SMTP TLS errors in conversations between Messaging Gateway and remote Mail Servers

Article ID: 160991

Products

Messaging Gateway

Issue/Introduction

This article contains information on how to troubleshoot SMTP TLS errors in conversations between Symantec Messaging Gateway (SMG) and remote Mail Servers.

Errors that may be shown in maillog at WARNING level:

Attempted Delivery to: default-non-local-route Tuesday, May 20, 2014 05:02:24 PM EEST 451 4.4.2 [internal] no helo/ehlo response [email protected]
Attempted Delivery to: default-non-local-route Tuesday, May 20, 2014 05:05:40 PM EEST 421 4.4.0 [internal] failed to connect: no mail servers for this domain could be reached at this time [email protected]
Attempted Delivery to: default-non-local-route Tuesday, May 20, 2014 06:54:15 PM EEST 451 4.4.1 [internal] no valid hosts (unable to make any connections) [email protected]

 

Errors that may be shown in maillog at DEBUG level:

2014 Jun 10 17:01:11 EEST (debug) ecelerity: [22792] ssl connecting... 59 
2014 Jun 10 17:01:11 EEST (debug) ecelerity: [22792] SSL-00955 disabling SSL renegotiation 
2014 Jun 10 17:01:11 EEST (debug) ecelerity: [22792] SSL_connect() = -1 
2014 Jun 10 17:01:11 EEST (debug) ecelerity: [22792]   connect: SSL_ERROR_WANT_READ 
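
To find these handshake failures in a large DEBUG-level maillog, the following sketch pairs each `SSL_connect()` result with the `SSL_ERROR_*` line that follows it. It is an added example, not Symantec code; the function name, the record layout, the reading of the bracketed number as a per-connection tag, and the last two sample lines are assumptions made for illustration.

```python
import re

# First four lines are the DEBUG excerpt from this article; the last two
# (tag 22801) are constructed to show a handshake that completes.
SAMPLE_LOG = """\
2014 Jun 10 17:01:11 EEST (debug) ecelerity: [22792] ssl connecting... 59
2014 Jun 10 17:01:11 EEST (debug) ecelerity: [22792] SSL-00955 disabling SSL renegotiation
2014 Jun 10 17:01:11 EEST (debug) ecelerity: [22792] SSL_connect() = -1
2014 Jun 10 17:01:11 EEST (debug) ecelerity: [22792]   connect: SSL_ERROR_WANT_READ
2014 Jun 10 17:01:12 EEST (debug) ecelerity: [22801] ssl connecting... 60
2014 Jun 10 17:01:12 EEST (debug) ecelerity: [22801] SSL_connect() = 1
"""

LINE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} [\d:]{8} \w+) \(debug\) ecelerity: "
    r"\[(?P<tag>\d+)\]\s+(?P<msg>.*?)\s*$"
)
CONNECT_RC = re.compile(r"SSL_connect\(\) = (-?\d+)")
SSL_ERROR = re.compile(r"connect: (SSL_ERROR_\w+)")


def incomplete_handshakes(log_text):
    """Return one record per SSL_connect() result other than 1.

    OpenSSL's SSL_connect() returns 1 only when the handshake completed.
    The bracketed number is assumed to identify one worker/connection, so
    the SSL_ERROR_* line that follows is matched to its call by that tag.
    """
    records, pending = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a debug-level ecelerity line
        tag, msg = m["tag"], m["msg"]
        rc = CONNECT_RC.search(msg)
        if rc:
            pending.pop(tag, None)  # a new call supersedes any open record
            if int(rc.group(1)) != 1:
                rec = {"time": m["ts"], "tag": tag, "rc": int(rc.group(1)), "error": None}
                records.append(rec)
                pending[tag] = rec
            continue
        err = SSL_ERROR.search(msg)
        if err and tag in pending:
            pending.pop(tag)["error"] = err.group(1)
    return records


if __name__ == "__main__":
    for rec in incomplete_handshakes(SAMPLE_LOG):
        print(rec)
```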

 

Cause

Possible causes:

  • The remote MTA uses a cipher not compatible with the SMG
  • The endpoints are using different SSL versions in the certificate exchange

Resolution

SMG may not be able to negotiate and establish TLS connections with certain remote domains due to the type of certificates or ciphers being used.

The following is an example of a cipher that cannot currently be negotiated by the appliance: DHE-RSA-AES256-SHA

In order to resolve this problem, a different cipher should be negotiated by the remote mail server.