
outbound mails are rejected - not signed by a trusted key

Created: 31 Aug 2011 • Updated: 02 Dec 2011 | 3 comments
This issue has been solved. See solution.
After defining an outbound policy with PGP encryption, the outbound test message, which should match the newly defined policy, is bounced. In Reporting, the following error entries appeared:
SMTP-16509: recipient 1/1 ( bouncing: unable to locate a valid encryption key
SMTP-16509: key search <> [internal user keys]: found key "" (KeyID: 0xF6D33F10) [rejected - not signed by a trusted key]
The outbound policy is configured similarly to the following:
- Conditions / If all of the following are true / Recipient address is
- Actions / Send (encrypted/signed) / Encrypt to recipient's key; Sign; When suitable key not found bounce message; Preferred encoding format: PGP/MIME
- Key Search / The following locations will be searched for keys by default: Internal users; External users; No additional locations will be searched
The outbound message will only be delivered if the option "Require verified key" is disabled. The PGP Universal Server Administration Guide recommends enabling that option. If an external key is imported and is listed in the external user list, I assume that the key in question is trusted. To make sure of that, I exported the key, signed it via PGP Desktop and re-imported it into Universal Server. The result is the same as before.
Where is my error in reasoning?
I'm still using Universal Server version 3.1.2 Build 9 (an update to 3.2 is planned). I guess that I had no problems with that issue when using 2.12 and earlier versions. The "Require verified key" option was enabled in all outbound policies.
In the Admin Guide I only found a hint about outbound S/MIME messages: to verify an S/MIME certificate, the corresponding root certificate has to be listed in Trusted Keys.
Any hints are appreciated.


Julian_M:

Check your keyservers under the Keys tab. It should point to the server that provides the recipient's key. If this server is your own Universal, Keyserver mode should be enabled from the Services tab.

You might also want to enable Verified Directory as well as a managed domain (Consumers tab). You will also need an Organization Key for your server in order to sign users' keys being shared.

What happens if you disable "Require verified key" ?

Share results.

When you consider the issue resolved, please click Mark As Solution on the post that best provided the solution.

CBtz:

Hello Julian,

Thank you for your reply. Now I want to return to that case...

I analysed the points that you suggested:

- in the keyservers overview there are two areas: "Default Keyservers" and "All Keyservers"
  - in "Default Keyservers" only the PGP Global Directory is listed
  - in "All Keyservers" there are two entries ("Keyserver of Recipient Domain" and, again, "PGP Global Directory")

- the server is our own internal Universal, and keyserver mode is enabled

- Verified Directory is the only service that is DISABLED

- in Managed Domains our external domain names are defined, which are associated with our mailboxes and our own keys

- of course there is also an Organisation Key present

Currently the "Require verified key" option is disabled in all outbound policies where the encoding format is PGP/MIME or PGP/Partitioned. In outbound S/MIME policies the option is still enabled, and we do not have any trouble with it.

As long as I leave the "Require verified key" option disabled in outbound PGP policies, outbound mail delivery also works without any problems.

But my question is: what exactly is required so that the "Require verified key" option can be used in outbound PGP policies? Is a key only regarded as verified if the key itself is listed in the Global Directory? Is it really necessary to enable Verified Directory on our own Universal Server? Up to now I assumed that a key is trusted after manual import into the Consumers database.



PGP_Ben:

For the key to be "verified", it either needs to be manually uploaded to the keyserver using Verified Directory, or the key needs to be signed by an organization that we trust (such as your own organization), or it needs to be on another keyserver that we trust, such as our Global Directory.

Right now, it sounds like the software is working as designed. If you manually upload a key that is not verified, we won't encrypt to it (if "Require verified key" is enabled). Furthermore, if you have all other key searches disabled, then we have no way of verifying that key on another keyserver such as the Global Directory or the recipient domain's keyserver either.

If/when you consider your issue resolved, please click Mark As Solution on the most helpful response.
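An added illustration of the rule described in the answer above (this is example code, not code from the thread or from PGP Universal Server): it parses the SMTP-16509 "key search" entries quoted in the question and models the verified-key decision for the outbound policy. The Organization Key ID, the PGP Desktop key ID and the trusted location names are placeholders assumed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the two SMTP-16509 lines quoted in the question
# (the empty address and key name are left empty exactly as the original post shows them).
SAMPLE_LOG = """\
SMTP-16509: recipient 1/1 ( bouncing: unable to locate a valid encryption key
SMTP-16509: key search <> [internal user keys]: found key "" (KeyID: 0xF6D33F10) [rejected - not signed by a trusted key]
"""

KEY_SEARCH = re.compile(
    r'key search <(?P<addr>[^>]*)> \[(?P<location>[^\]]+)\]: '
    r'found key "(?P<name>[^"]*)" \(KeyID: (?P<keyid>0x[0-9A-Fa-f]+)\) '
    r'\[(?P<status>[^\]]+)\]')

def parse_key_search(log_text):
    """Return one dict per 'key search' entry: address, location, name, KeyID and bracketed status."""
    return [m.groupdict() for m in KEY_SEARCH.finditer(log_text)]

@dataclass
class KeyRecord:
    key_id: str
    certified_by: frozenset   # key IDs that have signed (certified) this key
    found_in: str             # location the key search returned it from

def is_verified(key, trusted_signers, trusted_locations):
    """Rule as described in the answer: a key counts as verified when it carries a
    certification from a trusted key (e.g. the Organization Key) or was returned by
    a trusted location (Verified Directory, a trusted keyserver)."""
    return bool(key.certified_by & trusted_signers) or key.found_in in trusted_locations

def outbound_decision(key, require_verified, trusted_signers, trusted_locations):
    """'bounce' or 'encrypt', mirroring 'When suitable key not found: bounce message'."""
    if require_verified and not is_verified(key, trusted_signers, trusted_locations):
        return "bounce"
    return "encrypt"

# Assumed (hypothetical) identifiers for the scenario in the thread.
ORG_KEY = "0xORGKEY0001"        # Organization Key, placeholder
DESKTOP_KEY = "0xDESKTOP0002"   # the PGP Desktop key used to sign and re-import, placeholder
TRUSTED_SIGNERS = frozenset({ORG_KEY})
TRUSTED_LOCATIONS = frozenset({"verified directory", "pgp global directory"})

if __name__ == "__main__":
    entry = parse_key_search(SAMPLE_LOG)[0]
    # Assumption: the re-imported key is certified only by the PGP Desktop key, not by the Organization Key.
    key = KeyRecord(entry["keyid"], frozenset({DESKTOP_KEY}), entry["location"])
    print(entry["status"], "->", outbound_decision(key, True, TRUSTED_SIGNERS, TRUSTED_LOCATIONS))
```

Adding the Organization Key to `certified_by`, or returning the key from one of the trusted locations, flips the decision to "encrypt" with "Require verified key" still enabled.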