Symantec Encryption Desktop (PGP Desktop) can automatically encrypt and decrypt email using the PGP Messaging service.
This messaging service will process mail in one of two ways:
Method 1: Proxy of POP/IMAP/SMTP (PGPlsp.dll)
When using Method 1, the proxy should automatically detect the email account configured in the mail client, such as Outlook or Thunderbird. Because the PGP Messaging service acts as a proxy, it detects encrypted content as mail is downloaded to the mail client and decrypts it on the fly. The result is a decrypted email that will remain decrypted on the mail client. IMAP is typically recommended when using the proxy.
Method 2: MAPI Hook (PGPMapih.dll)
When using Method 2, a DLL handles encryption and decryption operations automatically. This method supports only Exchange with Outlook, as our driver is hard coded to "hook" into the Outlook operations to "render" emails decrypted. If PGP Desktop is not available, the emails remain encrypted until they are decrypted, at which time they are "rendered" decrypted so you can see the message automatically. For encryption, the message is encrypted before it is sent.
When you first install PGP Desktop (Symantec Encryption Desktop) and reboot, one of two things can happen when you launch the email client, depending on which of the methods mentioned in the Introduction of this article is in use.
If you are using Method 1, for POP/IMAP/SMTP, our proxy service will automatically detect your email account. For this to work, SSL/TLS must be disabled in the email client. Before doing anything, confirm that email sends correctly without PGP Desktop installed. Once this is confirmed, install PGP Desktop, then disable SSL/TLS for the accounts in Outlook. PGP Desktop will "proxy" TLS for the emails automatically.
Use the following steps to troubleshoot PGP Messaging:
If you are using Method 2, or MAPI, this means you are using Outlook with Microsoft Exchange. In this method, our DLL should be invoked automatically, so that when you send a new email, the driver automatically encrypts the message.
If you have any security software that could block either of the two messaging DLLs above, allow them so that automatic email encryption and decryption can work properly.
For both of these files, add the following exclusions:
In addition to the above DLLs that are used specifically for messaging, see the following article for other exclusions you may need to add to ensure security software does not block the encryption services:
For this scenario, we typically recommend approving each pop-up; eventually these will stop. This pop-up happens for POP/IMAP configurations and will appear for each mailserver the PGP proxy service detects. For example, the mailserver FQDN may be "mail.example.com", but the DNS records may point to three different mailservers. You may get three different pop-ups for this.
For Gmail, there are infinite mailservers, so you may just need to keep approving. Check the Additional Information section of this article for information on how to configure Gmail with PGP.
For more information on how to configure Gmail with the PGP messaging service, see the following article:
191087 - How to configure Symantec Encryption Desktop to automatically encrypt Gmail in Outlook
For this scenario, quit the PGP services, and then delete the "PGPprefs.xml" and "PGPpolicy.xml" files in %appdata%\PGP Corporation\PGP.
Relaunch the software and go through the setup again. For further assistance on this, contact Symantec Encryption Support.
Scenario 4: Message Appears: Unable to Secure Messages
A pop-up appears stating "Encryption Desktop is unable to secure your messages because PGP Services are not running."
It is best to choose "Secure Messages" to be able to send encrypted email. Choose "Allow Unsecured messages" if you don't want to encrypt any emails.
If you want to block emails, you can choose the "Prohibit" option.
Disabling the PGP Plug-ins for Outlook
If you would like to disable the PGP Plug-ins in Outlook, click the padlock icon by the clock, then go to Options:
Once you're in Options, click on Messaging, and then uncheck the box "Enable PGP encrypt and sign buttons in Outlook".
Sometimes disabling the plug-ins is a good troubleshooting step to see if there are any conflicts going on.
If you have a PGP Server, you can go into the Consumer Policy, and uncheck the option for plug-ins:
In addition to these, if you open Outlook and click on Add-ins, you can see the plug-ins that are loaded. Once you uncheck them, ensure they are no longer loaded:
If you have a sender using GPG and PGP Desktop Email Encryption is not decrypting these messages, check Outlook to see which file types are received.
You may receive .txt attachments that are not being recognized by the PGP Desktop software:
Item 1: Exit the PGP Services, close Outlook and re-open Outlook (don't re-open PGP Desktop) and click on the encrypted message to see which file attachments you are seeing:
If you see a .dat file, make a note of it; this may mean the message was encoded using TNEF, which may be part of this issue.
If you are seeing the above attachment, it is likely that PGP Desktop is not recognizing the encrypted content.
Check with the Sender and see if it is possible to switch the "Rich Text" format to "Convert to HTML format":
(Open Outlook, go to Options, and click on the Mail category)
Once the setting to "Convert to HTML format" is selected, and Outlook is re-launched, then re-launch PGP Desktop and re-test.
Item 2: If that is still not working, and you have an Exchange Server, check on the mailserver system to see if "TNEFEnabled" is Enabled.
If it is, see if it is possible to disable it and have the sender resend the encrypted message:
Ensure "TNEFEnabled" is set to blank or false:
This will allow for better compatibility between the two applications. If this is enabled, you may end up with a "winmail.dat" file or "Untitled attachment 00001.dat" or similar and this may be causing some decryption issues.
Disabling TNEF may reduce some Exchange functionality, such as "Voting" buttons, so discuss this setting with the mail team. The above setting applies only to email within the same domain.
TNEFEnabled should not be used when sending outside of the domain; this can cause other interoperability issues, not just with PGP.
Evidence of this is the winmail.dat, which contains information that only Outlook understands. Not all outside entities use Outlook, so disabling it will prevent these types of issues.
At a very minimum, test disabling this to ensure the recipient does not end up with a .dat file, which appears to cause these issues.
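To confirm whether a received message shows the .dat/TNEF symptom described above without relying on how Outlook renders it, the following added example (not part of the original article or of the product's tooling) classifies each MIME part of a saved message. The sample messages, the file name encrypted.txt and the function names are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

TNEF_MAGIC = bytes.fromhex("789f3e22")  # TNEF signature 0x223E9F78, little-endian
PGP_ARMOR = b"-----BEGIN PGP MESSAGE-----"

def classify_parts(raw: bytes):
    """Return (kind, content_type, filename) for every leaf MIME part."""
    out = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        name = part.get_filename() or ""
        body = part.get_payload(decode=True) or b""
        # A renamed .dat may lose its MIME type, so also check the signature.
        if ctype == "application/ms-tnef" or body.startswith(TNEF_MAGIC):
            kind = "tnef"
        elif PGP_ARMOR in body:
            kind = "pgp-attachment" if name else "pgp-inline"
        else:
            kind = "other"
        out.append((kind, ctype, name))
    return out

def diagnose(raw: bytes) -> str:
    """TNEF wrapping takes priority: it is the case the article ties to failed decryption."""
    kinds = {kind for kind, _, _ in classify_parts(raw)}
    for wanted in ("tnef", "pgp-attachment", "pgp-inline"):
        if wanted in kinds:
            return wanted
    return "none"

def build_sample(attachments=(), text="See attachment."):
    """Build a constructed test message (not a real capture)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "recipient@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    for data, subtype, filename in attachments:
        msg.add_attachment(data, maintype="application", subtype=subtype, filename=filename)
    return msg.as_bytes()

# Constructed inputs: placeholder armor text, and a TNEF signature followed by padding.
ARMORED = PGP_ARMOR + b"\n\n(constructed placeholder)\n-----END PGP MESSAGE-----\n"
TNEF_BY_TYPE = build_sample([(TNEF_MAGIC + b"\x00" * 4, "ms-tnef", "winmail.dat")])
TNEF_BY_MAGIC = build_sample([(TNEF_MAGIC + b"\x00" * 4, "octet-stream", "Untitled attachment 00001.dat")])
GPG_TXT = build_sample([(ARMORED, "octet-stream", "encrypted.txt")])
INLINE = build_sample(text=ARMORED.decode())
```

Run `diagnose()` on the raw bytes of a message saved from the recipient's mailbox; a result of `tnef` after the sender has changed their settings means the message is still being wrapped before it reaches PGP Desktop.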
The following knowledge base article from Microsoft details how to verify your Outlook and Exchange configuration to prevent this from happening:
If you are still having issues after adjusting the settings when sending from GPG to PGP, check the settings within GPG for the following option:
Make sure to not attach any files to the email, and send only text within the email to confirm decryption is working.
Then reach out to Symantec Encryption Support with the results of the above tests to help improve interoperability between the two products.
See also the following articles related to .dat files and encryption:
163281 - PGP Server cannot decrypt an attachment attached to a Rich Text Format message (Symantec Encryption Management Server)
155940 - Unable to Decrypt with PGP Desktop - Email messages and attachments are converted to winmail.dat files