Upon upgrading to version 10.6, an old TLS certificate may be selected within SMG, causing outbound delivery problems

Article ID: 162710

Products

Messaging Gateway

Issue/Introduction

Upon upgrading to version 10.6, an old TLS certificate may be selected within SMG, causing outbound delivery problems.

Outbound delivery to some domains (those that require or negotiate TLS) may fail with the SMTP response 451 4.4.2 [internal] send helo/ehlo failed.

The logs may show what look like DNS problems, or errors in SMG's outbound communication, as in the samples below.

SAMPLES:
Brightmaillog.log:
 
Dec 08 2015 23:11:18 [BrightmailScheduler_Worker-6] [ThreatConManager] WARN - An IP address of a DNS Server could not be determined. Please check the DNS server settings.
 
MALLOG
 
2015 Dec 10 18:54:11 CET (warning) ecelerity: [20514] sms_banner_fail_continue: Error processing DNS results - NULL domain record.
2015 Dec 10 18:54:11 CET (warning) ecelerity: [20514] sms_banner_fail_continue: Error processing DNS results - NULL domain record.
 
MESSAGES
 
2015 Dec 10 19:21:30 (info) named: [18413] error (network unreachable) resolving 'xxx.xxx.xxx.xxx.in-addr.arpa/PTR/IN': xxx.xxx.xxx.xxx#53
[[-REPEATED-]]
 
CONDUIT
 
2015-12-10T18:26:19+01:00 (ERROR:11256.3436828640): [12034] Network error occurred, Problem with the SSL CA cert (path? access rights?) (77), check your network connection settings, check your proxy settings (if applicable), and check to ensure that port 443 (HTTPS) is open through any relevant firewalls.
 
SMTP responses seen on the failed deliveries:

451 4.4.2 [internal] send helo/ehlo failed
or
421 4.4.0 [internal] Failed to connect: no mail servers for this domain could be reached at this time.
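Taken on their own, the sample lines above point at DNS, yet they sit beside a CA-certificate error and TLS-dependent delivery failures. The following Python script is an added triage example, not part of the original article or of SMG itself; it classifies shortened, constructed copies of the sample lines by signature, parses each log source's timestamp format to frame the incident window, and names what to check first when the certificate and delivery signatures co-occur.

```python
import re
from collections import Counter
from datetime import datetime

# Shortened copies of the article's sample lines (constructed test data; IPs keep the article's xxx placeholders).
SAMPLE_LOGS = [
    "Dec 08 2015 23:11:18 [BrightmailScheduler_Worker-6] [ThreatConManager] WARN - An IP address of a DNS Server could not be determined.",
    "2015 Dec 10 18:54:11 CET (warning) ecelerity: [20514] sms_banner_fail_continue: Error processing DNS results - NULL domain record.",
    "2015 Dec 10 19:21:30 (info) named: [18413] error (network unreachable) resolving 'xxx.xxx.xxx.xxx.in-addr.arpa/PTR/IN': xxx.xxx.xxx.xxx#53",
    "2015-12-10T18:26:19+01:00 (ERROR:11256.3436828640): [12034] Network error occurred, Problem with the SSL CA cert (path? access rights?) (77)",
    "451 4.4.2 [internal] send helo/ehlo failed",
    "421 4.4.0 [internal] Failed to connect: no mail servers for this domain could be reached at this time.",
]

# Timestamp prefix per log source (Brightmaillog, MALLOG/MESSAGES, CONDUIT ISO 8601); all read as appliance-local naive times, so CET / +01:00 suffixes are ignored.
TS_FORMATS = [
    (re.compile(r"^([A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"), "%b %d %Y %H:%M:%S"),
    (re.compile(r"^(\d{4} [A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2})"), "%Y %b %d %H:%M:%S"),
    (re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"), "%Y-%m-%dT%H:%M:%S"),
]

# First matching signature wins, so the certificate check precedes the (noisier) DNS check.
SIGNATURES = [
    ("tls_cert", re.compile(r"SSL CA cert|\bTLS\b|\bcertificate\b", re.I)),
    ("dns", re.compile(r"\bDNS\b|resolving|in-addr\.arpa", re.I)),
    ("delivery", re.compile(r"^\s*4[25]1 4\.4\.\d|send helo/ehlo failed|no mail servers", re.I)),
]

def parse_timestamp(line):
    """Return the line's timestamp as a naive datetime, or None (SMTP reply codes carry none)."""
    for rx, fmt in TS_FORMATS:
        m = rx.match(line)
        if m:
            return datetime.strptime(m.group(1), fmt)
    return None

def classify(line):
    """Label a line tls_cert, dns, delivery or other."""
    return next((label for label, rx in SIGNATURES if rx.search(line)), "other")

def triage(lines):
    """Count signatures, frame the incident window and name what to check first."""
    counts = Counter(classify(line) for line in lines)
    times = [t for t in map(parse_timestamp, lines) if t is not None]
    verdict = ("selected TLS certificate" if counts["tls_cert"] and counts["delivery"]  # DNS noise is secondary
               else "DNS configuration" if counts["dns"] else "inconclusive")
    return {"counts": dict(counts), "window": (min(times), max(times)) if times else None, "verdict": verdict}
```

Run `triage()` over the real Brightmaillog, MALLOG, MESSAGES and CONDUIT excerpts from the affected appliance; the window shows whether the certificate error appeared with the post-upgrade delivery failures.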

Cause

Upon upgrading to version 10.6, SMG selects an old or otherwise expired TLS certificate for use, thereby causing TLS to fail during SMTP transmission.

This can be observed by running a packet capture (tcpdump) on the affected SMG appliance and then flushing the delivery queue so that send attempts to the problem domains are captured. The TCP stream for mail to such a domain looks normal up to the point where the TLS handshake begins, after which the receiving server abruptly closes the connection.

Resolution

Check the TLS certificate settings in SMG (the page where certificates are added). Ensure that the correct certificate is selected, then flush the delivery queue and observe. Messages should begin to pass through as normal once the correct certificate is applied.

Note: there is no need to enable TLS enforcement if it is not already configured; enforcement did not appear to be a factor in this issue.