S/MIME certificates normally include a reference to a CRL (Certificate Revocation List) distribution point, an OCSP (Online Certificate Status Protocol) responder, or both.
The CRL distribution point is defined in the CRL Distribution Points extension of the certificate and lists one or more URLs accessible over HTTP, LDAP or both.
The OCSP distribution point (responder URL) is defined in the Authority Information Access extension of the certificate and lists a URL accessible over HTTP.
If the PGP Encryption Server (Symantec Encryption Management Server) can reach neither the CRL distribution point nor the OCSP distribution point for a certificate, it cannot determine whether that certificate has been revoked, and messages will still be encrypted to the certificate even if it has in fact been revoked. This happens, for example, when a firewall blocks the PGP Encryption Server from connecting to remote hosts over HTTP and/or LDAP.
The Mail log contains records such as the following when the CRL and OCSP distribution points are unavailable:
2016/04/26 17:35:49 +01:00 INFO pgp/messaging[2017]: SMTP-00001: Unable to find valid OCSP server
2016/04/26 17:35:49 +01:00 WARN pgp/messaging[2017]: SMTP-00001: Could not retrieve URL http://server.name:80/crlfile.crl: couldn't connect to server/
where server.name is the DNS name of the server hosting the CRL and crlfile.crl is the name of the CRL file.
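The two records above are the signal an administrator should look for when auditing whether messages were encrypted without a revocation check. The following Python script is an added example, not part of this article or of the Symantec product: it parses Mail log lines in the format shown above, reports the SMTP sessions that logged a failed OCSP or CRL lookup, and extracts the host and port of every CRL URL the server could not fetch, which is the list of outbound connections a firewall rule would need to allow. The sample log lines are constructed for the example (the SMTP-00002 and SMTP-00003 records, the LDAP URL and the hostnames in them are assumptions, not taken from a real server).

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample Mail log lines in the format shown in the article
# (not real server output). SMTP-00001 carries the two records described
# above; SMTP-00002 is an ordinary record with no failure; SMTP-00003 is an
# assumed case where a CRL fetch over LDAP failed and OCSP was not attempted.
SAMPLE_LOG = """\
2016/04/26 17:35:49 +01:00 INFO pgp/messaging[2017]: SMTP-00001: Unable to find valid OCSP server
2016/04/26 17:35:49 +01:00 WARN pgp/messaging[2017]: SMTP-00001: Could not retrieve URL http://server.name:80/crlfile.crl: couldn't connect to server/
2016/04/26 17:36:02 +01:00 INFO pgp/messaging[2017]: SMTP-00002: Encrypting message to user@example.com
2016/04/26 17:36:10 +01:00 WARN pgp/messaging[2017]: SMTP-00003: Could not retrieve URL ldap://ldap.server.name/cn=crl,o=example: couldn't connect to server/
"""

# One Mail log record: date, time, UTC offset, level, process[pid], session id, message.
LINE_RE = re.compile(
    r"^\S+ \S+ \S+ (?P<level>\w+) pgp/messaging\[\d+\]: "
    r"(?P<session>SMTP-\d+): (?P<msg>.*)$"
)
OCSP_FAIL = "Unable to find valid OCSP server"
# The URL runs up to the first ": " that separates it from the error reason,
# so a port such as ":80" inside the URL is not mistaken for the separator.
CRL_FAIL_RE = re.compile(r"Could not retrieve URL (?P<url>\S+?): ")

# Default ports used when the CRL URL does not state one explicitly.
DEFAULT_PORTS = {"http": 80, "https": 443, "ldap": 389, "ldaps": 636}


def revocation_failures(log_text):
    """Group revocation-lookup failures by SMTP session.

    Returns {session: {"ocsp_unreachable": bool, "crl_urls": [url, ...]}}
    for every session that logged at least one failure."""
    failures = defaultdict(lambda: {"ocsp_unreachable": False, "crl_urls": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        session, msg = m.group("session"), m.group("msg")
        if OCSP_FAIL in msg:
            failures[session]["ocsp_unreachable"] = True
        crl = CRL_FAIL_RE.search(msg)
        if crl:
            failures[session]["crl_urls"].append(crl.group("url"))
    return dict(failures)


def sessions_without_revocation_status(log_text):
    """Sessions that may have encrypted to a certificate whose revocation
    status could not be determined (the fail-open case described above)."""
    return sorted(revocation_failures(log_text))


def egress_targets(log_text):
    """Sorted (scheme, host, port) tuples the server failed to reach, i.e. the
    outbound connections a firewall rule would need to permit."""
    targets = set()
    for info in revocation_failures(log_text).values():
        for url in info["crl_urls"]:
            u = urlparse(url)
            port = u.port or DEFAULT_PORTS.get(u.scheme)
            targets.add((u.scheme, u.hostname, port))
    return sorted(targets)


if __name__ == "__main__":
    for session, info in sorted(revocation_failures(SAMPLE_LOG).items()):
        print(session, "OCSP unreachable:", info["ocsp_unreachable"],
              "CRL URLs failed:", info["crl_urls"])
    print("Firewall egress needed:", egress_targets(SAMPLE_LOG))
```

Note that the "Unable to find valid OCSP server" record does not include the responder URL, so the OCSP host to allow must be read from the Authority Information Access extension of the certificate in question rather than from the log.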
The PGP Encryption Server needs outbound HTTP and LDAP access to the URLs listed in the certificates it encrypts to in order to determine whether an S/MIME certificate is revoked. Because those URLs are set by the issuing CA of each correspondent's certificate, the destinations cannot all be known in advance; ensure that outbound HTTP and LDAP from the server are not blocked by a firewall if this functionality is required.
By design, the PGP Encryption Server will encrypt using an S/MIME certificate if its revocation status cannot be determined via CRL or OCSP. In other words, it fails open rather than refusing to encrypt, so a blocked revocation lookup is not reported to the sender as an error.