Is it possible to export a full list of all recovery tokens? We are migrating from PGP and wanted to know if this is possible so the server could be decommissioned. I was brought in late and have little working knowledge of the product, so I apologize if this is a basic question.
PGP Universal Server 3.2.1: Possible to export a list of all recovery tokens?
PGP Universal 3.0 - NDR
I am new to email and PGP Universal administration.
I'm looking for information about troubleshooting and resolving an NDR an external user received when they tried to send an email to a PGP user.
The NDR the external user received had the following SMTP error,
5.0.0 smtp; 554 PGP Universal; Error while processing (SMTP-20393)
and I've found the following errors in the PGP UNS mail log,
SMTP-20393: pgpproxy: error reading/processing message error=-11989 (write failed)
SMTP-20393: error handling SMTP DATA event write failed
SMTP-20393: pgpproxy: unable to send rset to server error=-11989 (write failed)
I'm not 100% sure that the NDR and PGP mail errors are for the same email because the timestamp on the NDR is 11:53 AM, while the time stamp on the log entries is 6:29:18 AM +10:00.
I would appreciate any information anyone can offer on this issue.
Thank You
PGP US (SEM) Mail Routing
Working on a Symantec Encryption Messenger (PGP 3.3) server, and the mail queue is filled with this error:
Host or domain name not found. Name service error for name=gmail.com type=MX: Host not found, try again
Looking at the mail proxies, the server is set to
Send mail directly to recipient mailserver
Revoking all the users’ keys after a period of time.
I know this must have been done before and is doable, but I don’t know how or what exactly should be done!
I have many customers, especially the ones that follow a compliance policy, that require REVOKING all the PGP users’ keys every year or even after 12 months. They use PGP for Drive Encryption (“Whole Disk Encryption”), File & Folder Encryption and E-mail Encryption, using SKM (“Server Key Mode”) for all the users.
I want to know what exactly should be done to revoke those keys and generate new keys without affecting users/machines/files, etc., and without impacting the business. And what will happen for the WDE users after the key is revoked: will they be able to log in to the Boot-Guard screen normally? And what about the e-mails that have been encrypted with the revoked key: will they still be able to read them with the new key? I guess no! If not, how can this be solved?
Is there any limitation in this process?
Whole Disk Recovery Token not changing
We have PGP Universal server running and I've noticed that the Whole Disk Recovery Token, which I thought was supposed to be a one time key, never changes. It appears to stay the same every day.
Is this not supposed to update and change each day? Hence the term "one time recovery key", or is this not how the Whole Disk Recovery Token works on PGP?
PGP Keys location
Hi,
Is it possible with the SEMS 3.3.0 mail gateway to run your public key server separately from your private key server when you run GKM for keys?
So the idea is to place your public key server keys.example.com in the DMZ zone and the server that keeps the private keys on your internal LAN side.
Tnx,
TPZ
Cannot reach management console after post installation web config
Installing PGP in a customer's test environment and experiencing some strange behavior. After the post-installation web configuration, the server goes down the first time as expected, after configuring networking. After the license / mail proxy portion, the server goes down again and a notification screen comes up that says you need to wait about 120 seconds for the server to return. It then transfers to another screen that states that the server is still coming up and the page will refresh every 10 seconds. It never recovers from this point and is stuck at this notification. We've tried reinstalling a few times now and have waited up to 20+ minutes for the management console to come up. We've tried rebooting the machine as well.
Some other info:
- PGP 3.3.0 MP3
- Running on VMware ESXi 5.0
- Meets system reqs - 2 cores, 16 GB RAM, 50 GB disk
- After post installation, system is on and pingable but stuck on "rebooting" web screen
Anyone have any insight on this?
Thanks in advance!
Is the keys.<domain> convention necessary?
Hi Guys,
Is the keys.<domain> convention absolutely necessary for SEMS?
If it is not used, what implications might there be for the service?
You need to use web messenger, messenger pdf, desktop mail, and some drive portable pgp encryption.
Thanks.
re-install SEMS
Good afternoon,
In a scenario where we are forced to reinstall from scratch a SEMS that has been working for a long time, either because it was set up with the wrong procedures and the problem has been identified, or because there is no backup, or because it has been identified as working poorly with many errors, what would be the recommendation and best practice for this task?
I thought to avoid problems with the keys, export them all from:
Route 1: Consumers -> Users -> All Users -> Options -> Export Keys for All with the dilemma of public or keypair
Route 2: Keys -> Managed Keys -> Options -> Export All with the dilemma of public or keypair
I have no certainty which of the two routes is adequate
Then export the organization key and the ADK to install from scratch (is the same version necessary?), then import the organization key and the ADK, and finally import all the keys. I just do not know which is the best alternative.
The other element that concerns me is the SSL certificate: what do I have to do with it?
And finally, if I import the certificates, would I have to do a re-enrollment of the Encryption Desktop and Desktop Email clients?
Thank you very much.
Administration log error
Hi, I'm receiving this log error every 20 seconds "validation error loading ovidprefs file /etc/ovid/prefs.xml : dlp is a required field. Trying to load without validation."
How do I fix this?
PGP Gateway Email Setting
Hello
I need help.
I am trying to set up a PGP Gateway email system at my site.
This is the first time I have set up gateway email, so I read the administrator guide, but it's too comprehensive.
I just want to know how to configure the gateway email setting.
Does anyone have a "gateway-email setting guide" or a similar guide (best practice)?
We are using Exchange email & AD, but connecting them is too hard for me.
Please help!!
How to manage the anti-spam and blacklist functionality on PGP Universal
Hi,
Seems there is some sort of Anti-SPAM or Blacklist functionality in PGP Universal, the problem is I just can’t find it anywhere.
Can someone help us with this? (see the error below)...
Note that ourserver.com is our internal PGP Universal server
Is there a way to manage the anti-spam and blacklist functionality on PGP Universal Server
Thanks,
Ron66
-----Original Message-----
From: pgpuniversal-admin@ourserver.com
[mailto:pgpuniversal-admin@ourserver.com]
Sent: October-09-13 6:41 PM
To: BOB@ourserver.com
Subject: Message undeliverable: Returned to Sender
This is the mail system at host pgp.ourserver.com.
I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below.
For further assistance, please send mail to
If you do so, please include this problem report. You can delete your own text from the attached returned message.
The mail system
: host pzss-ca.mail.protection.outlook.com[xxx.xxx.xxx.xxx]
said: 550 5.7.1 Service unavailable; Client host [xxx.xxx.xxx.xxx] blocked
using Blocklist 1; To request removal from this list please forward this
message to delist@messaging.microsoft.com (in reply to RCPT TO command)
PGP Universal Server Ignition keys
Hello,
We want to make use of the ignition keys to protect keys on the server. It is our understanding that if we create an ignition key, then in case of hardware theft the keys within the database should be encrypted and thus unreadable.
However during my tests before adding ignition key I accessed the database through SSH+psql and did a simple "select * from key" and got back the keys in readable format which is expected.
Problem is that after adding ignition key I restarted the server and as expected it asked for passphrase to unlock. I tried to run the above query on DB while server is still locked and I got the same keys as before in readable format.
Can you please explain what I am missing here, as I would expect to get unreadable data from the database if the server is not unlocked?
Regards
Remove broken / corrupt Certificate in Trusted Keys
Hi there,
To have this listed as a forum discussion, I wanted to share my problem so other people find this thread too ;-)
I can't download the PGP Desktop MSI installer via the auto-detect policy; I get some Java exception error. If you don't choose auto-detect, the download works. I got a hint that perhaps some certificate is broken in the trusted keys area, and yes, there are 2 certs that are broken. That's why the customized MSI can't be downloaded, which includes all the trusted_keys in the .asc file which is later in the /appdata folder.
this error you see in admin log :
the first attempt was without customized policy.. the 2nd with the java error with auto-detect policy..
Now if you try accessing the faulty certificate in the trusted keys (those are 2 StartCom Root/Sub CA certs for the NIC's interface SSL/TLS cert). Not sure why this has been corrupted.
here more detail :
Does anyone know the CLI command for the pgpkeymaint util to remove this broken/corrupt cert?
thanks!
-ben
ADK - Organization Keys or Consumer Policy
Hi,
I have a user who got the following message when trying to create a NetShare:
Which started me looking into how the ADK is configured on Universal server (we have had an ADK imported for quite some time).
You can seemingly add an ADK under Keys->Organization Keys AND as part of a Consumer Policy under the General tab.
The descriptions in the Admin Guide suggest the Organization ADK is used for email only, whereas a policy-specific ADK is used for all encrypted entities. Surely that isn't the case?
The Admin Guide also indicates that the ADK is "added" to all generated keys, but the message above would suggest it is missing, even though we have it configured.
Any ideas why the above error is being presented?
Thanks.
PGP Universal Server, internal users not receiving Web Messenger replies
Hi,
Currently running PGP Universal Server 3.3.1 in gateway placement; email is working fine and messages are being encrypted/decrypted. I have created some external users for use with Web Messenger; they receive the message to create the passphrase and can log in without any issues. The external users can receive messages from an internal user fine; however, when they reply to the internal user, the message states it has been sent although the internal user/s do not receive the message. The log file states that the message has been passed.
any pointers greatly appreciated.
many thanks in advance.
Blackberry PGP e-mail encryption PGP Key server
I’m having some issues with the Symantec PGP encryption product key server.
Basically we are using it as a key server only completed with Blackberry Enterprise and MS Exchange integration.
The problem we are experiencing recently is that when the blackberry attempts to send an encrypted PGP e-mail, it first displays ‘Please Wait’ on the LCD / display then after a while displays ‘Updating Universal PGP policy’ then after another duration, displays ‘Policy is out of date’ and could not be downloaded.
This means our customers are unable to send e-mail.
It appears to be an intermittent issue which is happening all of the time now.
Internet connectivity is perfect and server software has not changed.
Can anyone please help?
PGP Universal Server
Can PGP Universal Server use Global Catalog, or only LDAP?
SEMS with SED email and Lotus Domino
Hi Guys,
Your recommendation please.
Which is the best placement when the internal mail server is Lotus domino and also requires encrypting from Lotus Notes (Desktop Email), internal or Gateway..?
Currently, the Lotus Domino sends messages to a message filter server (a competitor of Symantec Messaging Gateway) and this sends the messages to the internet.
Thanks.
PGP universal and Command line delete MAK
I am facing a problem I just can't figure out how to fix.
Scenario
Using PGP command line to connect to PGP KMS.
With PGP --delete-mak I am able to delete a user's private key.
After that it looks like it's gone.
If we search in the web admin of PGP Universal, the key is gone.
Now if we run an LDAP query we see the pub key still exists.
If I do an LDAP search I see the key.
If I do --search-mak the key isn't there.
I have tried using an LDAP tool to delete the keys, but without any knowledge of how to authenticate against the PGPU LDAP server the keys do not get deleted.
They are also not visible in VD.
Help, what can I do to delete these keys? Cmd line? LDAP? SSH into the server?
What can we do... Please