
Outbound email failure with error "Downstream TLS Handshake Failed"


Article ID: 172273


Products: Data Loss Prevention Network Prevent for Email, Email Data Loss Prevention


Unable to send outbound emails when using DLP Network Prevent and Email Security.Cloud

Downstream TLS Handshake Failed

TLS handshake with downstream MTA failed.


When TLS is enforced in the Boundary Encryption settings of the ClientNet portal, the Symantec outbound smart host configured on the email send connector must authenticate the sending server's certificate. When DLP Network Prevent for Email is in the mail path, each mail server in the TLS proxy chain must authenticate the next-hop mail server. If the sending server uses outdated certificates, or the next-hop mail server's certificates have not been added to the upstream mail server's trust store, the TLS handshake fails and the outbound email is eventually returned with the TLS handshake error.


Step 1:

Import the DigiCert Global Root CA and intermediate certificate into your Exchange server and any other server that sends outbound email via the Symantec smart host. The certificates are available for download from INFO4722. After the complete certificate chain has been downloaded, import it into the Trusted Root CA store.


Step 2:

Once the update is complete, import the public key certificates into the Network Prevent for Email Server keystore. Refer to the section "Importing public key certificates to the Network Prevent for Email Server keystore" in the MTA Integration Guide. Repeat the certificate import commands for each MTA or hosted mail server that DLP Network Prevent for Email Server might need to authenticate.
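To confirm that a next-hop MTA will actually pass the check described above before mail is queued, the following added diagnostic (not part of this article or the DLP product) opens STARTTLS to the next hop and validates its certificate against the PEM trust bundle the upstream server uses; it also splits the chain captured from `openssl s_client -showcerts` into one PEM block per certificate for import. The host, port and `cafile` path are assumptions you supply; `SAMPLE_CHAIN` is a constructed stand-in, not a real certificate.

```python
import smtplib
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
# Constructed stand-in for `openssl s_client -showcerts` output (not real certs).
SAMPLE_CHAIN = "\n".join([PEM_BEGIN, "MIIBleaf", PEM_END, PEM_BEGIN, "MIIBissuer", PEM_END])


def split_pem_chain(text: str) -> list[str]:
    """Split concatenated PEM output into one certificate block per entry,
    so each (leaf, intermediate, root) can be imported separately."""
    certs, current, inside = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            inside, current = True, [line]
        elif line == PEM_END and inside:
            current.append(line)
            certs.append("\n".join(current) + "\n")
            inside = False
        elif inside:
            current.append(line)
    return certs


def check_next_hop_tls(host: str, port: int = 25, cafile=None, timeout: float = 10.0) -> dict:
    """STARTTLS to the next-hop MTA and verify its chain against `cafile` (None = system CAs)."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    result = {"host": host, "port": port, "ok": False, "reason": ""}
    smtp = None
    try:
        smtp = smtplib.SMTP(host, port, timeout=timeout)
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            result["reason"] = "next hop does not offer STARTTLS"
            return result
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
        result.update(ok=True, reason="verified", not_after=cert.get("notAfter"))
        smtp.quit()
    except ssl.SSLCertVerificationError as e:
        # The case behind this article's error: untrusted issuer, expired cert, or name mismatch.
        result["reason"] = f"certificate verification failed: {e.verify_message}"
    except (ssl.SSLError, smtplib.SMTPException, OSError) as e:
        result["reason"] = f"connection/TLS error: {e}"
    finally:
        if smtp is not None:
            smtp.close()
    return result
```

Run `check_next_hop_tls("<next-hop-mta>", cafile="/path/to/trust-bundle.pem")` from the upstream server; a `certificate verification failed` reason means the trust store on that server is still missing the next hop's issuing chain.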