Internal users with no name or email address appear in Encryption Management Server

Article ID: 171072

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

Internal users appear in the Encryption Management Server administration console under Consumers / Users / Internal Users with no data in the following fields:

  • Name
  • Username
  • Display Name
  • Managed Keys
  • Email Addresses

In other words, they are blank internal users.

The Mail log shows the following sequence of entries:

2018/02/22 15:16:52 +00:00  ERROR  pgp/messaging[3002]:       SMTP-00000: SQL command execution error: ERROR:  value too long for type character varying(64)
2018/02/22 15:16:52 +00:00  ERROR  pgp/messaging[3002]:       SMTP-00000: error handling SMTP DATA event: unknown error
2018/02/22 15:16:52 +00:00  WARN   pgp/messaging[3002]:       SMTP-00000: unknown error
2018/02/22 15:16:52 +00:00  INFO   pgp/messaging[3002]:       SMTP-00000: pgpproxy: Error processing SMTP message, awaiting next client command. (-11980).

Cause

An Active Directory user with a User Principal Name (UPN) of over 64 characters has attempted to send an email message through Encryption Management Server. For example, a user with a UPN of [email protected]m.

Encryption Management Server attempts to store the UPN in its database as the user's Username, but that column accepts a maximum of 64 characters (character varying(64)), so the database rejects the insert with the "value too long" error shown in the Mail log.

This results in a blank internal user record being created.

Note that the sending MTA (Mail Transfer Agent) receives the following response from Encryption Management Server:

451 Symantec Encryption Server: Error while processing (SMTP-00000)

Code 451 usually indicates a temporary problem, so the MTA typically queues the message and retries delivery for a certain period of time, often several days. Each time the MTA retries, a new blank internal user is created.

A single message from a user with a UPN of over 64 characters can therefore result in hundreds of blank internal users being created.

Environment

Encryption Management Server 3.4.2 MP1 and below using Directory Synchronization with Active Directory.

Resolution

This issue was resolved in Encryption Management Server 3.4.2 MP2 so please upgrade.

In earlier releases, you can work around this issue by not using UPNs of over 64 characters in any Active Directory domain that Encryption Management Server uses for Directory Synchronization.

Note that in Active Directory Users and Computers, the UPN is called User logon name.
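To find the accounts the workaround applies to, the following PowerShell script audits every user in an Active Directory domain for a UPN longer than the 64-character limit the article describes. It is an added example, not code from the article or from Broadcom/Symantec; it assumes the RSAT ActiveDirectory module is installed, and the function name Get-OverlongUpn and the optional -Server parameter are my own.

```powershell
# Added example (not from the article): list Active Directory users whose
# User Principal Name (UPN) exceeds the 64-character limit of the Encryption
# Management Server Username column. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-OverlongUpn {
    param(
        # 64 is the column limit stated in the article.
        [int]$MaxUpnLength = 64,
        # Optional: domain or domain controller to query (assumed parameter);
        # run once per domain that Directory Synchronization covers.
        [string]$Server
    )

    $query = @{
        # Only users that actually have a UPN set.
        Filter     = 'UserPrincipalName -like "*"'
        Properties = 'UserPrincipalName', 'SamAccountName', 'Mail'
    }
    if ($Server) { $query['Server'] = $Server }

    Get-ADUser @query |
        Where-Object { $_.UserPrincipalName.Length -gt $MaxUpnLength } |
        Select-Object SamAccountName,
                      Mail,
                      UserPrincipalName,
                      @{ Name = 'UpnLength'; Expression = { $_.UserPrincipalName.Length } },
                      @{ Name = 'Excess';    Expression = { $_.UserPrincipalName.Length - $MaxUpnLength } }
}

# Report the affected accounts, longest UPN first.
Get-OverlongUpn | Sort-Object UpnLength -Descending | Format-Table -AutoSize
```

The Excess column shows how many characters the User logon name (or its UPN suffix) must be shortened by before the account can send mail through Encryption Management Server 3.4.2 MP1 or earlier without creating blank internal users. Any account the script returns is also a candidate source of the SMTP-00000 errors in the Mail log.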