Restricting key searches by remote hosts on Encryption Management Server
Last Updated July 31, 2018
By default, when an internal user sends an encrypted email message to an external user, Encryption Management Server attempts a key lookup for the external user's public key. For example, if an internal user sends a message to email@example.com, Encryption Management Server attempts to connect to the host keys.example.com on LDAP port 389 and search for the public key of email@example.com.
Also by default, remote hosts can perform searches for public keys on Encryption Management Server, provided that:
The Keyserver service is running.
The Keyserver service is bound to a network interface that is reachable over the Internet on the LDAP port of 389.
Therefore, when two organizations both use Encryption Management Server, key lookups in either direction can occur automatically.
The Keyserver service is designed so that public keys can be accessed easily by a variety of applications. It is therefore deliberately flexible and allows key searches to be carried out using wildcard characters. For example, it will accept a wildcard search for addresses beginning with the letter u and return every matching email address. By default it returns up to 100 results.
However, not all organizations are comfortable with this level of flexibility.
Encryption Management Server 3.3 and above.
This is by design.
The number of results that the Keyserver service returns can be reduced to as few as 1. However, because some users have more than one key, a limit of 10 is more practical.
In addition, Encryption Management Server 3.3.2 MP13 and above allows searches using wildcard characters to be disabled.
Note that automatic key searches performed by remote hosts running Encryption Management Server always use the full email address, so disabling wildcard searches has no effect on them and causes no problems. Only key searches by applications that use wildcard characters are affected.
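The following Python snippet is an added illustration, not code or configuration from Encryption Management Server. It models the two controls described above (a result cap and a wildcard switch) as a policy applied to an LDAP mail filter, and shows that a full-address lookup still succeeds with wildcards disabled. The policy class, the directory contents and the key IDs are all constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample key directory: email address -> key ID (values are made up).
KEY_DIRECTORY = {
    "ulf@example.com": "0x1111AAAA",
    "uma@example.com": "0x2222BBBB",
    "ursula@example.com": "0x3333CCCC",
    "victor@example.com": "0x4444DDDD",
}


class KeyserverPolicy:
    """Hypothetical policy object standing in for the product's settings."""

    def __init__(self, allow_wildcards: bool = True, max_results: int = 100):
        self.allow_wildcards = allow_wildcards   # product default: wildcards allowed
        self.max_results = max_results           # product default: 100 results


def contains_wildcard(value: str) -> bool:
    # Only an unescaped '*' is a substring wildcard in an LDAP filter (RFC 4515).
    return "*" in value


def glob_to_regex(pattern: str) -> "re.Pattern":
    # Turn an LDAP substring assertion into a case-insensitive anchored regex.
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$", re.IGNORECASE)


def search_keys(ldap_filter: str, policy: KeyserverPolicy) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (accepted, hits). A rejected search yields (False, [])."""
    m = re.fullmatch(r"\(mail=(.+)\)", ldap_filter.strip())
    if not m:
        return False, []  # only the simple (mail=...) filter shape is modelled here
    value = m.group(1)
    if contains_wildcard(value) and not policy.allow_wildcards:
        return False, []  # wildcard searches disabled by policy
    rx = glob_to_regex(value)
    hits = [(mail, kid) for mail, kid in KEY_DIRECTORY.items() if rx.match(mail)]
    return True, hits[: policy.max_results]  # cap like the keyserver result limit


if __name__ == "__main__":
    strict = KeyserverPolicy(allow_wildcards=False, max_results=10)
    print(search_keys("(mail=ulf@example.com)", strict))   # full address: accepted
    print(search_keys("(mail=u*@example.com)", strict))    # wildcard: rejected
```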
Please contact Symantec Technical Support for assistance in implementing these changes.