
PGP desktop unexpectedly started intercepting outgoing email

Created: 03 Aug 2014 | 8 comments

Does anyone have any idea why PGP desktop would have unexpectedly started intercepting my outgoing emails?

I use Mozilla Thunderbird (a version from a couple of years ago) to send mail and have PGP Desktop 10.2.0 installed on my Windows 7 computer (for its encrypted virtual disk feature).  I do not use PGP in connection with email, but a couple of days ago my outgoing emails suddenly started being routed via PGP universal service (which reports "sent unsecured. Service disabled by user").  I have not updated Thunderbird or PGP in a long time.  (The routing via PGP started when another family member was sending an email, and it's possible she accidentally did something that changed things, but that seems unlikely to me.)  PGP is consistently intercepting all outgoing Thunderbird emails now, and so far as I can tell it has not done so before for emails sent using Thunderbird.

I can probably find a way to turn this off (e.g. by turning off the messaging part of PGP desktop), but I'm puzzled by the mystery and would like to understand what happened.  I've looked at various things with no luck.  Any ideas will be appreciated.


_Adam_'s picture

Hi nick-l,

If you want to find the root cause of the issue, the only way is to start investigating the PGP Desktop 10.2.0 and PGP Universal Server logs dating back to the day when it happened for the first time.

You can always post the logs for investigation.

HTH

if/when you consider your issue is resolved, please click "Mark As Solution" on a response


indiraharshareddy's picture

I insist that _Adam_'s recommendation be carried out first; then

I recommend checking that your name is in the mail group of the corresponding consumer group.

Also update the policy from PGP Desktop, restart the PGP Desktop service and check.


nick-l's picture

Thank you very much for your replies.  My computer froze just as I finished a response last night, wiping it out.  My computer has crashed a few times lately - I don't know if somehow this could be related to the change in behavior of PGP.
And enough other things have come up for me to deal with that it seems I don't have much time to follow up on this right now.

The only PGP log I've found is the PGP desktop log.  When PGP desktop starts up the log reports:

*A 10:38:34 ----- PGP Desktop started -----
*A 10:38:34 PGP Desktop 10.2.0 (Build 1672) (1672)
*A 10:38:34 Today's date is Saturday, July 26, 2014
IP 10:38:37 Setting logging level to: normal
IE 10:38:38 Email proxying is enabled and active

This does not seem to have changed.
Before the behavior change, sent emails were not mentioned in the PGP log in the cases I've looked at.
After the change in behavior, I see in the log, for example:

WE 16:21:11 Server nb-smtpauth-vip2.prodigy.net presented a TLS certificate for a domain name which does not match (NLPI162.PRODIGY.NET)
IE 16:21:25 Processing outgoing message from XXXXXX <xxx@xxxx.com> with subject: Monday Aug 4
WE 16:21:25    Sending message unsecured


If I look at an email that I sent to myself, after the change, the header lines include two mentions of PGP Universal, for example header lines like the following:

Received: from [127.0.0.1]
  by echo (PGP Universal service);
  Fri, 01 Aug 2014 11:50:00 -0800
X-PGP-Universal: processed;
        by echo on Fri, 01 Aug 2014 11:50:00 -0800

(echo is the name of my computer.)
Neither of these lines appeared before the change.

When I compare old backup versions of the PGPpolicy and PGPprefs files and the Thunderbird prefs file with current versions, I don't spot any changes that to my eye look like they would account for the change in behavior.

What might have changed that could have changed whether or not PGP intercepts the emails - something I'm not seeing in the PGP or Thunderbird AppData files, or something somewhere else?

Any further thoughts will be appreciated.
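
The header comparison described in the post above can be run over saved messages with a short script. This is an added example, not part of the original thread: it flags `Received` hops that come from a loopback address and any `X-PGP-Universal` field. The function name and the sample's From/To/Subject fields are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the two header fields quoted in the post above, plus
# ordinary fields added so the text parses as a complete message.
SAMPLE = """\
Received: from [127.0.0.1]
  by echo (PGP Universal service);
  Fri, 01 Aug 2014 11:50:00 -0800
X-PGP-Universal: processed;
        by echo on Fri, 01 Aug 2014 11:50:00 -0800
From: sender@example.com
To: sender@example.com
Subject: test

body
"""

LOOPBACK = re.compile(r"from\s+\[?(127\.0\.0\.1|::1|localhost)\]?", re.I)

def proxy_hops(raw):
    """List header evidence that a proxy on the sending machine handled the mail."""
    msg = message_from_string(raw)
    findings = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        if not LOOPBACK.search(flat):
            continue                            # hop did not originate locally
        by = re.search(r"\bby\s+(\S+)(?:\s+\(([^)]*)\))?", flat)
        stamp = flat.rsplit(";", 1)[-1].strip()  # date follows the last ';'
        try:
            when = parsedate_to_datetime(stamp).isoformat()
        except (TypeError, ValueError):
            when = None                         # missing or malformed date
        findings.append({
            "kind": "loopback-received",
            "host": by.group(1) if by else None,
            "software": by.group(2) if by else None,
            "time": when,
        })
    for value in msg.get_all("X-PGP-Universal", []):
        findings.append({"kind": "x-pgp-universal",
                         "status": value.split(";", 1)[0].strip()})
    return findings

if __name__ == "__main__":
    for finding in proxy_hops(SAMPLE):
        print(finding)
```

Running it over sent copies from before and after the change gives the earliest timestamp at which the local proxy began handling mail.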

Alex_CST's picture

Do you have a Universal Server within this environment?  It appears as if someone has enabled some form of mail processing policy, either through gateway or OOMS (out of mail stream)


You can see that it's not actually encrypting the email in question, just allowing it through.

Can you check your PGP Desktop local policy?  Is the PGP Messaging feature there?  If so, click into it.  Can you post a screenshot?

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

_Adam_'s picture

Hi nick-l,

I am afraid we will not be able to find out more from this log information.

You need to search a bit more on your SEMS server referencing your name or your computer name matching consumer policy logs as it was mentioned before. Anything which potentially had an impact on users moving from one group to the other.

From these logs I only know that on PGP Desktop "Email proxying is enabled and active". I don't know since when.

1. Do you remember having a PGP Messaging feature visible (left pane of PGP Desktop) since the beginning on your PGP Desktop or not?

2. Are you able to check on your SEMS server how many consumer policies you have with/without Email messaging enabled?

3. Can you navigate to SEMS > Reporting > Logs > Mail > Log Type Mail / Display: Information and use the search facility by typing the username there and check if you see any unusual logs, especially related to the moment where mail policy rules took place?

if/when you consider your issue is resolved, please click "Mark As Solution" on a response


nick-l's picture

Thank you again.  I am afraid I am a bit lost and do not know what some of the terms mean.  Though clearly there are signs of "PGP universal service" ("service" rather than "server") I do not find signs of PGP universal server on my computer.  I am a home user and do not use my computer in conjunction with other computers (there is one other old computer that is usually turned off).  The processes with a company name "Symantec" shown by process explorer consist of 2 Norton 360 processes, 2 Norton Identity Safe processes plus PGPcbt64.exe, PGPtray.exe, RDDService.exe, and VIPAppService.exe.  (RDD is described as "PGP Universal RDD Client Service" - that does not sound like what I'm looking for to me).  Do you think that I actually have PGP Universal Server or SEMS?  If so, how do I identify it?

Screenshots might be helpful (I'm shy about email addresses). The right hand side shows the only outgoing server that I actually use. (I notice that the first screen shot says "universal server: none" and the second screen shot shows the server type as "internet mail"; another choice would have been "PGP universal".)

Captureaa.jpg

Captureb.JPG

Alex_CST's picture

No, you won't have a Universal Server.  But for someone who doesn't use email encryption, you have a LOT of accounts.

I suggest reinstalling PGP Desktop without installing the Messaging part.  It may be a pain, but this will definitely fix the issue as it simply just won't have those bits to mess with your email.

First, uninstall PGP desktop and reboot.

If you have the standalone installer, first follow this tech article to get the .msi file:

http://www.symantec.com/docs/TECH167331

Then run the following command (in a command prompt) to not install mail:

msiexec /i link_to_pgpdesktop_msi.msi PGP_INSTALL_MAPI=0 PGP_INSTALL_NOTES=0 PGP_INSTALL_LSP=0 PGP_INSTALL_MAPI_PLUGIN=0 PGP_INSTALL_RDD=0

Everything else will be fine, it'll install without installing the following bits:

Outlook mapi proxy and plugin

lotus notes proxy

imap/pop3 proxy

remote detect and destroy plugin (needs a universal server)


Please mark posts as solutions if they solve your problem!

http://www.cstl.com

nick-l's picture

Thank you for your suggestion and the detailed instructions. (I don't have nearly as many accounts as it appears I do.)

 I remain quite puzzled about what settings (or setup) might have changed (as well as why they changed).  But it's probably time to leave it as a puzzle, and I appreciate the information about how to proceed.