Messages queued after enabling opportunistic TLS

Article ID: 161039

Products

Messaging Gateway

Issue/Introduction

After enabling opportunistic TLS delivery on Messaging Gateway's Administration->Configuration->host->SMTP->Advanced Settings page, you notice that messages to one or more domains are queued with a queue message indicating a problem negotiating a secure TLS connection. Delivery attempts for these messages continue to fail until the messages are eventually bounced.

maillog

2014 Jul 20 23:19:43 IST (notice) ecelerity: [30690] Failed to negotiate TLS wth #sms#0000002e

Queue message

451 4.7.5 [internal] TLS negotiation failed

Cause

When Messaging Gateway (SMG) is unable to negotiate a TLS session, the message is queued for redelivery, but each subsequent delivery attempt also tries to secure the connection via TLS. Since a TLS connection cannot be established, all attempts to deliver messages on that route fail. This is a design choice that preserves secure delivery of messages to receiving MTAs that offer the STARTTLS option. Failover to unencrypted delivery is intended only for receiving MTAs that do not offer STARTTLS.

Resolution

This issue has largely been addressed in the SMG 10.6 release: messages are redelivered in plain text when opportunistic TLS is enabled but the TLS negotiation returns an error. If, however, the remote mail server does not return a TLS error but instead closes the connection, this is registered as a failed network connection, and the message is queued for redelivery without being marked to bypass TLS.

Currently, the only way to address routes that offer STARTTLS but close the connection instead of returning a TLS error is either to specify an alternate route for the affected domains on the Protocols->Domains page or to disable opportunistic TLS.
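To find out which of the two behaviours a destination exhibits before choosing a workaround, the following probe is an added diagnostic (not part of this article or of the product). It connects to a destination host, issues EHLO and STARTTLS the way an opportunistic-TLS sender would (encrypting without verifying the certificate), and classifies the result as a TLS error reply, a handshake failure, or a silently closed connection; the outcome labels and the default host name are assumptions made for this example.

```python
"""Probe a destination MTA's STARTTLS behaviour and classify the outcome."""
import smtplib
import socket
import ssl

# Outcome labels (constructed for this example, not SMG terminology)
OK = "tls-ok"
NO_STARTTLS = "no-starttls"              # receiver never offers STARTTLS
TLS_ERROR = "tls-error"                  # 4xx/5xx reply to STARTTLS
CONNECTION_CLOSED = "connection-closed"  # receiver drops the session instead
HANDSHAKE_FAILED = "handshake-failed"    # STARTTLS accepted, handshake broke
NETWORK_ERROR = "network-error"          # could not connect or bad greeting


def classify_exception(exc: BaseException) -> str:
    """Map the exception raised during EHLO/STARTTLS to an outcome label."""
    if isinstance(exc, smtplib.SMTPServerDisconnected):
        return CONNECTION_CLOSED
    if isinstance(exc, smtplib.SMTPConnectError):
        return NETWORK_ERROR
    if isinstance(exc, smtplib.SMTPResponseException):
        return TLS_ERROR           # the server answered STARTTLS with an error code
    if isinstance(exc, ssl.SSLError):
        return HANDSHAKE_FAILED    # checked before OSError: SSLError subclasses it
    if isinstance(exc, (socket.timeout, OSError)):
        return NETWORK_ERROR
    raise exc


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0,
                   helo_name: str = "probe.example.invalid") -> str:
    """Connect to host:port, EHLO, attempt STARTTLS, and return an outcome label."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # opportunistic TLS: encrypt, do not authenticate
    try:
        with smtplib.SMTP(host, port, local_hostname=helo_name, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return NO_STARTTLS
            smtp.starttls(context=ctx)
            smtp.ehlo()            # a second EHLO is required after the handshake
            return OK
    except Exception as exc:       # every failure is classified, not raised
        return classify_exception(exc)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["mail.example.com"]:   # placeholder host
        print(f"{target}: {probe_starttls(target)}")
```

A result of "connection-closed" identifies a route that SMG 10.6 will keep queueing and that needs an alternate route or opportunistic TLS disabled, while "tls-error" identifies one that 10.6 already falls back to plain text for.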

Configuring an alternate route for a domain

  1. Log into the Messaging Gateway Control Center as an administrator
  2. Open the Protocols->Domains page
  3. Click the 'Add' button
  4. Under 'Domain', enter the domain name you want to re-route
  5. If this is for outbound delivery, uncheck the 'Local domain' checkbox
  6. Under the 'Delivery' tab, check 'Destination routing'
  7. Enter the alternate destination host or route in 'Destination hosts'
  8. Click 'Save'

Disabling opportunistic TLS

  1. Log into the Messaging Gateway as an Administrator
  2. Open the 'Administration->Configuration' page
  3. Select the host you want to modify
  4. Select the SMTP tab
  5. Click the 'Advanced Settings' button
  6. Select the 'Delivery' tab
  7. Uncheck the 'Attempt TLS encryption of all messages' checkbox
  8. Click 'Continue'
  9. Click 'Save'

Applies To

Symantec Messaging Gateway