
MAPI Proxy: Decryption aborted

Created: 04 Jul 2011 | 16 comments

 

My PC is running PGP Desktop 10.1.1. The server uses the latest Microsoft Exchange.

 

My private key and my public key are on the keyring. My public key has been correctly uploaded to the PGP Global Directory.

The person with whom I want to exchange secure e-mails has given me his public key. I have imported it on the keyring, and signed. The other person has also imported my public key.

I can send signed and encrypted e-mails to him. That means I have got my private key (since I can sign) and his public key (since I can encrypt to him). He receives encrypted e-mails from me and can decrypt them properly.

He can send me encrypted e-mails (since he has got my public key).

However, when I receive his encrypted e-mails, PGP does not decrypt them. According to the PGP log: "MAPI Proxy: Decryption aborted".

Now, I have gone through all the discussions in PGP forums. Whatever was available on the Internet. It is not the typical PGP/MIME problem. His key and my key are properly set to "PGP/MIME" encoding. It must be something else. Can it be that he is NOT encrypting to my public key? Perhaps somebody from PGP could send me an encrypted e-mail using my public key from the PGP Global Directory, as a test? Just to check if the problem is at my end.

When I try to open his message by PGP Viewer I get the following error message: "Error: missing one or more decryption keys"

Any ideas what the problem is?

Daimars Skutans


Tom Mc's picture

I'm not finding anything helpful for you with this.  However, be aware that Microsoft Exchange and Office software more recent than version 2007 is not yet supported, and your difficulty may be the result of this current incompatibility.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Search the Knowledge Base &

daimars's picture

I'm running Microsoft Outlook 2003 on my PC, but the server uses Microsoft Exchange 2010. When I send signed and encrypted test e-mail messages to myself, the messages are read and decrypted properly. Is there no possibility to receive some encrypted e-mail message from PGP to see if there is the same problem with decryption? 

Many thanks,

Daimars Skutans

daimars.skutans@spilbridge.com

Tom Mc's picture

I just sent an encrypted message.


Tom Mc's picture

Was it successful?


tallbloke's picture

I am having the same problem.  We run MS Exchange 2010, Outlook 2007.

I see the problem from multiple senders attempting to PGP encrypt emails to me.  They have all imported my public key into their local keyring.  The same key is on their organisation's keyserver - I uploaded it myself, and have checked it several times.   When they send me an email marked for PGP encryption, it only occasionally works.  Same public key available to all, same sending organisation, same recipient.  Several senders have the same problem.

Assume for this example that someone has sent me one that is successfully decrypted in Outlook at my end.  They then send me another, sometimes 2-3 minutes later, it can't be decrypted.  The error in the log is as reported above - "MAPI Proxy: Decryption aborted".  When I try to open the pgp attachment from the email in the PGP Desktop Viewer, it reports that the email was encrypted to two unknown keys and that I have no private keys available to decrypt it.

At other times, I receive an encrypted message, it is successfully decrypted in Outlook (using the MAPI plugins, presumably), I then reply to the sender.  It is successfully encrypted and they can read it.  But if they then reply to my email again, 9 times out of 10, I can't read it.  It can't be decrypted due to exactly the same error as that reported above.

Additional data logged in the verbose PGP log during such decryption failures (the items in square brackets I have replaced for privacy reasons):

17:45:59 Email      Verbose    Looking for account data for mail server EMAIL; Account ID /o=[my company]/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=[my name]; user [my username]; and address [my email address]

17:45:59 Email      Verbose        Existing entry is [my email address]

 

This problem is hugely frustrating as I use the tool all the time to communicate securely with an external organisation.

Any ideas?

Tom Mc's picture

What PGP version are you using?


tallbloke's picture

Sorry, I should have said.

PGP Desktop 10.2.0 [Build 1672] (PGP SDK 4.2.0)

Tom Mc's picture

Does this Knowledge Base Article apply to your setting?


Tom Mc's picture

Please also right click on your key in PGP Desktop, select Key Properties, and make sure Encoding is set to PGP/MIME.  I'd also suggest making sure People Pane is disabled in Outlook.


tallbloke's picture

I looked at the Knowledge Base Article that you pointed me to.  I don't yet see how this would fix my problem.

The second point (about having MS Exchange components installed locally) is not true anyway.

The first point will turn off my ability to use PST files, which I do extensively.

I don't understand why turning off PST file use will fix this problem...plus it's intermittent.  So I am loath to install a hotfix or change registry settings unless it is clearly the solution.

I don't have People Pane enabled either.

What about other things like mixing Mail Sensitivity options (Normal/Confidential) on the Message Options page with the Encrypt button (MAPI dll?)?

tallbloke's picture

Also, I now know that the remote PGP version in use is 9.12, if that helps at all.

And I have my public key in both a corporate keyserver at the remote end and in the local keyring of the senders.  Perhaps a sync issue between the two, or some other difference?  The reported Key IDs are the same in both, however.

And when I try to open the .pgp file in PGP Viewer, the error says the object was encrypted to two unknown keys.  Not sure why TWO keys are unknown and not ONE (i.e. mine), and also if there is a method to find out which Key IDs it thinks are "unknown" - these are not logged.
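
Added example (not part of the original thread, and not PGP Desktop's own code): one way to see which Key IDs a message was actually encrypted to is to read the Public-Key Encrypted Session Key packets (RFC 4880, tag 1) at the front of the message. The function names and the sample bytes are constructed for illustration; the IDs reported are normally those of encryption subkeys, so compare them against your subkey IDs and not only the primary Key ID.

```python
import base64

def dearmor(text):
    """Decode an ASCII-armored OpenPGP message to raw packet bytes."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = lines[lines.index("") + 1:-1]      # skip armor headers and the END line
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packets(data):
    """Yield (tag, body) per RFC 4880 section 4.2 until a streamed packet is reached."""
    i = 0
    while i < len(data):
        hdr = data[i]; i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                        # new-format header
            tag, first = hdr & 0x3F, data[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big"); i += 4
            else:
                return                        # partial length: the encrypted data itself
        else:                                 # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                return                        # indeterminate length
            n = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length

def recipient_key_ids(data):
    """Key IDs in the Public-Key Encrypted Session Key packets (tag 1, version 3)."""
    return [body[1:9].hex().upper() for tag, body in packets(data)
            if tag == 1 and len(body) >= 10 and body[0] == 3]

def split_recipients(data, my_key_ids):
    """Return (usable, unknown). my_key_ids must include encryption subkey IDs."""
    ids = recipient_key_ids(data)
    mine = {k.upper() for k in my_key_ids}
    return [k for k in ids if k in mine], [k for k in ids if k not in mine]

# Constructed sample (made-up key IDs): two PKESK packets, then a streamed data packet.
_TAIL = b"\x01\x00\x08\xaa"
SAMPLE = (b"\x84\x0d\x03" + b"\x11" * 8 + _TAIL + b"\xc1\x0d\x03" + b"\x22" * 8 + _TAIL
          + b"\xd2\xe0\x00")
```

An all-zero Key ID in the output means the sender hid the recipient, in which case the ID alone cannot tell you which key was used.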

Tom Mc's picture

In some dialogs, you can click on the unknown keys message with the result of it then showing the key IDs - this might possibly work for you.  I'm also wondering about the need to synch the keys.  When in a PGP managed environment, it may be possible for the keys to be updated, such as with new encryption subkeys, that are not included in the key of the local desktop's keyring.  If this is a PGP Universal managed environment, you may want to consider starting a new topic for this in that forum.


tallbloke's picture

At my end, it's certainly not a PGP Universal managed environment.  We were asked, as suppliers to the organisation, to upload our public keys to their keyserver.  This is so that any employee can encrypt emails to me if required, but most of the ones I engage with regularly have their own local keyring.

I have asked them to delete my key from the keyserver to see if it works consistently using only local keyrings.

If I double click the pop-up in PGP Viewer, it attempts to connect to the corporate keyserver and / or the PGP Global Directory. I noticed that this latter keyserver cannot be removed in the keyservers dialog box.  What is the function at work here?  Is it that if a local copy of one of the public keys cannot be found then it looks in the keyservers?  I don't quite get what it's trying to do.

Tom Mc's picture

I can think of two possible reasons for checking the servers.  The first is that PGP may be trying to identify what key it is encrypted to.  The second is that if the file is signed, it may be looking for the public key needed to verify the signature.  I suspect that on the Keys tab of PGP Options, that you have Automatically Look Up Keys When Verifying Signatures enabled.


tallbloke's picture

We managed to fix this issue but it's not yet clear what was going wrong.

At the remote end, the organisation I was communicating with had two different PGP public keys for me in two different Universal Servers.  Deleting one of them fixed the issue.  However, what hasn't been identified yet is why an email from the same person using the same method to classify and send the email to me would sometimes pick one key (that worked), sometimes pick the other key (that didn't) and sometimes pick both.

Tom Mc's picture

I can only guess what may be happening at the other end, but it sounds like a problem of them not having their servers synched, and that it is rather random as to which server the user first accesses in the search for your key.
