Messaging Gateway fails during TLS transaction to Office 365

Article ID: 172276

Products

Messaging Gateway

Issue/Introduction

  • Symantec Messaging Gateway (SMG) is not able to communicate with Office 365 over a forced TLS connection
  • Office 365 is set up with TLS connectors to SMG
  • Turning off forced TLS in SMG allows mail flow to work

Cause

Microsoft routinely updates its root CA certificates in order to provide enhanced security and new ciphers. Until the new root certificate is installed in SMG, forced TLS connections to Office 365 fail.

Environment

Messaging Gateway

Office 365

Resolution

Get the current Certificate Authority root certificate

As of August 15, 2018, the current root certificates are listed in this article from Microsoft: How Exchange Online uses TLS to secure email connections in Office 365. Use that page to identify the current vendor for the root certificate, then download the certificate from that vendor.

Example: On September 3, 2018, Office 365 is changing to GlobalSign Root CA – R1.

  • Go to GlobalSign's root certificate page on their support site.
  • Download the R1 certificate.
  • Convert the certificate to x509 if not in that format.
  • Install the x509 certificate in the SMG.
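
The conversion step above, as an added example that is not part of the original article: it takes a downloaded root certificate in PEM or DER encoding, rejects files that are not a single certificate (for example a PKCS#7 bundle), and returns PEM text plus a SHA-256 fingerprint to compare against the one the CA publishes. It assumes SMG's import expects PEM-encoded X.509; the function name and the sample bytes are hypothetical, and only the outer ASN.1 shape is checked, not the signature.

```python
import base64, hashlib, re, ssl

# Constructed sample: DER-shaped bytes (SEQUENCE { SEQUENCE { INTEGER 2 } }), not a real certificate.
SAMPLE_DER = bytes.fromhex("30053003020102")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _der_len(buf, pos):
    """Decode an ASN.1 DER length at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F  # long form: low 7 bits give the number of length bytes
    if n == 0 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def to_pem_x509(data):
    """Return (pem_text, sha256_fingerprint) for one PEM or DER certificate."""
    m = PEM_RE.search(data)
    if m:
        label = m.group(1).decode()
        if label != "CERTIFICATE":
            raise ValueError(f"PEM block is {label!r}, not a certificate")
        der = base64.b64decode(b"".join(m.group(2).split()))
    else:
        der = data
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("not DER: no outer SEQUENCE")
    length, body = _der_len(der, 1)
    if length == 0 or body + length != len(der):
        raise ValueError("outer SEQUENCE length does not match file size")
    if der[body] == 0x06:  # ContentInfo starts with an OID, not a SEQUENCE
        raise ValueError("PKCS#7 bundle (.p7b): extract the certificate first")
    if der[body] != 0x30:
        raise ValueError("not an X.509 certificate")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
    return ssl.DER_cert_to_PEM_cert(der), fingerprint

if __name__ == "__main__":
    pem, fp = to_pem_x509(SAMPLE_DER)
    print(fp)
    print(pem)
```

Compare the printed fingerprint with the value published by the certificate vendor before installing the file in the SMG.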

After this point, if you turn on a forced TLS connection in the SMG, mail flow should return to normal.

For further information or troubleshooting if this fails, please contact Microsoft support.