If the PGP Encryption Server (Symantec Encryption Management Server) cannot make outbound HTTP connections, an inbound message that is S/MIME signed and/or S/MIME encrypted, is deferred. The sending mail server therefore keeps trying to send the message. This occurs even though the inbound message is successfully processed by Encryption Management Server and successfully passed to its Inbound mail proxy.
The result is that the recipient receives the same message multiple times.
In a configuration such as this:
Internet -> SMTP mail server -> PGP Encryption Server -> Microsoft Exchange Server
This error appears in the PGP Encryption Server mail log. The message is proxied successfully to the Exchange Server but the transmission channel from the SMTP mail server is not closed properly:
2018/04/20 15:28:36 +01:00 NOTICE pgp/messaging: SMTP-00000: passing through unmodified
2018/04/20 15:28:36 +01:00 ERROR pgp/messaging: SMTP-00000: error handling SMTP DATA event: write failed
2018/04/20 15:28:37 +01:00 ERROR pgp/messaging: SMTP-00000: pgpproxy: error reading/processing message error=-11989 (write failed)
Symantec Encryption Management Server 10.5 and above.
When PGP Encryption Server (Symantec Encryption Management Server) processes an S/MIME signed and/or encrypted message, it checks with the Certificate Authority that issued the certificate whether the certificate used to sign and/or encrypt the message is revoked. Revoked certificates are invalid.
There are two mechanisms used to check whether S/MIME certificates are revoked:
If the PGP Encryption Server cannot make outbound HTTP connections it causes problems with S/MIME mail processing.
There are two main solutions to this issue:
If the PGP Encryption Server can make outbound HTTP connections, these configuration options are also available:
Please open a case with Technical Support if you wish to make any of the above configuration changes.
It is important to note that in order for the PGP Encryption Server to be able to complete the certificate revocation check, it must trust the certificates in the certificate chain of the sender's personal certificate. To trust the issuing certificates, please do the following: