIME
for encryption of outgoing multipart MIME messages.

Best Regards
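
The raw-structure check described in the replies above can be scripted. This is an added example, not code from the posters, GpgOL or Zertificon; the function name, the layout labels and both sample messages are constructed for illustration.

```python
import email

ARMOR = b"-----BEGIN PGP MESSAGE-----"
BLOCK = ARMOR + b"\n(constructed placeholder, not real ciphertext)\n-----END PGP MESSAGE-----\n"

# Constructed sample: OpenPGP/MIME, one multipart/encrypted container for everything.
SAMPLE_PGP_MIME = (
    b'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="foo"\n\n'
    b"--foo\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
    b"--foo\nContent-Type: application/octet-stream\n\n" + BLOCK + b"--foo--\n"
)
# Constructed sample: armored body plus a separately encrypted attachment part.
SAMPLE_SPLIT = (
    b'Content-Type: multipart/mixed; boundary="bar"\n\n'
    b"--bar\nContent-Type: text/plain\n\n" + BLOCK +
    b"--bar\nContent-Type: application/octet-stream\n"
    b'Content-Disposition: attachment; filename="report.pdf.asc"\n\n' + BLOCK + b"--bar--\n"
)

def classify_pgp_layout(raw: bytes) -> dict:
    """Classify how a raw message carries PGP data (hypothetical helper)."""
    msg = email.message_from_bytes(raw)
    protocol = (msg.get_param("protocol") or "").lower()
    # OpenPGP/MIME: the top-level part itself is the encrypted container.
    if msg.get_content_type() == "multipart/encrypted" and protocol == "application/pgp-encrypted":
        return {"layout": "openpgp-mime", "attachments": []}
    inline_body, attachments = False, []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename() or part.get_content_disposition() == "attachment":
            # Attachment visible in the outer MIME structure, outside any encrypted container.
            attachments.append((part.get_filename(), part.get_content_type(), ARMOR in payload))
        elif ARMOR in payload:
            inline_body = True
    if inline_body and attachments:
        layout = "inline-body-with-separate-attachments"
    elif inline_body:
        layout = "inline-body"
    elif any(armored for _, _, armored in attachments):
        layout = "encrypted-attachments-only"
    else:
        layout = "no-pgp-found"
    return {"layout": layout, "attachments": attachments}

if __name__ == "__main__":
    for name, raw in (("pgp-mime", SAMPLE_PGP_MIME), ("split", SAMPLE_SPLIT)):
        print(name, classify_pgp_layout(raw))
```

A result of `inline-body-with-separate-attachments` means each listed part was encrypted on its own and has to be decrypted and verified individually.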

Hi Bernhard,

Thank you for your detailed answer!

Yes, the company does not publish much information, but now I have something that I can ask them.

Best Regards,