Certificate warning message appears in Encryption Management Server mail log

Article ID: 209250

Products

Encryption Management Server
Encryption Management Server Powered by PGP Technology
Gateway Email Encryption
Gateway Email Encryption Powered by PGP Technology

Issue/Introduction

If Encryption Management Server has mail proxies configured under Mail / Proxies in the administration console with TLS permitted, the mail log under Reporting / Logs / Mail in the administration console may contain a warning. The log will show an information entry and a warning entry similar to the following, where mail.example.com is the DNS name of the mail proxy:

SMTP-12345: mail.example.com (DNS name) presented a TLS certificate with domain name (example.com), which does not match DNS name
SMTP-12345: remote TLS certificate: "CN=example.com" (issuer: "CN=example.com")

This means that there is a mismatch between the DNS name of the mail proxy and the CN (Common Name) of its TLS certificate. Valid TLS connections require that the DNS name matches either the CN or one of the SAN (Subject Alternative Name) entries of the certificate.

If there is no mismatch, only the information entry appears in the mail log. For example:

SMTP-12345: remote TLS certificate: "CN=mail.example.com" (issuer: "CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US")
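The following is an added example and not part of the Symantec article or product: a small Python script that parses mail log entries in the format shown above, extracts the CN from the information entry, and applies the matching rule the article states (the DNS name must equal the CN or one of the SAN entries, with a leading wildcard covering exactly one label). The sample log lines, session ids and host names are constructed for the example. Because the log only records the CN, the SAN list of a certificate has to be supplied separately to hostname_matches() if you want to confirm a SAN-based match.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample log lines modelled on the entries shown in this article.
# The SMTP session ids and host names are placeholders, not real data.
SAMPLE_LOG = """\
SMTP-12345: mail.example.com (DNS name) presented a TLS certificate with domain name (example.com), which does not match DNS name
SMTP-12345: remote TLS certificate: "CN=example.com" (issuer: "CN=example.com")
SMTP-12346: remote TLS certificate: "CN=mail.example.com" (issuer: "CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US")
"""

# Warning entry: "<session>: <dns name> (DNS name) presented a TLS certificate with domain name (<cert name>), ..."
WARN_RE = re.compile(
    r'^(SMTP-\d+): (\S+) \(DNS name\) presented a TLS certificate with domain name \(([^)]+)\)'
)
# Information entry: '<session>: remote TLS certificate: "<subject>" (issuer: "<issuer>")'
INFO_RE = re.compile(r'^(SMTP-\d+): remote TLS certificate: "([^"]*)" \(issuer: "([^"]*)"\)')
CN_RE = re.compile(r'(?:^|,\s*)CN=([^,]+)')


def parse_mail_log(text: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Group the warning and information entries of each SMTP session by session id."""
    sessions: Dict[str, Dict[str, Optional[str]]] = {}
    for line in text.splitlines():
        m = WARN_RE.match(line)
        if m:
            sid, dns_name, presented = m.groups()
            entry = sessions.setdefault(sid, {})
            entry["dns_name"] = dns_name
            entry["presented"] = presented
            continue
        m = INFO_RE.match(line)
        if m:
            sid, subject, issuer = m.groups()
            entry = sessions.setdefault(sid, {})
            entry["subject"] = subject
            entry["issuer"] = issuer
            cn = CN_RE.search(subject)
            entry["cn"] = cn.group(1).strip() if cn else None
    return sessions


def name_matches(cert_name: str, dns_name: str) -> bool:
    """Compare one certificate name with a DNS name, case-insensitively.
    A leading '*' stands for exactly one left-most label, so *.example.com
    matches mail.example.com but neither example.com nor a.b.example.com."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = dns_name.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def hostname_matches(dns_name: str, cn: Optional[str] = None,
                     sans: Iterable[str] = ()) -> bool:
    """True when the DNS name matches the CN or any SAN dNSName entry,
    which is the condition the article gives for a valid TLS connection."""
    candidates = [n for n in [cn, *sans] if n]
    return any(name_matches(n, dns_name) for n in candidates)


def confirmed_mismatches(sessions: Dict[str, Dict[str, Optional[str]]]) -> List[str]:
    """Session ids whose warning entry is consistent with the CN in the
    information entry. Only the CN appears in the log, so a certificate
    that matches via a SAN entry must be checked separately with
    hostname_matches() using the SAN list read from the certificate."""
    out = []
    for sid, entry in sessions.items():
        dns_name, cn = entry.get("dns_name"), entry.get("cn")
        if dns_name and not hostname_matches(dns_name, cn=cn):
            out.append(sid)
    return out


if __name__ == "__main__":
    parsed = parse_mail_log(SAMPLE_LOG)
    for sid in confirmed_mismatches(parsed):
        e = parsed[sid]
        print(f'{sid}: DNS name {e["dns_name"]} does not match CN {e["cn"]}')
```

Run against the sample log, the script reports SMTP-12345 as a genuine CN mismatch and says nothing about SMTP-12346, whose CN equals the proxy's DNS name. If the warning appears after a configuration change and hostname_matches() returns True for the DNS name the server should be using (with the certificate's real SAN list), the warning is the spurious kind described below and a service restart is the fix.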

If you have recently changed either of the following, the mail log may contain incorrect warnings:

  1. Settings under Mail / Proxies in the administration console.
  2. Settings under System / Network in the administration console.

The warning is incorrect if:

  1. The information entry contains what appears to be an incorrect CN. For example, CN=example.com rather than CN=mail.example.com.
  2. Either the CN or one of the SAN (Subject Alternative Name) entries of the mail proxy certificate does match the DNS name that Encryption Management Server is using.

Environment

Symantec Encryption Management Server release 3.4.2 and above.

Resolution

Restart the Encryption Management Server mail proxy service by doing the following in the administration console:

  1. Click on System / General Settings.
  2. Click on the Restart Services button.

Alternatively, to restart just the mail proxy service, connect to the Encryption Management Server over SSH and enter the following command:

pgpsysconf --restart pgpuniversal

Additional Information

EPG-22645