DLP: Outbound email fails with "Downstream TLS Handshake Failed" with Mimecast as the Upstream MTA

Article ID: 175301

Products

Data Loss Prevention Network Prevent for Email

Issue/Introduction

Symantec Data Loss Prevention (DLP)
Network Prevent for Email

Outbound email cannot be sent when Network Prevent for Email relays to Mimecast as the next-hop (upstream) MTA. The delivery attempt fails with the following error:

Downstream TLS Handshake failed

reason=general SSLEngine problem

Cause

The certificate chain of the next-hop mail server (Mimecast) has not been added to the Network Prevent for Email server keystore. Network Prevent for Email validates the downstream MTA's certificate against that keystore, and because the issuing CA is not trusted, the TLS handshake fails and the message is not relayed.

Resolution

The DigiCert root and intermediate certificates used by Mimecast can be downloaded from DigiCert: https://www.digicert.com/digicert-root-certificates.htm#roots

Mimecast support confirmed the following certs are used to authenticate (as of June 28, 2019):

Root Certificate: DigiCert Global Root G2

Intermediate Certificate: DigiCert Global CA G2


Refer to the MTA Integration guide for importing public key certificates into the Network Prevent for Email Server keystore. Import both the root and the intermediate certificate, each under its own alias, using the same form as this example (adjust the alias, certificate file, and keystore path for your installation):

keytool -importcert -alias prevent_alias -file .\smtp_prevent.cer -keystore C:/ProgramData/Symantec/DataLossPrevention/EnforceServer/15.7/keystore/prevent.ks -trustcacerts
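Because the CA chain an MTA presents changes over time, a practitioner usually wants to capture the chain the next-hop server actually sends rather than rely on a cert list from a fixed date. The script below is an added example, not part of this article or of the DLP product: it pulls the chain with openssl over STARTTLS, splits it into one PEM file per certificate, and imports each file with the same keytool -importcert -trustcacerts form shown above. The host name, keystore path, aliases, and the KEYSTORE_PASS variable are placeholders.

```shell
#!/bin/bash
# Added example (not from the KB article). Hostname, keystore path, aliases
# and KEYSTORE_PASS are placeholders to adapt to the installation.
set -u

# Split "openssl s_client -showcerts" output ($1) into $2/cert1.pem, cert2.pem, ...
# (in the order the server sent them) and echo how many certificates were found.
split_pem_chain() {
  local src="$1" dir="$2"
  mkdir -p "$dir"
  awk -v dir="$dir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$src"
}

# Print subject and issuer of each certificate in $1 so the operator can
# confirm which root/intermediate the MTA currently sends before trusting it.
show_chain_subjects() {
  local f
  for f in "$1"/cert*.pem; do
    openssl x509 -in "$f" -noout -subject -issuer
  done
}

# Import every certificate in $1 into keystore $2 under a numbered alias,
# mirroring the "keytool -importcert ... -trustcacerts" command in the article.
import_chain() {
  local dir="$1" ks="$2" i=0 f
  for f in "$dir"/cert*.pem; do
    i=$((i + 1))
    keytool -importcert -noprompt -alias "nexthop_ca_$i" -file "$f" \
      -keystore "$ks" -storepass "${KEYSTORE_PASS:?set KEYSTORE_PASS}" -trustcacerts
  done
}

# Usage: ./chain.sh fetch <next-hop-mta>  (placeholder host; not run by the test)
if [ "${1:-}" = "fetch" ]; then
  NEXT_HOP="${2:-smtp.example.com}"
  openssl s_client -connect "$NEXT_HOP:25" -starttls smtp -showcerts </dev/null \
    > /tmp/chain.txt 2>/dev/null
  split_pem_chain /tmp/chain.txt /tmp/chain
  show_chain_subjects /tmp/chain
  # import_chain /tmp/chain /path/to/prevent.ks   # run once the subjects look right
fi
```

After importing, use keytool -list -keystore <prevent.ks> to confirm the aliases are present, then restart the Network Prevent for Email service so the updated keystore is read.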