Internal users appear in the Encryption Management Server administration console under Consumers / Users / Internal Users with no data in the following fields:
In other words, they are blank internal users.
The Mail log shows the following sequence of entries:
2018/02/22 15:16:52 +00:00 ERROR pgp/messaging: SMTP-00000: SQL command execution error: ERROR: value too long for type character varying(64)
2018/02/22 15:16:52 +00:00 ERROR pgp/messaging: SMTP-00000: error handling SMTP DATA event: unknown error
2018/02/22 15:16:52 +00:00 WARN pgp/messaging: SMTP-00000: unknown error
2018/02/22 15:16:52 +00:00 INFO pgp/messaging: SMTP-00000: pgpproxy: Error processing SMTP message, awaiting next client command. (-11980).
An Active Directory user with a User Principal Name (UPN) of over 64 characters has attempted to send an email message through Encryption Management Server. For example, a user with a UPN of
Encryption Management Server attempts to store the UPN in its database as the user's Username, but this field accepts a maximum of 64 characters. The database rejects the value (the "value too long for type character varying(64)" error shown in the Mail log above), and a blank internal user record is created as a result.
Note that the sending MTA (Mail Transfer Agent) receives the following response from Encryption Management Server:
451 Symantec Encryption Server: Error while processing (SMTP-00000)
Code 451 usually indicates a temporary problem, so the MTA will typically queue the message and retry delivery for a certain period of time, often several days. Each time the MTA retries the message, a new blank internal user is created.
A single message from a user with a UPN of over 64 characters can therefore result in hundreds of blank internal users being created.
Encryption Management Server 3.4.2 MP1 and below using Directory Synchronization with Active Directory.
This issue was resolved in Encryption Management Server 3.4.2 MP2, so please upgrade.
In earlier releases, you can work around this issue by ensuring that no UPN exceeds 64 characters in any Active Directory domain that Encryption Management Server uses for Directory Synchronization.
Note that in Active Directory Users and Computers, the UPN is called User logon name.
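The following PowerShell script is an added example, not part of the original article and not Symantec-supplied tooling. It applies the workaround above by auditing Active Directory for any user whose UPN (User logon name) exceeds the 64-character Username limit, so those accounts can be corrected before they trigger the error through Directory Synchronization. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read user objects in the domain; the $MaxUpnLength value is the limit stated in the article.

```powershell
# Added example (not from the KB article): find Active Directory users whose
# UPN is longer than the 64-character Username field described above.
# Assumes the ActiveDirectory RSAT module and read access to the domain.
Import-Module ActiveDirectory

$MaxUpnLength = 64   # limit of the Encryption Management Server Username field

# Request only the property we need to keep the query cheap on large domains.
$longUpns = Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -and $_.UserPrincipalName.Length -gt $MaxUpnLength } |
    Select-Object SamAccountName,
        DistinguishedName,
        @{ Name = 'UPN';       Expression = { $_.UserPrincipalName } },
        @{ Name = 'UPNLength'; Expression = { $_.UserPrincipalName.Length } } |
    Sort-Object UPNLength -Descending

if ($longUpns) {
    Write-Warning ("{0} user(s) have a UPN longer than {1} characters; each can create blank internal users on send." -f @($longUpns).Count, $MaxUpnLength)
    $longUpns | Format-Table -AutoSize
} else {
    Write-Host "No UPNs longer than $MaxUpnLength characters found."
}
```

Run this in each domain that Encryption Management Server synchronizes with; to check a single OU, add -SearchBase with that OU's distinguished name to the Get-ADUser call. Changing a UPN in Active Directory Users and Computers is done on the Account tab, where the field is labelled User logon name.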