Encryption Management Server cannot connect to a remote key server over LDAPS

Encryption Management Server can lookup keys on remote Encryption Management Servers over a secure LDAPS connection. Remote key servers are added on the Keys / Keyservers page of the administration console. The key server needs to be referenced within a rule in the Mail / Mail Policy page of the administration console.

Sometimes the LDAPS connection to the remote key server fails.

Encryption Management Server 3.3.2 MP13 and above.

The Mail log will contain an entry like this:

2019/08/30 11:23:20 +00:00  INFO   pgp/messaging[20843]:       SMTP-00001: key search <first.last@example.com> [keyserver.example.com]: Could not get recipient encryption key: server open failed

A secure connection to the remote key server could not be established. Creating a successful LDAPS connection involves satisfying a number of requirements.

Please try to ensure that the following recommendations are met. For ease of reference, the Encryption Management Server that is making the LDAPS connection is referred to below as the LDAPS client and the remote Encryption Management Server that is hosting the LDAPS service is referred to as the LDAPS server:

1. A valid TLS certificate, preferably issued by a public certification authority, is associated with the relevant network interface of both the LDAPS client and the LDAPS server.
2. The certificates in the issuing chain of both the LDAPS server and the LDAPS client are imported into Keys / Trusted Keys in the administration console and trusted for TLS on both the LDAPS server and the LDAPS client.
3. The issuing certificate (invariably an intermediate certificate) on both the LDAPS client and LDAPS server contains an Enhanced Key Usage field with the attributes Server Authentication and Client Authentication. This is always the case for certificates issued by a public certification authority but may not be true for private certification authorities.
4. The LDAPS client uses DNS name to connect to the LDAPS server. For example, keyserver.example.com.
5. The DNS name matches the CN attribute of the Subject field of the LDAPS server certificate.
6. Both the LDAPS client and LDAPS server are using Encryption Management Server release 3.4.2 MP3 or above.

If you cannot satisfy the above recommendations, a workaround is to use self-signed certificates on either or both the LDAPS client and LDAPS server. While not best practice, this will bypass the strict SSL checking used by Encryption Management Server.