Inbound messages are received multiple times if Encryption Management Server cannot make outbound HTTP connections

Article ID: 171558

Products

Encryption Management Server
Gateway Email Encryption
Encryption Management Server Powered by PGP Technology
Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

If Encryption Management Server cannot make outbound HTTP connections, an inbound message that is S/MIME signed and/or S/MIME encrypted is deferred. The sending mail server therefore keeps trying to send the message. This occurs even though the inbound message is successfully processed by Encryption Management Server and successfully passed on by its Inbound mail proxy.

The result is that the recipient receives the same message multiple times.

In a configuration such as this:

Internet -> SMTP mail server -> Encryption Management Server -> Microsoft Exchange Server

This error appears in the Encryption Management Server mail log. The message is proxied successfully to the Exchange Server, but the transmission channel from the SMTP mail server is not closed properly:

2018/04/20 15:28:36 +01:00  NOTICE pgp/messaging[25146]:       SMTP-00000: passing through unmodified
2018/04/20 15:28:36 +01:00  ERROR  pgp/messaging[25146]:       SMTP-00000: error handling SMTP DATA event: write failed
2018/04/20 15:28:37 +01:00  ERROR  pgp/messaging[25146]:       SMTP-00000: pgpproxy: error reading/processing message error=-11989 (write failed)
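The three log lines above are the signature of this problem: the same SMTP session is first reported as passed through and then ends in "write failed", which is what leaves the channel to the sending mail server open and triggers the retries. The following detector, an added example that is not part of the article or of the product, groups Encryption Management Server mail log lines by their SMTP session id and flags sessions that show both events; the sample lines it parses are constructed from the article's format, and the second session is included only to show that a clean pass-through is not flagged.

```python
"""Flag SMTP sessions in an Encryption Management Server mail log that were passed
downstream but then failed during the inbound DATA phase ('write failed').

Added example; the log format is taken from the lines in the article, the
sample lines are constructed, and the second session is assumed for contrast.
"""
import re
from collections import defaultdict

# Constructed sample log (not a real capture). Session 00000 copies the article's
# three lines; session 00001 is an assumed clean pass-through for contrast.
SAMPLE_LOG = """\
2018/04/20 15:28:36 +01:00  NOTICE pgp/messaging[25146]:       SMTP-00000: passing through unmodified
2018/04/20 15:28:36 +01:00  ERROR  pgp/messaging[25146]:       SMTP-00000: error handling SMTP DATA event: write failed
2018/04/20 15:28:37 +01:00  ERROR  pgp/messaging[25146]:       SMTP-00000: pgpproxy: error reading/processing message error=-11989 (write failed)
2018/04/20 15:30:02 +01:00  NOTICE pgp/messaging[25146]:       SMTP-00001: passing through unmodified
"""

# timestamp, level, source (e.g. pgp/messaging[25146]), SMTP session id, free text
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2})\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"(?P<source>\S+):\s+"
    r"(?P<session>SMTP-\d+):\s+"
    r"(?P<text>.*)$"
)


def parse_line(line):
    """Return the fields of one mail log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_deferred_sessions(log_text):
    """Return (session id, first timestamp) for every session that was passed
    through unmodified AND later logged an ERROR containing 'write failed'.

    Such a session reached the downstream server, but the sending mail server
    never got a final SMTP reply, so it will retry and the recipient gets
    duplicates: exactly the symptom the article describes.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["session"]].append(rec)

    flagged = []
    for session, recs in events.items():
        passed = any("passing through unmodified" in r["text"] for r in recs)
        write_failed = any(
            r["level"] == "ERROR" and "write failed" in r["text"] for r in recs
        )
        if passed and write_failed:
            flagged.append((session, recs[0]["ts"]))
    return flagged


if __name__ == "__main__":
    for session, ts in find_deferred_sessions(SAMPLE_LOG):
        print(f"{ts}  {session}: passed downstream but DATA phase failed; "
              f"expect sender retries and duplicate delivery")
```

Run it against a real mail log by replacing `SAMPLE_LOG` with the file contents; a steady stream of flagged sessions on S/MIME traffic, with no corresponding outbound HTTP traffic from the server, points at the CRL/OCSP connectivity cause explained below rather than at the downstream mail server.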

Cause

When Encryption Management Server processes an S/MIME signed and/or encrypted message, it checks whether the certificates that it observes in the mail flow are revoked. Revoked certificates should not be used.

There are two mechanisms used to check whether S/MIME certificates are revoked:

  1. CRL (Certificate Revocation List). The list is downloaded from a remote host over HTTP or LDAP. However, LDAP is not supported by all Certificate Authorities. Encryption Management Server can only process CRL files that are under 1 MB in size.
  2. OCSP (Online Certificate Status Protocol). The service runs on a remote host and Encryption Management Server connects to it.

Both mechanisms require that the host checking the certificates can connect over HTTP to a remote host.

If Encryption Management Server cannot make outbound HTTP connections, these revocation checks cannot complete, and S/MIME mail processing is disrupted as described above.

Environment

Symantec Encryption Management Server 3.4.2 and above.

Resolution

There are two possible solutions to this issue:

  1. Ensure that Encryption Management Server can make outbound HTTP connections. This is the preferred solution: checking whether S/MIME certificates are revoked is clearly best practice, and it can only be done using outbound HTTP connections. Permitting only outbound LDAP will usually not be sufficient because not all Certificate Authorities support LDAP.
  2. If it is not possible to permit Encryption Management Server to make outbound HTTP connections, configure Encryption Management Server to check certificate revocation status using only CRL and not OCSP. This configuration option is available only in Encryption Management Server release 3.4 MP1 and above. This will resolve the issue with email messages not being proxied properly, though clearly certificate revocation status will not be checked. Please contact Technical Support if you wish to use this option. Note, however, that Encryption Management Server can only process CRL files that are under 1 MB in size.

Note too that in order for Encryption Management Server to check for revoked certificates using OCSP, Encryption Management Server must trust the certificates in the certificate chain of the sender's personal certificate:

  1. From the Administration console, navigate to Keys / Trusted Keys.
  2. Click on the Add Trusted Key button.
  3. Import the relevant root certificate and all intermediate certificates.
  4. Enable the option Trust key for verifying mail encryption keys.
  5. Optionally, enable the option Trust key for verifying SSL/TLS certificates.
  6. Click the Save button.