SSL certificate error when trying to enable Premium AntiSpam

Article ID: 161253


Updated On:

Products

Mail Security for Microsoft Exchange

Issue/Introduction

In Symantec Mail Security for Exchange (SMSMSE), enabling Premium AntiSpam fails with a generic error:
"Symantec Premium AntiSpam registration failed. The product will not receive definition updates".
The conduit.log shows the following error:
"SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"

The license is confirmed to be correct, and communication to register.brightmail.com on port 443 is also working.

SMSMSE console:
"Symantec Premium AntiSpam registration failed. The product will not receive definition updates".

Conduit.log:
(ERROR:4632.4636): [12034] Network error occurred, SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (60), check your network connection settings, check your proxy settings (if applicable), and check to ensure that port 443 (HTTPS) is open through any relevant firewalls.

Curl for Windows:
C:\Temp\curl>Curl.exe -v -1 -4 -i -cacert CURL_CA_BUNDLE https://register.brightmail.com:443
curl: (6) Could not resolve host: -v; Host not found
curl: (6) Could not resolve host: -i; Host not found
curl: (6) Could not resolve host: -cacert; Host not found
curl: (6) Could not resolve host: CURL_CA_BUNDLE; Host not found
curl: (1) Protocol https not supported or disabled in libcurl
 

Cause

The network firewall or proxy is inspecting and intercepting the SSL traffic between the Exchange/SMSMSE server and register.brightmail.com.
 

Resolution

Although port 443 is open on the firewall, SSL traffic is additionally inspected, and that inspection intercepts the SSL traffic between the SMSMSE server and register.brightmail.com. As a result, SMSMSE cannot verify its internal SSL certificate and the registration fails. To get a clearer idea of the SSL error, download curl for Windows and run the following command:

Curl.exe -v -1 -4 -i --cacert CURL_CA_BUNDLE https://register.brightmail.com:443

The output will give a better idea of where in the firewall the verification process is failing. In addition, the manual register script for PAS or a Wireshark capture can be used for further output. Please see the attached articles on how to run the manual PAS register script and a Wireshark capture. Then provide the output to the firewall administrator, who can disable the SSL inspection or whitelist the appropriate process. Once the SSL traffic is no longer being intercepted, Premium AntiSpam can be enabled and the antispam definitions downloaded correctly.
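As an added example (not part of the original article and not SMSMSE code), the following Python sketch triages conduit.log text by decoding the OpenSSL error code quoted above and separating certificate-verification failures, the pattern SSL inspection produces, from other TLS errors. The function names and the second sample error line are constructed for illustration; it assumes the OpenSSL 1.0.x packed library/function/reason layout and that the trailing "(60)" is the libcurl error code.

```python
import re

# OpenSSL 1.0.x packs each error as 0xLLFFFRRR: library, function, reason.
ERR_LIB_SSL = 0x14                      # "SSL routines"
SSL_R_CERTIFICATE_VERIFY_FAILED = 134   # 0x086
CURLE_SSL_CACERT = 60                   # libcurl: peer cert failed CA check

ERR_LINE = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:\r\n]+):([^:\r\n]+):([^(,\r\n]+)(?:\((\d+)\))?"
)

# First entry is the conduit.log text from the article; the second error
# line is constructed for contrast (a TLS failure unrelated to trust).
SAMPLE_LOG = """\
(ERROR:4632.4636): [12034] Network error occurred, SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (60), check your network connection settings
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
"""


def decode_openssl_error(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(log_text):
    """Return one finding per OpenSSL error line found in the log text."""
    findings = []
    for m in ERR_LINE.finditer(log_text):
        lib, func, reason = decode_openssl_error(m.group(1))
        curl_code = int(m.group(5)) if m.group(5) else None  # assumed libcurl code
        # The server certificate was received (so 443 is reachable) but its
        # chain did not validate: the pattern SSL inspection produces.
        untrusted = lib == ERR_LIB_SSL and reason == SSL_R_CERTIFICATE_VERIFY_FAILED
        findings.append({
            "function": m.group(3), "text": m.group(4).strip(),
            "lib": lib, "func": func, "reason": reason,
            "curl_code": curl_code,
            "inspection_suspected": untrusted or curl_code == CURLE_SSL_CACERT,
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A finding with `inspection_suspected` set means the TLS handshake reached the certificate stage, so the port is open and the issue to raise with the firewall administrator is the certificate chain presented on the path.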

 


Applies To

Symantec Mail Security for Exchange version 6.x and 7.x