Symantec Data Loss Prevention (DLP)
Network Prevent for Email
Unable to send outbound email when using Network Prevent for Email and Mimecast
Downstream TLS Handshake failed
reason=general SSLEngine problem
The next-hop mail server's certificates have not been added to the Network Prevent for Email server.
The DigiCert root and intermediate certificates for Mimecast can be downloaded here: https://www.digicert.com/digicert-root-certificates.htm#roots
Mimecast support confirmed the following certs are used to authenticate (as of June 28, 2019):
Root Certificate: DigiCert Global Root G2
Intermediate Certificate: DigiCert Global CA G2
Refer to the MTA Integration Guide for instructions on importing public key certificates into the Network Prevent for Email server keystore. For example:
keytool -importcert -alias prevent_alias -file .\smtp_prevent.cer -keystore C:/ProgramData/Symantec/DataLossPrevention/EnforceServer/15.7/keystore/prevent.ks -trustcacerts
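
The command above imports a single file, while the fix needs both the root and the intermediate certificate in the keystore. The PowerShell sketch below is an added example, not part of the original article or of Symantec's documentation: it imports both certificates under separate aliases and then lists them to confirm they are present. The alias names and local certificate file names are assumptions, and keytool is assumed to be on the PATH; the keystore path is the one given above.

```powershell
# Added example. Alias names and certificate file names are assumed; adjust to your download.
$keystore = 'C:/ProgramData/Symantec/DataLossPrevention/EnforceServer/15.7/keystore/prevent.ks'  # path from the article

# Assumed alias -> assumed local file name of each downloaded DigiCert certificate
$certs = [ordered]@{
    'digicert_global_root_g2' = '.\DigiCertGlobalRootG2.crt'   # root
    'digicert_global_ca_g2'   = '.\DigiCertGlobalCAG2.crt'     # intermediate
}

# Keep a copy of the keystore so the change can be rolled back
Copy-Item -Path $keystore -Destination "$keystore.bak" -ErrorAction Stop

foreach ($entry in $certs.GetEnumerator()) {
    if (-not (Test-Path $entry.Value)) {
        throw "Certificate file not found: $($entry.Value)"
    }

    # Print subject, issuer and fingerprints so they can be compared with the
    # values published on the DigiCert download page before trusting the file
    & keytool -printcert -file $entry.Value

    # Each certificate needs its own alias; reusing one alias fails with
    # "alias already exists". keytool prompts for the keystore password.
    & keytool -importcert -alias $entry.Key -file $entry.Value -keystore $keystore -trustcacerts
    if ($LASTEXITCODE -ne 0) { throw "Import failed for alias $($entry.Key)" }
}

# Confirm both entries are now in the keystore
foreach ($alias in $certs.Keys) {
    & keytool -list -v -alias $alias -keystore $keystore
    if ($LASTEXITCODE -ne 0) { throw "Alias $alias is missing from $keystore" }
}
```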