Troubleshooting: Mailflow with Symantec Encryption Management Server (PGP Server)

Article ID: 153426


Products

Encryption Management Server, Gateway Email Encryption, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, Desktop Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption, PGP Command Line, PGP SDK

Issue/Introduction

This article shows some general troubleshooting steps with PGP Messaging in an environment with the Symantec Encryption Management Server (SEMS).

Resolution

Your first stop is the mail logs. They display information about email messages for clients, including mail proxy activity, key lookups, policy matching and the resulting actions. They may also help with some common issues.

To view the mail logs:

  1. Access the PGP Universal Server administrative interface.
  2. Click the Reporting card and select the Logs tab.
  3. If not already selected, click the drop down arrow and select Mail. The Mail logs are displayed.

 

Common issues that you may face:

Scenario 1: Mail Queue gets filled:

  1. Check the server mail queue for possible reasons a message is queued.
  2. If you are using external keyservers (including the global directory keyserver.pgp.com) for key searches, make sure your firewall allows you to contact them on port 389 (LDAP) or port 636 (LDAPS).

To view the Mail Queue:

  1. Access the Symantec Encryption Management Server administrative interface.
  2. Click the Mail tab and select the Mail Queue tab.

You can click on individual queued messages to get hints as to why the email may have queued. Since SEMS is a proxy server, connecting to port 25 on SEMS outbound is one step, but the next step is for SEMS to connect to the next hop on the same port. Until SEMS can connect to the next hop outbound, the emails will not send.

 

 

Scenario 2: Mail does not get encrypted or processed at all:

  1. Confirm that the Learn Mode is disabled on the server. Learn Mode is configured by clicking the Mail Processing Settings button on the Mail -> Proxies tab.
  2. Verify you have a valid license for the Symantec Encryption Management Server that includes Mail Proxies.
  3. Examine Mail Policy and rules on the server if messages are processed but not as expected. Click the Policy card and select the Mail Policy tab. Confirm the Mail Policy that matched the message (see the logs for this) is the one that should have matched. If not, try to find out why previous policies did not match.
  4. In case there are no log events at all, check whether mail is being routed through the Symantec Encryption Management Server. Check the settings on the Mail -> Mail Routes tab on the server.

 

Scenario 3: Mail Looping

  1. Check whether your mail proxies could cause a message to loop between a proxy or route that you entered and another gateway, and whether that other gateway is set to send messages to this server under specific conditions.

Mail looping is frequently encountered when you have a unified proxy (using one interface) and the incoming hop is the same as the outgoing hop. Consider the example for outbound:

 

MTA --> SEMS --> MTA --> Internet

If the MTA is 192.167.1.100 and the same IP both sends to SEMS and receives outbound mail from SEMS, the MTA needs logic to recognize that the message is destined for outbound delivery and must not be sent back to SEMS.

 

The same sort of scenario can sometimes cause directional email issues where an inbound email is actually going to the outbound proxy.  It is sometimes necessary in these situations to have 2 interfaces on SEMS and create a proxy for inbound and a proxy for outbound (different IP addresses for SEMS) so that the MTA can then distinguish exactly which interface to send to for inbound and which to send for outbound.

 

Scenario 4: Email Logs are not showing proper traffic

There may be situations where you are sending email outbound and the email is not processing properly.  When reviewing these types of issues, make note of all the IP addresses and the hostnames associated to those IP addresses.

Then when the message is sent outbound, once the email arrives, check the mail headers to see if the message was processed by the PGP server.  If it does have a header for the PGP server, make note of the FQDN associated to it and make sure it lines up with the IP address that should be used.

Checking DNS entries to make sure these are resolving properly is also useful.

Be careful if you are resolving hostnames using hosts files. These can mislead you into thinking DNS is not configured properly when it is.
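The header checks from Scenarios 3 and 4, as an added example (not part of the original article and not Symantec tooling): it parses the Received headers of a constructed message, counts passes through SEMS to flag a possible loop, and compares each hostname/IP pair with an expected inventory. The hostnames, the SEMS address and the Postfix-style Received layout are assumptions; only 192.167.1.100 comes from the article.

```python
import email
import re

# Constructed inventory (assumption): each hostname and the IP it should use.
# 192.167.1.100 is the MTA address from the article; the rest is made up.
EXPECTED = {"mta.example.com": "192.167.1.100", "sems.example.com": "192.167.1.50"}
SEMS_HOST = "sems.example.com"  # hypothetical FQDN of the SEMS proxy

# Constructed outbound message as the recipient sees it (newest header first),
# following the article's path: MTA --> SEMS --> MTA --> Internet.
SAMPLE = (
    "Received: from mta.example.com (mta.example.com [192.167.1.100])\n"
    "\tby mx.partner.example with ESMTP; Tue, 02 Jan 2024 10:00:03 +0000\n"
    "Received: from sems.example.com (sems.example.com [192.167.1.50])\n"
    "\tby mta.example.com with ESMTP; Tue, 02 Jan 2024 10:00:02 +0000\n"
    "Received: from mta.example.com (mta.example.com [192.167.1.100])\n"
    "\tby sems.example.com with ESMTP; Tue, 02 Jan 2024 10:00:01 +0000\n"
    "From: alice@example.com\nTo: bob@partner.example\nSubject: test\n\nbody\n"
)

# Assumed Postfix-style layout: from HOST (rdns [ip]) by HOST ...
HOP = re.compile(r"from\s+(\S+)\s+\(.*?\[([0-9A-Fa-f.:]+)\]\).*?\bby\s+(\S+)", re.S)

def hops(raw):
    """Return (from_host, from_ip, by_host) tuples, oldest hop first."""
    msg = email.message_from_string(raw)
    found = [HOP.search(h) for h in msg.get_all("Received", [])]
    return [m.groups() for m in reversed(found) if m]

def report(raw):
    """Summarise SEMS processing, loop suspicion and hostname/IP mismatches."""
    path = hops(raw)
    # With a unified proxy the MTA legitimately shows up before and after SEMS,
    # so the loop signal is SEMS accepting the same message more than once.
    passes = sum(1 for _, _, by in path if by == SEMS_HOST)
    bad = [(h, ip, EXPECTED[h]) for h, ip, _ in path
           if h in EXPECTED and EXPECTED[h] != ip]
    return {"processed_by_sems": passes >= 1, "sems_passes": passes,
            "loop_suspected": passes > 1, "mismatches": bad}

if __name__ == "__main__":
    print(report(SAMPLE))
```

A mismatch entry lists the hostname, the IP seen in the header and the IP the inventory expected, which is the pair to compare against DNS and any hosts-file entries.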

 

 

 

Scenario 5: Enrollment Messages

  1. If client enrollment via email fails because the client does not receive any message, check the mail route on the Mail -> Mail Routes tab on the server. A server that is able to send messages to your clients must be specified for your domain.

 

If you are still running into any issues, reach out to Symantec Encryption Support for further guidance.

 

Note: The PGP Server can be configured not to attempt validation of S/MIME-signed emails. If this is needed, reach out to Symantec Encryption Support for further guidance.

Applies To

Symantec Encryption Management Server (formerly known as PGP Universal Server)

 

Additional Information

153426 - Troubleshooting: Mailflow with Symantec Encryption Management Server (PGP Server)

150133 - Header and body flags that indicate PGP encrypted email for SPAM filter and mail server configuration

180151 - HOW TO: Create Policy Chains to Set Mail Policy in PGP Server (Symantec Encryption Management Server)

181072 - Configuring Mail Proxies with the PGP Server (Symantec Encryption Management Server)

156100 - Emails going to exception chain on the PGP Server (Symantec Encryption Management Server)