Symantec PGP Desktop Encryption

aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Post by aahq » Sat Aug 17, 2013 6:26 am

I am raising this as an "issue" and not an "error".

Below is my communication with Symantec regarding their PGP Desktop Encryption software.

I am having a lot of trouble getting this software working with Mail Enable.

The Symantec Product is stating that I need to turn off SSL communication from the client level and that the PGP software wants to make the connection.

As the Mail Enable MAPI Client works via an "add in", I believe it is fighting against the other software to deliver the message. The end result is a stalemate that I can't seem to resolve by changing the configuration of ME or the Symantec software. Symantec Support is suggesting that the PGP product MUST initiate the SSL connection to the server.

There is another response from Andrew from last year that suggests the 2 products work together, but blow me if I can find it.

Either I am missing something very simple but I have just about tried everything that I can think of. I am about to move the client onto pure Outlook IMAP (which does not work as well as the MAPI client) or consider turning back on Clear Text authentication on the ME Server for email pickup. Both of these options are not great and I risk giving our Executive staff a bad "look and feel" for their email, which comes back at me in terms of beatings.

Can anyone assist with this? I will also send this to ME Support.

Scott


---------------------------

https://www-secure.symantec.com/connect ... nt-9119701

---------------------------



I have an email client that is set up to make an SSL connection to the mail server.



After installing Symantec Desktop Email encryption, I get a warning that my client is trying to make an "SSL connection" to the server and the message does not send and sits in the outbox.

This may sound a little stupid but really I want Symantec Desktop Email encryption to only do the PGP and let the mail server do the SSL connection.

I have tried changing a lot of settings and have read the manual but I am still missing something with getting this working.

BTW it works fine for collecting mail, it is sending mail that has the issue.

Can someone help me with this?



Thanks



Scott

Operating Systems: Windows 7
Discussion Filed Under: Security, PGP Desktop (Email and Netshare), Evaluating, Installing, Windows 7

8 Comments

Alex_CST Partner Accredited
15 Aug 2013

Sounds like your PGP server is forcing SSL connections between client and server, or is this just the certificate warning when you first enrol?

Please mark posts as solutions if they solve your problem!

http://www.cstl.com

Tom Mc Symantec Employee Technical Support
15 Aug 2013

PGP encrypts email by use of its email proxy. Sent email goes through the email proxy, and is encrypted if there is a PGP messaging policy that calls for it. After the email proxy acts on the email, it will attempt to make an SSL connection to the server, and will then send the email on to the server. However, if the email client is encrypting the email via SSL before it is sent to the PGP email proxy, the PGP email proxy cannot encrypt, since it is already SSL encrypted.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

aahq
15 Aug 2013

Hello Tom and Alex,

Yes, the email client has its own "add-in" for delivering mail.

I have tried just about everything to turn off the "mail client" delivering its mail (even disabling the add-in) but it still doesn't deliver and just sits in the outbox and I get the "SSL warning" from Symantec Desktop Email Encryption.

I am hoping you are not going to tell me to just use standard IMAP :(

The mail server works with standard IMAP if I had to, but it is very ugly.

I sort of understand, that there is some sort of fight going on, between the Mail Client wanting to deliver and the SDEE wanting to deliver. I take it that under usual conditions that Outlook is very passive and does not put up a fight against SDEE trying to assert control.

The Email product is called "Mail Enable" (I hope you don't mind it being mentioned) and their tech support info seems to suggest they work together.

Is there any way to turn off the proxy so that it just does the PGP and lets the Mail Client do the SSL?

Thanks in advance, I know these questions are annoying to answer.



Scott

Alex_CST Partner Accredited
15 Aug 2013

Do your end users have PGP Desktop installed?

The SSL will be occurring when your mail client encrypts the COMMUNICATION between client and universal server. PGP encrypts the DATA. They can work hand in hand as they're separate processes.

But if you configure the environment for point to point encryption, i.e. the CLIENT encrypts the data, that should work no problem.

aahq
15 Aug 2013

Thank you Alex,

I am testing PGP Desktop at the moment.

This sounds really dumb and I think I must have missed something but where is the setting that changes the behaviour so that "PGP only encrypts the data" but does not secure the connection?

Scott

Alex_CST Partner Accredited
17 hours 2 min ago

That's correct.



You can send PGP emails in the clear, but the actual content would be indecipherable. Obviously you want to both encrypt the communication and the data.

If you want the server to just act as management and doesn't encrypt, you need PGP Desktop installed, then you can encrypt from the workstations.

Tom Mc Symantec Employee Technical Support
16 hours 11 min ago

Please correct me if I'm in error, but my understanding is that you are not using a PGP/SED Universal Server, and that your PGP/SED encryption trial is just with the PGP/SED Desktop software.

Please understand that while you can either enable or disable the PGP email proxy on the (Secure Email option) Messaging tab of PGP Options, that this affects all use of the email proxy. If you use the PGP email proxy, it will encrypt both the email and any email attachments, when the recipient has a public key you can encrypt to. If you disable the email proxy, no email or email attachments will be encrypted. Additionally, if you want the PGP email proxy to be able to encrypt email and email attachments, you must not have SSL enabled at the email software level.

aahq
3 sec ago

Tom,

Thank you for that.

Yes I am using the PGP/SED Desktop software as you people call it "Symantec Desktop Email encryption".

I think there is a general incompatibility between the Mail Enable Client software and the "Symantec Desktop Email encryption" software that both are fighting over the delivery of the message. Turning off the Mail Enable client "add in" or turning off the "Mail Enable Client SSL requirements" still results in mail not sending.

I am pretty sure if I set the user in pure IMAP mode then this will most probably work as obviously Outlook in default configuration is a "passive" product. This worries me as IMAP in general does not work as well as the native Mail Enable Client "add in". With this being given to high level executives IMAP will be a bad solution.

I may consider allowing clear text authentication on the server for email pickup across the entire 600 users so that I can get this working for a few PGP users. (This is quite funny actually)

I think I will also try and get some support from Mail Enable to assist resolving this.

I am also wanting to investigate the "Gateway" version of the software to install on the server and get it to try and manage the encryption at the server end but its trialware is harder to get. I have been waiting 2 days for a response from Symantec on whether they want to give me the trialware for the product, or not.

Alex,

Can you confirm what Tom is saying?

I sort of understand why the software would want to take control of the SSL connection to the server, as many places do not secure their connections when sending email, and this is a good safeguard but it is actually a fairly useless exercise. The Mail Server will generally send in "clear text" across the internet so securing the initial SSL connection (though a great idea) really doesn't need to be a mandatory thing. The PGP message is literally "garbage" as it moves across the internet.

-------------

Thanks anyhow. If there is any further help that can be provided please continue the thread.



Scott

aahq
Posts: 183
Joined: Sat Aug 07, 2010 11:08 am

Re: Symantec PGP Desktop Encryption

Post by aahq » Wed Sep 11, 2013 11:22 am

I got the final word on this from Mail Enable, who spent some time on my server. It appears Symantec is not using extended IMAP command sets. At this stage I have got around this by opening up an obscure IMAP port without SSL that I am not telling my users about and using only for PGP.

Scott
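
A check a defender could run against the listeners involved in the workaround described above (an added example, not part of the original thread and not MailEnable or Symantec code): it reads an IMAP greeting or untagged CAPABILITY line and reports whether a password can cross that listener without TLS. The banners and listener labels are constructed for illustration.

```python
import re

# SASL mechanisms that send a reusable password (base64 is encoding, not encryption).
PASSWORD_MECHS = {"PLAIN", "LOGIN"}

def parse_capabilities(line):
    """Return the capability tokens in an IMAP greeting or untagged CAPABILITY
    response, or None if the line carries no capability list."""
    m = re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)   # * OK [CAPABILITY ...] text
    if m is None:
        m = re.match(r"\*\s+CAPABILITY\s+(.*)$", line.strip(), re.I)  # * CAPABILITY ...
    return None if m is None else {tok.upper() for tok in m.group(1).split()}

def audit_listener(line, tls_active):
    """Classify one listener by whether a password can cross it unprotected."""
    caps = parse_capabilities(line)
    if caps is None:
        return {"verdict": "unknown", "reasons": ["no capability list; send CAPABILITY"]}
    reasons = []
    if "LOGINDISABLED" not in caps:          # RFC 3501: LOGIN is allowed unless this is set
        reasons.append("LOGIN command accepted")
    weak = sorted(c[5:] for c in caps if c.startswith("AUTH=") and c[5:] in PASSWORD_MECHS)
    if weak:
        reasons.append("AUTH=" + ",".join(weak) + " advertised")
    if tls_active:
        verdict = "protected-by-tls"         # password travels inside the TLS session
    elif reasons:
        verdict = "cleartext-password"       # password readable on the wire
    elif "STARTTLS" in caps:
        verdict = "starttls-first"           # client must upgrade before logging in
    else:
        verdict = "no-cleartext-password"    # only challenge-response style mechanisms
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample banners; listener labels are hypothetical.
SAMPLES = [
    ("imaps, implicit TLS", "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] ready", True),
    ("imap, STARTTLS enforced", "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready", False),
    ("extra non-SSL port", "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] ready", False),
    ("challenge-response only", "* CAPABILITY IMAP4rev1 LOGINDISABLED AUTH=CRAM-MD5", False),
]

def audit_all(samples=SAMPLES):
    return {label: audit_listener(line, tls)["verdict"] for label, line, tls in samples}

if __name__ == "__main__":
    for label, verdict in audit_all().items():
        print(f"{label:26} {verdict}")
```

A listener reported as `cleartext-password` is one to restrict by source address or firewall rule so that only the hosts that need it can reach it.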
