ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Outbound email failure with error "Downstream TLS Handshake Failed"

book

Article ID: 172273

calendar_today

Updated On:

Products

Data Loss Prevention Network Prevent for Email Email Security.cloud Data Loss Prevention

Issue/Introduction

Unable to send outbound emails when using DLP Network Prevent and Email Security.Cloud

Downstream TLS Handshake Failed

TLS handshake with downstream MTA smtp-outbound.domain.com/10.xxx.xxx.xxx:25 failed.

Cause

When TLS has been enforced on the Boundary Encryption settings in ClientNet portal, Symantec outbound smart host configured on the email send connector needs to authenticate the sending server certificates.  When using DLP  Network Prevent for Email, each mail server in the TLS proxy chain must authenticate the next-hop mail server.  If outdated certificates are used by the sending server or the next-hop mail server certificates are not added to the upstream mail server trust store, the TLS handshake will fail and eventually the outbound email is returned with the TLS handshake error.

Resolution

Step 1:

Please import Digicert Global Root CA and Intermediate Certificate in to your exchange server and any other servers sending outbound emails via Symantec smart host. The certificate is available for download from here: INFO4722. After the complete certificate chain has been downloaded, please import them into the Trusted Root CA store.

 

Step 2:

Once the update is complete please import the public key certificates to the Network Prevent for Email Server key store.  Please refer to Importing public key certificates to the Network Prevent for Email Server keystore section in the MTA Integration guide.  It is important to repeat the commands for import certificates in to the key store on each MTA or hosted mail server that  DLP Network Prevent for Email Server might need to authenticate.