search cancel

Desktop client encrypts messages to S/MIME certificates found in the Key Cache even if there is no certificate bundled in the user key


Article ID: 162608


Updated On:


Desktop Email Encryption Encryption Management Server


When a Symantec Encryption Desktop client is managed by a Symantec Encryption Management Server and is configured with Messaging (Email Encryption), the client encrypts emails to recipients by requesting keys from Encryption Management Server. Encryption Desktop performs a key lookup and if available will encrypt the message using keys present in the key cache (found in the mail flow) or to the keys of External Users.

The issue arises if the key found is an S/MIME certificate (X.509) and the user key is only a PGP key (without a certificate attached). In these circumstances, the client will encrypt the message to the recipient's keys but will not be able to encrypt to the sender's keys.

The result is that the sender will not be able to open the message in their mail client's Sent Items.

When sending the message:

Email Info MAPI Proxy: Rejecting key "SENDER-Domain2 (SENDER - Domain2) <[email protected]>" (KeyID: 0xBBBBBBBB) because it has no valid certificate for S/MIME encryption
Email Info Encrypting S/MIME message to [email protected] with key(s):
Email Info 'RECIPIENT - Domain1 <[email protected]>'(0xEEEEEEEE)
Email Warning Not encrypting to key 'SENDER (SENDER-Domain2)<[email protected]>'(0xBBBBBBBB); no X.509 certificate on key


When attempting to read the message from Sent Items:

Email Info Processing message from SENDER (SENDER-Domain 2) <[email protected]> with subject: <message subject>
Email Error MAPI Proxy: Decryption failed with error: no secret key found


While sending the encrypted message, it is encrypted to the sender's and recipient's key, but as the sender does not have an X.509 certificate the message is not encrypted with the sender's key. This is expected behavior.

To mitigate this behavior there are two options:

  • add an S/MIME certificate to the user key


  • enable the following option in the user's Consumer policy: "Encrypt and Sign email stored in IMAP/MAPI sent message folders"