Key searches fail in Encryption Management Server

Article ID: 161904

Products

Encryption Management Server

Issue/Introduction

Encryption Management Server 3.3.2 MP8 introduced a new configuration option designed to prevent the harvesting of email addresses by searching the keyserver for partial email addresses using wildcards.

However, in release 3.3.2 MP8, enabling this configuration option causes all key searches by email address to fail. This includes the key search that Encryption Management Server carries out by default on ldap://keys.$ADDRESS_DOMAIN:389, where $ADDRESS_DOMAIN is the email domain of the recipient, e.g., ldap://keys.example.com:389.

When an LDAP key search fails, the Mail log contains entries like the following in debug mode. Each failed search results in a negative cache entry being added for that key:
2015/04/23 11:04:48 +01:00  DEBUG  pgp/messaging[17441]:       SMTP-00001: Looking for key(s) on LDAP PGP keyserver keys.example.com:389
2015/04/23 11:04:48 +01:00  DEBUG  pgp/messaging[17441]:       SMTP-00001: Adding negative cache entry for key <[email protected]> [keys.example.com]
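As an added example (not part of the article): a small Python script that scans Mail log debug lines in the format shown above and reports each LDAP key search that ended in a negative cache entry, so an administrator can confirm from the log whether lookups by full email address are failing. The log lines embedded in it are constructed samples; any message text other than the two forms quoted above is a placeholder.

```python
import re
from collections import defaultdict

# One Mail log debug line, in the layout shown in the article:
#   <date> <time> <tz>  DEBUG  pgp/messaging[<pid>]:  SMTP-<id>: <message>
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2})\s+"
    r"(?P<level>\w+)\s+(?P<component>[\w/]+)\[(?P<pid>\d+)\]:\s+"
    r"(?P<session>SMTP-\d+):\s+(?P<msg>.*)$"
)
LOOKUP_RE = re.compile(r"Looking for key\(s\) on LDAP PGP keyserver (?P<server>\S+)")
NEGCACHE_RE = re.compile(
    r"Adding negative cache entry for key <(?P<key>[^>]+)> \[(?P<server>[^\]]+)\]"
)

def parse_line(line):
    """Split a Mail log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def failed_ldap_lookups(lines):
    """Return (session, key, server) for each LDAP search followed by a negative cache entry."""
    pending = defaultdict(list)   # session -> LDAP servers queried but not yet resolved
    failures = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        m = LOOKUP_RE.search(rec["msg"])
        if m:
            pending[rec["session"]].append(m.group("server"))
            continue
        m = NEGCACHE_RE.search(rec["msg"])
        if m:
            host = m.group("server")
            # The lookup line carries "host:port", the negative cache line only the host.
            queried = [s for s in pending[rec["session"]] if s.split(":")[0] == host]
            if queried:
                failures.append((rec["session"], m.group("key"), queried[0]))
                pending[rec["session"]].remove(queried[0])
    return failures

# Constructed sample lines (not real log data); SMTP-00002's last message is a placeholder.
SAMPLE_LOG = [
    "2015/04/23 11:04:48 +01:00  DEBUG  pgp/messaging[17441]:       SMTP-00001: Looking for key(s) on LDAP PGP keyserver keys.example.com:389",
    "2015/04/23 11:04:48 +01:00  DEBUG  pgp/messaging[17441]:       SMTP-00001: Adding negative cache entry for key <alice@example.com> [keys.example.com]",
    "2015/04/23 11:05:02 +01:00  DEBUG  pgp/messaging[17441]:       SMTP-00002: Looking for key(s) on LDAP PGP keyserver keys.example.net:389",
    "2015/04/23 11:05:02 +01:00  DEBUG  pgp/messaging[17441]:       SMTP-00002: (placeholder: lookup succeeded, no negative cache entry)",
    "unrelated line that is not in Mail log format",
]

if __name__ == "__main__":
    for session, key, server in failed_ldap_lookups(SAMPLE_LOG):
        print(f"{session}: LDAP lookup of {key} on {server} failed (negative cache entry added)")
```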

Resolution

This issue is resolved in Encryption Management Server 3.3.2 MP9 and above, available to download from Symantec File Connect.

In Symantec Encryption Management Server 3.3.2 MP9 and above, disabling LDAP substring searches does not prevent key lookups from being made using a full email address.