Error: "451 4.7.5 [internal] SSL cert must be signed by a valid CA"

Article ID: 152584

Products

Messaging Gateway

Issue/Introduction

  • Outbound TLS delivery is failing to one or more domains
  • Messages requiring TLS delivery are stuck in the delivery queue.

maillog:
2010 Aug 17 19:01:11 GMT (debug) ecelerity: [6390] Host Name: mx1.example.com
2010 Aug 17 19:01:11 GMT (debug) ecelerity: [6390] Host SSL certificate Subject: /C=US/ST=state/L=town/O=Example/CN=server1.example.com
2010 Aug 17 19:01:11 GMT (debug) ecelerity: [6390] Subject Common Name: server1.example.com
2010 Aug 17 19:01:11 GMT (info) ecelerity: [6390] Subject Common Name does not match host name
2010 Aug 17 19:01:11 GMT (info) ecelerity: [6390] DNS Subject Alternative Name does not match host name

These entries can also appear in the maillog when neither the DNS Subject Alternative Name nor the Subject Common Name matches the hostname:

2011 Jan  4 19:08:25 GMT (info) ecelerity: [4791] Subject Common Name does not match host name
2011 Jan  4 19:08:25 GMT (info) ecelerity: [4791] DNS Subject Alternative Name does not match host name
2011 Jan  4 19:08:25 GMT (notice) ecelerity: [4791] ec_ssl_ctx 0x919b0f68 tls_verify_validca failed
2011 Jan  4 19:08:25 GMT (err) ecelerity: [4791] outbound_smtp_tls_verify_callback_hook: data is NULL
2011 Jan  4 19:08:25 GMT (notice) ecelerity: [4791] ec_ssl_ctx 0x919b0f68 tls_verify_validca failed

Cause

The TLS certificate presented by the remote MTA is failing certificate verification. This happens either because a certificate authority in the certificate chain is not trusted by SMG, or because neither the certificate's Subject Common Name nor its DNS Subject Alternative Name matches the DNS hostname of the destination mail server.
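The two checks described above (trusted chain, then name match against the MX hostname) can be reproduced outside SMG to see which one a remote MTA fails. The following is an added example, not code from the article or from Messaging Gateway; `explain_failure` classifies a certificate offline, and `check_mx` does a live STARTTLS connection with Python's standard library. The hostname, CN and SAN values used in the comments are taken from the maillog above.

```python
"""Reproduce SMG's outbound TLS certificate checks: chain trust and CN/SAN hostname match."""
import smtplib
import ssl


def name_matches(pattern, host):
    """Match one certificate name against an MX host name.
    Exact match, or a single '*' as the leftmost label (e.g. *.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        labels = host.split(".")
        # A wildcard covers exactly one label and never the bare domain itself.
        return len(labels) > 2 and ".".join(labels[1:]) == pattern[2:]
    return False


def explain_failure(host, subject_cn, san_dns, chain_trusted):
    """Return the reasons a certificate would be rejected, worded like the maillog.
    Example from the article: host mx1.example.com, CN server1.example.com, no SAN."""
    reasons = []
    if not chain_trusted:
        reasons.append("SSL cert must be signed by a valid CA")
    cn_ok = name_matches(subject_cn, host)
    san_ok = any(name_matches(n, host) for n in san_dns)
    if not (cn_ok or san_ok):  # either name matching the MX hostname is sufficient
        reasons.append("Subject Common Name does not match host name")
        reasons.append("DNS Subject Alternative Name does not match host name")
    return reasons


def check_mx(host, port=25, cafile=None):
    """Connect to an MX, STARTTLS, and classify the failure the way the maillog does.
    cafile: optional PEM bundle with the root/intermediate CAs you expect SMG to trust."""
    ctx = ssl.create_default_context(cafile=cafile)  # chain validated against trusted CAs
    ctx.check_hostname = False  # names are matched by explain_failure so both results are reported
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as err:  # untrusted CA / broken chain
            return ["SSL cert must be signed by a valid CA (%s)" % err.reason]
        cert = smtp.sock.getpeercert()
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), "")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return explain_failure(host, cn, sans, chain_trusted=True)
```

An empty list from `check_mx` means the remote certificate would pass both checks; a chain error points at the Resolution section, a name mismatch at the certificate installed on the remote MX.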

Resolution

Verify that the CA root certificate for the receiving domain, and any intermediate certificates in its chain, are installed in the SMG Control Center (Administration > Certificates > Certificate Authority).
(NOTE: You may need to visit the CA's website to download the root CA certificate and then install it in SMG.)

Workaround

This may be addressed by changing TLS delivery for the domain from "Require TLS delivery and verify certificate" to "Require TLS delivery and don't verify certificate" on the Protocols > Domains page of the Control Center. TLS is still required for the domain; only the verification of the remote certificate is skipped.