Messaging Gateway fails during TLS transaction to Office 365


Article ID: 172276



Messaging Gateway


  • Symantec Messaging Gateway (SMG) is not able to communicate with Office 365 over a forced TLS connection
  • Office 365 is set up with TLS connectors to SMG
  • Turning off forced TLS in SMG allows mail flow to work



Messaging Gateway

Office 365


Microsoft routinely updates its root CA certificates in order to provide enhanced security and new ciphers.


Get the current Certificate Authority root certificate

As of August 15, 2018, the current root certificates are listed in this article from Microsoft: How Exchange Online uses TLS to secure email connections in Office 365. Use this page to find out the current vendor for the root certificate, then download the certificate from that vendor.

Example: On September 3, 2018, Office 365 is changing to GlobalSign Root CA – R1.

  • Go to the root certificate page on GlobalSign's support site.
  • Download the R1 certificate.
  • Convert the certificate to X.509 if it is not already in that format.
  • Install the X.509 certificate in the SMG.

After this point, if you turn on a forced TLS connection in the SMG, mail flow should return to normal.
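The convert step above, with a fingerprint check before install, as an added example that is not part of the original article or any Symantec tooling. It assumes the target form is a single PEM-encoded X.509 certificate; the function names are hypothetical, the sample bytes are constructed, and the fingerprint comparison is an added check against the value the CA publishes.

```python
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"

# Constructed sample bytes shaped like a DER SEQUENCE; NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def to_pem(data: bytes) -> str:
    """Return one certificate as normalized PEM, converting from DER if needed."""
    text = data.decode("ascii", errors="ignore").strip()
    if text.startswith(PEM_HEADER):
        if text.count(PEM_HEADER) != 1:
            raise ValueError("expected exactly one certificate, found a bundle")
        der = ssl.PEM_cert_to_DER_cert(text)  # also drops CRLF and odd wrapping
    elif data[:1] == b"\x30":  # DER certificates start with an ASN.1 SEQUENCE tag
        der = data
    else:
        raise ValueError("input is neither a PEM nor a DER certificate")
    return ssl.DER_cert_to_PEM_cert(der)


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, formatted AA:BB:... like CA thumbprints."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def prepare_for_import(data: bytes, published_fingerprint: str) -> str:
    """Convert to PEM; refuse the file unless it matches the CA's published value."""
    pem = to_pem(data)
    want = published_fingerprint.replace(":", "").replace(" ", "").upper()
    got = sha256_fingerprint(pem).replace(":", "")
    if got != want:
        raise ValueError(f"fingerprint mismatch: got {got}")
    return pem


if __name__ == "__main__":
    pem = to_pem(SAMPLE_DER)
    print(pem)
    print(sha256_fingerprint(pem))
```

Read the downloaded file in binary mode and pass its bytes to `prepare_for_import` together with the SHA-256 thumbprint shown on the CA's download page.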

For further information or troubleshooting if this fails, please contact Microsoft support.