Symantec Encryption Management Server does not distinguish between Active Directory accounts that are mail-enabled and mail-disabled.

This can result in some unexpected effects. For example, in the following scenario SEMS will attempt to send an encrypted message to all users in a mail-disabled Security Group even though the message was intended for only one recipient:

1. Active Directory contains mail-enabled user accounts named User1, User2 and User3 with email addresses of [email protected], [email protected] and [email protected].
2. User1 and User3 exist in SEMS but User2 does not.
3. A mail-disabled Security Group named Group1 exists in Active Directory which also has the value [email protected] in its E-mail field.
4. Group1 has User1 and User2 as members.
5. SEMS is configured to send encrypted mail to managed domains (the default rule No Encryption for Regular Internal Users is disabled).
6. User3 sends an encrypted message to User1 using Encryption Desktop.
7. SEMS attempts to send the message to the members of Group1, ie, User1 and User2.
8. The message fails to be sent because User2 does not exist in SEMS.
9. Note that if User2 did exist in SEMS, the message would be sent to User1 and User2, even though it was not intended for User2.

If Encryption Desktop has debug logging enabled then entries similar to the following will be seen in the log.  Observe that the mail-disabled Security Group is treated as a mail-enabled Distribution Group:

DE 10:48:17 MAPI Proxy: evaluating rule Expand Mailing Lists: match

DE 10:48:17 MAPI Proxy: Expanding distribution list [email protected]

DE 10:48:17 Received getinfoforaddress request

DE 10:48:17 >> sSoapContextForThread

DE 10:48:17 << sSoapContextForThread, context already created

DE 10:48:17 Plugin: sending response body, 50 bytes

DE 10:48:17 Plugin: sent body, header err = 0

DE 10:48:17 MAPI Proxy: Distribution list [email protected] contains 2 addresses

DE 10:48:17 MAPI Proxy: [0] [email protected]

DE 10:48:17 MAPI Proxy: [1] [email protected]

One of the properties of an Active Directory account is the E-mail field. In Active Directory 2003 this appears in the General tab of the account properties. For accounts that are mail-disabled, you can enter nearly any value into this field, including the email address of a mail-enabled Active Directory user. Active Directory 2003 issues a warning if you enter the email address of an existing account but does not prevent you from entering the duplicate email address.

This means that you can have duplicate email addresses in Active Directory and because SEMS does not distinguish between mail-enabled and mail-disabled Active Directory accounts, unpredictable effects can occur.

SEMS is working as designed. Email addresses in Active Directory have to be unique and must not be duplicated.

Therefore, ensure that the E-mail field of Active Directory mail-disabled Security Groups and other mail-disabled Active Directory accounts do not contain identical email addresses to those of mail-enabled Active Directory accounts. This can be accomplished either by deleting such email addresses or renaming them.  For example, you could rename the email address of a mail-disabled Security Group from [email protected] to -[email protected]-.

Applies To

Active Directory 2003 (other versions are probably affected).

Symantec Encryption Management Server 3.x with Directory Synchronization enabled.

PGP Universal Server 3.x with Directory Synchronization enabled.