Symantec Messaging Gateway (SMG) is unable to deliver outbound emails to one or more domains with enforced TLS (require TLS encryption and verify certificate).
"451 4.7.5 4.7.0 [internal] ssl cert must be signed by a valid ca" can be seen in the Message Audit Log.
The destination domain presents a CA-issued certificate that the SMG is unable to verify because it does not have the relevant root and/or intermediate certificates installed. This can happen if the relevant certificates are corrupted or for any reason unavailable.
Verify that all root and intermediate certificates needed to validate the CA-issued certificates used by the destination domain are actually present on the SMG.
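The effect of a missing root or intermediate can be reproduced offline with OpenSSL. This is an added example, not Symantec tooling: OpenSSL's verifier stands in for the SMG's, and every certificate, name and function in it is constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example. Every name and certificate here is constructed for the demo.

# mkcsr BASE CN: new RSA key and CSR at BASE.key / BASE.csr
mkcsr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_demo_pki DIR: root CA -> intermediate CA -> leaf for mail.example.test
build_demo_pki() {
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:mail.example.test\n' > "$d/leaf.ext"
  mkcsr "$d/root" "Demo Root CA" && mkcsr "$d/inter" "Demo Intermediate CA" &&
    mkcsr "$d/leaf" "mail.example.test" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
      -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
      -set_serial 2 -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
      -set_serial 3 -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# chain_verifies TRUST_BUNDLE LEAF [SENT_INTERMEDIATES]
# TRUST_BUNDLE = CA certificates installed on the verifier; SENT_INTERMEDIATES =
# extra certificates the remote server sends with its leaf (not trusted by themselves).
# SSL_CERT_DIR points at a nonexistent path so the host's own CA directory is ignored.
chain_verifies() {
  SSL_CERT_DIR=/nonexistent openssl verify -CAfile "$1" \
    ${3:+-untrusted "$3"} "$2" >/dev/null 2>&1
}

# report LABEL COMMAND...: print whether COMMAND succeeded
report() {
  local label="$1"; shift
  if "$@"; then echo "verified  $label"; else echo "REJECTED  $label"; fi
}

demo() {
  local d; d="$(mktemp -d)" && build_demo_pki "$d" || return 1
  cat "$d/root.pem" "$d/inter.pem" > "$d/both.pem"
  report "root installed, server sends leaf only" chain_verifies "$d/root.pem" "$d/leaf.pem"
  report "root installed, server sends leaf+intermediate" chain_verifies "$d/root.pem" "$d/leaf.pem" "$d/inter.pem"
  report "intermediate installed, root missing" chain_verifies "$d/inter.pem" "$d/leaf.pem"
  report "root and intermediate installed" chain_verifies "$d/both.pem" "$d/leaf.pem"
  rm -rf "$d"
}
demo
```

To check a real destination the same way, pass `chain_verifies` a PEM bundle of the CA certificates installed on the gateway and the PEM certificates the destination's mail server presents.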
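A potential workaround is to use one of the following "Optional delivery encryption" options:
- Require TLS encryption and don't verify certificate
- Attempt TLS encryption
Both relax the enforced setting: the first encrypts without validating the destination's certificate, and the second only attempts TLS rather than requiring it.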