By default, when an internal user tries to send an encrypted email message to an external user, Encryption Management Server will try to perform a key lookup for the external user's public key. For example, if an internal user sends a message to
[email protected], Encryption Management Server will attempt to connect to the host
keys.example.com on LDAP port 389 and search for the public key of [email protected]
Again by default, remote hosts can perform searches for public keys on Encryption Management Server, provided that:
Therefore, when two organizations both use Encryption Management Server, key lookups in either direction can occur automatically.
The keyserver service is designed so that public keys can be accessed easily by a variety of applications. Therefore it is deliberately flexible and allows key searches to be carried out using wildcard characters. For example, it will allow searches on
email@example.com and return all email addresses starting with the letter
u. By default it will return up to 100 results.
However, not all organizations are comfortable with this level of flexibility.
This is by design.
Encryption Management Server 3.3 and above.
The number of results that the keyserver service returns can be reduced to 1, though to prevent issues with users that have more than one key, in practice a limit of 10 is more reasonable.
In addition, Encryption Management Server 3.3.2 MP13 and above allows searches using wildcard characters to be disabled.
Note that automatic key searches by remote hosts running Encryption Management Server always use the full email address so disabling wild card searches will have no effect on such searches and not cause any problems. Only key searches by applications that use wildcard characters will be affected.
Please contact Symantec Technical Support for assistance in implementing these changes.