ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Insufficient time to warn all PDF Email Protection users of account deletion

book

Article ID: 238734

calendar_today

Updated On:

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

Starting with release 10.5.1 of Encryption Management Server, PDF Email Protection user accounts will be deleted after a specified inactivity period.

A PDF Email Protection account is classified as inactive if the user has not been sent a PDF Email Protection message and has not logged into the Web Email Protection portal within a certain period, 3 months by default.

Prior to a PDF Email Protection user account being deleted, by default a reminder is sent to the user 15 days prior to deletion, requesting that they login to the Web Email Protection portal and validate their account. This reminder uses the new template PDF Email Protection Account Expiration Warning which can be found in the management console by navigating to Mail / Message Templates.

Starting in release 10.5.1, the most recent date that each PDF Email Protection user is sent an email is captured. The initial last sent date for each PDF Email Protection user is set to the date that Encryption Management Server was installed or upgraded to release 10.5.1 or above. Therefore, by default, 75 days later, reminders will start to be sent to inactive PDF Email Protection users. 

By default, a maximum of 10,000 email reminders will be sent each day. Note that if there are more than 10,000 users who need to be sent a reminder on one day, they will be scheduled to receive one in subsequent days.

Prior to release 10.5.1, PDF Email Protection accounts were never deleted. Therefore, in some environments, there may be very large numbers of inactive PDF Email Protection accounts.

The default limit of 10,000 daily reminders may not be sufficient to ensure that all PDF Email Protection users are notified of the pending deletion of their accounts. For example, the default settings will only allow a maximum of 150,000 (10,000 * 15) users to be notified. Clearly, because of the 10,000 maximum limit, 30,000 of those users will receive only 3 days notice (including weekends). Many users will therefore not have sufficient notice to login to the Web Email Protection portal even if they want to.

Environment

Symantec Encryption Management Server 10.5.1 and above.

Resolution

There are several options for ensuring that users receive sufficient notice of the pending deletion of their PDF Email Protection account. Note that all these settings will also apply to Web Email Protection accounts.

Before making any changes, it is helpful to know how long ago the PDF Email users were last seen. To discover this, ssh to Encryption Management Server and copy and paste the following query:

psql oviddb ovidr -xtc "
WITH pdf_user_last_seen AS (
  SELECT greatest(created, last_access, last_received_mail_date) last_seen
  FROM consumer co
  JOIN boomerang_user bu ON bu.consumer_uuid = co.uuid
  WHERE delivery_pref = 6), 
total_pdf AS (
  SELECT count(*) total_pdf_users
  FROM pdf_user_last_seen),
over_7 AS (
  SELECT count(*) last_seen_over_1_week_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '7 days'),
over_30 AS (
  SELECT count(*) last_seen_over_1_month_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '30 days'),
over_60 AS (
  SELECT count(*) last_seen_over_2_months_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '60 days'),
over_90 AS (
  SELECT count(*) last_seen_over_3_months_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '90 days'),
over_180 AS (
  SELECT count(*) last_seen_over_6_months_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '180 days'),
over_365 AS (
  SELECT count(*) last_seen_over_1_year_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '365 days'),
over_730 AS (
  SELECT count(*) last_seen_over_2_years_ago
  FROM pdf_user_last_seen
  WHERE last_seen < now() - INTERVAL '730 days')
SELECT * 
FROM total_pdf, over_7, over_30, over_60, over_90, over_180, over_365, over_730"

The query will show the total number of PDF Email Protection users and how many were last seen over 1 week ago, over 1 month ago, over 2 months ago, over 3 months ago, over 6 months ago, over 1 year ago and over 2 years ago.

One week after upgrading to release 10.5.1 or above, the number of users last seen over 1 week ago will be greater than zero and over time the other totals will be populated.

Two months after upgrading, the figure for the number of users last seen over 2 months ago will be the maximum that would be deleted if the account inactivity expiration period is set to  the default of 3 months. If this number exceeds 100,000 then you will probably want to make some of the configuration changes below.

 

1. Disable Reminders

In environments that have very large numbers of inactive PDF Email Protection accounts, the first time that accounts are purged will result in a high number of deletions.

The simplest and arguably the best option is therefore to disable the email reminders until this first batch of accounts has been purged.

After all, there is little or no benefit sending reminders to users who have probably been inactive for an extended period. Temporarily disabling reminders may well be the only change you need to make.

To disable reminders, ssh to Encryption Management Server and run the following commands.

Check reminders are enabled. If reminders are enabled this setting will be false:

# grep 'disable-expiration-reminder' /etc/ovid/prefs.xml
        <disable-expiration-reminder>false</disable-expiration-reminder>

If reminders are enabled, disable them:

sed -i 's|disable-expiration-reminder>false|disable-expiration-reminder>true|' /etc/ovid/prefs.xml

Replicate the setting to other cluster members:

pgprepctl file /etc/ovid/prefs.xml

After the initial batch of PDF Email Protection users has been deleted, enable reminders:

sed -i 's|disable-expiration-reminder>true|disable-expiration-reminder>false|' /etc/ovid/prefs.xml
pgprepctl file /etc/ovid/prefs.xml

 

2. Increase Account Inactivity Expiration

If you wish to send reminders prior to the initial purge or simply want to retain inactive PDF Email Protection accounts for longer than 3 months, consider increasing the account Inactivity Expiration value to 6 months or 1 year.

This will mean that users who are not sent many messages have more time during which to receive at least one message and therefore be classified as active.

To do this, navigate to Services / Web Email Protection and click on the Edit button. Click on the Options tab, change the Inactivity Expiration value and click Save. For example, to change it to 1 year do the following:

The Message Expiration value on the same page determines when Web Email Protection or PDF Email Protection messages (as distinct from accounts) are deleted. This setting does not need to be changed.

 

3. Increase the number of daily reminders

The default limit of 10,000 reminders per day can be increased. To do this, ssh to Encryption Management Server and run the following commands.

Check the current setting. By default it will be 10000:

# grep 'expiration-reminders-per-day' /etc/ovid/prefs.xml
      <expiration-reminders-per-day>10000</expiration-reminders-per-day>

Increase the value to, for example, 100000:

sed -i 's|expiration-reminders-per-day>10000|expiration-reminders-per-day>100000|' /etc/ovid/prefs.xml

Replicate the setting to other cluster members:

pgprepctl file /etc/ovid/prefs.xml

Bear in mind that the more reminders you send each day, the greater the chance of the reminders being classified as spam. Please ensure that the email address being used to send the notifications, including reminders, is valid. See article 154712 for further information.

 

4. Increase the notification period

By default, reminders are sent 15 days prior to account deletion. You can increase this in order to provide more time for the outstanding reminders to be processed. To do this, ssh to Encryption Management Server and run the following commands.

Check the current setting. By default it will be 15 days:

# grep 'expiration-reminder-period' /etc/ovid/prefs.xml
      <expiration-reminder-period>15</expiration-reminder-period>

Increase the value to, for example, 30:

sed -i 's|expiration-reminder-period>15|expiration-reminder-period>30|' /etc/ovid/prefs.xml

Replicate the setting to other cluster members:

pgprepctl file /etc/ovid/prefs.xml

Attachments