Encryption Management Server 3.3.2 MP8 introduced a new configuration option designed to prevent the harvesting of email addresses by searching the keyserver for partial email addresses using wildcards.
However, in release 3.3.2 MP8, enabling this configuration option causes all key searches by email address to fail. This includes the key search that Encryption Management Server carries out by default on ldap://keys.$ADDRESS_DOMAIN:389, where $ADDRESS_DOMAIN is the email domain of the recipient, e.g. ldap://keys.example.com:389
In debug mode, the Mail log will contain entries like the following when an LDAP key search fails. Each failed search results in an entry being added to the negative cache:
2015/04/23 11:04:48 +01:00 DEBUG pgp/messaging: SMTP-00001: Looking for key(s) on LDAP PGP keyserver keys.example.com:389
2015/04/23 11:04:48 +01:00 DEBUG pgp/messaging: SMTP-00001: Adding negative cache entry for key <email@example.com> [keys.example.com]
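As an added check (example code written for this article, not part of Encryption Management Server), the following Python correlates each LDAP key search in the Mail log with a negative cache entry for the same SMTP session and keyserver host, so an administrator can see whether every lookup is failing as described above. The sample log embeds the two lines from this article plus a constructed second session (SMTP-00002, keys.example.org) whose lookup did not fail.

```python
import re

# Constructed sample of Encryption Management Server Mail log lines in the debug
# format shown above. SMTP-00001 reproduces the two lines from this article;
# SMTP-00002 is an invented session whose lookup produced no negative cache entry.
SAMPLE_LOG = """\
2015/04/23 11:04:48 +01:00 DEBUG pgp/messaging: SMTP-00001: Looking for key(s) on LDAP PGP keyserver keys.example.com:389
2015/04/23 11:04:48 +01:00 DEBUG pgp/messaging: SMTP-00001: Adding negative cache entry for key <email@example.com> [keys.example.com]
2015/04/23 11:05:02 +01:00 DEBUG pgp/messaging: SMTP-00002: Looking for key(s) on LDAP PGP keyserver keys.example.org:389
"""

# One Mail log line: timestamp, level, component, SMTP session id, message text.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) "
    r"(?P<level>\w+) (?P<component>[\w/]+): (?P<session>SMTP-\d+): (?P<msg>.*)$"
)
LOOKUP_RE = re.compile(r"Looking for key\(s\) on LDAP PGP keyserver (?P<host>[^:\s]+):(?P<port>\d+)")
NEGCACHE_RE = re.compile(r"Adding negative cache entry for key <(?P<email>[^>]+)> \[(?P<host>[^\]]+)\]")

def parse_mail_log(text):
    """Yield (session, message) for each line that matches the Mail log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["session"], m["msg"]

def ldap_lookup_outcomes(text):
    """Correlate each LDAP key search with a negative cache entry for the same
    session and keyserver host. Returns {(session, host): {"email", "failed"}}."""
    outcomes = {}
    for session, msg in parse_mail_log(text):
        m = LOOKUP_RE.search(msg)
        if m:
            outcomes.setdefault((session, m["host"]), {"email": None, "failed": False})
            continue
        m = NEGCACHE_RE.search(msg)
        if m and (session, m["host"]) in outcomes:
            outcomes[(session, m["host"])].update(email=m["email"], failed=True)
    return outcomes

def all_lookups_failed(text):
    """True when every LDAP key search in the log ended in a negative cache entry,
    the symptom this article describes for 3.3.2 MP8 with substring search disabled."""
    outcomes = ldap_lookup_outcomes(text)
    return bool(outcomes) and all(o["failed"] for o in outcomes.values())
```

Run it over a real Mail log captured in debug mode; if all_lookups_failed returns True across many sessions and domains, the log matches the MP8 symptom rather than a single missing key.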
This issue is resolved in Encryption Management Server 3.3.2 MP9 and above, available to download from Symantec File Connect.
In Symantec Encryption Management Server 3.3.2 MP9 and above, disabling LDAP substring searches does not prevent key lookups from being made using a full email address.
In 3.3.2 MP8, the allow-substring-key-search pref also prevents searching by full email address.