A remote Encryption Management Server is known to permit key searches but the local Encryption Management Server cannot connect.
By default, when an internal user tries to send an encrypted message, Encryption Management Server will attempt to retrieve the recipient's public key by doing a key search.
For example, if the recipient's email address is [email protected], Encryption Management Server will attempt to connect to the host keys.example.org on the LDAP port 389 and perform a search.
The Mail log will contain an information message like this:
key search <[email protected]> [keys.example.org]: Could not get recipient encryption key: server open failed
Normally there are three potential reasons for this issue:
keys.example.org, it fails and cannot perform a key lookup on the remote host.
If a local firewall is blocking Encryption Management Server from connecting to remote hosts on LDAP port 389 then the firewall rules need changing in order to allow this.
If the Default Gateway cannot route traffic to remote hosts then the Default Gateway needs to be changed. This may require manual routes to be configured for local subnets.
If Encryption Management Server cannot resolve external DNS names then the DNS settings need to be changed. Encryption Management Server needs to be able to resolve both internal and external DNS names.
It needs to resolve internal names so that, for example, it can communicate successfully with other cluster members. Both forward and reverse DNS lookups need to work correctly between cluster members. For example, in a cluster that included the host sems1.example.net with an IP address of 10.10.10.10, running this command from another cluster member should return the IP address
In addition, running this command should return the name
It also needs to be able to resolve external names. For example, if a remote Encryption Management Server had the public name keys.example.org, running this command should return its public IP address:
Encryption Management Server can point to multiple DNS servers. However, only the first DNS server will be used unless it is unreachable. Therefore the first DNS server in the list needs to be able to resolve both internal and external names.
This means that Encryption Management Server will not work correctly if some DNS servers in its list can resolve only internal names and other DNS servers in its list can resolve only external names.
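The checks described above (forward and reverse lookups between cluster members, resolution of the remote key server's public name, and a TCP connection to LDAP port 389) can be run from a shell on the server as a pre-flight diagnostic. The script below is an added example, not part of this article or of the product; it uses the sample names from the article, and the resolver and connector are passed in as parameters so the same logic can be exercised offline against fakes.

```python
import socket

# Sample values taken from the article (constructed for this example).
CLUSTER_MEMBER = ("sems1.example.net", "10.10.10.10")
KEY_SERVER = "keys.example.org"
LDAP_PORT = 389


def forward_lookup(name, resolve=socket.gethostbyname):
    """Return the IPv4 address for name, or None if the resolver cannot answer."""
    try:
        return resolve(name)
    except OSError:
        return None


def reverse_lookup(ip, resolve=socket.gethostbyaddr):
    """Return the PTR name for ip (first element of gethostbyaddr), or None."""
    try:
        return resolve(ip)[0]
    except OSError:
        return None


def ldap_reachable(host, port=LDAP_PORT, connect=socket.create_connection, timeout=5):
    """True if a TCP connection to host:port succeeds within timeout seconds."""
    try:
        connect((host, port), timeout=timeout).close()
        return True
    except OSError:
        return False


def check_cluster_member(name, ip, resolve=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward and reverse lookups must agree for every cluster member."""
    problems = []
    if forward_lookup(name, resolve) != ip:
        problems.append(f"forward lookup of {name} did not return {ip}")
    if reverse_lookup(ip, reverse) != name:
        problems.append(f"reverse lookup of {ip} did not return {name}")
    return problems


def check_key_server(host, resolve=socket.gethostbyname, connect=socket.create_connection):
    """The external name must resolve and TCP/389 must be reachable; return a problem list."""
    ip = forward_lookup(host, resolve)
    if ip is None:
        return [f"cannot resolve external name {host}: check DNS settings"]
    if not ldap_reachable(ip, connect=connect):
        return [f"cannot reach {host} ({ip}) on TCP {LDAP_PORT}: check firewall or default gateway"]
    return []


if __name__ == "__main__":
    print(check_cluster_member(*CLUSTER_MEMBER) + check_key_server(KEY_SERVER))
```

An empty list means all three conditions from the article hold; each message names which of the three causes (DNS, firewall, or routing) to investigate next.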