If the PDF Email Protection Secure Reply feature is enabled, when PDF Email Protection users receive an email message with a password protected PDF attachment, a link is included in the body of the message that enables the user to log on to the Web Email Protection portal and reply securely.
When the user clicks on the link and logs on, a new reply to the message they were sent is created automatically and they can compose and then send their response.
When the user clicks on the link, they must authenticate with their email address and passphrase.
Some PDF Email Protection users find that when they try to authenticate, their credentials are not accepted even if they enter their email address and password correctly. By default, they are locked out of their account after three unsuccessful attempts to authenticate.
By default, when a user fails to authenticate three times, Encryption Management Server sends them an email message with a link to unlock their account. Some users who find they cannot authenticate after clicking on the Secure Reply link find too that they are not sent the message with the unlock link.
Encryption Management Server prior to release 3.4.2 MP1 with PDF Email Protection enabled in consumer policy and this option enabled in the PDF Email Protection policy:
Provide users with the option to save Secure Reply messages on the server
The Web Email Protection log will contain entries like this when the user fails to authenticate and a message containing the account unlock link is sent. Note that the log states that email@example.com failed to log in, yet the account unlock email is sent to firstname.lastname@example.org:
2018/03/12 11:04:41 +00:00 INFO pgp/wm: 192.168.1.202 email@example.com Failed login
2018/03/12 11:04:41 +00:00 NOTICE pgp/wm: Sent account unlock email to [firstname.lastname@example.org] for user [user1]
The Message Template used to send PDF Email Protection messages containing a Secure Reply link is:
New PDF Email Protection Message Notification + Secure Reply
The variable within the template used for the Secure Reply link is:
The link that is sent to the PDF Email Protection user has a unique reference to the user account database record embedded within it.
Unless the email address that the user enters in the Web Email Protection logon page matches the email address that is associated with the Secure Reply link, the user will be unable to authenticate, even if the passphrase is correct.
In such situations, the Web Email Protection user will often enter their correct passphrase a sufficient number of times to be locked out. If this occurs they will be unable to unlock their account and the Encryption Management Server administrator will need to unlock it.
A user may have access to the secure reply URL of another user under the following circumstances:
The PDF Email Protection user has multiple email addresses associated with their mailbox.
Multiple PDF Email Protection users are using a shared mailbox.
The PDF Email Protection user forwards a PDF Email Protection message to another PDF Email Protection user.
Upgrade to release 3.4.2 MP3 HF1 or above.
In release 3.4.2 MP3 HF1 and above, if a PDF Email Protection user clicks on the secure reply URL sent to a different user and enters their own valid email address and passphrase then the following message is displayed to the user:
Access Restricted
The requested resource is not available for this account. Please verify the account name and try again.
The Web Email Protection log will also contain the above entry and an entry like this:
Secure reply link intended for [email@example.com] but login attempt by [firstname.lastname@example.org].
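As an added example (not part of this article or of the Encryption Management Server product), the following Python script triages the Web Email Protection log entries quoted above: it pairs a Failed login with an unlock email sent to a different address (the pre-HF1 signature of the Secure Reply mismatch), picks up the explicit mismatch entry logged by 3.4.2 MP3 HF1 and above, and counts failures per address against the default lockout threshold. It assumes the mismatch entry carries the same timestamp and level prefix as the other two entries, which the article does not show, and the sample log is constructed.

```python
import re
from collections import defaultdict

# Line shapes follow the article's log excerpts; the timestamp/level prefix on the
# "Secure reply link intended for" entry is an assumption (article quotes only the text).
PREFIX = (r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} [+-]\d{2}:\d{2}) "
          r"(?P<level>\w+) pgp/wm: ")
FAILED = re.compile(PREFIX + r"(?P<ip>\S+) (?P<email>\S+) Failed login$")
UNLOCK = re.compile(PREFIX + r"Sent account unlock email to \[(?P<email>[^\]]+)\]"
                    r" for user \[(?P<user>[^\]]+)\]$")
MISMATCH = re.compile(PREFIX + r"Secure reply link intended for \[(?P<intended>[^\]]+)\]"
                      r" but login attempt by \[(?P<actual>[^\]]+)\]\.?$")
LOCKOUT_THRESHOLD = 3  # default number of failed attempts before the account is locked

def same_address(a, b):
    # Case-insensitive: MP1-MP3 rejected logins differing from the stored address only in case
    return a.strip().lower() == b.strip().lower()

def triage(lines):
    failures = defaultdict(int)
    findings = []
    last_failed = None  # most recent "Failed login" address, paired with the next unlock email
    for line in lines:
        m = FAILED.match(line)
        if m:
            last_failed = addr = m["email"].lower()
            failures[addr] += 1
            if failures[addr] == LOCKOUT_THRESHOLD:
                findings.append(("lockout_threshold_reached", addr, failures[addr]))
            continue
        m = UNLOCK.match(line)
        if m and last_failed and not same_address(last_failed, m["email"]):
            # Pre-HF1 signature: link bound to another address, so the unlock email went elsewhere
            findings.append(("unlock_sent_to_other_address", last_failed, m["email"]))
            continue
        m = MISMATCH.match(line)
        if m:  # 3.4.2 MP3 HF1 and later log the mismatch explicitly
            findings.append(("secure_reply_mismatch", m["intended"], m["actual"]))
    return {"failures": dict(failures), "findings": findings}

# Constructed sample log, modelled on the article's excerpts (not real log data).
SAMPLE_LOG = """\
2018/03/12 11:04:41 +00:00 INFO pgp/wm: 192.168.1.202 email@example.com Failed login
2018/03/12 11:04:41 +00:00 NOTICE pgp/wm: Sent account unlock email to [firstname.lastname@example.org] for user [user1]
2018/03/12 11:05:02 +00:00 INFO pgp/wm: 192.168.1.202 Email@Example.com Failed login
2018/03/12 11:05:02 +00:00 NOTICE pgp/wm: Secure reply link intended for [email@example.com] but login attempt by [firstname.lastname@example.org].
2018/03/12 11:05:30 +00:00 INFO pgp/wm: 192.168.1.202 email@example.com Failed login
""".splitlines()
```

Running `triage(SAMPLE_LOG)` on the constructed sample reports the unlock email going to the other address, the explicit HF1 mismatch entry, and the third failure reaching the lockout threshold.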
In releases prior to 3.4.2 MP3 HF1, PDF Email Protection users should be encouraged to log on to the Web Email Protection portal using only the email address that the PDF Email Protection message was sent to. Adding a sentence like this to the New PDF Email Protection Message Notification + Secure Reply Message Template might encourage this:
Note that you can only reply securely if you log in using the email address that this message was sent to.
Note that in releases 3.4.2 MP1, 3.4.2 MP2 and 3.4.2 MP3 the user will be unable to log in if they enter their email address in a different case from the way it is stored in the Encryption Management Server database. For example, if the user enters email@example.com but the database contains First.Last@example.com, they will be unable to log in. This was resolved in release 3.4.2 MP3 HF1. Please contact Symantec Technical Support to obtain release 3.4.2 MP3 HF1.