PDF Email Protection users cannot log on to Web Email Protection when they click on the Secure Reply link

Article ID: 171213

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

If the PDF Email Protection Secure Reply feature is enabled, a PDF Email Protection user who receives an email message with a password-protected PDF attachment also receives, in the body of that message, a link that lets them log on to the Web Email Protection portal and reply securely.

When the user clicks the link and logs on, a reply to the message they were sent is created automatically, and they can compose and send their response.

To use the link, the user must authenticate with their email address and passphrase.

Some PDF Email Protection users find that their credentials are rejected even when they enter their email address and passphrase correctly. By default, an account is locked after three unsuccessful authentication attempts.

By default, when a user fails to authenticate three times, Encryption Management Server sends them an email message containing a link to unlock their account. Some users who cannot authenticate after clicking the Secure Reply link also find that they never receive the message with the unlock link.

When a user fails to authenticate and a message containing the account unlock link is sent, the Web Email Protection log contains entries like the following. Note that the log records a failed login for [email protected], yet the account unlock email is sent to [email protected]:

2018/03/12 11:04:41 +00:00  INFO   pgp/wm[2002]: 192.168.1.202 [email protected] Failed login
2018/03/12 11:04:41 +00:00  NOTICE pgp/wm[2002]: Sent account unlock email to [[email protected]] for user [user1]

Cause

The Message Template used to send PDF Email Protection messages containing a Secure Reply link is:

New PDF Email Protection Message Notification + Secure Reply

The variable within the template used for the Secure Reply link is:

$URL_SECURE_REPLY

The link sent to the PDF Email Protection user embeds a unique reference to that user's account database record.

Unless the email address the user enters on the Web Email Protection logon page matches the email address associated with the Secure Reply link, authentication fails even if the passphrase is correct.

In this situation, the Web Email Protection user often enters their correct passphrase enough times to be locked out. Once locked out, they are unable to unlock their own account, and the Encryption Management Server administrator will need to unlock it.

A user may have access to another user's secure reply URL in the following circumstances:

  1. The PDF Email Protection user has multiple email addresses associated with their mailbox.
  2. Multiple PDF Email Protection users are using a shared mailbox.
  3. The PDF Email Protection user forwards a PDF Email Protection message to another PDF Email Protection user.
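To make the cause concrete, here is an illustrative model of the login check in both forms, written for this page and not taken from Encryption Management Server. The account store, the token-to-record lookup, the lockout bookkeeping, the assumption that a mismatched address is counted as a failure against the record the link points to (as the log lines above suggest), and the order of the checks in the 3.4.2 MP4 branch are all assumptions; the sample addresses, token and passphrases are constructed.

```python
"""Illustrative model of the Secure Reply login check.

Example code written for this page; it is not Encryption Management Server
code. The account store, the link-token lookup, the lockout bookkeeping and
the order of the checks are assumptions made so that the two behaviours the
article describes can be run side by side.
"""
import copy
import hmac

LOCKOUT_THRESHOLD = 3  # article: locked out after three unsuccessful attempts

# Constructed sample data: two Web Email Protection accounts and one Secure
# Reply link token that references user1's account record.
ACCOUNTS = {
    "rec-0001": {"email": "User1@example.com", "passphrase": "correct horse",
                 "failures": 0, "locked": False},
    "rec-0002": {"email": "user2@example.com", "passphrase": "battery staple",
                 "failures": 0, "locked": False},
}
SECURE_REPLY_LINKS = {"tok-abc123": "rec-0001"}  # $URL_SECURE_REPLY token -> record


class SecureReplyPortal:
    """mode is "before_mp4" or "mp4"; each instance starts from fresh state."""

    def __init__(self, mode):
        self.mode = mode
        self.accounts = copy.deepcopy(ACCOUNTS)
        self.log = []

    def _passphrase_ok(self, account, passphrase):
        # Constant-time comparison of the constructed plaintext passphrases;
        # a real store would hold hashes, which is outside this example.
        return hmac.compare_digest(account["passphrase"].encode(), passphrase.encode())

    def _record_failure(self, account, email):
        account["failures"] += 1
        self.log.append(f"INFO {email} Failed login")
        if account["failures"] >= LOCKOUT_THRESHOLD and not account["locked"]:
            account["locked"] = True
            # The unlock email goes to the record's own address, not to the
            # address that was typed in, which is why the person at the
            # keyboard never sees it when the two addresses differ.
            self.log.append(f"NOTICE Sent account unlock email to [{account['email']}]")
        return "Failed login"

    def login(self, token, email, passphrase):
        # The link alone selects the account record (the unique reference
        # embedded in $URL_SECURE_REPLY).
        account = self.accounts[SECURE_REPLY_LINKS[token]]

        if self.mode == "mp4":
            # Hardened check: confirm that the typed address is the one the link
            # was issued for, case-insensitively, before any passphrase check,
            # and report the mismatch instead of counting a failed attempt.
            if email.lower() != account["email"].lower():
                self.log.append(f"Secure reply link intended for [{account['email']}] "
                                f"but login attempt by [{email}].")
                return "Access Restricted"
        elif email != account["email"]:
            # Pre-MP4 behaviour: any other address is just a failed login against
            # the record the link points at. The exact-case comparison models the
            # 3.4.2 MP1 to MP3 behaviour the article describes.
            return self._record_failure(account, email)

        if account["locked"] or not self._passphrase_ok(account, passphrase):
            return self._record_failure(account, email)
        return "OK"


if __name__ == "__main__":
    old = SecureReplyPortal("before_mp4")
    for _ in range(LOCKOUT_THRESHOLD):
        old.login("tok-abc123", "user2@example.com", "battery staple")
    print("\n".join(old.log))
    new = SecureReplyPortal("mp4")
    print(new.login("tok-abc123", "user2@example.com", "battery staple"))
```

Run in "before_mp4" mode, three correct logins by user2 against user1's link lock user1's record and send the unlock notice to user1's address; in "mp4" mode the same attempt is refused with Access Restricted, nothing is counted against either record, and the mismatch is logged with both addresses.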

Environment

Encryption Management Server releases prior to 3.4.2 MP1 with PDF Email Protection enabled in consumer policy and the following option enabled in the PDF Email Protection policy:

Provide users with the option to save Secure Reply messages on the server

Resolution

Upgrade to release 3.4.2 MP4 or above.

In release 3.4.2 MP4 and above, if a PDF Email Protection user clicks a secure reply URL that was sent to a different user and enters their own valid email address and passphrase, the following message is displayed to the user:

Access Restricted
The requested resource is not available for this account. Please verify the account name and try again.

The Web Email Protection log will also contain the Failed login entry shown above and an entry like this:
Secure reply link intended for [[email protected]] but login attempt by [[email protected]].
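As an added example (not part of the article and not a Symantec or Broadcom tool), the following script scans Web Email Protection log lines in the format shown above for both signatures an administrator would want to spot: a Failed login immediately followed by an unlock email sent to a different address (the pre-MP4 pattern), and the 3.4.2 MP4 "Secure reply link intended for ... but login attempt by ..." entry. The sample log is constructed with made-up addresses, and the regular expressions assume the exact layout of the entries quoted on this page.

```python
"""Scan Web Email Protection log lines for Secure Reply address mismatches.

Example code written for this page, not a Symantec/Broadcom tool. The
regular expressions assume the exact layout of the log entries quoted in the
article; the sample log below is constructed with made-up addresses.
"""
import re

FAILED = re.compile(
    r"^(?P<ts>\S+ \S+ \S+)\s+INFO\s+pgp/wm\[\d+\]: (?P<ip>\S+) (?P<email>\S+) Failed login$")
UNLOCK = re.compile(
    r"^(?P<ts>\S+ \S+ \S+)\s+NOTICE\s+pgp/wm\[\d+\]: Sent account unlock email to "
    r"\[(?P<email>[^\]]+)\] for user \[(?P<user>[^\]]+)\]$")
MISMATCH = re.compile(
    r"Secure reply link intended for \[(?P<intended>[^\]]+)\] but login attempt by \[(?P<attempt>[^\]]+)\]\.$")

# Constructed sample log: made-up addresses, layout copied from the article.
SAMPLE_LOG = """\
2018/03/12 11:04:41 +00:00  INFO   pgp/wm[2002]: 192.168.1.202 user2@example.com Failed login
2018/03/12 11:04:41 +00:00  NOTICE pgp/wm[2002]: Sent account unlock email to [user1@example.com] for user [user1]
2018/03/12 11:09:02 +00:00  INFO   pgp/wm[2002]: 192.168.1.77 user3@example.com Failed login
2018/03/12 11:09:02 +00:00  NOTICE pgp/wm[2002]: Sent account unlock email to [user3@example.com] for user [user3]
2018/03/12 11:15:30 +00:00  INFO   pgp/wm[2002]: 192.168.1.202 user2@example.com Failed login
2018/03/12 11:15:30 +00:00  NOTICE pgp/wm[2002]: Secure reply link intended for [user1@example.com] but login attempt by [user2@example.com].
"""


def same_address(a, b):
    # Addresses are compared case-insensitively, matching the 3.4.2 MP4 behaviour.
    return a.strip().lower() == b.strip().lower()


def analyse(log_text):
    """Return a list of findings, one per suspicious pair or mismatch entry."""
    findings = []
    last_failed = None  # most recent Failed login not yet paired with an unlock notice
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = FAILED.match(line)
        if m:
            last_failed = (lineno, m)
            continue
        m = UNLOCK.match(line)
        if m:
            # Pre-MP4 signature: the lockout notice goes to an address other than
            # the one that just failed, so the person locked out never receives it.
            if last_failed and not same_address(last_failed[1]["email"], m["email"]):
                findings.append({"kind": "unlock-sent-to-other-address", "line": lineno,
                                 "failed_login": last_failed[1]["email"],
                                 "unlock_sent_to": m["email"], "ip": last_failed[1]["ip"]})
            last_failed = None
            continue
        m = MISMATCH.search(line)
        if m:
            # 3.4.2 MP4 signature: the server names both addresses explicitly.
            findings.append({"kind": "secure-reply-link-mismatch", "line": lineno,
                             "intended": m["intended"], "attempt": m["attempt"]})
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Each finding names the address that failed and the address the link or unlock notice actually belongs to, which is what the administrator needs in order to unlock the right account and tell the right user which address to log on with.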

In releases prior to 3.4.2 MP4, PDF Email Protection users should be encouraged to log on to the Web Email Protection portal using only the email address that the PDF Email Protection message was sent to. Adding a sentence like the following to the New PDF Email Protection Message Notification + Secure Reply Message Template may help:

Note that you can only reply securely if you log in using the email address that this message was sent to.

Note that in releases 3.4.2 MP1, 3.4.2 MP2 and 3.4.2 MP3, the user will be unable to log in if they enter their email address with different letter case from the way it is stored in the Encryption Management Server database. For example, if the user enters [email protected] but the database contains [email protected], they will be unable to log in. This was resolved in release 3.4.2 MP4.