search cancel

Encryption Management Server does not decrypt inbound messages


Article ID: 176005


Updated On:


Encryption Management Server Gateway Email Encryption


Encrypted inbound messages passing through Encryption Management Server are not decrypted, even though Encryption Management Server contains the private key or certificate for the internal user.

In the Reporting / Logs page in the Encryption Management Server administration console, the Mail log contains entries like this for inbound mail:

SMTP-00000: recipient 1/1 ([email protected]): [Bcc] passing through unmodified [0x40dfc404]

Closer examination will show that the log does not contain any reference to policy rule match for the message. This means that no mail rules were matched and the message was delivered unmodified.

Note that you may also see [Bcc] appearing in the mail log without a hex value, like this:

SMTP-00001: recipient 1/1 ([email protected]): [Bcc] passing through unmodified

This means that the sender added the recipient's email address in the Bcc (blind carbon copy) field and therefore the recipient's email address is not present in the message data. In this case, the mail rules are processed as normal.


Symantec Encryption Management Server 3.3.2 MP13 and above.


An inbound message is being received from an IP address that is designated as a source IP for outbound messages.

By default, when you configure a proxy in the Mail / Proxies page of the Encryption Management Server administration console, an SMTP Proxy Type of Unified is used.

With a Unified proxy, inbound and outbound mail is processed using the same Encryption Management Server network interface. Because Encryption Management Server needs to distinguish between inbound and outbound messages arriving at the same interface, you therefore designate specific IP addresses as the source of outbound mail. Any other IP address is treated as sending inbound mail.

If an inbound message is sent to Encryption Management Server from an IP address that is designated as the source of outbound mail, Encryption Management Server will not apply mail rules to the message. One of the mail rules for inbound messages is Decrypt Message (SMTP). Therefore, the message will be delivered without being decrypted.


Ensure that inbound messages are sent only from IP addresses that are not designated as being the source of outbound messages.

If your Encryption Management Server has more than one network interface, consider using one interface for inbound mail and another interface for outbound mail. This involves changing the SMTP Proxy Type from the default of Unified to Inbound on one interface and Outbound on another interface.

If a network interface is dedicated to either Inbound or Outbound there is no need to specify source IP addresses because Encryption Management Server will treat all mail arriving on a particular interface as either inbound or outbound. In a complex email environment that is subject to changes, this can simplify the overall proxy configuration.