Unable to send to additional recipients using PGP Web Email Protection Secure Inbox

Products

Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK Mobile Encryption for iOS

Issue/Introduction

Symantec Encryption Management Server (PGP Server) has the ability to send secured content to external recipients who do not have any encryption keys or software installed. This is achieved through PDF Email Protection or Web Email Protection (WEP). When the internal recipient sends to an external recipient, the PGP Server will check how the message should be secured. If Web Email Protection is the secure option to use then the external recipient will receive an email notification with a link to login to view the message securely.

When the External WEP user logs in to their WEP Inbox, the message can then be viewed securely via a secure web portal. The External WEP user can then reply from within the secure inbox to send a secure response to the original recipients. If there are other users that are added, these emails may not send and the following error may be received:

"The following addresses were not on the original recipient list and are not managed by the Symantec Encryption Server"

This article will cover why this message will show up and what you can do to avoid it for your External WEP recipients.

Resolution

What the message indicates is that the External WEP user is trying to include additional recipients that were not part of the original sender list when sending with Web Email Protection with the PGP server.

Consider the following scenarios that can occur when this error is observed and how to avoid it:

Scenario 1: External Users want to add more External Users to their WEP Email (Additional external users are NOT enrolled to the PGP WEP Email Service):

The Internal user is [email protected], and they sent to two external recipients: [email protected], and [email protected].
Then [email protected] wants to include a recipient [email protected].

Note: The user [email protected] has never enrolled to the WEP Email service.

The above scenario will not work as [email protected] was not included in the original sender list and has never enrolled to the WEP service. When the users are included in these secure WEP email messages, the external users will go through a type of "Enrollment" process where they get their own WEP account created. Once the account is created, then these users have a way to receive secure data via their own secure WEP Inbox. The idea behind this is to prevent secure data from being sent to users in an unsecured manner.

Scenario 2: External Users want to add more External Users to the WEP Email (Additional external user IS enrolled to WEP Email):

The Internal user is [email protected], and they sent to two external recipients: [email protected], and [email protected]. Both of these accounts are enrolled to the PGP WEP service.
Then [email protected] wants to include a new recipient [email protected].

Note: The user [email protected] has already enrolled to the WEP Email service and already has an account.

In the above scenario, the [email protected] user already has a WEP account and so they can be added into a WEP Email thread as this provides a way for the PGP Server to send the messages secured to the users.

To avoid external users running into the error message listed above, the best action to take is to have the internal user first send an individual email to the external recipient securely to ensure they are enrolled to the PGP WEP service and can login to their own WEP account. Once the external user has confirmed they were able to do so, then they will be able to receive future secured WEP Email content into their own WEP Inbox. This allows all the sensitive data to stay within the confines of the secure WEP inbox for all of these interactions.

Note: Once an email has arrived to the secure WEP Inbox, it is not possible to forward or send to other users who have not already enrolled to the PGP WEP service and this is why the message above appears. The internal user must first invite the external user to create their WEP account.

For further guidance, contact your PGP Server Administrator, or Symantec Encryption Support for further guidance.

Additional Information

153269 - Symantec Encryption Management Server Web Email Protection Troubleshooting

153690 - PGP: Message is blocked by policy - recipient key not found