Is NOT using TNEF a security risk?

Not open for further replies.


My IS dept claims that not using tnef is a security risk. Is that true? All my searches for tnef security come up neutral or implicate tnef as the risk.
I am a customer service professional in a service organization. I must send Word and PDF documents to customers I serve. Since May (when Exchange 2010 was installed) my attachments to GroupWise customers arrive renamed " tnef.001" , where the number increases with the number of attachments in the same e-mail. This was not an issue before in Exchange 2007, because tnef was off, as evidenced by Outlook voting buttons not working. My attempts to send as plain text still result in tnef.001 attachments. Exchange Server is over riding my settings. Our IS dept. refuses to set e-mail leaving our domain to tnef off (the simple solution). They claim it is a security risk.

AndyD_ [MVP]

What are they basing that on? If anything, I would recommend that all your clients use HTML as their default formatting and leave the default content type for remote domains set to MIMEHTMLText. ( which is the default for new Exchange 2010 Orgs)

Let me guess, HTML is the security risk?


The deployed Outlook clients are HTML by default. Exchange over rides any attempts to adjust from the client. Test e-mails sent in each format; plain, HTML and RTF all had the same results, attachments renamed tnef.001. I could send instructions with each e-mail on how to save, rename and open my attachments, but that would make us look like fools to all the customers that do not have problems.
IS does not offer any specific reason(s) about this alleged security issue. My dozen or so helpdesk requests since May got replied to with, " This is a GroupWise problem!" or some similar arrogantly ignorant response. The Dilbert character Mordac must be derived from our IS dept.
My coworkers and I have renamed our Information Systems department (IS) to Technology Systems Administrators (TSA).
What I hope to achieve with this post, is to get information supporting my request to IS in the form of expert replies. I posted another question about the possibility of given exeption to a single mailbox as well this post.
I do not sleep well at night, because of my concerns about how this affects my customers.Jeff @ Hi-Def_PCs

AndyD_ [MVP]

Can you confirm that TNEFEnabled is set to $true for all remote domains?

The defualt is $null which would allow Outlook settings to take precedence.

At the very minimum, your IT dept could create exceptions for those remote domains that you identify and set their settings to the defaults.


I am sure they are aware of that, because I have sent them the documentation describing the procedure from Microsoft web pages in several of my helpdesk trouble calls. The frustration is knowing they know and yet they refuse, sighting it"s a security issue. However, I cannot locate anything that supports their claim it is. (see Mordac) My Internet searches actually point to tnef as being the potential security issue instead.
That is why I asked the question; " Is NOT using TNEF a security risk?" . My hope was to receive expert replies saying it is not a risk. That will be the ONLY way I can convince the agency director that our IS dept is full of it, so would over rule the to allow me to serve our customers.Jeff @ Hi-Def_PCs

AndyD_ [MVP]

Well, FWIW, Microsoft recommends you use HTML. I dont see how sending a message in another format other than RTF poses a security risk . For every exploit, you have probably found a similar one for RTF messages.

This sounds less about security and more about control.


AndyD, I beleive you are right about the control issue. See Sinfeld's Soup Nazi.
Just to add some more to the pile, our IS department says turning tnef off would create instability in the system. Don't light a match too close to that statement! Jeff @ Hi-Def_PCs


Per my research, there"s no official statement on “Is NOT using TNEF a security risk”. Whether “disable TNEF” will make a security breach or not

In TechNet article: “Understanding Content Conversion”, Plain text and HTML format are all listed as the available formats in the exchange product. If not use TNEF would create instability in the system, I think that other two formats won"t be as the available ones

However, your IS department may not only consider the impact (disable TNEF) on the exchange/mail solely. It"s possible that other products rely on the TNEF format messages in your organization, other customer domains reply on the TNEF format messages



To be clear, I'm asking that TNEF by turned off only for mail leaving our domain. Internal needs for TNEF would still be met. I have sent attachments to friends in security environments with their own Exchange servers to forward to the same GroupWise customers. They all arrived properly, because TNEF is not forced on. Lastly I have requested comment from the mail admins at those secure companies about their beliefs on TNEF. I"ll update this thread when they reply.

Jeff @ Hi-Def_PCs
Not open for further replies.
Thread starter Similar threads Forum Replies Date
pcunite Outlook 2019/O365 Build 13127.20408 errors when using MAPI calls Using Outlook 0
B Change Font and Font size using VBA Outlook VBA and Custom Forms 9
M Outlook 2013 reminder email by using Outlook vba Outlook VBA and Custom Forms 2
X Using Outlook 2013 and Outlook 365 Using Outlook 1
A Going to folder using shortcuts Using Outlook 3
A Outlook replies not using "delivered to" address in From Using Outlook 1
Terry Sullivan E-Mails Sent Using a Group Box Result in 70 Kickbacks Using Outlook 5
O Email not leaving Outbox when using Excel VBA to sync Outlook account Outlook VBA and Custom Forms 4
K Using Outlook 2016 to draw Using Outlook 1
O Outlook 365 - suddenly unable to send using Gmail POP3 Using Outlook 10
N Disable Auto Read Receipts sent after using Advanced Find Using Outlook 4
G Outlook 2016 sync contacts directly between phone and computer using outlook 2016 Using Outlook 0
L Moving emails with similar subject and find the timings between the emails using outlook VBA macro Outlook VBA and Custom Forms 1
O Save attachments using hotkey without changing attributes Outlook VBA and Custom Forms 1
J Add an Attachment Using an Array and Match first 17 Letters to Matching Template .oft to Send eMail Outlook VBA and Custom Forms 2
A Edit subject - and change conversationTopic - using VBA and redemption Outlook VBA and Custom Forms 2
A Using or not using apostrophes in search terms has this changed? Using Outlook 0
O Office 365 using POP3 on both laptop and desktop Using Outlook 0
M Using field names to capture a data element Using Outlook 0
B Vba to monitor time to respond to emails using a shared mailbox Outlook VBA and Custom Forms 5
B Looking to get the Recipient email address (or even the "friendly name") from an email I am replying to using VBA Outlook VBA and Custom Forms 4
D Using a VBA Custom Form to Send Reoccurring Email Upon Task Completion Outlook VBA and Custom Forms 4
Z Adding dropdown list using custom form Outlook VBA and Custom Forms 7
O Using .OST and .PST mail thru different providers Using Outlook 5
N Open & Save VBAProject.Otm using VBA Code Outlook VBA and Custom Forms 1
D Remove text in subject using VBA Outlook VBA and Custom Forms 4
P How to export voting results using VBA? Outlook VBA and Custom Forms 2
E Using the Like operator properly Outlook VBA and Custom Forms 1
R Using "check for duplicates" for existing contacts Using Outlook 2
S Find a cell value in excel using outlook vba Using Outlook 1
N Using email notification to update calendar events? Outlook VBA and Custom Forms 4
S Macro using .SendUsingAccount only works the first time, after starting Outlook Outlook VBA and Custom Forms 4
C Sync Calendars using WiFI Using Outlook 3
A Capturing Send Variables without using Application_ItemSend in ThisOutlookSession Outlook VBA and Custom Forms 8
L Using alpha numeric in email address Using Outlook 5
Sabastian Samuel HOW DO I FORWARD AN EMAIL WITH MACRO using an email that in the body of another email Outlook VBA and Custom Forms 3
D create an html table in outlook custom form 2010 using vba in MsAccess Outlook VBA and Custom Forms 7
D Print Attachments only in selected emails using a macro Outlook VBA and Custom Forms 3
B query outlook using vba Outlook VBA and Custom Forms 13
M Using conditional formatting on a shared calendar with categories Using Outlook 6
e_a_g_l_e_p_i A question about installing office 2013 Pro and using my .pst from office 2010 Using Outlook 12
A Forward Outlook Email by Filtering using Macro Rule Outlook VBA and Custom Forms 44
O How to paste website content using a specific font and removing URLs Using Outlook 2
P Replying to calendar item using VBA Outlook VBA and Custom Forms 4
N Export details to a excel spreadsheet using macros Using Outlook 0
R Toggle the Reading Pane using Keyboard Shortcut Using Outlook 0
S Error using AddressEntry.GetContact - need help Outlook VBA and Custom Forms 2
H Change Default Email Account Using VBA Outlook VBA and Custom Forms 5
S Outlook [Online - Office365] perfomance is getting affected when accessing the mails using Redemptio Using Outlook 1
M Using Outlook with Yahoo email Using Outlook 6
Similar threads