Troubleshoot Failed to Open Encrypted Emails Processed by Mimecast Secure Email Gateway

Available Languages

Download Options

  • PDF     (170.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (195.6 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (169.4 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 31, 2022
Document ID:218005

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes an issue with Cisco Secure Email Encryption Service (formerly Cisco Registered Envelope Service) encrypted emails if the entity that receives the emails has a Mimecast Secure Email Gateway and URL rewrites are enabled.

    Problem

    Two separate behaviors have been observed in the field in regards to Mimecast and Cisco Secure Email Encryption integration.

    • Mimecast changes the backward slash to a forward slash, which results in a browser redirect failure.
    • Mimecast rewrites the URL in the attachment and corrupts the payload.

    Browser Redirect Issue

    Description

    Mimecast Secure Email Gateway changes the backward slash to a forward slash in the securedoc.html attachment, which then corrupts the payload and causes end-users to fail to open messages.

    Symptoms

    General symptoms include end-users that are not able to enter their passwords or that the password field produces errors.

       password-error-screenshot

      

    Identify the Issue

    1. Request any impacted end-users to share the securedoc.html

    2. Open the securedoc.html file in your text editor of choice (For example, Notepad++) or share it with Cisco TAC and search for the string: BrowserRedirect

    3. Review the full URL with the BrowserRedirect and confirm whether there is a backward or forward slash at the end. 

                 a. Correct URL (Ends with Backward Slash) - java.sun.com/webapps/getjava/BrowserRedirect\

         b. Problematic URL (Ends with Forward Slash) - java.sun.com/webapps/getjava/BrowserRedirect/

    4. An incorrect URL ends with a forward slash and allows us to confirm the problematic behavior.

    Solution

    1. An encryption (PXE) engine update has been released that includes a fix that resolves the issue. Please run updatenow force from the CLI to trigger the update.

    (Machine esa.example.com)> updatenow force

    Success - Force update for all components requested

    2. Once an update has been started, you can then use the encryptionstatus command to confirm the update has been applied. 

    (Machine esa.example.com)> encryptionstatus

    Component Version Last Updated
    PXE Engine 8.1.5.007 29 Jul 2022 16:58 (GMT +00:00)
    Domain Mappings File 1.0.0 Never updated

               

    3. If successful, the PXE Engine output shows the current date and time.

    (Machine esa.example.com)> encryptionstatus

    Component Version Last Updated
    PXE Engine 8.1.5.007 29 Jul 2022 16:58 (GMT +00:00)
    Domain Mappings File 1.0.0 Never updated

    URL Rewrite Issue

             

    Description

    Mimecast Secure Email Gateway rewrites the URLs in the securedoc.html attachment, which then corrupts the payload and causes end-users to fail to open messages.

    Symptoms

              

    General symptoms include end-users that are not able to enter their passwords or that the password field produces errors. 

       password-error-screenshot

      

      

    Identify the Issue

    1. Request any impacted end-users to share the securedoc.html

    2. Open the securedoc.html file in your text editor of choice (For example, Notepad++) or share it with Cisco TAC and search for the string: protect-us.mimecast.com

    3. Review the rewritten URLs and refer to the image for a before and after comparison. 

    cres-mimecast-url-comparisons

    4. When the securedoc.html attachment is sent through the Mimecast Secure Email Gateway, the referenced URLs are rewritten incorrectly which then causes the HTML syntax to break. Due to this, end-users are unable to open the encrypted emails. 

                         

    For example: 

                                       

    https://res.cisco.com:443/websafe/help?topic=AddrNotShown',{'localeUI':getLocale()}) is rewritten to https://protect-us.mimecast.com/s/fQ-lCkRMXRUn3B5DDIQIC_L?domain=res.cisco.com':getLocale()}). As you can see, after the URLs are rewritten, the localeUI field is removed. 

                    

    Solutions

    1. Forward the email in question to mobile@res.cisco.com. When received, end-users would then be able to click on the link and successfully decrypt the email. 

    or

    2. Enable the Easy Open feature. Encrypted emails would be sent to the recipients with a view link in the body of the email. End-users would then be able to click on the link and decrypt the email.

    or

    3. Bypass the sender domain of res.cisco.com on the Mimecast Secure Email Gateway. 

    Additional Information

    Cisco Secure Email Gateway Documentation

    Secure Email Cloud Gateway Documentation

    Cisco Secure Email and Web Manager Documentation

    Cisco Secure Product Documentation

    Revision History

    Revision Publish Date Comments
    1.0
    31-Jul-2022
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Muthu Natesan
      Cisco Software Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products