
E-Mail blocked, key not found - PGP Desktop / Symantec Encryption Desktop

Created: 06 Mar 2014 • Updated: 07 Mar 2014 | 6 comments
This issue has been solved. See solution.

Hi everyone,

We are using a PGP Universal Server (now Symantec Encryption Server) - Version 3.3.1 - Build 13100 - which is dropped into the mail flow and is doing e-mail encryption and decryption for us.

A couple of days ago a customer reported that he cannot encrypt e-mails to us with the keys our server created (in SKM). In order to reproduce the problem I have downloaded "Symantec Encryption Desktop" and created a key for a testing e-mail address.

Whenever I try to force encrypt an e-mail to this test account (by adding [PGP] to the subject) with the created key I get a message stating that the e-mail was blocked because no key could be found.

This does not work whether the key is added to the local keyring (signed and trusted) or retrieved via LDAP through our keyserver. Using LDAP the software even finds and downloads a key, and then the log states that the key is not usable for encryption.

I have tried using different ciphers and hash algorithms and have checked the key properties, which includes "PGP Messaging". Still to no avail...

This seems to work fine with alternate PGP products as some of our customers are using these keys without problem. This issue just seems to exist with Symantec's Desktop software.

If anyone can point me in the right direction I would be more than happy...


dcats:

Hi Teeyou,

If it was working so far, check what may have changed in the environment. These would be two different issues, because the lookup mechanisms are different for internal users and external lookups.

Some new firewall rules blocking the port needed for key lookup?
See PGP Universal Server Client Communication Ports - TECH149645.

Can you search for keys in the client interface?

Do you have your keyring on the local disk, or is it on mapped folders/roaming profiles? Please have a look at: https://www-secure.symantec.com/connect/forums/tro...

Can you reboot the server? Perhaps something hanging...

Rgs,
dcats

Teeyou:

Hi dcats,

Thank you for your reply...

I'm not quite sure when this stopped working, as we ourselves are not using PGP Desktop. I just never had any complaints so far until one of our customers told me that our "encryption keys are not working". I have downloaded PGP Desktop yesterday to reproduce our customer's problems.

After I was also having trouble with the software I have updated our server 3.3.0 (including the obligatory reboot)...

I am able to search for the keys no problem whether it is in the local keyring, our keyserver or the global directory. So firewall cannot be the issue...

As suggested I moved the keyring to a local drive (we are using folder redirection for the Documents folder) but that did not help...

I have attached a newly created key for a test user below. This key was created after the PGP Universal Server update I performed yesterday... From my point of view it looks OK, but is it really? I mean, at least it should work from a local keyring, shouldn't it?


Anthony_Betow:

I imported the key, changed the Trust to trusted and signed the key, and it was verified.

Make sure your key ring is on the Master key list: Tools, Options, Master Key tab.

For the PGP messaging service, are you sending your e-mail straight to the internet, or going through an Exchange server first and then out to the internet?

Thanks

Anthony

Anthony_Betow:

Also, with a stand-alone Outlook, you must change your account settings.

1. File, Account Settings.
2. Highlight your name with the e-mail address.
3. Click on Change above your name.
4. Click on More Settings.
5. Click on Advanced.
6. Change the POP3 to 110 and SMTP to 25.
7. Un-check the SSL and click on Okay.
8. PGP should be able to proxy your e-mail without Outlook interfering.

Thanks

Anthony

dcats:

Hi Teeyou,

First of all, and very likely to be the issue: the key has no usage flags.
- Open the key details and click View for Key Usage.
- Probably the users are assigned to a Consumer Group which has a Consumer Policy applied without anything selected; at least Email Messaging should be enabled for this use case.

After that, please check if the service is running. Go to Reporting > Overview (on the right-hand side): is Keyserver ldap://keys.domain:389 "Running"?

- Check the configuration under Services > Keyserver.
- Verify the firewall rules.

I couldn't search this key via Keyserver, but I can see it if I query the Verified Directory (http://keys.domain).

Thanks and regards,
dcats
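The "no usage flags" diagnosis above maps to something that can be checked offline: an OpenPGP key's self-signatures carry a Key Flags subpacket (type 27, RFC 4880) that says whether the key or a subkey may be used for encryption. The following script is an added example, not code from this thread or from Symantec's product; it parses an exported binary (non-armored) public key and reports the flags per key and subkey. The two sample keys are constructed in memory from dummy key material and are not real or verifiable keys; whether Symantec Encryption Desktop keys off exactly this subpacket is not stated in the thread, so treat the check as an approximation of what dcats describes.

```python
import hashlib
import struct

# Key Flags bits, RFC 4880 section 5.2.3.21
FLAG_NAMES = {0x01: "certify", 0x02: "sign", 0x04: "encrypt-communications",
              0x08: "encrypt-storage", 0x20: "authenticate"}
ENCRYPT_MASK = 0x04 | 0x08
CERT_AND_BINDING_SIGS = (0x10, 0x11, 0x12, 0x13, 0x18)   # certifications + subkey binding


def parse_packets(data):
    """Yield (tag, body) for each OpenPGP packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("invalid packet header at offset %d" % (i - 1))
        if hdr & 0x40:                                   # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths are not supported")
        else:                                            # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not supported")
            width = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + width], "big")
            i += width
        yield tag, data[i:i + length]
        i += length


def parse_subpackets(area):
    """Yield (type, body) from a signature subpacket area (RFC 4880 5.2.3.1)."""
    i = 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        yield area[i] & 0x7F, area[i + 1:i + length]   # the length covers the type octet
        i += length


def key_flags(sig_body):
    """Return the Key Flags octet from a v4 signature's hashed area, or None if absent."""
    if sig_body[0] != 4:
        return None
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    for sp_type, sp_body in parse_subpackets(sig_body[6:6 + hashed_len]):
        if sp_type == 27 and sp_body:
            return sp_body[0]
    return None


def inspect_key(data):
    """Map each primary/subkey v4 fingerprint to its Key Flags (None = no subpacket seen)."""
    report, current = {}, None
    for tag, body in parse_packets(data):
        if tag in (6, 14):                               # public key / public subkey
            current = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            report[current] = None
        elif tag == 2 and current and body[1] in CERT_AND_BINDING_SIGS:
            flags = key_flags(body)
            if flags is not None:
                report[current] = flags
    return report


def describe(flags):
    """Human-readable rendering of a Key Flags octet."""
    if flags is None:
        return "no Key Flags subpacket"
    return ", ".join(n for b, n in FLAG_NAMES.items() if flags & b) or "none"


def usable_for_encryption(data):
    """True if any key or subkey in the blob is flagged for encryption."""
    return any(f is not None and f & ENCRYPT_MASK for f in inspect_key(data).values())


# --- constructed sample keys: dummy key material, not real or verifiable keys ---
def _packet(tag, body):
    assert len(body) < 192                               # one-octet new-format length
    return bytes([0xC0 | tag, len(body)]) + body


def _sig(sig_type, flags):
    hashed = b"" if flags is None else bytes([2, 27, flags])   # subpacket: len, type 27, flags
    body = bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
    return _packet(2, body + b"\x00\x00" + b"\xab\xcd" + b"\x00\x08\xab")  # no unhashed area, left16, dummy MPI


DUMMY_KEY_BODY = (bytes([4]) + struct.pack(">I", 0x5317A000) + bytes([1])
                  + b"\x00\x10\xbe\xef" + b"\x00\x11\x01\x00\x01")          # v4, RSA, toy n and e
UID = _packet(13, b"Test User <test@example.com>")


def sample_key(primary_flags, subkey_flags):
    subkey_body = DUMMY_KEY_BODY[:1] + b"\x00\x00\x00\x01" + DUMMY_KEY_BODY[5:]  # different creation time
    return (_packet(6, DUMMY_KEY_BODY) + UID + _sig(0x13, primary_flags)
            + _packet(14, subkey_body) + _sig(0x18, subkey_flags))


GOOD_KEY = sample_key(0x03, 0x0C)      # primary certify+sign, subkey encrypt
NO_FLAGS_KEY = sample_key(None, None)  # self-signatures carry no Key Flags at all

if __name__ == "__main__":
    for name, blob in (("GOOD_KEY", GOOD_KEY), ("NO_FLAGS_KEY", NO_FLAGS_KEY)):
        print(name, "usable for encryption:", usable_for_encryption(blob))
        for fp, flags in inspect_key(blob).items():
            print("  ", fp, describe(flags))
```

To run it against a real key, export it in binary form (for GnuPG that is `gpg --export <id> > key.gpg`, without `--armor`) and pass the file's bytes to `inspect_key`. A key whose every entry reads "no Key Flags subpacket" or lacks any encrypt flag is the situation the thread ends up diagnosing: the server signed the key under a policy with no messaging usage enabled.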

SOLUTION
Teeyou:

Hi dcats,

You were spot on with the matched consumer policy. Somewhere along the road I must have had a bad day and disabled the setting to "allow users to receive encrypted mail"... (see attached screenshot)

Thank you and everyone else who was trying to help me with my problem a thousand times!

Regards

Teeyou

doh.PNG