I’m not a WatchGuard Sys Admin by training. I have a CCNA, but WatchGuard Firebox is a different animal in many respects. I recently ran into a problem where the Gateway AntiVirus, specifically the SMTP Proxy, was stripping email attachments from one of our vendors. The message the end user received was vague:

The WatchGuard Firebox that protects your network has detected a message that may not be safe.

Cause : The message format may not be safe.
Content type : (none)
File name    : some.pdf
Virus status : some.pdf
Action       : The Firebox deleted some.pdf.

Your network administrator cannot restore this attachment.

So I had to turn to the logs to determine why that particular attachment was being stripped when all other incoming PDFs were fine. With my lack of experience reading WatchGuard logs, it took some time to settle on “type=uuencode”. I don’t think the log is particularly clear on why something was stripped in this case. As you can see, the log says ProxyStrip, but there is no obvious reason.

Date-Time        2010-02-20 13:36:37
Type        Traffic
FireCluster        Primary
Message        ProxyStrip: SMTP Message format disp=ALLOW, direction=NA, pri=6, policy=SMTP-proxy-00, protocol=smtp/tcp, src_ip=10.0.0.1, src_port=2934, dst_ip=10.0.0.1, dst_port=25, src_ip_nat=0.0.0.0, src_port_nat=0, dst_ip_nat=0.0.0.0, dst_port_nat=0, src_intf=ISPProvider, dst_intf=Trusted, rc=592, proxy_act=SMTP-Incoming.2, file_name=some.pdf, sender=janedoe@email.com, type=uuencode, recipients=johndoe@email.org, tag=1006

Not knowing what uuencode was, I did a Google search on it. Come to find out, it’s an older encoding method that has largely been replaced by MIME. Also, it turns out there is a setting in the WatchGuard SMTP Proxy to allow uuencode attachments. Can you guess if we were allowing them?

Anyway, hopefully this helps some other WatchGuard user out there.
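
For anyone facing the same hunt through the logs, here is a small parser for the Message field shown above that groups ProxyStrip events by their type= value, so the reason for a strip stands out. This is an added example, not WatchGuard code or part of the original troubleshooting; the function names, the second and third sample lines, and the "OtherEvent" name are assumptions made for illustration.

```python
import re
from collections import defaultdict

# First entry is the Message field quoted in the post. The other two are
# constructed samples in the same layout (values and "OtherEvent" are made up).
SAMPLE_MESSAGES = [
    "ProxyStrip: SMTP Message format disp=ALLOW, direction=NA, pri=6, "
    "policy=SMTP-proxy-00, protocol=smtp/tcp, src_ip=10.0.0.1, src_port=2934, "
    "dst_ip=10.0.0.1, dst_port=25, src_ip_nat=0.0.0.0, src_port_nat=0, "
    "dst_ip_nat=0.0.0.0, dst_port_nat=0, src_intf=ISPProvider, dst_intf=Trusted, "
    "rc=592, proxy_act=SMTP-Incoming.2, file_name=some.pdf, "
    "sender=janedoe@email.com, type=uuencode, recipients=johndoe@email.org, tag=1006",
    "ProxyStrip: SMTP Message format disp=ALLOW, policy=SMTP-proxy-00, "
    "proxy_act=SMTP-Incoming.2, file_name=invoice.pdf, "
    "sender=billing@vendor.example, type=uuencode, recipients=johndoe@email.org",
    "OtherEvent: constructed non-strip entry policy=SMTP-proxy-00, sender=a@b.example",
]


def parse_message(message):
    """Split a proxy log Message into (event name, dict of key=value fields)."""
    event, _, rest = message.partition(": ")
    # Values run up to the next comma, so a file name containing a comma
    # would be cut short by this simple pattern.
    fields = {k: v.strip() for k, v in re.findall(r"(\w+)=([^,]*)", rest)}
    return event, fields


def stripped_by_type(messages):
    """Group ProxyStrip events by 'type' so the cause of each strip is visible."""
    groups = defaultdict(list)
    for message in messages:
        event, fields = parse_message(message)
        if event != "ProxyStrip":
            continue  # only attachment-strip events are of interest here
        groups[fields.get("type", "unknown")].append({
            "file_name": fields.get("file_name"),
            "sender": fields.get("sender"),
            "proxy_act": fields.get("proxy_act"),
        })
    return dict(groups)


if __name__ == "__main__":
    for strip_type, hits in stripped_by_type(SAMPLE_MESSAGES).items():
        print(f"type={strip_type}: {len(hits)} attachment(s) stripped")
        for hit in hits:
            print(f"  {hit['file_name']} from {hit['sender']} ({hit['proxy_act']})")
```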