Insufficient time to warn all PDF Email Protection users of account deletion

Article ID: 238734


Products

Encryption Management Server, Gateway Email Encryption, Desktop Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK

Issue/Introduction

Starting with PGP Server version 10.5.1, new functionality is available: PDF Email Protection user accounts are deleted after a specified inactivity period.

A PDF Email Protection account is classified as inactive if the user has not been sent a PDF Email Protection message and has not logged into the Web Email Protection portal within a certain period, 3 months by default.

By default, a reminder is sent to the user 15 days before a PDF Email Protection user account is deleted, requesting that they log in to the Web Email Protection portal and validate their account. This reminder uses the new template PDF Email Protection Account Expiration Warning, which can be found in the management console by navigating to Mail > Message Templates.

Starting in release 10.5.1, the most recent date that each PDF Email Protection user is sent an email is captured. The initial last sent date for each PDF Email Protection user is set to the date that Encryption Management Server was installed or upgraded to release 10.5.1 or above. Therefore, by default, 75 days later, reminders will start to be sent to inactive PDF Email Protection users. 

By default, a maximum of 10,000 email reminders will be sent each day. Note that if there are more than 10,000 users who need to be sent a reminder on one day, they will be scheduled to receive one in subsequent days.

Prior to release 10.5.1, PDF Email Protection accounts were never deleted. Therefore, in some environments, there may be very large numbers of inactive PDF Email Protection accounts.

The default limit of 10,000 daily reminders may not be sufficient to ensure that all PDF Email Protection users are notified of the pending deletion of their accounts. For example, the default settings allow a maximum of 150,000 (10,000 * 15) users to be notified. Because of the 10,000 maximum limit, 30,000 of those users will receive only 3 days' notice (including weekends). Many users will therefore not have sufficient notice to log in to the Web Email Protection portal even if they want to.
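The arithmetic above as a small planning helper. This is an added example, not part of the original article or of the product; it assumes every backlog account becomes due for a reminder on the same day and that the deletion date does not move when a reminder is delayed. The names notice_plan and compare_settings and the 400,000-account backlog are constructed for illustration.

```sh
# Added example: estimate how much notice a reminder backlog receives.
# Assumed model: all BACKLOG accounts become due for a reminder on the same
# day, at most PER_DAY reminders are sent per day, and each account is deleted
# PERIOD days after that first day whether or not its reminder went out.

# notice_plan BACKLOG PER_DAY PERIOD MIN_NOTICE
# Prints three numbers: "notified short unnotified"
#   notified    accounts reminded before deletion
#   short       of those, accounts with fewer than MIN_NOTICE days of notice
#   unnotified  accounts deleted without a reminder
notice_plan() (
  backlog=$1; per_day=$2; period=$3; min_notice=$4
  remaining=$backlog; notified=0; short=0; day=0
  while [ "$day" -lt "$period" ] && [ "$remaining" -gt 0 ]; do
    batch=$per_day
    if [ "$remaining" -lt "$per_day" ]; then batch=$remaining; fi
    notice=$((period - day))          # days between reminder and deletion
    notified=$((notified + batch))
    if [ "$notice" -lt "$min_notice" ]; then short=$((short + batch)); fi
    remaining=$((remaining - batch))
    day=$((day + 1))
  done
  echo "$notified $short $remaining"
)

# Constructed backlog of 400,000 accounts with at least 7 days of notice
# wanted: the article's defaults beside a higher daily cap and a longer period.
compare_settings() {
  echo "10000/day, 15 days (defaults): $(notice_plan 400000 10000 15 7)"
  echo "100000/day, 15 days:           $(notice_plan 400000 100000 15 7)"
  echo "10000/day, 30 days:            $(notice_plan 400000 10000 30 7)"
}

compare_settings
```

Feed it the "last seen over 2 months ago" figure from the query in the Resolution section to see whether a higher daily limit or a longer reminder period is needed.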

Environment

Symantec Encryption Management Server 10.5.1 and above.

Resolution

There are several options for ensuring that users receive sufficient notice of the pending deletion of their PDF Email Protection account. Note that all these settings will also apply to Web Email Protection accounts.

Before making any changes, it is helpful to know how long ago the PDF Email users were last seen. To discover this, SSH to Encryption Management Server and copy and paste the following query:

psql oviddb ovidr -xtc "
WITH pdf_user_last_seen AS (
  SELECT greatest(created, last_access, last_received_mail_date) last_seen
  FROM consumer co
  JOIN boomerang_user bu ON bu.consumer_uuid = co.uuid
  WHERE delivery_pref = 6), 
total_pdf AS (
  SELECT count(*) total_pdf_users
  FROM pdf_user_last_seen),
over_7 AS (
  SELECT count(*) last_seen_over_1_week_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '7 days'),
over_30 AS (
  SELECT count(*) last_seen_over_1_month_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '30 days'),
over_60 AS (
  SELECT count(*) last_seen_over_2_months_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '60 days'),
over_90 AS (
  SELECT count(*) last_seen_over_3_months_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '90 days'),
over_180 AS (
  SELECT count(*) last_seen_over_6_months_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '180 days'),
over_365 AS (
  SELECT count(*) last_seen_over_1_year_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '365 days'),
over_730 AS (
  SELECT count(*) last_seen_over_2_years_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '730 days')
SELECT * 
FROM total_pdf, over_7, over_30, over_60, over_90, over_180, over_365, over_730"



The query will show the total number of PDF Email Protection users and how many were last seen over 1 week ago, over 1 month ago, over 2 months ago, over 3 months ago, over 6 months ago, over 1 year ago and over 2 years ago.

 

Right after you upgrade to 10.5.1 or above, the query above will not display any data, because the values used to populate "Last Seen" are considered new data. One week after upgrading to release 10.5.1 or above, the number of users last seen over 1 week ago will be greater than zero, and the other totals will be populated as time goes on.

Two months after upgrading, the figure for the number of users last seen over 2 months ago will be the maximum that would be deleted if the account inactivity expiration period is set to the default of 3 months. If this number exceeds 100,000 then you will probably want to make some of the configuration changes below.

 

1. Disable Reminders

In environments that have very large numbers of inactive PDF Email Protection accounts, the first time that accounts are purged will result in a high number of deletions.

The simplest and arguably the best option is therefore to disable the email reminders until this first batch of accounts has been purged.

After all, there is little or no benefit sending reminders to users who have probably been inactive for an extended period. Temporarily disabling reminders may well be the only change you need to make.

To disable reminders, ssh to Encryption Management Server and run the following commands.

Check reminders are enabled. If reminders are enabled this setting will be false:

# grep 'disable-expiration-reminder' /etc/ovid/prefs.xml
        <disable-expiration-reminder>false</disable-expiration-reminder>

 

Before you make any of these changes, take a backup of the preferences by running the following command:

 

cp /etc/ovid/prefs.xml /etc/ovid/prefs.xml-backup-mm-dd

 

Once you run this, run the following command to show that no differences exist between the two.  You can use this to compare your work:

diff /etc/ovid/prefs.xml /etc/ovid/prefs.xml-backup-mm-dd


Note: When you run the diff command above, there should be no output; this means no changes have been made.
Run this command again once you're finished, so you can see the changes that actually took place. If there were issues, you can restore the backup file.

If you need any further assistance, such as restoring the file above, please reach out to Symantec Encryption Support for further guidance.  

 

If reminders are enabled, disable them:

sed -i 's|disable-expiration-reminder>false|disable-expiration-reminder>true|' /etc/ovid/prefs.xml

Replicate the setting to other cluster members:

pgprepctl file /etc/ovid/prefs.xml

After the initial batch of PDF Email Protection users has been deleted, enable reminders:

sed -i 's|disable-expiration-reminder>true|disable-expiration-reminder>false|' /etc/ovid/prefs.xml
pgprepctl file /etc/ovid/prefs.xml

 

2. Increase Account Inactivity Expiration

If you wish to send reminders prior to the initial purge or simply want to retain inactive PDF Email Protection accounts for longer than 3 months, consider increasing the account Inactivity Expiration value to 6 months or 1 year.

This will mean that users who are not sent many messages have more time during which to receive at least one message and therefore be classified as active.

To do this, navigate to Services / Web Email Protection and click on the Edit button. Click on the Options tab, change the Inactivity Expiration value and click Save. For example, to change it to 1 year do the following:

The Message Expiration value on the same page determines when Web Email Protection or PDF Email Protection messages (as distinct from accounts) are deleted. This setting does not need to be changed.

 

3. Increase the number of daily reminders

The default limit of 10,000 reminders per day can be increased. To do this, ssh to Encryption Management Server and run the following commands.

Check the current setting. By default it will be 10000:

# grep 'expiration-reminders-per-day' /etc/ovid/prefs.xml
      <expiration-reminders-per-day>10000</expiration-reminders-per-day>

Increase the value to, for example, 100000:

sed -i 's|expiration-reminders-per-day>10000|expiration-reminders-per-day>100000|' /etc/ovid/prefs.xml

Replicate the setting to other cluster members:

pgprepctl file /etc/ovid/prefs.xml

Bear in mind that the more reminders you send each day, the greater the chance of the reminders being classified as spam. Please ensure that the email address being used to send the notifications, including reminders, is valid. See article 154712 for further information.

 

4. Increase the notification period

By default, reminders are sent 15 days prior to account deletion. You can increase this in order to provide more time for the outstanding reminders to be processed. To do this, ssh to Encryption Management Server and run the following commands.

Check the current setting. By default it will be 15 days:

# grep 'expiration-reminder-period' /etc/ovid/prefs.xml
      <expiration-reminder-period>15</expiration-reminder-period>

Increase the value to, for example, 30:

sed -i 's|expiration-reminder-period>15|expiration-reminder-period>30|' /etc/ovid/prefs.xml

Replicate the setting to other cluster members:

pgprepctl file /etc/ovid/prefs.xml



Finally, after making the appropriate changes as mentioned above, it is important to note that in order for all of these changes to take effect, you will need to run the following command:

 

pgpsysconf --restart pgpboomerangd

 

Once the command has run successfully, the server should apply the new settings. Please reach out to Symantec Encryption support if you need assistance or guidance with any of the above.
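The sed commands in sections 1, 3 and 4 match only the default values, so on a server where a value was already changed they leave prefs.xml untouched without reporting it. The helper below is an added example, not Symantec tooling: it sets an element whatever its current value is, keeps the backup described above, and confirms that exactly one line changed. The names set_pref and sample_prefs and the sample file layout are constructed.

```sh
# Added example (not Symantec tooling): set one prefs.xml element whatever its
# current value is, keep the first backup of the day, and verify the edit.
# set_pref FILE KEY VALUE -> prints "changed" or "unchanged"; non-zero on error.
set_pref() (
  file=$1; key=$2; value=$3
  backup="$file-backup-$(date +%m-%d)"      # naming used in the article
  # Accept only letters and digits (true/false, integers) so that nothing in
  # VALUE can be interpreted by sed.
  case $value in
    ''|*[!A-Za-z0-9]*) echo "refusing value '$value'" >&2; exit 2 ;;
  esac
  # The element must appear on exactly one line, or the file is left alone.
  count=$(grep -c "<$key>[^<]*</$key>" "$file") || true
  if [ "$count" != 1 ]; then
    echo "expected one <$key> line in $file, found ${count:-none}" >&2; exit 3
  fi
  # Never overwrite an earlier backup with an already edited file.
  [ -e "$backup" ] || cp -p "$file" "$backup"
  tmp=$(mktemp) || exit 4
  sed "s|<$key>[^<]*</$key>|<$key>$value</$key>|" "$file" > "$tmp"
  if cmp -s "$file" "$tmp"; then
    rm -f "$tmp"; echo unchanged; exit 0
  fi
  # Exactly one line may differ from the current file.
  lines=$(diff "$file" "$tmp" | grep -c '^>') || true
  if [ "$lines" != 1 ]; then
    rm -f "$tmp"; echo "unexpected change set: $lines lines" >&2; exit 5
  fi
  cat "$tmp" > "$file"     # write in place so owner and mode are kept
  rm -f "$tmp"
  echo changed
)

# Constructed sample holding the three elements shown in the article; the
# surrounding <prefs> root is an assumption, not the real file layout.
sample_prefs() {
  cat > "$1" <<'EOF'
<prefs>
        <disable-expiration-reminder>false</disable-expiration-reminder>
      <expiration-reminders-per-day>10000</expiration-reminders-per-day>
      <expiration-reminder-period>15</expiration-reminder-period>
</prefs>
EOF
}
```

On the server the call would be, for example, `set_pref /etc/ovid/prefs.xml expiration-reminder-period 30`, followed by the replication and restart commands given in the article.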