Troubleshooting: Mailflow with PGP Encryption Server.

Article ID: 153426

Products

Encryption Management Server, Gateway Email Encryption, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, Desktop Email Encryption, Drive Encryption, Endpoint Encryption, File Share Encryption, PGP Command Line, PGP SDK

Issue/Introduction

This article describes general troubleshooting steps for PGP Messaging (mail flow) in an environment that uses the PGP Encryption Server (formerly Symantec Encryption Management Server, abbreviated SEMS below).

Resolution

Your first stop is the mail logs. They record what happened to each message that passed through the server: mail proxy activity, key lookups, the mail policy that matched, and the resulting action (encrypt, sign, decrypt, pass through, bounce). For most of the scenarios below, the log entry for the affected message tells you which step to look at.

To view the mail logs:

  1. Access the PGP Encryption Server administrative interface.
  2. Click the Reporting card and select the Logs tab.
  3. If not already selected, click the drop-down arrow and select Mail. The Mail logs are displayed.

 

Common issues that you may face:

Scenario 1: The Mail Queue fills up

  1. Check the server's mail queue for the reason the messages are queued.
  2. If you use external keyservers (including the global directory, keyserver.pgp.com) for key searches, make sure your firewall allows the server to reach them on port 389 (LDAP) or port 636 (LDAPS). A key lookup that cannot complete keeps the message in the queue.

To view the Mail Queue:

  1. Access the Symantec Encryption Management Server administrative interface.
  2. Click the Mail tab and select the Mail Queue tab.

You can click an individual queued message to get hints as to why it was queued. Because SEMS is a proxy, a client connecting to port 25 on SEMS is only the first step; SEMS must then connect to the next hop on the same port. Until SEMS can connect to that next hop outbound, the messages will not leave the queue.
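The two connectivity checks implied above (SEMS to its next hop on port 25, and SEMS to each keyserver on 389 or 636) are easy to forget when the queue is growing. The script below is an added example, not code from this article or from the product. It assumes hypothetical hostnames (sems.example.com for the proxy, mta.example.com for its next hop); keyserver.pgp.com is the global directory named above. Run it from a host in the same network position as SEMS, since the firewall rules that matter are the ones that apply to the server's own outbound connections.

```python
"""Connectivity probes for a PGP Encryption Server (SEMS) mail proxy chain.

Added example for this KB article; not part of the article or the product.
Hostnames sems.example.com and mta.example.com are assumed. The probe only
opens a TCP connection; it does not speak SMTP or LDAP.
"""
import socket
from urllib.parse import urlsplit

# Default ports for the two keyserver URL schemes the server accepts.
LDAP_DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def keyserver_endpoint(url):
    """Map a keyserver URL to (host, port): ldap:// -> 389, ldaps:// -> 636 unless a port is given."""
    parts = urlsplit(url)
    if parts.scheme not in LDAP_DEFAULT_PORTS:
        raise ValueError(f"unsupported keyserver scheme: {url}")
    return parts.hostname, parts.port or LDAP_DEFAULT_PORTS[parts.scheme]


def planned_checks(sems_host, next_hop, keyservers):
    """Every connection a queued outbound message depends on, in the order it is traversed."""
    checks = [
        ("client -> SEMS", sems_host, 25),
        ("SEMS -> next hop", next_hop, 25),
    ]
    for url in keyservers:
        host, port = keyserver_endpoint(url)
        checks.append((f"SEMS -> keyserver {url}", host, port))
    return checks


def probe_tcp(host, port, timeout=5.0):
    """Return True if a TCP connection to host:port succeeds within timeout, False otherwise."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(checks, timeout=5.0):
    """Probe every (label, host, port) tuple and return {label: reachable}."""
    return {label: probe_tcp(host, port, timeout) for label, host, port in checks}


if __name__ == "__main__":
    # Hostnames below are assumed for the example.
    checks = planned_checks(
        "sems.example.com",
        "mta.example.com",
        ["ldap://keyserver.pgp.com", "ldaps://keyserver.pgp.com"],
    )
    for label, ok in run_checks(checks).items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}")
```

A FAIL on "SEMS -> next hop" matches the queue symptom described above; a FAIL on a keyserver line points at the firewall rule for 389/636 rather than at mail routing.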

 

 

Scenario 2: Mail is not encrypted, or not processed at all

  1. Confirm that Learn Mode is disabled on the server. In Learn Mode the server logs the action it would have taken but does not encrypt or sign messages. Learn Mode is configured by clicking the Mail Processing Settings button on the Mail -> Proxies tab.
  2. Verify that you have a valid license for the PGP Encryption Server that includes Mail Proxies.
  3. If messages are processed but not as expected, examine the Mail Policy and its rules. Click the Policy card and select the Mail Policy tab. Confirm that the policy which matched the message (the mail log shows this) is the one that should have matched. If not, work out why the earlier policies in the chain did not match.
  4. If there are no log events at all, check whether mail is being routed through the server in the first place. Check the settings on the Mail -> Mail Routes tab on the server.

 

Scenario 3: Mail Looping

  1. Check whether a mail proxy or mail route you have entered could cause a message to loop: the other gateway may itself be configured to send messages back to this server under specific conditions.

Mail looping is frequently encountered with a unified proxy (a single interface) when the incoming hop is the same host as the outgoing hop. Consider the outbound example:

 

MTA --> SEMS --> MTA --> Internet

If the MTA is 192.167.1.100 and that same address both sends to the PGP Encryption Server and receives what the PGP Encryption Server sends outbound, the MTA needs logic to recognise that a message coming back from the PGP Encryption Server is destined for outbound delivery and must not be sent to the PGP Encryption Server again.

 

The same layout can also cause directional problems, where an inbound message is actually delivered to the outbound proxy. In these situations it is sometimes necessary to give the PGP Encryption Server two interfaces and create one proxy for inbound and one for outbound (different IP addresses on SEMS), so that the MTA can tell exactly which interface to send inbound mail to and which to send outbound mail to.
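The loop, the single-interface fix and the two-interface layout above can be walked through with a small simulation. This is an added example, not code from the article or the product. It uses the article's MTA address, 192.167.1.100; the SEMS interface addresses are assumed, and the "source-aware" MTA rule is deliberately minimal (it decides on source IP alone) so that the directional problem of a single interface shows up as well.

```python
"""Mail-loop simulation for the unified-proxy layout in Scenario 3.

Added example for this KB article; not part of the article or the product.
MTA address is the article's; SEMS interface addresses are assumed. Each hop
is a small routing function, and a message that keeps bouncing between the
MTA and SEMS is reported as a loop.
"""

MTA_IP = "192.167.1.100"
SEMS_IP = "192.167.1.50"       # assumed: single (unified proxy) interface
SEMS_IN_IP = "192.167.1.51"    # assumed: inbound-proxy interface
SEMS_OUT_IP = "192.167.1.52"   # assumed: outbound-proxy interface
CLIENT, INTERNET, MAILBOX = "client", "internet", "mailbox"
TERMINALS = {INTERNET, MAILBOX}
MAX_HOPS = 8                   # after this many hops we call it a loop


def mta_naive(msg):
    """Broken MTA: everything it receives goes to SEMS, including what SEMS just handed back."""
    return SEMS_IP


def mta_source_aware(msg):
    """Single-interface fix: mail arriving from SEMS has been processed, so it leaves for the Internet."""
    return INTERNET if msg["from_ip"] == SEMS_IP else SEMS_IP


def mta_two_interfaces(msg):
    """Two-interface layout: the SEMS interface the mail came from tells the MTA its direction."""
    routes = {CLIENT: SEMS_OUT_IP, SEMS_OUT_IP: INTERNET,
              INTERNET: SEMS_IN_IP, SEMS_IN_IP: MAILBOX}
    return routes[msg["from_ip"]]


def sems(msg):
    """SEMS applies mail policy (encrypt, sign or decrypt) and relays to its next hop, the MTA."""
    msg["processed"] += 1
    return MTA_IP


def deliver(mta_policy, origin=CLIENT):
    """Walk one message through the hops.

    Returns (delivered, hops, final_destination, times_processed_by_sems);
    delivered is False when MAX_HOPS is exceeded, i.e. the message looped.
    """
    msg = {"from_ip": origin, "processed": 0}
    hops, current = [], MTA_IP        # both clients and the Internet hit the MTA first
    while current not in TERMINALS:
        if len(hops) >= MAX_HOPS:
            return False, hops, None, msg["processed"]
        hops.append(current)
        handler = mta_policy if current == MTA_IP else sems
        next_hop = handler(msg)
        msg["from_ip"] = current
        current = next_hop
    return True, hops, current, msg["processed"]


if __name__ == "__main__":
    policies = [("naive", mta_naive), ("source-aware", mta_source_aware),
                ("two interfaces", mta_two_interfaces)]
    for name, policy in policies:
        for origin in (CLIENT, INTERNET):
            ok, hops, dest, n = deliver(policy, origin)
            print(f"{name:15} {origin:9} -> {('LOOP' if not ok else dest):9} "
                  f"hops={len(hops)} processed={n}")
```

With the naive MTA every message loops and SEMS processes it repeatedly (the queue from Scenario 1 is a typical symptom). The source-aware rule fixes outbound mail but sends inbound mail from the Internet back out, which is the directional problem described above; only the two-interface layout routes both directions correctly on source address alone.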

 

Scenario 4: The mail logs do not show the expected traffic

There may be situations where you send email outbound and it is not processed properly. When reviewing such issues, note every IP address involved and the hostname associated with each.

Then, once the message arrives at the recipient, check its mail headers to see whether it was processed by the PGP server. If there is a Received header naming the PGP server, note the FQDN in it and confirm that it corresponds to the IP address the server should be using.

Checking that the DNS entries for these names resolve correctly is also useful.

Be careful if you are resolving hostnames through a hosts file: a static entry can make it look as though DNS is misconfigured when it is not.
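The header and hosts-file checks above are the kind of thing that is worth scripting once. The block below is an added example, not code from the article or the product. The message headers and hosts-file lines are constructed for the demonstration and all hostnames and addresses in them are assumed; only the Received header syntax is real. It pulls every Received hop out of a message, finds the hop in which the PGP server handed the message on, compares the address recorded there with the address the server is expected to use, and separately reports any static hosts-file entry for the server's name.

```python
"""Checking whether an outbound message passed through the PGP Encryption Server (Scenario 4).

Added example for this KB article; not part of the article or the product.
Sample headers and hosts-file text are constructed; hostnames and addresses
are assumed.
"""
import re

# Constructed sample: headers of an outbound message as seen at the recipient,
# newest Received line first. The PGP server here is sems.example.net.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbound.recipient.example (Postfix) with ESMTPS id 4XyQ2k1; Tue, 1 Jan 2019 10:00:03 +0000
Received: from sems.example.net (sems.example.net [192.167.1.50])
\tby mx.example.net (Postfix) with ESMTP id 8ZkT7m2; Tue, 1 Jan 2019 10:00:02 +0000
Received: from mx.example.net (mx.example.net [192.167.1.100])
\tby sems.example.net with SMTP; Tue, 1 Jan 2019 10:00:01 +0000
From: alice@example.net
To: bob@recipient.example
Subject: test
"""

# Constructed sample hosts file with a stale override for the PGP server.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# static override left over from testing; DNS may say something else
192.167.1.51  sems.example.net sems
"""

# "Received: from <helo> (<reverse-dns> [<ip>]) by <host> ..." after unfolding.
RECEIVED_RE = re.compile(
    r"^Received: from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[^\]]+)\]\)\s+by (?P<by>\S+)",
    re.MULTILINE,
)


def unfold(headers):
    """Join folded continuation lines (leading space or tab) onto their header line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def received_hops(headers):
    """All Received hops as dicts, in header order (most recent hop first)."""
    return [m.groupdict() for m in RECEIVED_RE.finditer(unfold(headers))]


def pgp_hop(headers, pgp_fqdn):
    """The hop in which the PGP server handed the message on, or None if it never touched it."""
    wanted = pgp_fqdn.lower()
    for hop in received_hops(headers):
        if wanted in (hop["rdns"].lower(), hop["helo"].lower()):
            return hop
    return None


def check_pgp_path(headers, pgp_fqdn, expected_ip):
    """Return (status, ip_seen): 'missing', 'ip-mismatch' or 'ok'."""
    hop = pgp_hop(headers, pgp_fqdn)
    if hop is None:
        return "missing", None
    if hop["ip"] != expected_ip:
        return "ip-mismatch", hop["ip"]
    return "ok", hop["ip"]


def hosts_file_entries(hosts_text, name):
    """Static addresses a hosts file assigns to name; a non-empty result means DNS is bypassed."""
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name.lower() in (n.lower() for n in fields[1:]):
            found.append(fields[0])
    return found


if __name__ == "__main__":
    print(check_pgp_path(SAMPLE_HEADERS, "sems.example.net", "192.167.1.50"))
    print(hosts_file_entries(SAMPLE_HOSTS, "sems.example.net"))
```

Note that name resolution through the operating system (ping, getent, Python's gethostbyname) consults the hosts file before DNS on most systems, so a static entry silently wins; to see what DNS itself returns, query the resolver directly with dig or nslookup.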

 

 

 

Scenario 5: Enrollment Messages

  1. If client enrollment via email fails because the client never receives the enrollment message, check the mail route on the Mail -> Mail Routes tab on the server. A mail server that is able to deliver messages to your clients must be specified for your domain.

 

If you are still running into any issues, reach out to Broadcom Encryption Support for further guidance.

 

Note: The PGP server can be configured not to attempt validation of S/MIME-signed emails. If this is needed, reach out to Broadcom Encryption Support for further guidance.

Applies To

PGP Encryption Server 10.x and above

 

Additional Information