MTA Takes Several Minutes to Start when FIPS, SMTP authentication, and TLS acceptance are enabled.

Article ID: 156213

Products

Messaging Gateway

Issue/Introduction

Startup of the SMG MTA and configuration of the mail service or SMTP settings can take a number of minutes to complete when FIPS mode is enabled. Commands issued from the command line interface (CLI) or actions taken from the Messaging Gateway (SMG) Control Center can appear to hang, whereas before FIPS mode was enabled they returned in a few seconds.

Cause

The process of generating a self-signed certificate chain used in FIPS mode takes significantly longer than in non-FIPS secured mode. The host may appear hung, but it is working correctly.

Resolution

  • Symantec Messaging Gateway (SMG) is configured to accept authenticated SMTP connections.
    To verify this, follow these steps:
    1. Log in to the SMG Brightmail Control Center (BCC) Web UI
    2. Click on Administration->Hosts->Configuration
    3. Click on the scanner host whose settings you want to review
    4. Click on the SMTP tab, then click on the Authentication tab
    5. Having the option 'Enable Authentication' turned on indicates this condition.

  • SMG is configured to accept TLS encryption.
    To verify this, follow these steps:
    1. Log in to the SMG Brightmail Control Center (BCC) Web UI
    2. Click on Administration->Hosts->Configuration
    3. Click on the scanner host whose settings you want to review
    4. Click on the SMTP tab, then click on the Authentication tab
    5. Having the option 'Accept TLS encryption' turned on indicates this condition.

  • SMG is configured for FIPS.
    To verify this, follow these steps:
    1. Log in to the SMG CLI command line
    2. At the prompt, run the following command:
      fipsmode status
    3. Having the response FIPS mode indicates this condition.

Symantec Corporation has acknowledged that the above-mentioned issue is present in the current version(s) of the product(s) mentioned at the end of this article.

Symantec is committed to product quality and this issue is currently being considered by Symantec to be addressed in the next major revision of the product.

There are no plans to address this issue by way of a patch or hotfix in the current or previous versions of the software at the present time.

Please note that Symantec reserves the right to remove any fix from the targeted release if it does not pass quality assurance tests or introduces new risks to overall code stability.

Symantec’s plans are subject to change and any action taken by you based on the above information or your reliance upon the above information is made at your own risk.

Please be sure to refer back to this document periodically as any changes to the status of the issue will be reflected here.

Please contact your Symantec Sales representative or the Symantec Sales group for upgrade information including upgrade eligibility to the release containing the resolution for this issue.

For information on how to contact Symantec Sales, please refer to the following Web site: http://www.symantec.com/business/index.jsp

Workaround

The following actions take significantly longer with FIPS mode turned on than they do with FIPS mode turned off:

  • Restarting the Message Transfer Agent (MTA) service
  • Any configuration change that implicitly restarts the MTA service

Administrators should consider it a best practice to enable FIPS mode as the final step in the setup process, before the host is deployed in a production environment.
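
Because the host can look hung while the MTA is still starting, a patient readiness check helps tell a slow FIPS-mode restart from a real failure. The following is an added example, not Symantec code: it polls the SMTP listener until it answers EHLO and reports whether STARTTLS and AUTH are advertised. The hostname, the 900-second limit and the 15-second interval are assumptions.

```python
import smtplib
import time

def smtp_probe(host, port=25, timeout=10):
    """Connect once and return the ESMTP extensions the MTA advertises."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, _ = smtp.ehlo()
        if not 200 <= code < 300:
            raise smtplib.SMTPException(f"EHLO rejected with code {code}")
        return set(smtp.esmtp_features)  # keys are lower-cased by smtplib

def wait_for_mta(probe, max_wait_s=900, interval_s=15,
                 sleep=time.sleep, clock=time.monotonic):
    """Poll until the MTA answers EHLO or max_wait_s elapses.

    max_wait_s and interval_s are assumed values, not vendor figures.
    """
    start, attempts, last_error = clock(), 0, None
    while True:
        attempts += 1
        try:
            features = probe()
        except OSError as exc:  # refused, timed out, or SMTP-level error
            last_error = exc
        else:
            return {
                "ready": True, "attempts": attempts,
                "waited_s": clock() - start,
                "starttls": "starttls" in features,
                # Some MTAs advertise AUTH only after STARTTLS, so False
                # here is not proof that authentication is disabled.
                "auth": "auth" in features,
            }
        if clock() - start + interval_s > max_wait_s:
            return {"ready": False, "attempts": attempts,
                    "waited_s": clock() - start, "error": repr(last_error)}
        sleep(interval_s)

if __name__ == "__main__":
    # smg.example.com is a placeholder scanner hostname.
    print(wait_for_mta(lambda: smtp_probe("smg.example.com")))
```

A result with "ready" set to False after the full wait is the point at which to treat the restart as failed rather than slow.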