When a Symantec Encryption Desktop client is managed by a Symantec Encryption Management Server and is configured with Messaging (Email Encryption), the client encrypts emails to recipients by requesting keys from Encryption Management Server. Encryption Desktop performs a key lookup and if available will encrypt the message using keys present in the key cache (found in the mail flow) or to the keys of External Users.
The issue arises if the key found is an S/MIME certificate (X.509) and the user key is only a PGP key (without a certificate attached). In these circumstances, the client will encrypt the message to the recipient's keys but will not be able to encrypt to the sender's keys.
The result is that the sender will not be able to open the message in their mail client's Sent Items.
When sending the message:
Email Info MAPI Proxy: Rejecting key "SENDER-Domain2 (SENDER - Domain2) <email@example.com>" (KeyID: 0xBBBBBBBB) because it has no valid certificate for S/MIME encryption
Email Info Encrypting S/MIME message to firstname.lastname@example.org with key(s):
Email Info 'RECIPIENT - Domain1 <email@example.com>'(0xEEEEEEEE)
Email Warning Not encrypting to key 'SENDER (SENDER-Domain2)<firstname.lastname@example.org>'(0xBBBBBBBB); no X.509 certificate on key
When attempting to read the message from Sent Items:
Email Info Processing message from SENDER (SENDER-Domain 2) <email@example.com> with subject: <message subject>
Email Error MAPI Proxy: Decryption failed with error: no secret key found
While sending the encrypted message, it is encrypted to the sender's and recipient's key, but as the sender does not have an X.509 certificate the message is not encrypted with the sender's key. This is expected behavior.
To mitigate this behavior there are two options:
add an S/MIME certificate to the user key
enable the following option in the user's Consumer policy: "Encrypt and Sign email stored in IMAP/MAPI sent message folders"
Subscribing will provide email updates when this Article is updated. Login is required.