
DLP: Outbound email fails with "Downstream TLS Handshake Failed" with Mimecast as the Upstream MTA


Article ID: 175301




Data Loss Prevention Network Prevent for Email


Symantec Data Loss Prevention (DLP)
Network Prevent for Email

Outbound email cannot be sent when Network Prevent for Email relays to Mimecast as the next-hop MTA. The Network Prevent for Email log records the failed TLS session with the next-hop server:

Downstream TLS Handshake failed

reason=general SSLEngine problem


The next-hop mail server's CA certificates (root and intermediate) have not been added to the Network Prevent for Email server keystore, so Network Prevent cannot build a trust path for the certificate Mimecast presents and the TLS handshake is rejected.


The DigiCert root and intermediate certificates for Mimecast can be downloaded here:

Mimecast support confirmed the following certs are used to authenticate (as of June 28, 2019):

Root Certificate: DigiCert Global Root G2

Intermediate Certificate: DigiCert Global CA G2


Refer to the MTA Integration guide for the steps to import public key certificates into the Network Prevent for Email Server keystore. The import command has the following form (alias and file name are examples; run it once for the root certificate and once for the intermediate certificate, giving each its own alias, because keytool requires aliases to be unique within a keystore):

keytool -importcert -alias prevent_alias -file .\smtp_prevent.cer -keystore C:/ProgramData/Symantec/DataLossPrevention/EnforceServer/15.7/keystore/prevent.ks -trustcacerts
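Before and after the keytool import it helps to confirm two things: that the log really shows the missing-trust-anchor symptom described in this article, and that the certificate files you are about to import are sufficient to validate the next-hop MTA. The script below is an added example written for this article, not Symantec, Broadcom or Mimecast code. It scans log lines for the symptom strings quoted above (the `unable to find valid certification path` / `PKIX path building failed` text is the JDK message that normally sits behind "general SSLEngine problem"), and it opens a STARTTLS session to the next-hop host trusting only the two CA PEM files, so a missing anchor surfaces as a verify error. The PEM file names, the next-hop host name and the sample log lines are all assumptions or constructed data; the mapping of `handshake_failure` / `bad_certificate` to "peer rejected our certificate" is a heuristic, not something the article states.

```python
"""Diagnose a Network Prevent for Email downstream TLS failure.

Added example (not Symantec/Broadcom/Mimecast code). Two parts:
  1. classify_handshake_log(): map log lines to a likely cause.
  2. probe_starttls(): STARTTLS to the next-hop MTA using a trust store
     holding ONLY the CA files you intend to import into prevent.ks.
"""
import re
import smtplib
import ssl
import sys

# Symptom strings quoted in the article, plus the JDK text that usually
# underlies "general SSLEngine problem" when the CA chain is not trusted.
_PATTERNS = {
    "missing_trust_anchor": re.compile(
        r"Downstream TLS Handshake failed|general SSLEngine problem|"
        r"unable to find valid certification path|PKIX path building failed",
        re.I,
    ),
    # Heuristic (assumption): TLS alerts sent by the peer when it dislikes
    # the certificate Prevent presented, rather than the other way round.
    "peer_rejected_us": re.compile(r"handshake_failure|bad_certificate", re.I),
}

ADVICE = {
    "missing_trust_anchor": (
        "Next-hop MTA CA chain is not in the Network Prevent keystore; import "
        "the root and intermediate CA certificates with keytool -importcert "
        "-trustcacerts (one alias per certificate)."
    ),
    "peer_rejected_us": (
        "The next-hop MTA rejected the certificate Prevent presented; check "
        "Prevent's own certificate rather than the trust store."
    ),
}

# Assumed file names for the DigiCert Global Root G2 and Global CA G2 PEMs.
CA_FILES = ["DigiCertGlobalRootG2.crt.pem", "DigiCertGlobalCAG2.crt.pem"]

# Constructed sample log lines (not real DLP output) for offline testing.
SAMPLE_LOG = [
    "Jun 28 2019 10:01:02 SEVERE Downstream TLS Handshake failed",
    "Jun 28 2019 10:01:02 SEVERE reason=general SSLEngine problem",
    "Jun 28 2019 10:01:05 INFO  Message queued for retry",
]


def classify_handshake_log(lines):
    """Return {cause: [matching log lines]} for every known symptom found."""
    findings = {}
    for line in lines:
        for cause, pattern in _PATTERNS.items():
            if pattern.search(line):
                findings.setdefault(cause, []).append(line.strip())
    return findings


def build_trust_context(ca_files):
    """SSLContext that trusts only the given CA PEM files (no system store)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    for path in ca_files:
        ctx.load_verify_locations(cafile=path)
    return ctx


def probe_starttls(host, port=25, ca_files=CA_FILES, timeout=10):
    """EHLO + STARTTLS against the next-hop MTA; report whether the chain
    validates using only ca_files, mirroring what the keystore import does."""
    ctx = build_trust_context(ca_files)
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            smtp.starttls(context=ctx)
            smtp.ehlo()
            peer = smtp.sock.getpeercert()  # leaf cert, verified
            return {"ok": True, "peer_subject": peer.get("subject")}
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate": anchor missing
        return {"ok": False, "error": exc.verify_message,
                "advice": ADVICE["missing_trust_anchor"]}
    except (ssl.SSLError, smtplib.SMTPException, OSError) as exc:
        return {"ok": False, "error": str(exc)}


if __name__ == "__main__":
    for cause, lines in classify_handshake_log(SAMPLE_LOG).items():
        print(cause, "->", ADVICE[cause])
        for line in lines:
            print("   ", line)
    if len(sys.argv) > 1:  # python script.py <next-hop-host>
        print(probe_starttls(sys.argv[1]))
```

Run it with the next-hop host name as the first argument (the probe is skipped when none is given). If `probe_starttls` already succeeds with only the two DigiCert PEM files, importing those same files into prevent.ks is sufficient; if it fails with a verify error, check that the file you downloaded is the certificate Mimecast actually chains to before importing it.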