Configure Web Email Protection account expiration reminders in PGP Encryption Server (Symantec Encryption Management Server)

Article ID: 163953

Updated On:

Products

Encryption Management Server, Gateway Email Encryption, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API

Issue/Introduction

This article reviews what happens when Web Email Protection (WEP) accounts expire on the PGP Encryption Server (Symantec Encryption Management Server, SEMS), as well as some of the default behavior.

Resolution

Web Email Protection users have a lifespan that is determined by the organization as well as the activity status of the WEP inbox. 

If a WEP user continues to log in to their account, the account remains active on the SEMS.

If a user fails to log in to their account for the configured amount of time, the user will receive a reminder 15 days before their account expires, and the user must confirm (by clicking a link) that their account is still active.

NOTE: If the Account "Inactivity Expiration" period is less than 3 weeks (by default), no reminder emails will be sent.  This should be a rare scenario because most accounts in production are typically 90 days or longer.

For example, an organization may set the account expiration setting (Inactivity Expiration) to 90 days.  If a user has not logged in to their account, the user should receive the reminder on day 75.  If the user fails to confirm their account, the account will be removed from the SEMS on day 90.  When the account expires, all the email associated with that account is also removed.

There is a separate setting for the actual mail of an account (Message Expiration).  For example, an account may not expire until 90 days of inactivity, but the messages themselves will expire regardless of how active the account is, if the organization hosting the WEP accounts has configured this.  For example, if messages expire every month, once a message reaches a month's age, it will be cleaned up and the WEP account itself will remain.

All of the above are configurable on the PGP Encryption Server to meet your individual needs.

 

What happens if you would like to reduce the window of account expirations?  For example, your WEP accounts have an expiration period of 1 year, and you would like to move this to 6 months.  What will happen to accounts that immediately enter the expiration period and so bypass the 15-day reminder period?

When this happens, no reminder is sent for any of the accounts that are expired immediately. They are expired at once, and during the daily cleanup, the users' accounts will be removed.

Any other accounts that enter the 15-day period will receive the reminders.  The maximum number of reminder emails that can be sent per day via SEMS is 10,000.  When this limit is reached, the server will process those messages and the users will receive the links.  All users who click the reminder links will continue to use their account and everyone else will be cleaned up after the expiration period is reached.
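To estimate the effect of shortening the Inactivity Expiration before making the change, the rules above can be modelled offline. The following is an added example, not SEMS code: it assumes you have each user's last login date from your own reporting, the function names and sample users are hypothetical, and "1 year to 6 months" is taken as 365 to 180 days.

```python
from datetime import date, timedelta
from math import ceil

REMINDER_LEAD_DAYS = 15        # page default: reminder 15 days before expiry
DAILY_REMINDER_CAP = 10_000    # page default: maximum reminders per day
MIN_PERIOD_FOR_REMINDERS = 21  # page: periods under 3 weeks send no reminders


def account_state(last_login, today, inactivity_days, lead=REMINDER_LEAD_DAYS):
    """Return 'active', 'reminder' or 'expired' for one account."""
    idle = (today - last_login).days
    if idle >= inactivity_days:
        return "expired"
    if inactivity_days >= MIN_PERIOD_FOR_REMINDERS and idle >= inactivity_days - lead:
        return "reminder"
    return "active"


def impact_of_change(last_logins, today, old_days, new_days,
                     lead=REMINDER_LEAD_DAYS, cap=DAILY_REMINDER_CAP):
    """Compare each account's state under the old and new expiration period."""
    no_reminder, newly_reminded = [], []
    for user, last_login in last_logins.items():
        before = account_state(last_login, today, old_days, lead)
        after = account_state(last_login, today, new_days, lead)
        if after == "expired" and before != "expired":
            no_reminder.append(user)     # expired at once, removed at daily cleanup
        elif after == "reminder" and before == "active":
            newly_reminded.append(user)  # enters the reminder window on the change
    return {
        "expire_without_reminder": sorted(no_reminder),
        "enter_reminder_window": sorted(newly_reminded),
        # Fewest days in which that many reminders fit under the daily cap.
        "min_days_to_send_reminders": ceil(len(newly_reminded) / cap),
    }


# Constructed sample data: user -> last login date.
TODAY = date(2024, 6, 30)
SAMPLE = {
    "alice@example.com": TODAY - timedelta(days=30),
    "bob@example.com": TODAY - timedelta(days=170),
    "carol@example.com": TODAY - timedelta(days=200),
    "dave@example.com": TODAY - timedelta(days=355),
}

if __name__ == "__main__":
    for key, value in impact_of_change(SAMPLE, TODAY, 365, 180).items():
        print(key, value)
```

Running it against candidate values for the new period shows how many accounts would be removed with no warning and how many reminders the change would trigger at once.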

 

As mentioned, by default, SEMS will send email reminders to WEP users telling them that their account will expire if they do not access their account.

The following configuration changes can be made to the reminders:

  • Stop sending any reminders.
  • Set how many days prior to the expiration of the account to send the reminders (default: 15 days).
  • Set the maximum number of reminders to send each day (default: 10,000).

 

"Web Email Protection Account Expiration Warning" is the Message Template used for the reminders, and the text of the message can be modified.

By default, the reminder message has a Subject of:

Warning: Symantec Web Email Protection Account Expiration

and the message body appears like this:

Your Symantec Web Email Protection account is about to expire.
In order to keep your account active and prevent your Symantec Web Email Protection messages from being deleted,
you must access your account by clicking on the following URL:

https://keys.example.org/b/b.e?r=user%40example.com&n=j0DYkCYEU6mNCR7LTy5arw%3D%3D

 

 

Many of the above parameters can be customized on the server to meet your needs for Web Email Protection account expiration notices; however, these changes must be made via SSH access to the Symantec Encryption Management Server.

For assistance making the necessary adjustments to the parameters outside the regular UI, please contact Symantec Support.

 

Note: PDF Expiration is now available in PGP Server 10.5.1.  For more information on this, see the KB in the "Additional Information" section below.

Additional Information

153269 - Symantec Encryption Management Server Web Email Protection Troubleshooting

238734 - Insufficient time to warn all PDF Email Protection users of account deletion