Error: "Downstream TLS Handshake Failed" when sending Outbound emails using DLP Network Prevent and Email Security.Cloud


Article ID: 172273


Updated On:


Data Loss Prevention Network Prevent for Email Email Data Loss Prevention


Unable to send outbound emails when using DLP Network Prevent and Email Security.Cloud.

Attempts to send the emails fail with the error "Downstream TLS Handshake Failed. TLS handshake with downstream MTA failed".


When TLS is enforced in the Boundary Encryption settings of the ClientNet portal, the Symantec outbound smart host configured on the email send connector must authenticate the sending server's certificates.
When using DLP Network Prevent for Email, each mail server in the TLS proxy chain must authenticate the next-hop mail server.
If the sending server uses outdated certificates, or the next-hop mail server certificates have not been added to the upstream mail server's trust store, the TLS handshake fails and the outbound email is eventually returned with the TLS handshake error.


Step 1:

Please import the DigiCert Global Root CA and Intermediate Certificate into your Exchange server and any other servers sending outbound emails via the Symantec smart host.
The certificate is available for download from here: Certificate Authority used by the Email infrastructure
After the complete certificate chain has been downloaded, please import the certificates into the Trusted Root CA store.


Step 2:

Once the update is complete, please import the public key certificates into the Network Prevent for Email Server keystore.
Please refer to Importing public key certificates to the Network Prevent for Email Server keystore section in the Help Center topic Configuring keys and certificates for TLS (
It is important to repeat the commands for importing certificates into the keystore on each MTA or hosted mail server that DLP Network Prevent for Email Server might need to authenticate.
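
To find which hop in the TLS proxy chain rejects the handshake and why, the following check (an added example, not Broadcom tooling or code from this article) performs STARTTLS against one next-hop MTA while trusting only a given PEM bundle, then maps the OpenSSL verify code to the causes described above. The function names, the host you pass in, and the PEM file (assumed to be an export of the certificates in the sending server's trust store) are assumptions.

```python
import smtplib
import ssl

# OpenSSL X.509 verify codes mapped to the failure causes this article names.
CAUSES = {
    10: "certificate expired: renew the next-hop certificate",
    18: "self-signed leaf not in trust store: import it",
    19: "root CA in presented chain is not trusted: import the root CA",
    20: "issuer not found locally: import the root and intermediate CA",
    21: "issuer of the leaf not found: import the intermediate CA",
    62: "hostname mismatch: certificate does not name this host",
}


def diagnose(exc):
    """Turn a handshake exception into an actionable cause."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        detail = getattr(exc, "verify_message", exc)
        return CAUSES.get(code, f"verification failed (code {code}): {detail}")
    if isinstance(exc, ssl.SSLError):
        return f"TLS protocol or cipher failure: {getattr(exc, 'reason', exc)}"
    if isinstance(exc, smtplib.SMTPNotSupportedError):
        return "next hop does not advertise STARTTLS"
    return f"connection problem: {exc}"


def probe_next_hop(host, cafile, port=25, timeout=10):
    """STARTTLS to one hop, trusting only the CAs in cafile (PEM)."""
    # With cafile set, the system default CAs are not loaded, so the result
    # reflects exactly the trust store being tested.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            cert = smtp.sock.getpeercert()
            return f"OK: chain verified, valid until {cert['notAfter']}"
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return "FAIL: " + diagnose(exc)
```

Run `probe_next_hop` from each server in the chain against its own next hop, using that server's exported trust store, to see which link still lacks the root or intermediate certificate.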