search cancel

Email messages loop between Encryption Management Server and its proxy


Article ID: 216698


Updated On:


Encryption Management Server Encryption Management Server Powered by PGP Technology Gateway Email Encryption Gateway Email Encryption Powered by PGP Technology


If Encryption Management Server is configured to proxy both inbound and outbound email to an MTA such as Symantec Messaging Gateway or Cisco IronPort which routes email based on rules, some email messages may get caught in a loop. For example:

  1. The MTA routes an inbound message to Encryption Management Server because it has a *.pgp attachment.
  2. Encryption Management Server cannot decrypt the message and passes it back without modification to the MTA.
  3. Because the *.pgp attachment is still present, the MTA routes the message back to Encryption Management Server.


Symantec Encryption Management Server 3.4.2 and above.


Rather than relying solely on, for example, message attachment names, create a rule in Encryption Management Server to add a unique X-Header to each message that is processed.

The MTA will be able to use the presence of the X-Header in its rules to determine whether Encryption Management Server has processed the message.

Note that by default, this X-Header is added to every message that Encryption Management Server processes:

X-PGP-Universal: processed;

However, if a third party uses Encryption Management Server, email sent from them will also contain that X-Header so it cannot be relied on by itself under all circumstances.

To add a unique X-Header, do this from the Encryption Management Server administration console:

  1. Navigate to Mail / Mail Policy.
  2. Click on the Default policy chain.
  3. Click on the Add Rule button.
  4. Give the rule a name and, optionally, a description. For example, Add X-Header.
  5. Select the condition The condition is always true.
  6. Select the Action Add message header.
  7. Give the header a name. For example, X-identifier-PGP where identifier is very likely to be unique to your organization.
  8. Give the header a value. For example, 1.
  9. Enable the option Replace existing message headers with the same name:
  10. Click the Save button to save the rule.
  11. Click on the number of the new rule and select 1 to make it the first rule:

By adding the new rule to the Default policy chain, the X-Header will be added to both inbound and outbound messages. An alternative would be to add different X-Headers to the Outbound and Inbound policy chains.