Emails going to exception chain on the PGP Encryption Server (Symantec Encryption Management Server)
search cancel

Emails going to exception chain on the PGP Encryption Server (Symantec Encryption Management Server)

book

Article ID: 156100

calendar_today

Updated On:

Products

Symantec Products

Issue/Introduction

The PGP Server has the capability to encrypt and decrypt content and does so according to strict RFC protocols.  Because it needs to be able to parse the content of the message, if the message does not adhere to RFC Compliance, it may not be able to encapsulate the message and encrypt properly. This article will cover the scenarios of inbound and outbound messages that may not be RFC Compliant.

 

Resolution

The PGP Server cannot parse and process mails that are non RFC compliant or malformed.

When this condition happens, there is a built-in chain called the Exception Chain that will bounce the message so that the message is not sent outbound. 

 

For inbound messages coming to the PGP Server for processing, it is possible that a message was allowed to be sent outside of a sender domain that was non-RFC compliant, and in this scenario, it may not be possible for the PGP Server to parse this message. 

In these cases, the message could be bounced, but rather than bounce the inbound message back to sender, there is an option to "Pass through unmodified".  When this happens, the PGP Server may not decrypt the content, but will not bounce.
This is an option that can be configured. 

 

example logs:

SMTP-162150: recipient [email protected]: policy rule match: chain: "Default", rule: "Inbound Mail" Thu Dec 6, 2012 at 10:52:50 AM +01:00
SMTP-162150: recipient [email protected]: policy rule match: chain: "Inbound", rule: "Decrypt Message (SMTP)" Thu Dec 6, 2012 at 10:52:50 AM +01:00
SMTP-162150: fatal exception evaluating policy for recipient [email protected]: string operation failed - jumping to Exception chain Thu Dec 6, 2012 at 10:52:53 AM +01:00
SMTP-162150: recipient [email protected]: policy rule match: chain: "Exception", rule: "Bounce Inbound Message" Thu Dec 6, 2012 at 10:52:53 AM +01:00
SMTP-162150: recipient 1/1 ([email protected]): bouncing: internal server error Thu Dec 6, 2012 at 10:52:53 AM +01:00

 

Ideally, the solution is to inform the sender to review the content being sent to ensure they are RFC-compliant emails.

 

The Exception chain can be configured to either bounce the affected message or pass it through unmodified without processing it.

For more information on Policies, see the Additional Information below.

 

Troubleshooting


Item 1 of 3: Creating a rule to force action
Sometimes emails from only a certain domain cannot be parsed. This might for example occur due to mail disclaimers being added to the encrypted and signed mail after is was processed by PGP server. 
The mail is then not recognized anymore as encrypted and signed and will not be decrypted by PGP server.

As the problem is only for one specific domain, it might help to create a rule in the Inbound Policy to always decrypt these mails. Below are the steps:

1. Go to Mail>Mail Policy. Click on Inbound policy.

2. Click on Add Rule and choose condition 'if any of the following are true'.

3. In the drop down choose 'Sender Domain', condition would be 'is' and add the domain name of the sender.

4. In the Action select Decrypt and Verify using Smart Annotation.

5. Save the new rule.

The mails would be automatically decrypted by the required domains.

 

The above workaround may not help for email that are malformed or not RFC compliant.

 

Item 2 of 3: Content-Transfer-Encoding: 8bit
It is useful to review the headers of emails to ensure compatible encoding types.
If "Content-Transfer-Encoding: 8bit" is being used, this will likely be problematic.
The 8bit encoding is not considered a valid encoding type for internet-ready emails.
Although many MTAs will process this just fine, it is not good practice to allow this content outside if a sender's domain and should subsequently not be used.

The PGP Server may flag a message as unable to process if 8bit is being used, such as the following message:

2023/01/11 10:11:00 -05:00  WARN   pgp/messaging[11175]:      
SMTP-00111: fatal exception evaluating policy for recipient [email protected]: Input data are not Unicode-conformant or conversion between Unicode formats failed - jumping to Exception chain

EPG-32905

Item 3 of 3: UTF-8 Errors or other general Exception Chain Scenarios:

158556 - Symantec Encryption Management Server exhibits UTF-8 errors and goes to Exception Chain for Quoted-Printable encoded emails

 

 

Additional Information

153426 - Troubleshooting: Mailflow with Symantec Encryption Management Server (PGP Server)

150133 - Header and body flags that indicate PGP encrypted email for SPAM filter and mail server configuration

180151 - HOW TO: Create Policy Chains to Set Mail Policy in PGP Server (Symantec Encryption Management Server)

181072 - Configuring Mail Proxies with the PGP Server (Symantec Encryption Management Server)

156100 - Emails going to exception chain on the PGP Server (Symantec Encryption Management Server)