Watchguard XTM330 SMTP Proxy Question

Today a weird thing happened; we received an email with several attachments directed to one user and with copy to that user's secretary.

The email received by the secretary had all the attachments stripped and only received a message.txt (the usual attachment that the UTM uses when stripping a file) detailing that the file "winmail.dat" had been stripped.

The WatchGuard Firebox that protects your network has detected a message that may not be safe.

Cause : The file type may not be safe.
Content type : application/ms-tnef
File name    : winmail.dat
Virus status : No information.
Action       : The Firebox deleted winmail.dat.

Your network administrator can not restore this attachment.

I know about winmail.dat attachments so we informed the sender to not use RTF when sending emails, but my concern is that while the secretary did not get any attachments the other user did get them with no problem.

So my question is:

Does the same email directed to one user and with copy to another have different rules for stripping?

Why did one user receive the attachments and the other just the txt explaining the deletion of the winmail.dat?

btan (Exec Consultant) commented:
winmail.dat is safe to let through. It's created by Outlook clients that aren't communicating via Exchange, where the message is composed using Word. It contains RTF formatting information, etc., so that mail created in RTF format (as opposed to plain text or HTML) will look the same on the receiving side as the sending side. Mail clients that don't support winmail.dat receive superfluous winmail.dat attachments.

See if this helps

I am assuming the users are still in the same domain, on the same policy, going through the same SMTP proxy. At times you may want to recreate the SMTP proxy; sending to both To and Cc is a good test as well for consistency of the policy enforced on all recipients.

Also, to make sure whether WG is the culprit, disable your current SMTP proxy service; add a filtered SMTP service and configure it to allow traffic to the server [proper NAT]; now check whether the email is still stripped; if yes, then WG is not at fault.
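To go with the To/Cc consistency test suggested above, here is an added example (not part of the original answer and not WatchGuard code) that diffs two recipients' saved copies of one message: it reports whether they share a Message-ID, whether they traversed the same Received hops, and which named attachments differ, flagging the `application/ms-tnef` type from the Firebox notice. The hostnames, Message-ID and payload bytes in `build_copy` are constructed sample data.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

TNEF_TYPE = "application/ms-tnef"  # content type named in the Firebox notice


def summarize(raw: bytes) -> dict:
    """Message-ID, relay hops and named attachments of one delivered copy."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = [(p.get_filename(), p.get_content_type())
             for p in msg.walk() if p.get_filename()]
    return {
        "message_id": str(msg["Message-ID"]),
        # Keep only the "from ... by ..." part; timestamps differ per delivery.
        "hops": [str(h).split(";")[0].strip()
                 for h in msg.get_all("Received", [])],
        "attachments": parts,
        "has_tnef": any(ctype == TNEF_TYPE for _, ctype in parts),
    }


def compare(copy_a: bytes, copy_b: bytes) -> dict:
    """Diff two recipients' copies of what should be the same message."""
    a, b = summarize(copy_a), summarize(copy_b)
    return {
        "same_message": a["message_id"] == b["message_id"],
        "same_path": a["hops"] == b["hops"],
        "only_in_a": sorted(set(a["attachments"]) - set(b["attachments"])),
        "only_in_b": sorted(set(b["attachments"]) - set(a["attachments"])),
    }


def build_copy(stripped: bool) -> bytes:
    """Constructed sample copy (hostnames, ID and payload are made up)."""
    msg = EmailMessage()
    msg["Message-ID"] = "<constructed-0001@sender.example>"
    msg["Received"] = ("from mail.sender.example by fw.example.com; "
                       "Mon, 01 Jan 2024 10:00:00 +0000")
    msg.set_content("See attached.")
    if stripped:
        msg.add_attachment("The Firebox deleted winmail.dat.",
                           filename="message.txt")
    else:
        msg.add_attachment(b"\x00\x01\x02\x03", maintype="application",
                           subtype="ms-tnef", filename="winmail.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    print(compare(build_copy(stripped=False), build_copy(stripped=True)))
```

With real mail, pass the raw bytes of each recipient's saved `.eml` file to `compare` instead of the constructed copies; a `same_path` of `False` means the two deliveries did not go through the same relays.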
